Bugtraq mailing list archives
Re: MSword execution of dlls
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Thu, 22 Feb 2001 05:58:41 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you have access to any of the Microsoft Office products, you already have an easy way to execute commands, modify the registry, or create a network backdoor. VBA macros can be used to do ANYTHING. Every office product supports them and almost everyone can write them. For example:

1. Open Word.
2. Hit Alt+F11 or select the Visual Basic Macro Editor from the Tools menu.
3. Double-Click the ThisDocument object in the Project window
4. Select the Document object from the left drop-down in the code window
5. Select the New event from the right drop-down in the code window
6. Add the following line into the Document_New() subroutine.

   Shell "cmd.exe"

7. Hit F5 and wait for your command shell.

I have used this to do everything from removing access limiting software to creating remote command shells that use an outbound connection...

- -HD

http://www.digitaldefense.net (work)
http://www.digitaloffense.net (play)
http://www.cansecwest.com (elite)

On Thursday 22 February 2001 04:11 am, Anders Ingeborn wrote:
Hi,
[ snip ]
Details: It can be exploited as:
(1) write a program with main function DllMain() and compile it as a .dll that you give the name "ntshrui.dll"
(2) Put your .dll in the same directory as a word document.
(3) Close all Office applications
(4) Double-click on the word document
(5) When MS Word initializes it will use your ntshrui.dll instead of the one in %systemroot% and your code will be executed
-----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQA/AwUBOpT++DwRvqMPEDLhEQK1NwCdFnrqBDybBHHdd+qYLA5Dc215kwkAnjly by3BQyyUPkVAjxXU2FSobssZ =5+7i -----END PGP SIGNATURE-----
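
Added example, not part of the original posts or the thread: a defender-side check for the layout described in the quoted message, a DLL named like a system DLL (ntshrui.dll) sitting in the same directory as an Office document. The extension list, the function names and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Office document extensions to look for (assumed list, extend as needed).
DOC_EXTS = {".doc", ".dot", ".docx", ".docm", ".rtf", ".xls", ".ppt"}


def system_dll_names(system_dir):
    """Lower-cased names of the DLLs that live in the trusted system directory."""
    return {n.lower() for n in os.listdir(system_dir) if n.lower().endswith(".dll")}


def find_shadowing_dlls(root, trusted_names):
    """Return (directory, dll) pairs where a DLL named like a system DLL
    sits in the same directory as at least one Office document."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        has_doc = any(os.path.splitext(f)[1].lower() in DOC_EXTS for f in files)
        if not has_doc:
            continue
        for f in sorted(files):
            # Windows file names are case-insensitive, so compare lower-cased.
            if f.lower().endswith(".dll") and f.lower() in trusted_names:
                hits.append((dirpath, f))
    return hits


def build_sample_tree(base):
    """Constructed sample layout: a stand-in system directory and three folders."""
    layout = {
        "system32": ["ntshrui.dll", "kernel32.dll"],
        "share/reports": ["q1.doc", "NTSHRUI.DLL"],   # document + shadowing DLL
        "share/tools": ["ntshrui.dll"],               # DLL but no document
        "share/letters": ["memo.doc", "helper.dll"],  # not a system DLL name
    }
    for rel, names in layout.items():
        d = os.path.join(base, *rel.split("/"))
        os.makedirs(d)
        for n in names:
            open(os.path.join(d, n), "wb").close()  # empty placeholder files
    return os.path.join(base, "system32"), os.path.join(base, "share")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sysdir, share = build_sample_tree(tmp)
        for d, dll in find_shadowing_dlls(share, system_dll_names(sysdir)):
            print("review: %s next to documents in %s" % (dll, d))
```

On a real host, pass the actual system directory to system_dll_names() and a file share or profile directory as root; a hit is a file to review, not proof of tampering.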