Home page logo

metasploit logo Metasploit mailing list archives

Re: inline meterpreter payload
From: egypt () metasploit com
Date: Wed, 12 Sep 2012 15:10:45 -0500

Answers inline.

On Wed, Sep 12, 2012 at 12:26 PM, Richard Miles
<richard.k.miles () googlemail com> wrote:
Hi egypt

Thanks. In the case of the second stage for meterpreter, I guess that:

A) At point 2 (read a 4-byte length) you remotely check the size of
metsrv.dll, correct?

Yes, Metasploit calculates the size of the next stage and sends that as
the first four bytes to the stager.

B) At point 5 ( read length bytes into that buffer) are you downloading
metsrv.dll, correct? Is it transferred as a .DLL ? Is there any evasion
here? I'm asking because as someone pointed out some proxies blocks .DLL
downloads and also some AV gateways may have signature for metsrv.dll, not?

No, there is no evasion in the dll.  That being said, the reverse_tcp
stager doesn't
go through proxies anyway and the reverse_https stager will grab it
from SSL, so
proxies shouldn't really matter.

C) Finally, is it possible to do step 6 ( jump to the buffer. easiest way to
do this in C is cast it to a function pointer and call it.) with a whole
.DLL in that buffer? My previous understand is that you needed a proper
shellcode to do it, since a DLL as specific loading that I was not aware
that could be accomplished by being called on this way.

For example, I was not aware that you could store a whole .DLL at "addr" and
execute it such as ((void (*)(void))addr)();

That is how Reflective works.  It fiddles with the bits in the DLL
header and turns it
into shellcode.  If you want details, I suggest you read the paper
mentioned earlier
in this thread.


You're welcome.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]