From a58d5f4e5ebc69e8580d2ac197a8be1ba6bf9440 Mon Sep 17 00:00:00 2001
From: Matt Miller <mmiller@hick.org>
Date: Sun, 27 Nov 2005 23:15:30 +0000
Subject: [PATCH] payload docs

git-svn-id: file:///home/svn/incoming/trunk@3141 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../devguide/dev_guide_payload_hierarchy.png  | Bin 0 -> 5420 bytes
 .../devguide/developers_guide.tex             | 355 +++++++++++++++++-
 2 files changed, 352 insertions(+), 3 deletions(-)
 create mode 100755 dev/documentation/devguide/dev_guide_payload_hierarchy.png

diff --git a/dev/documentation/devguide/dev_guide_payload_hierarchy.png b/dev/documentation/devguide/dev_guide_payload_hierarchy.png
new file mode 100755
index 0000000000000000000000000000000000000000..524098f6640b5b203a48a95161590b0789346519
GIT binary patch
literal 5420
zcmbVQXHXMhla7KQJro0>hTcUfp_gC)=@6tTQbMm%qzEE}qLI*%4$`C-h0v=d^d>!Y
z42tw7P3m#qeKU98+|AtF{n~fmnSFO=XZP9XdEXl7X;6_flLG(%D$R#*#I^MU0B-o+
zzIlDB;d^UwZEpA=G*kgqL#%7p4zVLl7X|=S$5EWy+`9H5whs}y06-ug01z4h0GwW5
zg{}eszV`rtb!z}XE)4)+^vr5DQ~&@N$~57yM*)^w*~+VIouKaE$g8l(5?n6rD7qR5
zXQvC>We<a(^NoLMLY!<=h$&z&I8c?Gf`!xC*2YE<$!XGlH^v%VF`6!}7WMAM;%|P|
z?)f%(tbEYX&_b5ztLc{G0a=M0Ssy>_@xsOB@?_-`e`B|+3!ie&?@nWmIl)JVQ&v_*
zKB^YjY#A>?IE~WD<`VQv<(I_zN?#tF=|{__Wzt(GWVme~TJ(-J&MNqDB9emffRUu*
zd>>=!G8;*Jwit5N_RMp+i)zN@jsFY59P`iI4pC0?EPG=fppM<I6zg+I`bwHR@?!E2
zMh)ymGGQ(qm#4z~2hTb#OsKYg^+cqH_*$o?e|7HHLyV!N6x>73_ujnDV~goVQzSvX
zO`87xc*C(S%7%hWmv#6>Ob7nX_J3%jz#{)Qfft3B;i7SPT|Vv}W#%r=K43hCwke}D
z-nl_ckX{HNBCNM9g$*DUay{opCo{@9&mfaZ?sW+(r>+{c+!AygeJhi|{snOW&Dx|K
za%8-##LaDH3dWn!r|O93Hm8(vpb+rx`NHw)<O^PqWA7vPzEzmnQO4T4%M_q+q$coJ
z24|5-ypvsi+e9zK@-g)cB9xn7QM}F8L5digATp^lMn6d2U**&1u808x9Lt{nz$74|
zqYPu2f-*kG3Vt9@8j0%BSw#=Rqhv&7vbIGqr9CXd43q$J=e+OugV8dZjOdGTsES2E
z=<t9UZw2Lg_)+QpyCB&&b?NstL2Ro5t5&wPnVo(Uy|=`Y6WBblUVGNh5=JbVr(so?
