Metasploit mailing list archives

Re: inline meterpreter payload
From: Richard Miles <richard.k.miles () googlemail com>
Date: Thu, 13 Sep 2012 09:31:30 -0500

Hi Raphael

This is nice, especially if it's working with meterpreter.

Based on this I'm curious now. I looked into your code and you do exactly
what was described, and before I was thinking that there was just one .dll
for all meterpreters and that somehow it used the first stage connection. But
now, looking at your code and Egypt's description, I think it's not possible;
I guess that there exists one .dll compiled for each meterpreter payload. Is it

The virustotal output of your file is good

Thanks for sharing.

On Wed, Sep 12, 2012 at 11:02 PM, Raphael Mudge - Raffi's House of Shells <
contact () fastandeasyhacking com> wrote:

If anyone feels like playing, here's a working loader based on this


It doesn't do too bad on virustotal either:


I tried connecting it to a handler for a shell payload and it died.
Any thoughts as to why? Works fine with meterpreter though.

-- Raphael

On Wed, Sep 12, 2012 at 1:00 PM,
<framework-request () spool metasploit com> wrote:

Date: Wed, 12 Sep 2012 18:07:45 +0200
From: Michael Schierl <schierlm () gmx de>
To: Stephen Haywood <stephen () averagesecurityguy info>
Cc: "framework () spool metasploit com" <framework () spool metasploit com>
Subject: Re: [framework] inline meterpreter payload
Message-ID: <5050B351.2040503 () gmx de>
Content-Type: text/plain; charset=ISO-8859-1

[resent message as I was subscribed with the wrong email address]

On 12.09.2012 01:37, Stephen Haywood wrote:
I've got a C program that does exactly that but have never been able
to get it to connect back to Metasploit after the second stage is

Assuming this is for X86 arch, you have to make sure that the EDI
register contains your socket descriptor (the value of the ConnectSocket
variable). You can do this via inline asm, but it might be easier to
just prepend the 5 bytes for setting it to your shellcode:

BF 78 56 34 12           mov edi, 0x12345678

For 64 bit, you have to use the RDI register (and need 10 bytes):

48 BF 78 56 34 12 00 00 00 00     mov rdi, 0x12345678

Hope this helps,


PS: This is the reason why the calling convention within Metasploit is
called "sockedi" :-)
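The encodings Michael quotes (BF imm32 for mov edi, 48 BF imm64 for mov rdi) are also useful from the analysis side: a stage buffer recovered from a process dump or a network capture that begins with one of these prefixes reveals the descriptor the loader handed to the second stage. The following is an added example, not code from the thread or from Metasploit; the sample buffers are constructed from the byte sequences quoted above, and the `plausible_fd` threshold is a heuristic I chose, not a documented limit.

```python
import struct

# Opcode bytes quoted in the thread:
#   BF imm32       -> mov edi, imm32 (x86, 5 bytes)
#   48 BF imm64    -> mov rdi, imm64 (x64, REX.W + BF, 10 bytes)
X86_MOV_EDI = b"\xBF"
X64_MOV_RDI = b"\x48\xBF"


def parse_sockedi_prefix(stage):
    """Check whether a captured stage buffer starts with the 'sockedi' prefix.

    Returns (arch, socket_value, prefix_len) on a match, otherwise None.
    The x64 form is tested first because its second byte is the x86 opcode.
    """
    if stage.startswith(X64_MOV_RDI) and len(stage) >= 10:
        (sock,) = struct.unpack_from("<Q", stage, 2)   # little-endian imm64
        return ("x64", sock, 10)
    if stage.startswith(X86_MOV_EDI) and len(stage) >= 5:
        (sock,) = struct.unpack_from("<I", stage, 1)   # little-endian imm32
        return ("x86", sock, 5)
    return None


def triage(stage):
    """Summarize a buffer for an analyst.

    Reports whether the sockedi prefix is present, which architecture it
    targets, the descriptor value, and whether that value looks like a real
    socket handle (small integer) rather than a pointer or placeholder.
    The 0x10000 cutoff is a heuristic assumption, not a documented bound.
    """
    hit = parse_sockedi_prefix(stage)
    if hit is None:
        return {"sockedi_prefix": False}
    arch, sock, n = hit
    return {
        "sockedi_prefix": True,
        "arch": arch,
        "socket": sock,
        "prefix_len": n,
        "plausible_fd": sock < 0x10000,
        "stage_body": stage[n:],   # bytes that follow the prefix
    }


# Constructed samples: the two encodings quoted in the thread (socket
# 0x12345678) followed by a stand-in body, and a buffer with no prefix.
SAMPLE_X86 = bytes.fromhex("BF78563412") + b"\xCC" * 4
SAMPLE_X64 = bytes.fromhex("48BF7856341200000000") + b"\xCC" * 4
SAMPLE_NONE = b"\x90" * 5

if __name__ == "__main__":
    for name, buf in (("x86", SAMPLE_X86), ("x64", SAMPLE_X64), ("none", SAMPLE_NONE)):
        print(name, triage(buf))
```

On a real dump the interesting output is `plausible_fd`: the thread's placeholder 0x12345678 is flagged as implausible, whereas a loader that actually patched in its ConnectSocket value yields a small number that can be matched against the handle table or connection list of the process.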

