ruler v2.5 releases: abuse Exchange services

by do son · Published August 23, 2018 · Updated November 4, 2024

Ruler is a tool that allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol. The main aim is to abuse the client-side Outlook features and gain a shell remotely.

The full low-down on how Ruler was implemented and some background regarding MAPI can be found in our blog posts:

What does it do?

Ruler has multiple functions and more are planned. These include

Enumerate valid users
Create new malicious mail rules
Dump the Global Address List (GAL)
VBScript execution through forms
VBScript execution through the Outlook Home Page

Ruler attempts to be semi-smart when it comes to interacting with Exchange and uses the Autodiscover service (just as your Outlook client would) to discover the relevant information.

Changelog

v2.5

Add Makefile

v2.4

This is a big release and contains numerous fixes and additions thanks to Roman Maksimov (@rmaksimov).

Fixes:

#112 – fix fragmentation bug; remove an unnecessary code in SplitData function
#113 – fixes HTTP WWW-Authentication header parsing. Case sensitive parsing of the Authorization header gave false authorization failures
#114 – fixes authentication bug that existed for the usage of --basic. Smarter auto authnetication scheme selection
#115 – fixes autodiscover cache creation. Valid cache was being overwritten with empty file when autodiscover failed
#117 – fix 503 RPC error that occurred due to extra Cookie header and bad line-breaks (hopefully fixes issue #51)
#118 – misc error details improvements and code clean-up

Additions:

#116 – adds a --hostname option that allows controlling the Workstation name that gets sent in NTLM authentication attempts
#118 – adds --useragent for controlling the user-agent sent in HTTP headers