Metasploit mailing list archives

Re: inline meterpreter payload


From: Stephen Haywood <stephen () averagesecurityguy info>
Date: Tue, 11 Sep 2012 19:38:48 -0400

You can download it at http://github.com/averagesecurityguy/scripts

Stephen Haywood
Information Security Consultant
W: www.averagesecurityguy.info
T: @averagesecguy

On Sep 11, 2012, at 7:37 PM, Stephen Haywood
<stephen () averagesecurityguy info> wrote:

I've got a C program that does exactly that but have never been able
to get it to connect back to Metasploit after the second stage is
executed.

Stephen Haywood
Information Security Consultant
W: www.averagesecurityguy.info
T: @averagesecguy

On Sep 11, 2012, at 6:14 PM, "egypt () metasploit com"
<egypt () metasploit com> wrote:

On Tue, Sep 11, 2012 at 4:40 PM, Chip <jeffschips () gmail com> wrote:
On 9/11/2012 5:35 PM, egypt () metasploit com wrote:

On Tue, Sep 11, 2012 at 4:31 PM, Richard Miles
<richard.k.miles () googlemail com> wrote:

Hi Joshua

For example, if I use shellcodeexec and it's not detected by AV the first
stage will be loaded on memory and it will download the second stage (.dll)
and only run it from memory, right?

Thanks

The executables that Metasploit creates do not contain meterpreter,
just a stager stub that reads a 4-byte length followed by that many
bytes of a second stage. In the case of meterpreter, the second stage
is a Reflective DLL. Anything that can connect to a Metasploit handler
and follow the same steps will accomplish the same thing.

egypt
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

I've been looking for this explanation for a long time.  Is there a tutorial
on how to do exactly that -- connect a home-grown binary to the Metasploit
handler in the proper fashion so it works?


No tutorials that I know of, but here are the basic steps:

* connect to the handler
* read a 4-byte length
* allocate a length-byte buffer
* mark it as writable and executable (on Windows you'll need
VirtualProtect for this)
* read length bytes into that buffer
* jump to the buffer. easiest way to do this in C is cast it to a
function pointer and call it.


Hope this helped,
egypt

