Metasploit mailing list archives

msfpayload - Replacing Shell Code in Exploit


From: hdm at metasploit.com (H D Moore)
Date: Sat, 07 Feb 2009 18:14:24 -0600

On Sat, 2009-02-07 at 15:30 +0100, Florian Roth wrote:
> Can anyone explain how to handle 2-stage shell code (meterpreter) or
> how to integrate it in the working exploit?

There is more to it than just sending the right bytes. 

1. Send the stager (reverse|bind) in the exploit itself
2. Handle the connection to the stager, send a middle stager
3. Transfer the 2000+ byte DLL injection stage using the middle stager
4. Transfer the Meterpreter DLL using the DLL injection stager
5. Communicate over the port using the Meterpreter API/protocol
6. Use this protocol to load stdapi, priv, etc.

In the 2-part stage above (shell), send the first part in the exploit,
and once the connection is established, send the second part, and you
have your shell. If you don't want a staged payload, generate
windows/shell_(reverse|bind)_tcp instead.

-HD
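The delivery sequence in steps 1 to 4 above leaves a recognisable shape on the wire: a tiny stager opens a connection and then receives a multi-kilobyte stage without having sent anything itself. The following is an added example from a defender's side, not code from HD's post or from the Metasploit project; it assumes a constructed record format of one tuple per transfer, (timestamp, src, dst, nbytes), with endpoints as "ip:port" strings, and flags flows where one side pushes 2000 or more bytes into a peer that has still sent nothing.

```python
from collections import defaultdict

STAGE_MIN_BYTES = 2000  # the "2000+ byte DLL injection stage" from the thread


def flow_key(src, dst):
    """Canonical key so both directions of one connection share a flow."""
    return tuple(sorted((src, dst)))


def find_staged_deliveries(records, stage_min=STAGE_MIN_BYTES):
    """Return flow keys where one endpoint pushed >= stage_min bytes before
    the other endpoint had sent a single byte. A reverse stager connects out
    and receives the stage in silence; a bind stager listens and the
    connecting side pushes it. Both match, since the check ignores who
    opened the connection and only looks at who spoke first."""
    flows = defaultdict(list)
    for _ts, src, dst, nbytes in sorted(records):
        flows[flow_key(src, dst)].append((src, nbytes))
    hits = []
    for key, transfers in flows.items():
        sent = defaultdict(int)  # bytes per sending endpoint, in time order
        for sender, nbytes in transfers:
            sent[sender] += nbytes
            other_side_bytes = sum(v for s, v in sent.items() if s != sender)
            if other_side_bytes > 0:
                break  # both sides have spoken: ordinary request/response
            if sent[sender] >= stage_min:
                hits.append(key)  # large one-way push into a silent peer
                break
    return hits


# Constructed sample transfers (timestamp, src, dst, nbytes); not real traffic.
SAMPLE_RECORDS = [
    # reverse stager: victim connects out, listener sends 4-byte length + stage
    (1.00, "203.0.113.7:4444", "10.0.0.5:49152", 4),
    (1.01, "203.0.113.7:4444", "10.0.0.5:49152", 2176),
    # plain HTTP: the client asks first, so the big reply is expected
    (2.00, "10.0.0.5:49153", "93.184.216.34:80", 312),
    (2.05, "93.184.216.34:80", "10.0.0.5:49153", 48000),
    # SSH: a tiny server banner, then the client answers before anything large
    (3.00, "10.0.0.9:22", "10.0.0.5:49154", 41),
    (3.01, "10.0.0.5:49154", "10.0.0.9:22", 38),
    (3.02, "10.0.0.9:22", "10.0.0.5:49154", 1500),
]

if __name__ == "__main__":
    for a, b in find_staged_deliveries(SAMPLE_RECORDS):
        print(f"possible staged payload delivery between {a} and {b}")
```

Only the stager flow is reported; the HTTP and SSH flows both have the quiet side speak before anything large arrives, which is what separates a stage push from a normal response.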
