public
Created

Connecting a custom binary to the Meterpreter handler

  • Download Gist
custom_meterp_bind.txt
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
* connect to the handler
* read a 4-byte length
* allocate a length-byte buffer
* mark it as writable and executable (on Windows you'll need VirtualProtect for this)
* read length bytes into that buffer
* jump to the buffer. easiest way to do this in C is cast it to a function pointer and call it.
 
via egypt
 
Assuming x86 arch, you have to make sure that the EDI register contains your socket descriptor (the value of the ConnectSocket variable). You can do this via inline asm, but it might be easier to just prepend the 5 bytes for setting it to your shellcode:
 
BF 78 56 34 12  mov edi, 0x12345678
 
For 64 bit, you have to use the RDI register (and need 10 bytes):
 
48 BF 78 56 34 12 00 00 00 00 mov rdi, 0x12345678
 
PS: This is the reason why the calling convention within Metasploit is
called "sockedi"
 
Via Michael Schierl

Please sign in to comment on this gist.

Something went wrong with that request. Please try again.