z!&J6~I<^)UJuz>xDAG;ikG+9DnU;+HRfGmZ3~Bi~h^9WX^T`KU{BM;_rDT*0u!Y`}
z=DPt%c@Iaw7<`;PG(}o36>);EwvAK1JlPAMWe-?F6`E+h{3NMUlP3~8yj|1FZq90+
zrAx;VF2JB<LI3fej{wbC(eq@Dq-YUp+&1wX5gbH{^uM`%g9}4cEq~(}KxJR;0qUlq
z?c#4e(wpUuQ}A9NFAZUvn=}A*Ul7~|%LWN5tY|DTA>~{LUN@KznxY%1r@@)S>qt<I
zDc1GDkRh%zsoS_ZV(b=?7s#*@2C3prbLT)~(JoXsy+psbovCE0J#q!2UCA6~8zKYh
zp6ojgWtne*;Z&TLmuEXu;G-wc+I)A~j@yrBTsI=lRx+Q}q+2=}1a&mt(<z)D%#_xD
zukd&FS;yK=o$HiPTjktK7W8!$mNATC<T0<B|6B)D4U~w_kpP8X9PZ`PrRS}a`IhM=
zf3w8?B>`e~e)XqPMUh7;4T=+7zh*F&`{GjXK9vi(eCg<B_3CfoUE39^fD02{Zj-O;
z=YAKbhf0i!V~AUJ!IlzS&=@mEX!atB25)=5g6-!GX=lbgedUXT{eH1Hpkbv!ry0le
zI68)FMK$0YRa`Uj;^RgCPj%Ya$lZXx)pgw|Popsx`!f)2`Ot#@VsNv`+3{k-Sh2o;
z>}sJ1ONWjJZMD$nr2@w1t`55=OT68ErE+vtYPgo>mZkZRQv48L%NR8dCBq4f{Hn~B
zVkGFf<C+0>B`J@-V{SoqZ&3mG8*KcTn4lH<cLgOgTr$c9G`%?>O@n)(o(w`Y(pk5^
zfDB2L)!xP>1O5!|z;UO653bmo788QDo4SWzEdD|GpO$aeuC@4{68qHgGhUtl87}XX
z^WV;D&q=c~zXhs8Pb7y4%u4(?%fTGT18Hn2ahMNNX-Od3f)(3!L`k6YMn9vo-9s+t
zjq=?49t&z2q`}pyB}KqTPR|^&U&nAwswG3y@~!Q}<cS=VNY;wcx(pR?#}VcXOFU2C
ztcqKP;fK5$8eAVta=2FW;C8lHTjcpWKBBim>Aj&5x`l-X8KbbePO=xG?*hK_<;cBX
zmm)M_Z_9*bfT-4(I7geDB{37)5zX<dsz0>RhDKx5+>(mW*OFmox)n>I`dv2%sS}^Q
zV>S?%ZdB{kJFDOy6EX6USMC0JgQ~|J;&A@6w6ru~=qELoFGEy9q)x^Y*`g0<@i42D
z<#>B_8!8jkOqU9;DX&ASTmcx@T-p$o*z6$EJEk*D=(IW>mJ+qJm7fJ7chfngGkxT^
zBA)$;p?V^a8bNh1m16psb@ZZ$7OQIh+!>T4(&shGABnvAoX=B3@5TtUwKse)-=4#_
zASv1pnA_)+$)r}y!kX~Ft=>>TQZI?!fw$;z{B<^$I)w?<AUn=aNTRQTC@NeRU|eEF
zFJSKW3EQvba$g9`Wbp2Zh62Lu>7qFAn0-O5877s@=B>2%C+uf!<`g_JVfJ0)>RlLg
zf)A+A3!PR1>Z?QRV37A(ZZ*Ne=#CQt<_&w`YR;QR#Us4!PW##R&vdYhfv@)E#>b9V
zmw$gBE;oFeJwQ!sa0J(e;7&L1Dw*}^Jun855=5-P!~`3y%B*cJ3^zvmHXJlu{Afa)
zT<uPKVi&400+Fl>srqU<Dg#V4D61jE8J}n|lM?8(jG?GTax2Yc6${nUK0cu74`Jsy
za>B6k)p_W%-W<iCdOPtNXr2EI^-0P(f6mLqPE(`-M#iJpQIM3-IF|D7_-3N#@1@;t
