Payload, in simple terms, are simple scripts that the attackers use to interact with a hacked system. Using payloads, they can transfer data to a victim system. Metasploit payloads can be of three types:
Singles, Stagers, and Stages
Singles are payloads that are self-contained and completely standalone. A Single payload can be something as simple as adding a user to the target system or running calc.exe.
These kinds of payloads are self-contained, so they can be caught with non-metasploit handlers such as netcat.
Stagers setup a network connection between the attacker and victim and are designed to be small and reliable. It is difficult to always do both of these well so the result is multiple similar stagers. Metasploit will use the best one when it can and fall back to a less-preferred one when necessary.
Windows NX vs NO-NX Stagers
- Reliability issue for NX CPUs and DEP
- NX stagers are bigger (VirtualAlloc)
- Default is now NX + Win7 compatible
Stages are payload components that are downloaded by Stagers modules. The various payload stages provide advanced features with no size limits such as Meterpreter, VNC Injection, and the iPhone ‘ipwn’ Shell.
Payload stages automatically use ‘middle stagers’
- A single recv() fails with large payloads
- The stager receives the middle stager
- The middle stager then performs a full download
- Also better for RWX