Metasploit mailing list archives

Re: inline meterpreter payload


From: Joshua Smith <lazydj98 () gmail com>
Date: Wed, 12 Sep 2012 12:08:56 -0500

I updated the gist with this info
https://gist.github.com/3702565 

-Josh

On Sep 12, 2012, at 11:07, Michael Schierl <schierlm () gmx de> wrote:

[resent message as I was subscribed with the wrong email address]

On 12.09.2012 01:37, Stephen Haywood wrote:
I've got a C program that does exactly that but have never been able
to get it to connect back to Metasploit after the second stage is
executed.

Assuming this is for X86 arch, you have to make sure that the EDI
register contains your socket descriptor (the value of the ConnectSocket
variable). You can do this via inline asm, but it might be easier to
just prepend the 5 bytes for setting it to your shellcode:

BF 78 56 34 12           mov edi, 0x12345678

For 64 bit, you have to use the RDI register (and need 10 bytes):

48 BF 78 56 34 12 00 00 00 00     mov rdi, 0x12345678


Hope this helps,


Michael

PS: This is the reason why the calling convention within Metasploit is
called "sockedi" :-)
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework