Link Search Menu Expand Document

Meterpreter is an advanced payload that has been part of Metasploit since 2004. Originally written in C by Matt “skape” Miller, dozens of contributors have provided additional code, including implementations in PHP, Python, and Java. The payload continues to be frequently updated as part of Metasploit development.

Meterpreter development occurs in the metasploit-payloads repository and the compiled results are published as part of the metasploit-payloads gem. For a detailed understanding of the Meterpreter architecture, please review the original specification.

Additional documentation about Meterpreter can be found on this wiki:

Extension-specific documentation:

A wishlist of features is maintained at the Meterpreter Wishlist page.

Examples of specific use cases can also be found on this wiki:

Those interested in the technical details of Meterpeter, along with rationale behind some of the implementations, should read the following:

Got dead Meterpreter sessions? Read this: Debugging Dead Meterpreter Sessions.

Architecture

To avoid confusion, the victim running meterpreter is always called the server and the ruby side controlling it is always called the client, regardless of the direction of the network transport connection.

The Meterpreter server is broken into several pieces:

  • metsrv.dll and meterpreter.{jar,php,py} - this is the heart of meterpreter where the protocol and extension systems are implemented.
  • ext_server_stdapi.{dll,jar,php,py} - this extension implements most of the commands familiar to users.
  • ext_server_*.{dll,jar,php,py} - other extensions provide further functionality and can be specific to particular environments.

Delivering Meterpreter

  1. Using a technique developed by Stephen Fewer called Reflective DLL Injection (RDI), metsrv.dll’s header is modified to be usable as shellcode. From there, Metasploit can embed it in an executable or run it via an exploit like any other shellcode.