Re: inline meterpreter payload
From: egypt () metasploit com
Date: Wed, 12 Sep 2012 15:10:45 -0500
On Wed, Sep 12, 2012 at 12:26 PM, Richard Miles
<richard.k.miles () googlemail com> wrote:
> Thanks. In the case of the second stage for meterpreter, I guess that:
> A) At point 2 (read a 4-byte length) you remotely check the size of
Yes, Metasploit calculates the size of the next stage and sends that as
the first four bytes to the stager.
> B) At point 5 (read length bytes into that buffer) are you downloading
> metsrv.dll, correct? Is it transferred as a .DLL? Is there any evasion
> here? I'm asking because, as someone pointed out, some proxies block .DLL
> downloads, and also some AV gateways may have a signature for metsrv.dll, no?
No, there is no evasion in the dll. That being said, the reverse_tcp stager
won't go through proxies anyway and the reverse_https stager will grab it
over SSL, so proxies shouldn't really matter.
> C) Finally, is it possible to do step 6 (jump to the buffer; the easiest way to
> do this in C is to cast it to a function pointer and call it) with a whole
> .DLL in that buffer? My previous understanding was that you needed proper
> shellcode to do it, since a DLL has specific loading that I was not aware
> could be accomplished by being called in this way.
> For example, I was not aware that you could store a whole .DLL at "addr" and
> execute it such as ((void (*)(void))addr)();
That is how Reflective works. It fiddles with the bits in the DLL header and
turns it into shellcode. If you want details, I suggest you read the paper
in this thread.
Re: inline meterpreter payload HD Moore (Sep 07)
Re: inline meterpreter payload Raphael Mudge - Raffi's House of Shells (Sep 13)