3 months ago

How to Hide DDE Based Attacks in MS Word « Null Byte :: WonderHowTo

In our previous article, we learned how to take advantage of a feature, Dynamic Data Exchange (DDE), to run malicious code when a MS Word document can be opened. The biggest challenge of This particular attack can be in which This particular requires getting the user to agree to a pop-up prompt. Fortunately, since I posted in which article, many fresh obfuscation techniques have been discovered to make This particular easier. Today we explore in addition to combine some of them to make the ultimate hidden DDE attack.

If you haven’t already read the last article, we explored how to abuse Windows DDE. In simple terms, DDE both executes an application in addition to sends This particular data. We can use This particular to open any application, including command prompt, in addition to send This particular data, or in our case, code to execute. When the user opens our Word document, the code runs on after the user accepts two separate pop-up notifications. This particular article will explore how to make in which process easier by hiding the pop-up windows in addition to disguising the content.

Don’t Miss: How To Use Pupy, A Linux Remote Access Tool

If you haven’t read my last article on DDE, I advise you do so before proceeding with This particular one. Let’s dive right in.

Step 1: Make the Field Invisible

The first in addition to easiest way to obfuscate the DDE field can be to turn This particular invisible. Thanks to WhiskeyS373N for the idea!

Image via WhiskeyS373N

With your payload open in Word, find inside top left in addition to click “Insert” then find “Footer” on the right side of the bar, in addition to left click This particular. Left click “Blank” in addition to you should be taken to a fresh footer at the bottom of the page.

You could at This particular point add a field the same way as inside first article, however there’s a much easier way. Pressing Ctrl + F9 will open a blank field. Then, you simply add your code. Here, I’ll be using the standard calc.exe.

{DDEAUTO c:\windows\system32\cmd.exe “/k calc.exe” }

Once you have your code in place, highlight This particular in addition to the right click on This particular. inside middle bottom of the pop-up window, left click on the arrow beside “A” in addition to then left click on the white block, the top leftmost one.

The text should at This particular point be white in addition to hidden coming from sight. As you can see below, This particular’s quite invisible to the human eye.

However, This particular does not mean This particular can be invisible to the computer, This particular will still execute when Word can be opened. If you don’t believe me, try This particular for yourself. Save the document in addition to reopen This particular, This particular will work just the same as if This particular were inside body of the text.

Check Out: Getting commenced with Post-Exploitation of Windows Hosts

If you still need to work on the field, then either keep This particular highlighted to see This particular or turn This particular back to black. Just don’t forget to set This particular back to white before sending This particular to a target.

Step 2: Modify the User Warning

As we have discussed before, one of the great things about the DDE based attack can be the user never gets an explicit security warning. Unfortunately, they do still get two pop-ups in which we need them to say yes to, in addition to there’s nothing we can do to change in which. Fortunately, since they aren’t security warnings, they have less strict policies about changing them, which allows us to modify the second one.

There’s nothing we can do about the first one, however This particular’s already pretty mundane, asking the user to update the document. As we discussed in our first article, the best way to tackle This particular problem can be with social engineering.

The second one can cause us some trouble in addition to definitely can draw attention coming from more security-minded users. This particular asks them about starting an application, which can tip off the target in which something fishy can be happening. Interestingly, the text of the pop-up prompt actually incorporates portions of the DDEAUTO command. Specifically, This particular gets the bit in parentheses just after remote data in addition to at the end where This particular lists the application.

The original SensePost blog suggests in which This particular can be modified.

The second prompt asks the user whether or not they want to execute the specified application, at This particular point This particular can be considered as a security warning since This particular asks the user to execute “cmd.exe”, however with proper syntax modification This particular can be hidden.

— Etienne Stalmans, Saif El-Sherei

This particular naturally peaked the interest of two researchers in which came up with two slightly different methods to achieve the same effect. Because the second prompt can be reading directly coming from the DDE command field, we can manipulate This particular to change the message.

Check Out: CMD Remote Commands for the Aspiring Hacker, Part 1

The major difference coming from the standard method can be the directory manipulation in addition to message verbiage added to the second parameter of the DDE command. Ryan Hanson was one of the first to post on Twitter how to do This particular.

Image via Ryan Hanson

{ DDEAUTO “Microsoft Word” “Document \..\..\..\..\Windows\File.docx\..\System32\cmd.exe” “” }

However, when I attempted to copy in addition to paste This particular, the code worked, however didn’t look quite the same.

Mike Czumak had a slightly a different method of solving This particular problem.

Image via Mike Czumak‏

I had better luck with getting his example working. I used the following without payload for testing.

{DDEAUTO “C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\windows\system32\WindowsPowerShell\v1.0\powershell.exe $e # ” “for security reasons”}

Of the two, This particular one can be more likely to make sense to the average end user in addition to therefore fool them. You could also try “Due to Security Settings” instead of “for security reasons” or some additional variation. Below, you can see my much less suspicious result.

