DotNetToJScript can be found here: http://ift.tt/2ocnTpH
git clone http://ift.tt/2upi7Y1
Choose the binary you want to inject into. The default is "rundll32.exe"; notepad.exe or calc.exe can be used instead, for example.
Generate 32-bit raw shellcode in whatever framework you want. Tested with: Cobalt Strike, Metasploit Framework.
Run: cat payload.bin | base64 -w 0
For VBScript: Copy the base64-encoded payload into the code variable below:
Dim code: code = ""
Run wscript.exe CACTUSTORCH.js or wscript.exe CACTUSTORCH.vbs from the command line on the target, or double-click the files in Explorer.
For VBA: Copy the base64-encoded payload into a file such as code.txt
Run python splitvba.py code.txt output.txt
Copy the contents of output.txt under the following line so it looks like:
code = ""
code = code & "<base64 code in 100 byte chunk"
code = code & "
Host CACTUSTORCH Payload
Fill in fields
File hosted and ready to go!
Payload Generation with CACTUSTORCH
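For defenders, the steps above leave a recognisable trace in process-creation telemetry if the script host starts the chosen binary as a child process. The following is an added example, not part of CACTUSTORCH or the original post; it assumes Sysmon-style field names (Image, ParentImage, CommandLine), constructed sample events, and that cscript.exe and Office applications are also relevant parents.

```python
from ntpath import basename  # parses Windows paths on any OS

# wscript.exe is the host named above; cscript.exe and the Office
# applications (VBA variant) are assumptions added for this example.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "winword.exe", "excel.exe"}
# Injection targets named above: the default and the two alternatives.
TARGETS = {"rundll32.exe", "notepad.exe", "calc.exe"}

def has_no_arguments(command_line):
    """True when the command line is only the image path (paths without spaces)."""
    cl = command_line.strip()
    if cl.startswith('"'):
        rest = cl[1:].partition('"')[2]
    else:
        rest = cl.partition(" ")[2]
    return rest.strip() == ""

def score_event(ev):
    """Return the reasons a process-creation event matches the pattern."""
    parent = basename(ev["ParentImage"]).lower()
    child = basename(ev["Image"]).lower()
    if parent not in SCRIPT_HOSTS or child not in TARGETS:
        return []
    reasons = [f"{parent} spawned {child}"]
    if "\\syswow64\\" in ev["Image"].lower():
        reasons.append("32-bit image on a 64-bit host")
    if has_no_arguments(ev["CommandLine"]):
        reasons.append("target started without arguments")
    return reasons

def triage(events):
    """Return (index, reasons) for every event that matched."""
    scored = ((i, score_event(ev)) for i, ev in enumerate(events))
    return [(i, r) for i, r in scored if r]

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes.txt"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]
```

The third event matches only on the parent-child pair, so the number of reasons can be used to rank alerts rather than treating every match equally.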
Author and Credits
Author: Vincent Yiu (@vysecurity)
@cn33liz: Inspiration with StarFighters
@tiraniddo: James Forshaw for DotNet2JScript
@armitagehacker: Raphael Mudge for the idea of selecting the 32-bit version on 64-bit architecture machines to inject into
@_RastaMouse: Testing and giving recommendations around README
The post CACTUSTORCH: Payload Generation for Adversary Simulations appeared first on Penetration Testing.