Payload Generation with CACTUSTORCH

Note: posted in June 2017

This post was originally published on the MDSec blog (https://www.mdsec.co.uk/blog/) while I was employed by MDSec Consulting Limited in the United Kingdom. It is mirrored on my own blog for archiving reasons.

CACTUSTORCH is a payload generation framework for use in adversary simulation engagements, built on James Forshaw’s DotNetToJScript. It allows a C# binary to be bootstrapped inside a script-based payload, providing a reliable means of bypassing many common defences. CACTUSTORCH currently supports the following payload types:

  • VBS
  • VBA
  • JS
  • JSE
  • WSF
  • HTA
  • VBE

State of Current Payloads

Generation of payloads for the supported formats already exists in several frameworks, including Metasploit and Cobalt Strike. There are however some drawbacks to how these payloads are generated.

In the Metasploit Framework the payload formats work as follows:

  • VBS: File drop and execute — touches disk.
  • HTA-PSH: Runs powershell.exe with a WScript.Shell object — powershell.exe and WScript.Shell are well known to the blue team.
  • VBA-EXE: File drop and execute — touches disk.
  • VBA: Shellcode injection by declaring Kernel32 APIs — known indicators for maldoc scanning.
  • VBA-PSH: Runs powershell.exe with a Shell object — powershell.exe is well known to the blue team.

In Cobalt Strike the payload formats work as follows:

  • VBS: Weakens the target, creates a COM object to Excel, creates a worksheet, injects VBA macro code and executes it — relies on Office being installed and on Kernel32 API declarations in the injected VBA.
  • VBA: Shellcode injection by declaring Kernel32 APIs — known indicators for maldoc scanning.
  • HTA-EXE: File drop and execute — touches disk.
  • HTA-PSH: Runs powershell.exe with a WScript.Shell object — powershell.exe and WScript.Shell are well known to the blue team.
  • HTA-VBA: Wraps a VBS that does the weakening, the COM object to Excel and the macro injection of Kernel32 API declaration VBA code.
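The indicators listed above (Kernel32 API declarations, a WScript.Shell object, a powershell.exe reference, Excel COM automation, and a large embedded base64 payload) lend themselves to a simple source-level triage of script and macro bodies. The Python scanner below is an added example written for this mirror, not code from the original post or from CACTUSTORCH; its patterns, the blob-length threshold and the sample snippets are constructed here, and the chunk-joining check assumes a split VBA blob is emitted as a chain of quoted string literals.

```python
import re

# Patterns for the payload traits named in the post. Constructed for this
# example (not part of CACTUSTORCH); tune to your own corpus before use.
INDICATORS = [
    # "Shellcode injection by declaring Kernel32 API": a Declare statement
    # bound to kernel32 is the classic maldoc-scanner hit.
    ("kernel32_api_declaration",
     re.compile(r'\bDeclare\b[^\r\n]*\bLib\s+"kernel32(?:\.dll)?"', re.IGNORECASE)),
    # HTA-PSH / VBA-PSH style: a WScript.Shell object used to run a command.
    ("wscript_shell_object",
     re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE)),
    # Any reference to powershell.exe inside the script or macro body.
    ("powershell_reference",
     re.compile(r'\bpowershell(?:\.exe)?\b', re.IGNORECASE)),
    # COM automation of Excel for macro injection (the Cobalt Strike VBS route).
    ("excel_com_automation",
     re.compile(r'CreateObject\s*\(\s*"Excel\.Application"\s*\)', re.IGNORECASE)),
]

# Total length of base64-alphabet string literals above which the body is
# treated as carrying an embedded (possibly stageless) payload. Assumed
# threshold, not a figure from the post.
EMBEDDED_BLOB_THRESHOLD = 256

# A quoted literal made only of base64 characters; the length floor skips
# short literals such as "kernel32" or "A1".
_BASE64_LITERAL = re.compile(r'"([A-Za-z0-9+/=]{16,})"')


def embedded_blob_length(text):
    """Sum the base64-looking literals, so a blob split into concatenated
    chunks (as in the VBA template) scores the same as one long literal."""
    return sum(len(m.group(1)) for m in _BASE64_LITERAL.finditer(text))


def scan_source(text):
    """Return the sorted names of indicators present in a script/macro body."""
    hits = {name for name, pattern in INDICATORS if pattern.search(text)}
    if embedded_blob_length(text) >= EMBEDDED_BLOB_THRESHOLD:
        hits.add("embedded_base64_blob")
    return sorted(hits)


# Constructed samples, not real payloads. The VBA one declares a harmless
# kernel32 export and carries a 4 x 64 character stand-in for a split blob.
SAMPLE_VBA = (
    'Private Declare PtrSafe Function GetTickCount Lib "kernel32" () As Long\n'
    "Sub AutoOpen()\n"
    "    Dim code As String\n"
    + "".join('    code = code & "%s"\n' % ("A" * 64) for _ in range(4))
    + "End Sub\n"
)
SAMPLE_HTA = (
    '<script language="VBScript">\n'
    'Set sh = CreateObject("WScript.Shell")\n'
    'sh.Run "powershell.exe"\n'
    "</script>\n"
)
SAMPLE_BENIGN = (
    "Sub FormatReport()\n"
    '    Range("A1").Font.Bold = True\n'
    "End Sub\n"
)

if __name__ == "__main__":
    for label, body in (("vba", SAMPLE_VBA), ("hta", SAMPLE_HTA), ("benign", SAMPLE_BENIGN)):
        print(label, scan_source(body))
```

In practice the macro text would come from an extraction tool such as oletools' olevba rather than from inline strings, and the embedded-blob check needs baselining, since legitimate documents also carry long base64 literals (embedded images, certificates). The point of summing literals rather than matching one long run is the VBA case: the post's vbasplit.py step exists precisely because VBA line-length limits force the blob into chunks, so a single-run regex would miss the VBA variant while catching the JS, VBS and HTA templates.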

Benefits of CACTUSTORCH

CACTUSTORCH offers a number of improvements on current payload generation that are beyond the capabilities of the public frameworks:

  • Does not use Kernel32 API declarations in the payload.
  • Obfuscated within the C# binary.
  • Allows arbitrary specification of the target binary to spawn.
  • Allows arbitrary shellcode to be specified.
  • Does not spawn powershell.exe.
  • Does not require PowerShell.
  • Does not require Office.
  • Does not invoke WScript.Shell.
  • Does not require staging, as the full stageless shellcode can be contained within the delivered payload.
  • No static parent-to-child spawn: the user can change what wscript.exe spawns.
  • wscript.exe spawning powershell.exe is suspicious; spawning rundll32.exe is arguably less indicative of compromise. You can change this to calc.exe, ping.exe /t or similar less suspicious binaries.
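Because the parent-to-child pair is configurable, a detection keyed on wscript.exe spawning powershell.exe misses the rundll32.exe, calc.exe or ping.exe variants. The heuristic below scores any child of a Windows script host and raises the score when that child is a 32-bit image launched from SysWOW64 on a 64-bit host, the injection-container selection the post credits to Cobalt Strike's VBA macro. It is an added example, not code from the post or from CACTUSTORCH; the event field names, severity weights and sample events are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Windows script hosts under which the post's payload formats run: VBS, JS,
# JSE, WSF and VBE under wscript.exe/cscript.exe, HTA under mshta.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Children the post names as spawn targets (rundll32.exe, calc.exe, ping.exe)
# or as well known to the blue team (powershell.exe). They only add weight;
# the trigger is the script-host parent, whatever the child is.
NOTABLE_CHILDREN = {"rundll32.exe", "calc.exe", "ping.exe", "powershell.exe"}


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _under_syswow64(path):
    return "syswow64" in (part.lower() for part in PureWindowsPath(path).parts)


def assess_process_creation(event):
    """Score one process-creation event.

    Event keys (assumed for this example): parent_image, image, host_is_64bit.
    Returns (severity, reasons); severity 0 means "not of interest".
    """
    parent = _basename(event["parent_image"])
    child = _basename(event["image"])
    if parent not in SCRIPT_HOSTS:
        return 0, []
    severity, reasons = 1, [f"script host {parent} spawned {child}"]
    if child in NOTABLE_CHILDREN:
        severity += 1
        reasons.append(f"{child} is a known spawn target")
    if event.get("host_is_64bit") and _under_syswow64(event["image"]):
        # A 32-bit child chosen on a 64-bit host is the injection-container
        # pattern: pick the SysWOW64 copy, inject shellcode into it.
        severity += 2
        reasons.append("32-bit child from SysWOW64 on a 64-bit host")
    return severity, reasons


def triage(events, threshold=2):
    """Return (image, severity, reasons) for events at or above threshold."""
    scored = [(e["image"], *assess_process_creation(e)) for e in events]
    return [row for row in scored if row[1] >= threshold]


# Constructed sample telemetry, not captured from a real system.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "host_is_64bit": True},
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\ping.exe", "host_is_64bit": True},
    {"parent_image": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Windows\System32\cmd.exe", "host_is_64bit": True},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "host_is_64bit": True},
]

if __name__ == "__main__":
    for image, severity, reasons in triage(SAMPLE_EVENTS):
        print(severity, image, "; ".join(reasons))
```

Logon and maintenance scripts run under cscript.exe legitimately spawn children, so the base weight is deliberately low and the threshold is meant to be tuned against a baseline; the SysWOW64-on-64-bit signal carries the most weight because ordinary 64-bit Windows sessions rarely launch the 32-bit copy of a system binary. Since the C# stage is bootstrapped inside the script host itself, a module-load event showing the .NET runtime (mscoree.dll or clr.dll) inside wscript.exe is a complementary signal that this process-tree view does not capture.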

Using CACTUSTORCH

Using CACTUSTORCH is relatively straightforward; the following outlines the steps required to generate a custom payload:

  • Select the payload format you want to use from the cloned directory.
  • Select a binary container you want to inject into; it has to exist in both SYSWOW64 and SYSTEM32.
  • Generate raw shellcode for your listener.
  • Base64-encode it: $> cat payload.bin | base64 -w 0 > out.txt
  • Copy the base64 payload from out.txt into the “code” variable of the template.

For the VBA template:

  1. Run the out.txt through vbasplit.py: vbasplit.py out.txt split.txt
  2. Copy the contents of split.txt into the code section highlighted in the VBA template. The payload is ready.
  3. Apply obfuscation if you want.

A video demonstrating these steps is shown below:

Integration with Cobalt Strike

As part of streamlining adversary simulation engagements so that more time can be spent creating sophisticated and bespoke attacks, Vincent has created a CACTUSTORCH aggressor script to facilitate payload generation.

After loading the aggressor script, a CACTUSTORCH menu is presented under the “Attack” tab. You can select the payload type and options, and the script will generate the payload and host it for you. For the VBA format, the code is presented in a textbox from which it can be copied and pasted into a Word VBA macro.

The aggressor script is demonstrated in the following video:

Prior to this, it was not possible to invoke shellcode injection directly from multiple formats, with the exception of VBA macros (as discussed above). CACTUSTORCH has a self-contained C# binary which accepts a binary name and base64-encoded shellcode to inject. Additionally, it borrows a concept from @armitagehacker’s Cobalt Strike VBA macro injection, whereby it selects the 32-bit executable to inject into.

Credits

The scripts, proof of concepts and aggressor script add-on were created by Vincent Yiu. We would like to also thank the following people for their contributions:

  • @tiraniddo: James Forshaw for DotNetToJScript
  • @cn33liz: Inspiration with StarFighters
  • @armitagehacker: Raphael Mudge for the idea of selecting the 32-bit version on 64-bit machines for injection
  • @_RastaMouse: Testing and giving recommendations around the README

CACTUSTORCH can be downloaded from my GitHub page.
