MSWord as a DDE Server

Even though DDE is being replaced by other RPC methods, an ancient DDE server still exists within Office products, providing integration with other systems and forms. Each product has its own server with its own Topics, and it waits for messages from the moment the product is started.

By trying to send some DDE messages, I noticed that WinWord (the Word DDE server) responds to WM_DDE_EXECUTE messages in a strange way.

If you send the WinWord server a message on the System topic, it will post it directly in the active sheet, but (let the fun begin) if you enclose the message in [] brackets, Word puts the message in a macro function TmpDDE() within a module called WordTmpDDEMod, and executes it.

That means that if we can trigger a DDE Execute against MSWord, we can inject our own code and have it executed under the Word.exe process.

To do so, I used David Naylor's DDE client in Python to send the execute code; I then found out that there are other command line tools, like CMCDDE and others, that you can use for the same purpose.

Now, if you try to send regular VB code, Word does the following:

It suffixes functions like CreateObject with __.

It prefixes known functions like MsgBox with WordBasic., which renders most functions useless.

It replaces some dots with commas, and it defines undefined variables too.

So a valid command like:

[CreateObject("Wscript.Shell").Run "notepad"]

will be transformed into this:

CreateObject___("Wscript.Shell"), Run "notepad"

which gives a syntax error, since Word doesn't recognize that function and the "," is misplaced.

After some attempts to find code that would actually run, using the old "On Error Resume Next" trick, I figured out that WordBasic.Shell is a valid function, so by sending:

[shell "notepad"]

Word proceeds to execute it as:

WinWord.Shell("notepad")

which launches Notepad with the Word process as its parent, and with no log trace, since nobody records DDE messages.
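Since the DDE messages themselves are not logged, the trace the technique above does leave is the process tree: Notepad (or whatever was shelled) with WINWORD.EXE as its parent. The following is an added example, not code from the original post, that applies that check to constructed Sysmon-style process-creation records; the Office host names and the allowlist of expected children are assumptions to tune per environment.

```python
"""Flag processes spawned by Word, the one trace the DDE path above leaves.

Added example, not part of the original post. DDE execute messages are not
logged, but process creation is: Sysmon Event ID 1 (or Windows 4688) records
the parent image. The records below are constructed, not real telemetry."""
import ntpath
from typing import Dict, Iterable, List

# Office binaries that host a DDE server (assumption: names as shipped by Microsoft)
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children Office legitimately spawns; tune to your environment (assumption)
EXPECTED_CHILDREN = {"splwow64.exe", "winword.exe", "excel.exe"}
# Interpreters that make a child worth alerting on regardless of other context
HIGH_RISK = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (ntpath works on any OS)."""
    return ntpath.basename(image).lower()

def classify(event: Dict[str, str]) -> str:
    """Return 'high', 'medium', or 'ok' for one process-creation record."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    if parent not in OFFICE_HOSTS or child in EXPECTED_CHILDREN:
        return "ok"
    return "high" if child in HIGH_RISK else "medium"

def flag_office_spawns(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep every record whose parent is an Office DDE host, annotated with severity."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev != "ok":
            hits.append({**ev, "severity": sev})
    return hits

# Constructed sample records using Sysmon Event ID 1 field names
SAMPLE_EVENTS = [
    {"EventId": "1", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad"},
    {"EventId": "1", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"EventId": "1", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c dir"},
    {"EventId": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad"},
]

if __name__ == "__main__":
    for hit in flag_office_spawns(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {basename(hit['ParentImage'])} -> {hit['CommandLine']}")
```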