Re: MSword execution of dlls

[H D Moore <hdm () SECUREAUSTIN COM>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you have access to any of the Microsoft Office products, you already have
an easy way to execute commands, modify the registry, or create a network
backdoor.  VBA macros can be used to do ANYTHING.  Every office product
supports them and almost everyone can write them. For example:

1. Open Word.
2. Hit Alt+F11 or select the Visual Basic Macro Editor from the Tools menu.
3. Double-Click the ThisDocument object in the Project window
4. Select the Document object from the left drop-down in the code window
5. Select the New event from the right drop-down in the code window
6. Add the following line into the Document_New() subroutine.

Shell "cmd.exe"

7. Hit F5 and wait for your command shell.

I have used this to do everything from removing access limiting software to
creating remote command shells that use an outbound connection...

- -HD

http://www.digitaldefense.net (work)
http://www.digitaloffense.net (play)    
http://www.cansecwest.com (elite)



On Thursday 22 February 2001 04:11 am, Anders Ingeborn wrote:
> Hi,
[ snip ]
> Details: It can be exploited as:
> (1) write a program with main function DllMain() and compile it as a .dll
> that you give the
> name "ntshrui.dll"
> (2) Put your .dll in the same directory as a word document.
> (3) Close all Office applications
> (4) Double-click on the word document
> (5) When MS Word initializes it will use your ntshrui.dll instead of the
> one in %systemroot% and your code will be executed

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBOpT++DwRvqMPEDLhEQK1NwCdFnrqBDybBHHdd+qYLA5Dc215kwkAnjly
by3BQyyUPkVAjxXU2FSobssZ
=5+7i
-----END PGP SIGNATURE-----