Skip to content
/ CACTUSTORCH Public
forked from vysecurity/CACTUSTORCH

CACTUSTORCH: Payload Generation for Adversary Simulations

1 star 223 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

m00zh33/CACTUSTORCH

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits

CACTUSTORCH.cs

CACTUSTORCH.cs

 
 

CACTUSTORCH.cna

CACTUSTORCH.cna

 
 

CACTUSTORCH.hta

CACTUSTORCH.hta

 
 

CACTUSTORCH.js

CACTUSTORCH.js

 
 

CACTUSTORCH.jse

CACTUSTORCH.jse

 
 

CACTUSTORCH.vba

CACTUSTORCH.vba

 
 

CACTUSTORCH.vbe

CACTUSTORCH.vbe

 
 

CACTUSTORCH.vbs

CACTUSTORCH.vbs

 
 

README.md

README.md

 
 

banner.txt

banner.txt

 
 

splitvba.py

splitvba.py

 
 

Repository files navigation

                                (              )  (            )  
   (    (       (    *   )      )\ )  *   ) ( /(  )\ )  (   ( /(  
   )\   )\      )\ ` )  /(   ( (()/(` )  /( )\())(()/(  )\  )\()) 
 (((_|(((_)(  (((_) ( )(_))  )\ /(_))( )(_)|(_)\  /(_)|((_)((_)\  
 )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_())  ((_)(_)) )\___ _((_) 
((/ __(_)_\(_|(/ __|_   _| | | / __||_   _| / _ \| _ ((/ __| || | 
 | (__ / _ \  | (__  | | | |_| \__ \  | |  | (_) |   /| (__| __ | 
  \___/_/ \_\  \___| |_|  \___/|___/  |_|   \___/|_|_\ \___|_||_|

Author and Credits

Author: Vincent Yiu (@vysecurity)

Credits:

  • @cn33liz: Inspiration with StarFighters
  • @tiraniddo: James Forshaw for DotNet2JScript
  • @armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into
  • @_RastaMouse: Testing and giving recommendations around README
  • @bspence7337: Testing

Description

A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.

DotNetToJScript can be found here: https://github.com/tyranid/DotNetToJScript

Usage:

  • Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example...

  • Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework

  • Run: cat payload.bin | base64 -w 0

  • For JavaScript: Copy the base64 encoded payload into the code variable below

    var code = "<base64 encoded 32 bit raw shellcode>";

  • For VBScript: Copy the base64 encoded payload into the code variable below

    Dim code: code = "<base64 encoded 32 bit raw shellcode>"

  • Then run:

wscript.exe CACTUSTORCH.js or wscript.exe CACTUSTORCH.vbs via command line on the target, or double click on the files within Explorer.

  • For VBA: Copy the base64 encoded payload into a file such as code.txt

  • Run python splitvba.py code.txt output.txt

  • Copy output.txt under the following bit so it looks like:

    code = ""
code = code & "<base64 code in 100 byte chunk"
code = code & "<base64 code in 100 byte chunk"

  • Copy and paste the whole payload into Word Macro

  • Save Word Doc and send off or run it.

CobaltStrike

  • Load CACTUSTORCH.cna
  • Go to Attack -> Host CACTUSTORCH Payload
  • Fill in fields
  • File hosted and ready to go!

About

CACTUSTORCH: Payload Generation for Adversary Simulations

Topics

actors apt threat andrew real thompson dailytooldrop

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Visual Basic .NET 61.6%
  • JavaScript 21.2%
  • C# 16.0%
  • Python 1.2%