Salsa-tools is a collection of three tools written in C# that are used to take over a Windows machine, bypass AV and get a reverse shell without needing PowerShell on the victim machine. Salsa-Tools combines three different ingredients: EvilSalsa, EncrypterAssembly and SalseoLoader.
Installation
To install the tool we need a machine that has VSCode installed.
1 – Go to the GitHub repository
2 – If you don't have VSCode, install it from here: VScode Download Link
3 – Navigate to the location of the tool: {YOURPATH}\Salsa-tools-master\SalseoLoader\SalseoLoader
3.1 Open Program.cs with VSCode
3.2 You will add some code to the file, and then we will compile it
3.3 The code is here: Code
3.4 Create a file named args.txt in the same directory with this code (Code Link) and save it
3.5 Press Ctrl+Shift+B or click Terminal > "Run Build Task"
A file called SalseoLoader.exe will be created.
Usage
N.B.: To make the attack more realistic, in this usage scenario we also use another tool called Evil Winrar Gen, a proof of concept for the WinRAR RCE CVE-2018-20250.
After compiling and creating SalseoLoader.exe, we now encrypt System.Management.Automation.dll, which we rename to EvilSalsa.dll in this scenario.
1 – Open a terminal and go to {YOURPATH}\Salsa-tools-master\EncrypterAssembly
2 – Execute the script with the arguments {file} {password} {outputfile}
3 – Now we create the fake RAR file with Evil Winrar Gen: ./evilWinrar.py -e SalseoLoader.exe -g picture.jpg
SalseoLoader.exe is the payload we created in the Installation section; picture.jpg can be any picture or file you want to compress in order to deceive the victim.
4 – Now we send the RAR file to our victim. Once they extract the RAR, the attached picture will be extracted and SalseoLoader.exe will be placed in the Startup folder
5 – Open a terminal and listen with Netcat on the port you used in args.txt
6 – Once the victim reboots you will get a reverse connection
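Step 4 leaves defenders a clear signal: an executable written into a Startup folder by an archive extractor. The detection sketch below is an added example, not part of the original post or of Salsa-tools. The simplified `key=value|...` event format (modelled on Sysmon FileCreate, Event ID 11), the sample events and the archiver process list are constructed assumptions.

```python
import ntpath
import re

# Standard per-user and all-users Startup folders; match files placed directly inside.
STARTUP_RE = re.compile(
    r"\\(appdata\\roaming|programdata)\\microsoft\\windows"
    r"\\start menu\\programs\\startup\\[^\\]+$",
    re.IGNORECASE,
)
EXEC_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1", ".lnk"}
# Assumed list of archive-extractor process names; extend it for your environment.
ARCHIVERS = {"winrar.exe", "unrar.exe", "7z.exe", "7zfm.exe", "7zg.exe"}

# Constructed sample events (simplified Sysmon-style FileCreate records).
SAMPLE_EVENTS = [
    r"EventID=11|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SalseoLoader.exe",
    r"EventID=11|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\alice\Downloads\picture.jpg",
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk",
    r"EventID=11|Image=C:\Windows\System32\notepad.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\todo.txt",
]

def parse_event(line):
    """Split 'key=value|key=value' into a dict."""
    return dict(f.split("=", 1) for f in line.strip().split("|") if "=" in f)

def classify(event):
    """Return 'high', 'medium' or None for one file-creation event."""
    target = event.get("TargetFilename", "")
    if event.get("EventID") != "11" or not STARTUP_RE.search(target):
        return None
    if ntpath.splitext(target)[1].lower() not in EXEC_EXTS:
        return None
    writer = ntpath.basename(event.get("Image", "")).lower()
    # An archiver writing an autostart entry usually means the archive
    # escaped its extraction folder, so rank it above other writers.
    return "high" if writer in ARCHIVERS else "medium"

def detect(lines):
    """Return (severity, writing process, dropped file name) per flagged event."""
    hits = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity:
            hits.append((severity, ntpath.basename(event.get("Image", "?")),
                         ntpath.basename(event["TargetFilename"])))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit)
```
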
What Bunny Rating Does it Get?
– Fully Undetected
– Easy to use
– Silent Mode