8

I've noticed that there are a lot of different payloads to choose from in Metasploit, and the choice (assuming there's enough room in the target) usually depends on what you're trying to do.

However, from what I understand the payloads vary in size greatly. How can I determine the size of each payload so that I'll know if they will fit in the exploit? For example, how much room would I need for a bind_tcp v. reverse_tcp? Is meterpreter generally smaller than a bind shell?

Is there a way to determine the typical size of the Metasploit generated payloads for a specific platform?

Freedom_Ben

3 Answers

7

The msfvenom -s or generate command is useful for individual payload sizes. Sometimes you will want to know all the payloads within a certain payload size constraint. For example, if you are developing an exploit and you know you have limited space to carry a payload of, say, 100 bytes, and you want to know all the payloads that are less than or equal to 100 bytes, you can use the payload_lengths.rb tool provided inside the tools/modules/ directory.

root@kali:/opt/metasploit-framework/tools/modules# ./payload_lengths.rb

The above command will show you the size of every payload. If you want to restrict it within a certain size limit, you can always use the handy awk Linux utility:

root@kali:/opt/metasploit-framework/tools/modules# ./payload_lengths.rb | awk ' $2<=100'

This command is going to tell you every payload in the Metasploit framework having a size less than or equal to 100 bytes.

PS: The question has been answered but it is always good to know more than one way to do a certain task!

void_in
1

You could either use the msfpayload command and watch for the line Total size:

msfpayload PAYLOAD O

Or use the generate command inside the Metasploit console and watch for the first line

use payload/PAYLOAD
payload(PAYLOAD) > generate
Adi
0

OK, after digging through the Metasploit tools I found something that works well for this. The msfpayload tool with the O option.

msfpayload <payload-to-check> O

So for example:

msfpayload windows/vncinject/reverse_http O

Will tell you the size of the VNC inject reverse HTTP for Windows. The output for the previous command looks as follows:

       Name: VNC Server (Reflective Injection), Reverse HTTP Stager
     Module: payload/windows/vncinject/reverse_http
    Version: $Revision$
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 336
       Rank: Normal

Provided by:
  sf <stephen_fewer@harmonysecurity.com>
  hdm <hdm@metasploit.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
AUTOVNC   true             yes       Automatically launch VNC viewer if present
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST                      yes       The local listener hostname
LPORT     8080             yes       The local listener port
VNCHOST   127.0.0.1        yes       The local host to use for the VNC proxy
VNCPORT   5900             yes       The local port to use for the VNC proxy

Description:
  Tunnel communication over HTTP, Inject a VNC Dll via a reflective 
  loader (staged)
Freedom_Ben