( ) ( )
( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /(
)\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\())
(((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\
)\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_)
((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || |
| (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ |
\___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_|
Author and Credits
Author: Vincent Yiu (@vysecurity)
Credits:
- @cn33liz: Inspiration with StarFighters
- @tiraniddo: James Forshaw for DotNet2JScript
- @armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into
- @_RastaMouse: Testing and giving recommendations around README
- @bspence7337: Testing
Description
A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.
DotNetToJScript can be found here: https://github.com/tyranid/DotNetToJScript
Usage:
-
Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example...
-
Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework
-
Run: cat payload.bin | base64 -w 0
-
For JavaScript: Copy the base64 encoded payload into the code variable below
var code = "<base64 encoded 32 bit raw shellcode>"; -
For VBScript: Copy the base64 encoded payload into the code variable below
Dim code: code = "<base64 encoded 32 bit raw shellcode>" -
Then run:
wscript.exe CACTUSTORCH.js or wscript.exe CACTUSTORCH.vbs via command line on the target, or double click on the files within Explorer.
-
For VBA: Copy the base64 encoded payload into a file such as code.txt
-
Run python splitvba.py code.txt output.txt
-
Copy output.txt under the following bit so it looks like:
code = "" code = code & "<base64 code in 100 byte chunk" code = code & "<base64 code in 100 byte chunk" -
Copy and paste the whole payload into Word Macro
-
Save Word Doc and send off or run it.
CobaltStrike
- Load CACTUSTORCH.cna
- Go to Attack -> Host CACTUSTORCH Payload
- Fill in fields
- File hosted and ready to go!