
A loader for Metasploit’s Meterpreter

September 13, 2012

Recently, there was an interesting discussion on the metasploit-framework mailing list about the staging protocol for Meterpreter. egypt let loose with some wisdom about what it would take to write a client to download and execute a payload from a Metasploit Framework multi/handler. mihi completed the discussion by advising where to place the socket value so that the Meterpreter stage could pick it up.

The basic process is:

  1. Connect to the multi/handler
  2. Read the length of the payload into a 4-byte unsigned integer in native byte order
  3. Allocate a buffer with read, write, and execute access
  4. Copy the socket file descriptor from step 1 to the EDI register
  5. Read the payload from the socket into our buffer
  6. Cast the buffer to a function and call it
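
The framing from steps 2 and 5 is simple enough to parse on the wire, which is useful on the monitoring side. The following is an added example (not the post's loader or Metasploit's code): a parser for the handler-to-client stream that checks the 4-byte little-endian length prefix against the bytes that follow, plus a size-bounded heuristic a network monitor could use to flag a session that looks like a stage transfer. The size bounds and all sample data are constructed assumptions.

```python
import struct

# Added example: parser for the reverse_tcp staging frame described in the post.
# The handler sends a 4-byte unsigned length in native byte order (little-endian
# on x86, hence "<I"), then exactly that many bytes of stage. All sample data
# below is constructed; no real Meterpreter stage is embedded.

# Size bounds are assumptions for a heuristic, not Metasploit constants: a stage
# is far larger than a handshake and far smaller than a typical file transfer.
MIN_STAGE_LEN = 1024
MAX_STAGE_LEN = 16 * 1024 * 1024


def frame_stage(stage: bytes) -> bytes:
    """Build what a handler would send for `stage` (used to construct test data)."""
    return struct.pack("<I", len(stage)) + stage


def parse_stage_frame(stream: bytes):
    """Parse the handler-to-client bytes of one session.

    Returns (status, declared_length, stage_bytes); status is 'too_short'
    (no complete length field), 'truncated' (capture ended before the stage
    finished), 'trailing' (bytes after the declared stage) or 'complete'.
    """
    if len(stream) < 4:
        return ("too_short", None, b"")
    (declared,) = struct.unpack("<I", stream[:4])
    body = stream[4:]
    if len(body) < declared:
        return ("truncated", declared, body)
    if len(body) > declared:
        return ("trailing", declared, body[:declared])
    return ("complete", declared, body)


def looks_like_stage_transfer(stream: bytes) -> bool:
    """Heuristic for a network monitor: does the server's first message frame the
    rest of the session as one length-prefixed blob of plausible size?
    Any length-prefixed protocol can match, so treat a hit as a lead, not proof."""
    status, declared, _ = parse_stage_frame(stream)
    return status == "complete" and MIN_STAGE_LEN <= declared <= MAX_STAGE_LEN


if __name__ == "__main__":
    # Constructed sessions: a fake 4 KiB stage and an ordinary HTTP response.
    fake = frame_stage(b"A" * 4096)
    http = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    print(looks_like_stage_transfer(fake), looks_like_stage_transfer(http))
```

A capture that ends mid-stage comes back as 'truncated', which is the common case when a sensor only sees the first few packets, so a monitor should record the declared length rather than discard the session.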

My ears perked up at this discussion, because it’s something I knew I’d have to dig into soon. Our friends at the anti-virus companies are doing a great job of picking up Metasploit’s stager, no matter how it’s encoded or which template executable I throw at it. Trust me, I tried. Before releasing Cobalt Strike, I had this idea to license a multi-AV engine and operate a cloud service to encode binaries again and again until they were clean. The prototype of this idea was a complete failure. Since then, I’ve been meaning to investigate writing my own client.

Armed with this guidance, I wrote a quick client for a Metasploit reverse_tcp multi/handler. The code is on GitHub.

If you’d like more information on how AV is picking up executables generated by the Metasploit Framework, read Facts and myths about antivirus evasion with Metasploit.

3 comments

  1. I used a PE Crypter, and evaded AV easily. It used AES encryption with a small cipher key which was decrypted at the time of execution. Was a great idea. More info: http://3ncrypt0r.blogspot.in/2012/09/byepassing-avs-with-pe-crypters.html


    • Good information. The purpose of this post wasn’t really to talk much about an anti-AV solution. I included the AV information because I thought it was interesting how a binary that is functionally equivalent to the code we’re usually obfuscating passes most antivirus without any obfuscation.


  2. Hi rsmudge,
    Is it possible to hardcode the IP address and port in it? So we just double-click it and get a shell.


