( ) ( ) ( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /( )\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\()) (((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\ )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_) ((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || | | (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ | \___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_|
Author and Credits
Author: Vincent Yiu (@vysecurity)
- @cn33liz: Inspiration with StarFighters
- @tiraniddo: James Forshaw for DotNet2JScript
- @armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into
- @_RastaMouse: Testing and giving recommendations around README
- @bspence7337: Testing
DotNetToJScript can be found here: https://github.com/tyranid/DotNetToJScript
Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example...
Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework
Run: cat payload.bin | base64 -w 0
var code = "<base64 encoded 32 bit raw shellcode>";
For VBScript: Copy the base64 encoded payload into the code variable below
Dim code: code = "<base64 encoded 32 bit raw shellcode>"
wscript.exe CACTUSTORCH.js or
wscript.exe CACTUSTORCH.vbs via command line on the target, or double click on the files within Explorer.
For VBA: Copy the base64 encoded payload into a file such as code.txt
Run python splitvba.py code.txt output.txt
Copy output.txt under the following bit so it looks like:
code = "" code = code & "<base64 code in 100 byte chunk" code = code & "<base64 code in 100 byte chunk"
Copy and paste the whole payload into Word Macro
Save Word Doc and send off or run it.
- Load CACTUSTORCH.cna
- Go to Attack -> Host CACTUSTORCH Payload
- Fill in fields
- File hosted and ready to go!