Building in the Meterpreter .dll

Today we are releasing a few new modules that take a slightly different approach to payload delivery.  Please welcome the shellcode-less python/MeterHTTPContained and python/MeterHTTPSContained modules, which encapsulate the meterpreter .dll within a python payload.

These payloads read in the meterpreter metsrv.dll from the Metasploit install path, binary patch in some header information, an agent string, communication/expiration timeouts, ssl information, and finally the address/port of the metasploit handler. The binary data of the .dll is then compressed using zlib and transformed into a base64 string, and a launcher is built that decompresses the .dll and injects it into memory. Since the meterpreter .dll is built for reflective injection, it will take over execution from there.

reverse_http_contained

One detail that was glossed over: meterpreter’s checkin for reverse_http and reverse_https aren’t quite a simple as “connect and read”. Various URI’s with varying checksums are sent depending on communication state. Normally, a stager checks in with a handler, receives the meterpreter .dll as a response, and starts comms. So how do we ‘trick’ the handler into not sending the full .dll? We use the already-established comms checksum value, which will register the stager as an ‘orphaned session’ and reattach it to the particular handler.

reverse_http_checksum

For anyone interested in the technical details, the metasploit reverse_http/https handler is located at /usr/share/metasploit-framework/lib/msf/core/handler/reverse_http.rb . URI_CHECKSUM_CONN is the checksum value for established comms that we use to generate our initial URI, and generate_uri_checksum(sum) is the short checksum algorithm that the handler uses. The checksum was ported over to python so we can generate unique checkins instead of hardcoding values.

 

2 thoughts on “Building in the Meterpreter .dll

Leave a Reply