DDE is an old MS technology that is used to facilitate data transfer between applications. DDE sends messages between applications that share data and uses shared memory to exchange data between applications. DDE can be embedded in several Office file formats

To leverage this attack vector:

Open a new MS document and insert a field

It will add an "!Unexpected End of Formula" to the document, we right-click it and "Toggle field codes" :

We then replace the = \* MERGEFORMAT with the payload:

{ DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\windows\\system32\\WindowsPowershell\\v1.0\\powershell.exe start calc # " "required"}​

If we save the document, reopen our document and accept the 2 prompts, calculator will popup.

Obfuscating Field Codes


Last updated