[19340] in bugtraq


Re: MSword execution of dlls

daemon@ATHENA.MIT.EDU (H D Moore)
Thu Feb 22 20:30:25 2001

X-Qmail-Scanner-Mail-From: hdm@secureaustin.com via webserver
X-Qmail-Scanner-Rcpt-To: ingeborn@IXSECURITY.COM BUGTRAQ@SECURITYFOCUS.COM
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID:  <01022205584100.08945@odin>
Date:         Thu, 22 Feb 2001 05:58:41 -0600
Reply-To: H D Moore <hdm@SECUREAUSTIN.COM>
From: H D Moore <hdm@SECUREAUSTIN.COM>
X-To:         Anders Ingeborn <ingeborn@IXSECURITY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <412569FB.0037FFAB.00@guardianit.se>


If you have access to any of the Microsoft Office products, you already have
an easy way to execute commands, modify the registry, or create a network
backdoor.  VBA macros can be used to do ANYTHING.  Every office product
supports them and almost everyone can write them. For example:

1. Open Word.
2. Hit Alt+F11 or select the Visual Basic Macro Editor from the Tools menu.
3. Double-click the ThisDocument object in the Project window.
4. Select the Document object from the left drop-down in the code window
5. Select the New event from the right drop-down in the code window
6. Add the following line into the Document_New() subroutine.

Shell "cmd.exe"

7. Hit F5 and wait for your command shell.

I have used this to do everything from removing access-limiting software to
creating remote command shells that use an outbound connection...

- -HD

http://www.digitaldefense.net (work)
http://www.digitaloffense.net (play)
http://www.cansecwest.com (elite)



On Thursday 22 February 2001 04:11 am, Anders Ingeborn wrote:
> Hi,
[ snip ]
> Details: It can be exploited as:
> (1) write a program with main function DllMain() and compile it as a .dll
> that you give the name "ntshrui.dll"
> (2) Put your .dll in the same directory as a Word document.
> (3) Close all Office applications
> (4) Double-click on the Word document
> (5) When MS Word initializes, it will use your ntshrui.dll instead of the
> one in %systemroot% and your code will be executed.

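A defender's hunting check for the search-order condition Anders describes, added here as an example (it is not code from either message): it walks a directory tree and flags any folder where a hijackable DLL name sits beside a Word document, hashing the planted file so the finding carries an indicator for triage. The document suffixes and the demo directory layout are assumptions.

```python
"""Hunt for the DLL search-order condition described in the thread: a copy of
ntshrui.dll placed beside a Word document, where Word loads it ahead of the
copy in %systemroot%. Added example, not from the original message; the
directory layout it scans is constructed for the demo."""
import hashlib
import os
import tempfile
from pathlib import Path

HIJACKABLE_DLLS = {"ntshrui.dll"}             # name from the advisory; extend as needed
DOCUMENT_SUFFIXES = {".doc", ".dot", ".rtf"}  # assumption: Word document types

def sha256_of(path: Path) -> str:
    """Hash the planted file so the finding carries an indicator for triage."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_colocated_dlls(root: Path) -> list[dict]:
    """One finding per (directory, DLL) where a hijackable DLL name sits next to
    a Word document. Names are matched case-insensitively, as Windows does."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}
        docs = sorted(f for f in files if Path(f).suffix.lower() in DOCUMENT_SUFFIXES)
        if not docs:
            continue
        for name in sorted(HIJACKABLE_DLLS & lower.keys()):
            dll_path = Path(dirpath) / lower[name]
            findings.append({"directory": dirpath, "dll": lower[name],
                             "sha256": sha256_of(dll_path), "documents": docs})
    return findings

def build_demo_tree() -> Path:
    """Constructed layout: one clean folder and one with a planted DLL."""
    root = Path(tempfile.mkdtemp())
    (root / "clean").mkdir()
    (root / "clean" / "report.doc").write_bytes(b"demo")
    (root / "shared").mkdir()
    (root / "shared" / "memo.doc").write_bytes(b"demo")
    (root / "shared" / "NTSHRUI.DLL").write_bytes(b"not a real dll")  # planted copy
    return root

if __name__ == "__main__":
    for f in find_colocated_dlls(build_demo_tree()):
        print(f"{f['directory']}: {f['dll']} ({f['sha256'][:12]}...) beside {f['documents']}")
```

Point `find_colocated_dlls` at a file share or user profile root to sweep real document folders; a hit means the DLL must be compared against the copy in %systemroot% before Word is opened from that directory.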
