1/3

mdsecactivebreach

mdsecactivebreach/CACTUSTORCH: CACTUSTORCH:
Payload Generation for Adversary Simulations

github.com/mdsecactivebreach/CACTUSTORCH

Author and Credits

Author: Vincent Yiu (@vysecurity)

Credits:

@cn33liz: Inspiration with StarFighters
@tiraniddo: James Forshaw for DotNet2JScript
@armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit
architecture machines for injection into
@_RastaMouse: Testing and giving recommendations around README
@bspence7337: Testing

                               (              )  (            )   
  (    (       (    *   )      )\ )  *   ) ( /(  )\ )  (   ( /(   
  )\   )\      )\ ` )  /(   ( (()/(` )  /( )\())(()/(  )\  )\())  
(((_|(((_)(  (((_) ( )(_))  )\ /(_))( )(_)|(_)\  /(_)|((_)((_)\   
)\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_())  ((_)(_)) )\___ _((_)  
((/ __(_)_\(_|(/ __|_   _| | | / __||_   _| / _ \| _ ((/ __| || |  
| (__ / _ \  | (__  | | | |_| \__ \  | |  | (_) |   /| (__| __ |  
 \___/_/ \_\  \___| |_|  \___/|___/  |_|   \___/|_|_\ \___|_||_|  

https://github.com/mdsecactivebreach/CACTUSTORCH


2/3

Description

A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary
specified and inject shellcode into it.

DotNetToJScript can be found here: https://github.com/tyranid/DotNetToJScript

Usage:

Choose a binary you want to inject into, default "rundll32.exe", you can use
notepad.exe, calc.exe for example...

Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt
Strike, Metasploit Framework

Run: cat payload.bin | base64 -w 0

For JavaScript: Copy the base64 encoded payload into the code variable below

var code = "<base64 encoded 32 bit raw shellcode>";

For VBScript: Copy the base64 encoded payload into the code variable below

Dim code: code = "<base64 encoded 32 bit raw shellcode>"

Then run:

wscript.exe CACTUSTORCH.js  or wscript.exe CACTUSTORCH.vbs  via command line on
the target, or double click on the files within Explorer.

For VBA: Copy the base64 encoded payload into a file such as code.txt

Run python splitvba.py code.txt output.txt

Copy output.txt under the following bit so it looks like:

Copy and paste the whole payload into Word Macro

Save Word Doc and send off or run it.

CobaltStrike

Load CACTUSTORCH.cna
Go to Attack -> Host CACTUSTORCH Payload

code = "" 
code = code & "<base64 code in 100 byte chunk" 
code = code & "<base64 code in 100 byte chunk" 

https://github.com/tyranid/DotNetToJScript


3/3

Fill in fields
File hosted and ready to go!