Obfuscate CactusTorch
Author: Arno0x0x - @Arno0x0x
The CactusTorch project from Vincent Yiu (@vysecurity) is a fantastic toolkit making use of the DotNetToJScript project.
This little tool tries to achieve two goals:
- Make more obfuscated versions of the Office macro (VBA) and JScript stagers,
- Make use of my WebDavDelivery project to deliver the shellcode and the CactusTorch serialized assembly.
Thus ObfuscateCactusTorch was born: CactusTorch meets WebDavDelivery :-).
How to use it
Installation is pretty straightforward:
- Git clone this repository:
git clone https://github.com/Arno0x/ObfuscateCactusTorch ObfuscateCactusTorch
- cd into the ObfuscateCactusTorch folder:
cd ObfuscateCactusTorch
- Give the execution rights to the main script:
chmod +x obfuscateCactusTorch.py
Usage:
1. Get a working copy of the WebDavDelivery tool.
2. Launch obfuscateCactusTorch.py with the following arguments:
   - type of stager to generate: either js or vba
   - IP address or FQDN of the WebDavDelivery server
   - name of the binary into which CactusTorch should inject the shellcode (must be a 32-bit binary; check the CactusTorch project for details)
   - output file name for the generated stager (either VBA or JS)
3. Generate x86 shellcode with no encoding; you can use metasploit, for instance.
4. Copy the shellcode file as well as the provided cactusTorch/cactusTorch_serialized.bin into the servedFiles folder of your WebDavDelivery installation.
5. Start WebDavDelivery.
6. On the target system, launch the stager generated in step 2.
7. On the WebDavDelivery side, you can see the stager downloading the shellcode and the serialized object.
8. Let the magic happen :-)
DISCLAIMER
This tool is intended to be used in a legal and legitimate way only:
- either on your own systems, as a means of learning, of demonstrating what can be done and how, or of testing your defense and detection mechanisms,
- or on systems you have been officially and legitimately entitled to assess (pentest, security audits).
Quoting Empire's authors: "There is no way to build offensive tools useful to the legitimate infosec industry while simultaneously preventing malicious actors from abusing them."