Skip to content

Meterpreter HTTP Communication

HD Moore edited this page Jun 25, 2015 · 9 revisions

The Meterpreter payload supports a number of transport, including reverse_http and reverse_https. This document describes how these transports work.

During the generation process for a new reverse_http or reverse_https payload, an initial connect-back URL will be created. This URL will be either "short" or "long" and the 8-bit checksum of this URL will be set to one of the INIT_* constants defined in the UriChecksum mixin. The URL will be generated using the Base64Url character set. The "short" URL will always be 5 bytes in length while the "long" URL will be between 30 and 128 bytes in length. Which variant is used is determined by the space constraints of the exploit that generates the payload. The "long" URL can also include an embedded Payload UUID.

The HTTP handler within Metasploit will receive the request for the initial URL, determine which INIT_* checksum it correlates to, extract any embedded Payload UUID, and then respond with either the second stage for staged payloads or a new URL for stageless payloads. The new URL is generated by the handler, will embed any Payload UUID that was included in the original request, and will hash to the value defined by the URI_CHECKSUM_CONN constant.

The connect URL must be unique between sessions in order for the sessions to function properly.

Once the Meterpreter connect URL is requested, the actual dispatch loop starts to run. The Meterpreter payload will make repeated requests with a HTTP body consistent of "RECV". Any queued commands will be returned to the payload, which will process them individually, and return the results in a following request.

Metasploit Wiki Pages


Clone this wiki locally