Recently, there was an interesting discussion on the metasploit-framework mailing list about the staging protocol for Meterpreter. egypt let loose with some wisdom about what it would take to write a client to download and execute a payload from a Metasploit Framework multi/handler. mihi completed the discussion by advising where to place the socket value, so meterpreter could pick it up.

The basic process is:

  1. Connect to the multi/handler
  2. Read the length of the payload into a 4 byte unsigned integer in native byte order
  3. allocate a buffer with Read, Write, and Execute access
  4. copy the socket file descriptor from step 1 to the EDI register
  5. Read the payload from the socket into our buffer
  6. Cast the buffer to a function and call it

My ears perked up at this discussion, because it’s something I knew I’d have to dig into soon. Our friends at the anti-virus companies are doing a great job of picking up Metasploit’s stager, no matter how it’s encoded or which template executable I throw at it. Trust me, I tried. Before releasing Cobalt Strike, I had this idea to license a multi-AV engine and operate a cloud service to encode binaries again and again until they were clean. The prototype of this idea was a complete failure. Since then, I’ve been meaning to investigate writing my own client.

Armed with this guidance, I wrote a quick client for a Metasploit reverse_tcp multi/handler. The code is on GitHub.

If you’d like more information on how AV is picking up executables generated by the Metasploit Framework, read Facts and myths about antivirus evasion with Metasploit.