Metasploit mailing list archives
Re: inline meterpreter payload
From: egypt () metasploit com
Date: Wed, 12 Sep 2012 15:10:45 -0500
Answers inline. On Wed, Sep 12, 2012 at 12:26 PM, Richard Miles <richard.k.miles () googlemail com> wrote:
Hi egypt, Thanks. In the case of the second stage for meterpreter, I guess that: A) At point 2 (read a 4-byte length) you remotely check the size of metsrv.dll, correct?
Yes, Metasploit calculates the size of the next stage and sends that as the first four bytes to the stager.
B) At point 5 (read length bytes into that buffer) are you downloading metsrv.dll, correct? Is it transferred as a .DLL? Is there any evasion here? I'm asking because, as someone pointed out, some proxies block .DLL downloads and also some AV gateways may have a signature for metsrv.dll, no?
No, there is no evasion in the dll. That being said, the reverse_tcp stager doesn't go through proxies anyway and the reverse_https stager will grab it from SSL, so proxies shouldn't really matter.
C) Finally, is it possible to do step 6 (jump to the buffer; the easiest way to do this in C is to cast it to a function pointer and call it) with a whole .DLL in that buffer? My previous understanding was that you needed proper shellcode to do it, since a DLL has specific loading requirements that I was not aware could be satisfied by calling it this way. For example, I was not aware that you could store a whole .DLL at "addr" and execute it such as ((void (*)(void))addr)();
That is how Reflective works. It fiddles with the bits in the DLL header and turns it into shellcode. If you want details, I suggest you read the paper mentioned earlier in this thread.
Thanks.
You're welcome.
egypt
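A defender-side illustration of the framing egypt describes above (a 4-byte length, then the stage itself read into a buffer), added here as an example and not code from the original thread or from Metasploit itself: a small checker that takes the bytes a reverse_tcp stager would receive from the handler and reports whether they look like a length-prefixed second stage whose body carries a PE/DOS header. The function names, the size thresholds and the sample streams are constructed for this example; it assumes the patched DLL header still begins with the two-byte "MZ" magic, and, as the reply notes, reverse_https carries the same exchange inside TLS, so this only applies to cleartext captures.

```python
import struct

# The DOS header magic that a reflectively loaded DLL still begins with
# (assumption of this example: the header patching leaves these two bytes).
MAGIC_MZ = b"MZ"

# Constructed plausibility bounds for a stage: metsrv is hundreds of KiB,
# so a tiny or an absurdly large announced length is treated as noise.
MIN_STAGE_LEN = 64 * 1024
MAX_STAGE_LEN = 64 * 1024 * 1024


def parse_stage_frame(stream: bytes):
    """Split a captured handler->stager stream into (announced_len, body).

    The stager reads exactly four bytes, treats them as a little-endian
    length, then reads that many bytes into a fresh buffer.  Returns None
    when the stream is too short to carry even the length prefix.
    """
    if len(stream) < 4:
        return None
    (announced,) = struct.unpack("<I", stream[:4])
    return announced, stream[4:]


def looks_like_staged_dll(stream: bytes) -> bool:
    """Heuristic: does this stream look like a length-prefixed stage DLL?

    Three things must agree: the announced length is plausible for a DLL,
    the capture actually contains at least that many body bytes (the stage
    is followed by further traffic on the same socket, so more is fine),
    and the body starts with the "MZ" magic of a DOS/PE header.
    """
    parsed = parse_stage_frame(stream)
    if parsed is None:
        return False
    announced, body = parsed
    if announced < MIN_STAGE_LEN or announced > MAX_STAGE_LEN:
        return False
    if len(body) < announced:
        return False  # truncated capture: the stager would still be reading
    return body.startswith(MAGIC_MZ)


def build_frame(body: bytes) -> bytes:
    """Constructed helper: prefix a body with its 4-byte little-endian length."""
    return struct.pack("<I", len(body)) + body
```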