Metasploit mailing list archives

Re: inline meterpreter payload


From: egypt () metasploit com
Date: Wed, 12 Sep 2012 15:10:45 -0500

Answers inline.

On Wed, Sep 12, 2012 at 12:26 PM, Richard Miles
<richard.k.miles () googlemail com> wrote:
> Hi egypt
>
> Thanks. In the case of the second stage for meterpreter, I guess that:
>
> A) At point 2 (read a 4-byte length) you remotely check the size of
> metsrv.dll, correct?

Yes, Metasploit calculates the size of the next stage and sends that as
the first four bytes to the stager.


> B) At point 5 (read length bytes into that buffer) are you downloading
> metsrv.dll, correct? Is it transferred as a .DLL? Is there any evasion
> here? I'm asking because, as someone pointed out, some proxies block .DLL
> downloads, and also some AV gateways may have a signature for metsrv.dll, no?

No, there is no evasion in the dll.  That being said, the reverse_tcp
stager doesn't go through proxies anyway and the reverse_https stager
will grab it from SSL, so proxies shouldn't really matter.


> C) Finally, is it possible to do step 6 (jump to the buffer; the easiest way to
> do this in C is to cast it to a function pointer and call it) with a whole
> .DLL in that buffer? My previous understanding is that you needed proper
> shellcode to do it, since a DLL has specific loading requirements that I was
> not aware could be satisfied by being called this way.
>
> For example, I was not aware that you could store a whole .DLL at "addr" and
> execute it such as ((void (*)(void))addr)();

That is how Reflective works.  It fiddles with the bits in the DLL
header and turns it into shellcode.  If you want details, I suggest you
read the paper mentioned earlier in this thread.


> Thanks.


You're welcome.

egypt
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
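The staging exchange egypt describes above (a 4-byte length, then that many bytes, which for meterpreter is the DLL itself with no evasion applied) is exactly what a network sensor on the reverse_tcp path can key on. The following is an added example, not Metasploit's code or anything posted in this thread: it parses a captured stage stream with that framing and reports whether the body carries a PE image (DOS "MZ" header whose e_lfanew points at the "PE\0\0" signature), a raw code blob, or a truncated transfer. The little-endian byte order of the length prefix and the minimal fake PE image used as sample input are assumptions constructed for this example. As egypt notes, this only helps on the plain-TCP stager; the reverse_https stage travels inside TLS.

```python
import struct


def make_fake_pe_image(payload_size: int = 64) -> bytes:
    """Constructed stand-in for a DLL stage (assumption, not a real DLL):
    a 64-byte DOS header whose e_lfanew field (offset 0x3C) points at a
    'PE\\0\\0' signature placed right after it, followed by zero filler."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(dos_header) + b"PE\0\0" + b"\x00" * payload_size


def frame_stage(stage: bytes) -> bytes:
    """Length-prefix a stage the way the thread describes the stager reading it:
    a 4-byte length first, then that many bytes. Little-endian is an assumption."""
    return struct.pack("<I", len(stage)) + stage


def parse_stage(stream: bytes):
    """Split a captured stream into (declared_length, body, complete).
    Raises if the capture does not even contain the 4-byte length prefix."""
    if len(stream) < 4:
        raise ValueError("stream shorter than the 4-byte length prefix")
    (declared,) = struct.unpack("<I", stream[:4])
    body = stream[4:4 + declared]
    return declared, body, len(body) == declared


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_stage(stream: bytes) -> str:
    """Label a length-prefixed stage: PE image, raw code, or truncated capture."""
    declared, body, complete = parse_stage(stream)
    if not complete:
        return f"truncated ({len(body)} of {declared} bytes)"
    if looks_like_pe(body):
        return "pe-image"
    return "raw-code"


# Constructed sample captures (not real traffic):
SAMPLE_PE_STREAM = frame_stage(make_fake_pe_image())      # DLL-style second stage
SAMPLE_RAW_STREAM = frame_stage(b"\x90" * 32)             # arbitrary non-PE filler
SAMPLE_TRUNCATED_STREAM = SAMPLE_PE_STREAM[:40]           # capture cut off mid-transfer


if __name__ == "__main__":
    for name, stream in [("pe", SAMPLE_PE_STREAM),
                         ("raw", SAMPLE_RAW_STREAM),
                         ("truncated", SAMPLE_TRUNCATED_STREAM)]:
        print(f"{name:>10}: {classify_stage(stream)}")
```

The truncated case matters in practice: a sensor that only sees the first few packets still learns the declared stage size from the prefix and can flag a length far larger than any legitimate short exchange on that port, even before the body arrives.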

