[framework] inline meterpreter payload

egypt at metasploit.com
Tue Sep 11 17:13:10 CDT 2012


On Tue, Sep 11, 2012 at 4:40 PM, Chip <jeffschips at gmail.com> wrote:
> On 9/11/2012 5:35 PM, egypt at metasploit.com wrote:
>
> On Tue, Sep 11, 2012 at 4:31 PM, Richard Miles
> <richard.k.miles at googlemail.com> wrote:
>
> Hi Joshua
>
> For example, if I use shellcodeexec and it's not detected by AV the first
> stage will be loaded on memory and it will download the second stage (.dll)
> and only run it from memory, right?
>
> Thanks
>
> The executables that Metasploit creates do not contain meterpreter,
> just a stager stub that reads a 4-byte length followed by that many
> bytes of a second stage. In the case of meterpreter, the second stage
> is a Reflective DLL. Anything that can connect to a Metasploit handler
> and follow the same steps will accomplish the same thing.
>
> egypt
>
> I've been looking for this explanation for a long time.  Is there a tutorial
> on how to do exactly that -- connect a home-grown binary to the Metasploit
> handler in the proper fashion so it works?


No tutorials that I know of, but here are the basic steps:

* connect to the handler
* read a 4-byte length
* allocate a length-byte buffer
* mark it as writable and executable (on Windows you'll need VirtualProtect for this)
* read length bytes into that buffer
* jump to the buffer. Easiest way to do this in C is cast it to a function pointer and call it.


Hope this helped,
egypt
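As an added example, not code from this thread or from Metasploit, the following Python parses a captured handler-to-client byte stream under the framing egypt describes (a 4-byte length followed by that many bytes of second stage) and classifies it, the way a network sensor or forensic script might flag a staged payload delivery. It assumes the length is little-endian (the stager reads it natively, and x86 is little-endian) and that a Reflective DLL stage, being a PE image, begins with the MZ magic; the size ceiling and the sample streams are constructed for this example, not real captures.

```python
import struct

# Upper bound on a plausible second-stage size.  A stager following the steps
# in the post allocates a buffer of exactly the announced size, so an absurd
# value is both a red flag and something a sensor should refuse to buffer.
# Constructed threshold for this example, not a Metasploit constant.
MAX_PLAUSIBLE_STAGE = 16 * 1024 * 1024

# A Reflective DLL is a PE image, so the stage begins with the MZ magic.
PE_MAGIC = b"MZ"


def parse_stage_frame(data: bytes) -> dict:
    """Parse the handler->client framing: 4-byte length, then that many bytes.

    Assumption: the length is little-endian, as an x86 stager would read it.
    Returns a dict with a status and whatever stage bytes were recovered.
    """
    if len(data) < 4:
        return {"status": "no_header", "length": None, "stage": b""}
    (length,) = struct.unpack("<I", data[:4])
    if length == 0 or length > MAX_PLAUSIBLE_STAGE:
        # Not the framing we are looking for (or a deliberately huge value).
        return {"status": "implausible_length", "length": length, "stage": b""}
    stage = data[4:4 + length]
    if len(stage) < length:
        # Capture ended before the announced number of bytes arrived.
        return {"status": "truncated", "length": length, "stage": stage}
    return {"status": "complete", "length": length, "stage": stage}


def classify_stream(data: bytes) -> str:
    """Return a verdict string for a captured stream from a suspected handler."""
    frame = parse_stage_frame(data)
    if frame["status"] != "complete":
        return frame["status"]
    if frame["stage"][:2] == PE_MAGIC:
        return "staged_pe_image"      # length-prefixed PE: matches the post's description
    return "staged_opaque_blob"       # length-prefixed, but not a PE image


# Constructed sample streams (not real captures).
SAMPLE_STAGE = PE_MAGIC + bytes(1022)                     # 1024-byte fake PE-looking stage
SAMPLE_STAGED = struct.pack("<I", len(SAMPLE_STAGE)) + SAMPLE_STAGE
SAMPLE_TRUNCATED = SAMPLE_STAGED[:300]                    # connection cut mid-stage
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_OPAQUE = struct.pack("<I", 8) + b"\x90" * 8        # framed, but no PE header

if __name__ == "__main__":
    for name, blob in [("staged", SAMPLE_STAGED), ("truncated", SAMPLE_TRUNCATED),
                       ("http", SAMPLE_HTTP), ("opaque", SAMPLE_OPAQUE)]:
        print(f"{name}: {classify_stream(blob)}")
```

The `implausible_length` guard matters for the same reason it would matter in the stager itself: the protocol trusts the 4-byte prefix completely, so anything that mirrors it (a sensor, a replay tool, a sandbox) needs its own ceiling before allocating. Trailing bytes after the stage are deliberately ignored, since in a real session the post-stage traffic follows on the same connection.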