Step 3: Obfuscate the Payload

Etienne Stalmans, one of the two authors of the SensePost blog in which commenced all the DDE rage, discovered a way to actually obfuscate the payload itself. The method relies on the clever use of the quote field in addition to the fact in which these field codes can be nested.

You can feed the quote field characters in ASCII, in addition to the field This particular can be in will read in which given ASCII character. For example, {QUOTE 65 66 67} would certainly return ABC. This particular allows us to represent our payload as integers, in addition to have word convert This particular to a string before executing our DDE field. There are many tools to convert strings to ASCII.

Another tool we can use can be the “set” in addition to “ref” functions, which set a variable in addition to then reference This particular. For example, if we had This particular inside field:

{SET c “{QUOTE 65 65 65 65}”}
{SET d “{QUOTE 71 71 71 71}”}
{DDE {REF c} {REF d}}

This particular can be what the computer would certainly see before executing the DDE field:


In This particular way, we can obfuscate the entire payload, as This particular will appear as nothing more than a string of numbers to any virus scanning software, until the user says yes to the second prompt. Opening PowerShell would certainly appear like below.

{SET C “{QUOTE 67 58 92 92 80 114 111 103 114 97 109 115 92 92 77 105 99 114 111 115 111 102 116 92 92 79 102 102 105 99 101 92 92 77 83 87 111 114 100 46 101 120 101 92 92 46 46 92 92 46 46 92 92 46 46 92 92 46 46 92 92 119 105 110 100 111 119 115 92 92 115 121 115 116 101 109 51 50 92 92 119 105 110 100 111 119 115 112 111 119 101 114 115 104 101 108 108 92 92 118 49 46 48 92 92 112 111 119 101 114 115 104 101 108 108 46 101 120 101} “}

{DDE {REF C} “a”}

However, Microsoft doesn’t update every field when This particular’s opened, in addition to This particular will not work if the quote does not execute. Luckily, there’s something we can do to make sure This particular updates, by marking This particular “dirty” inside XML file.

To do This particular, save the word document in addition to the find This particular in your documents. Rename This particular coming from a .docx to a .zip then open the zip file. Within the zip file should be the “Word” folder, open This particular. at This particular point, copy “document.xml” by dragging This particular to the desktop, in addition to open This particular for editing.

Don’t Miss: Create & Obfuscate a Virus Inside of a Microsoft Word Document

at This particular point we need to make our links “dirty” by adding the w:dirty=”true” to each begin <w:fldChar>.
The easy way to find these can be Ctrl + F in addition to search for fldChar. This particular should look like This particular when you are done.

<w:fldChar w:fldCharType=”begin” w:dirty=”true”/>

Once in which can be done, save your edits, in addition to place This particular file back where you found This particular. Then you can change the file extension back coming from .zip to .docx.

at This particular point, in addition to our obfuscated payload, we also get a much cleaner looking first prompt.

Step 4: Publisher

at This particular point for the coup de grâce when sending a DDE attack document. One of the troubles when sending a Word document over the internet can be in which This particular will normally be opened in Protected View by default. This particular just puts another layer of pop-ups between the target in addition to code execution.

Thanks to research done by Matt Nelson, we can circumvent Protected View in addition to make This particular in which much easier for the target to mess up.

Image via Matt Nelson

This particular can be as simple as opening Publisher, in addition to going to File, then import Word Document. Once you have This particular saved as a .pub file, you can send This particular to the target in addition to This particular should work just like a normal Word doc, however without triggering Protected View.

Step 5: Putting This particular All Together & Defending

at This particular point, we can combine all of these obfuscation methods to make make the ultimate super sneaky DDE attack. By turning our payload into ASCII, we avoid most anti-virus tools. We then trick the user by editing the prompts they get, in addition to even turn the DDE field inviable so they can’t easily find This particular by inspecting the document. Lastly, we take away their last saving grace, Protected View, by using Publisher to slip past.

Combining these methods have made This particular exploit significantly more dangerous in addition to much more likely to trick the average user. The flexibility of This particular attack, combined with the modular payload in addition to steep consequences for a user clicking “OK” on the wrong prompt make This particular a potent tool for delivering malware.

So how can you defend against This particular sort of attack? The key lies in your observation. When opening files, look for any unusual behaviors in addition to be wary of giving permissions to processes you don’t understand or aren’t familiar. There’s not actually much you can do additional than being paranoid whenever you open a document coming from an untrusted source. Just remember the golden rule: always say NO to unexpected pop-us in addition to prompts.

Thanks for reading! If you have any questions, you can ask here or on Twitter.

Screenshots & Cover Photo by Hoid/Null Byte

Leave a Comment

Your email address will not be published. Required fields are marked *

fifteen − four =