mirror of
https://github.com/rapid7/metasploit-payloads
synced 2025-02-28 06:13:03 +01:00

The last issue we had in removing the OpenSSL library from Windows meterp is making it so that reconnects would behave. With a staged listener, the first thing that gets sent down the wire is metsrv.dll. As a result, when a fully staged connect comes in (whether it be from a stageless payload, from a transport switch or from a sleeping session waking up), Meterpreter needs to handle the case that the data coming down the wire is not actually a TLV packet, and hence ignore it. This "hack" abuses the properties of the XOR key for the packet, relying on the fact that the XOR key will never contain NULL bytes and that the first 4 bytes from a staged listener start with the length of the metsrv DLL, which is small enough to result in a NULL byte in the MSB position. If we see a NULL byte in that position, we assume it's the metsrv header coming in, and we just ignore it and move on. If the XOR key looks legit, we assume it's a valid TLV packet. Dirty, but it's quick and it works!
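The framing heuristic described in the commit message above, as an added C example that is not code from the metasploit-payloads repository: `classify_header`, `put_le32` and `stage_length_detectable` are hypothetical names, and the sample XOR key and DLL length are constructed. It also shows where the heuristic stops working: a stage DLL of 16 MiB or more has a non-NULL MSB in its little-endian length and would be mistaken for a TLV XOR key.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* What the first 4 bytes read from a fully staged connection look like. */
typedef enum {
    HDR_STAGE_LENGTH, /* little-endian length of metsrv.dll: discard it   */
    HDR_TLV_XOR_KEY,  /* XOR key of a TLV packet: process it normally     */
    HDR_TOO_SHORT     /* fewer than 4 bytes available: read more first    */
} header_kind_t;

/* Hypothetical helper implementing the commit's heuristic. The XOR key is
 * assumed to never contain a NULL byte, while the DLL length prefix is
 * little-endian, so its most significant byte sits at index 3 and is 0
 * for any DLL smaller than 16 MiB (0x01000000). */
header_kind_t classify_header(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 4)
        return HDR_TOO_SHORT;
    return buf[3] == 0 ? HDR_STAGE_LENGTH : HDR_TLV_XOR_KEY;
}

/* Encode a 32-bit value as the little-endian length prefix a staged
 * listener sends ahead of the DLL. */
void put_le32(uint8_t out[4], uint32_t v)
{
    out[0] = (uint8_t)(v & 0xff);
    out[1] = (uint8_t)((v >> 8) & 0xff);
    out[2] = (uint8_t)((v >> 16) & 0xff);
    out[3] = (uint8_t)((v >> 24) & 0xff);
}

/* True if a stage DLL of dll_len bytes would be recognised as a stage
 * header by the heuristic; false means it would be misread as a TLV
 * XOR key, which is the limit of the "hack". */
bool stage_length_detectable(uint32_t dll_len)
{
    uint8_t hdr[4];
    put_le32(hdr, dll_len);
    return classify_header(hdr, sizeof hdr) == HDR_STAGE_LENGTH;
}

/* Constructed sample inputs for a stand-alone run. */
static const uint8_t sample_stage_hdr[4] = { 0xa0, 0xd2, 0x0b, 0x00 }; /* 0x000bd2a0 bytes */
static const uint8_t sample_xor_key[4]   = { 0x5a, 0x13, 0xc7, 0x9e }; /* no NULL bytes */

int main(void)
{
    return (classify_header(sample_stage_hdr, 4) == HDR_STAGE_LENGTH &&
            classify_header(sample_xor_key, 4) == HDR_TLV_XOR_KEY) ? 0 : 1;
}
```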
This is a unified repository for different Metasploit Framework payloads, which merges these repositories:
The Native Linux / Posix payload, Mettle, currently is developed at https://github.com/rapid7/mettle (to be moved here at some point?)
See the individual directories for meterpreter-specific README, build instructions and license details: