Re: inline meterpreter payload

[Richard Miles <richard.k.miles () googlemail com>]

Hi Joshua

For example, if I use shellcodeexec and it's not detected by AV the first
stage will be loaded on memory and it will download the second stage (.dll)
and only run it from memory, right?

Thanks

On Tue, Sep 11, 2012 at 4:16 PM, Joshua Smith <lazydj98 () gmail com> wrote:

> All meterpreter dll's are loaded and run directly in memory, usually via
> reflective dll injection.  Assuming meterpreter is launched via an exploit.
>  If you write meterpreter to disk as an executable etc, then obviously AV
> will typically have a field day with it.
>
> -Josh
>
> On Sep 11, 2012, at 4:04 PM, Richard Miles wrote:
>
> Hi,
>
> So everytime that meterpreter is executed a .dll is transfered? Is this
> metsrv.dll static on the Metasploit tree? If yes, why the AVs do not detect
> it easily every time? Is this DLL loaded directly from memory (never
> touching the disk) by the stager1?
>
> Thanks
>
> On Fri, Sep 7, 2012 at 7:57 AM, Sherif El-Deeb <archeldeeb () gmail com>wrote:
>
> > AFAIK there's no way to create a single stage meterpreter currently, I
> > did however try to hard code all the parameters, and compile the metsrv.dll
> > as an exe along with all the necessary changes "winmain, compiler
> > settings... Etc." But still working on it and will.post back the steps
> > once/if I succeed.
> > It should not be that difficult to be implemented in the framework I
> > guess "the inline meterpreter", but will only be good as a stand alone exe
> > since I cannot think of an exploit that has space for such a gigantic
> > payload :)
> >
> > @HD: can we please have an inline meterpreter payload that overcomes all
> > the issues of getting the second stage? "e.g. Internet gateways that do not
> > allow dll files to be downloaded..." Instead of banging our heads against
> > the wall compiling an exe from meterpreter's source?
> > On Sep 7, 2012 2:14 PM, "_Vlad_" <karavay () gmail com> wrote:
> >
> > > Good day to all,
> > >
> > >
> > > have got 2 questions (which i did post on rapid7 but got no reply so
> > > i'll rephase it abit ):
> > >
> > >
> > > 1 ) Is there a method to generate inline (all in one ) meterpreter
> > > (reverse_https for example) PE through msfpayload ,as by default it only
> > > spits out the Stager (1st stage).
> > > 2 ) does meterpreters 1 st stage (the initial stager) provides an
> > > encrypted channel for meterpreter core loading (i belive its "reflective"
> > > stub which handles it ) i know it does implement TLS at later stages?
> > >
> > > Look forward to any feedback on this,
> > >
> > > Thanks,
> > >
> > >
> > > --
> > > Regards Vlad,
> > >
> > > ----------------------------------------------------------------
> > > Public key - Version: GnuPG v1.4.7 (GNU/Linux)
> > >
> > > Download:
> > >
> > >
> > > http://keyserver.veridis.com:11371/export?id=8855460614872382293&created=1201896764000
> > >
> > > Description:
> > >
> > >
> > > http://keyserver.veridis.com:11371/search?q=vlad.O&searchformsubmit=Search
> > >
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
>
>
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework