Metasploit mailing list archives
Re: inline meterpreter payload
From: Richard Miles <richard.k.miles () googlemail com>
Date: Wed, 12 Sep 2012 12:26:22 -0500
Hi egypt

Thanks. In the case of the second stage for meterpreter, I guess that:

A) At point 2 (read a 4-byte length) you remotely check the size of metsrv.dll, correct?

B) At point 5 (read length bytes into that buffer) you are downloading metsrv.dll, correct? Is it transferred as a .DLL? Is there any evasion here? I'm asking because, as someone pointed out, some proxies block .DLL downloads and also some AV gateways may have a signature for metsrv.dll, no?

C) Finally, is it possible to do step 6 (jump to the buffer; the easiest way to do this in C is cast it to a function pointer and call it) with a whole .DLL in that buffer? My previous understanding was that you needed proper shellcode to do it, since a DLL has specific loading that I was not aware could be accomplished by being called in this way. For example, I was not aware that you could store a whole .DLL at "addr" and execute it such as ((void (*)(void))addr)();

Thanks.

On Tue, Sep 11, 2012 at 5:13 PM, <egypt () metasploit com> wrote:
> On Tue, Sep 11, 2012 at 4:40 PM, Chip <jeffschips () gmail com> wrote:
>> On 9/11/2012 5:35 PM, egypt () metasploit com wrote:
>>> On Tue, Sep 11, 2012 at 4:31 PM, Richard Miles <richard.k.miles () googlemail com> wrote:
>>>> Hi Joshua
>>>>
>>>> For example, if I use shellcodeexec and it's not detected by AV, the first stage will be loaded in memory and it will download the second stage (.dll) and only run it from memory, right?
>>>>
>>>> Thanks
>>>
>>> The executables that Metasploit creates do not contain meterpreter, just a stager stub that reads a 4-byte length followed by that many bytes of a second stage. In the case of meterpreter, the second stage is a Reflective DLL. Anything that can connect to a Metasploit handler and follow the same steps will accomplish the same thing.
>>>
>>> egypt
>>> _______________________________________________
>>> https://mail.metasploit.com/mailman/listinfo/framework
>>
>> I've been looking for this explanation for a long time. Is there a tutorial on how to do exactly that -- connect a home-grown binary to the Metasploit handler in the proper fashion so it works?
>
> No tutorials that I know of, but here are the basic steps:
>
> 1- connect to the handler
> 2- read a 4-byte length
> 3- allocate a length-byte buffer
> 4- mark it as writable and executable (on Windows you'll need VirtualProtect for this)
> 5- read length bytes into that buffer
> 6- jump to the buffer. Easiest way to do this in C is cast it to a function pointer and call it.
>
> Hope this helped,
> egypt
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
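Added example (not from the thread or from Metasploit): for a defender who has a captured stream from a handler, this parses the length-prefixed second stage that steps 2 and 5 above describe and classifies whether the stage body is a PE image (what a Reflective DLL stage would look like on the wire) or raw code. It assumes the 4-byte length is little-endian and uses a constructed MZ/PE skeleton as sample input, not a real DLL; the size cap is an assumed sanity limit.

```python
import struct

MAX_STAGE_BYTES = 16 * 1024 * 1024  # assumed sanity cap on the announced length, not from the thread


def parse_stage(stream: bytes, max_stage: int = MAX_STAGE_BYTES):
    """Split a captured stream into (announced length, stage bytes, status).

    Mirrors stager steps 2 and 5: a 4-byte length, then that many bytes.
    The length is assumed little-endian. Status is one of
    "short-header", "oversized", "truncated" or "complete".
    """
    if len(stream) < 4:
        return None, b"", "short-header"
    (length,) = struct.unpack("<I", stream[:4])
    if length > max_stage:
        return length, b"", "oversized"
    body = stream[4:4 + length]
    status = "complete" if len(body) == length else "truncated"
    return length, body, status


def classify_stage(body: bytes) -> str:
    """Tell a PE image (DLL/EXE, as a reflective DLL stage is) from raw code.

    Checks the DOS "MZ" magic and follows e_lfanew to the "PE\\0\\0" signature;
    an MZ header without a valid PE signature is reported separately.
    """
    if len(body) >= 0x40 and body[:2] == b"MZ":
        (e_lfanew,) = struct.unpack("<I", body[0x3C:0x40])
        if body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe-image"
        return "mz-stub"
    return "raw-code"


def build_sample() -> bytes:
    """Constructed test stream: a minimal MZ/PE skeleton with a length prefix."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    stub[0x3C:0x40] = struct.pack("<I", 0x40)          # e_lfanew -> PE signature at 0x40
    stub += b"PE\x00\x00" + b"\x00" * 20               # PE signature plus padding
    return struct.pack("<I", len(stub)) + bytes(stub)  # 4-byte length, then the stage


if __name__ == "__main__":
    length, body, status = parse_stage(build_sample())
    print(length, status, classify_stage(body))
```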