z_o~1Eo+r>tPns#fKy7ffEe`xwWJ~Bo;j=@7LVE}*n|hxWRfNqetVs7mBYdH6IV$MU
z0@|hICi4ZJ!-YJdwN3|vheyT=r#kg0JVP>+-;bYg-JQ+Wne;8QB!t+X^YyrGXlQ`J
zzQ+TkKZ}Zjz>5aX>Xu2`xQ7ewYMWKgxaCCuC$ufD%w8t@9`s26Ev|O&Ur|HO=DY-5
z3qI+<rxnFyv&*m4FKL?I_WuOY3P<wKWAKGFEh|?$8pt|yfT@3H8?8%Hb9JE}DM8an
zzFP)3oCht{g}je&jrD@Of8dVDR8b(CVqI2Icr)_>iVC2slI=nTP}ga?-`wM|@QL0r
zz%_F~*Is=!iRO5@`$g9L-gwcG@^^l{tj55@bwrzU_i&gnACN}h72>CVtWLXu!mrs@
z7fR-)atkSQ?~G2W^!;fqcF)WyWoK54o`Y+YtHcFy=*W`s_b{c$wWHQlcT?8XbOtSx
zEYsHWoN-;_k{l#W(Q&fCt6QRN`Jov-S{TwBJPeX{F_Oe(tR;`V4vVrM4SkbT^5cZ|
z@;0f)b`sZk4rM^@YOID13PcIEs)^RL7iw{BIo#(Sxt*|bAAIM~?D-?GFFc<Q9fp#>
zQ+U6S88|EV>6Cj|eG;D+9(EAJEEMneQ>*a|y~aMKqWevKaBO{164}S`w?}FJp&K*P
zTN8u;F~%q#Trf=hPA{;pICgdZ(P@zpMz=(>TUX5O6TdFEI;CcTG5hrG<T9uCunu5#
zVX|RvQ*7pKOY)MqMq3gjo88K8ha%1{Nuc1gIGDTyZR979HsXbiwa*%3%t=l3<wI2l
zhPidXACoo#$)xlyGjvFz4{S2z!txa!?mc6M<Y&kjKVYX+3rKHd8E415C8}p3SH-3)
z<e+6H7yp{5>XM**X#IOnouYFbGnukQRDHHd{Ldz}^Md&CFR|z5iM%=((a3qRlKzdp
zrul5UB{idKMqe?OL-}&8IEVdxwDALT)|`3!q&6sq$O|$=#{@;I-lw;CfmN{>aw)Qh
zyeF$_HHX}Flo}HU4ilR$hyYWu8O~s|W0>$W5W3%du$B@h@g-TB0{5%J;V}szeW@?=
z7Qx#@LX<`I<-zL6RmjE8Qa!gu>_AqQCAKjg>_3yzSNQf7vk-%qwvxQRp+LTYT@tPv
zLLNyog>!}c&+OtqXHcH9nw_J<ioWX8#mRD<Fq{+qz`TOLedF!4uv@WSc4G8|&#+>H
zsz{`a|Mnb0xbT{cATD}N6JAerVi<49orV6bC{L!UN14?<WEN6QO4c+3TWK~@LG*YP
zx;mA#NLt$mNr3(lPU<|alij9t)xNlJZ>{jJ+Pnqx7~KstsoEEkU*C?xKJqw?p*22i
z$#DhnKA2C{Z9!xEB$`88UjE&0|D4?I&gf;LtZ5%epV}M4b+^?GkF)p2pqqdxls-qX
z5e}*}%pT`!?V?<unlCK0G|K0@OM7&>)%&AOjrJI{Kb7~F7AuSos}~b`-kFr3k_AMo
z{>Y)`6kHvYsljLNR$eoyH)Oawks%I^8fJG@7@~feZSOLmiM+;<$E<ji8OH+a+(*}A
zWk|4#N9)e0H0HUZpFaJ|G#g(ZW9g?v)ytbCNR7ruYFv<7^eEY5?in2k7Xz$bJ`+=a
z#iHvYL@noURD?!vO4;LNd@=N4@utf}>gPn>C{-h(nAte{`x*CUtfMUB+BQ$@mHY%r
zxQHSK=tlh_-#It-Z=K-PftlXv3g!IdFo$^JaxOj|7Yp>^J!>-O^w#KR43G(E?_6__
zPlHHM8%RIBc9MY7%;l6x;!>{{eM;;HC;de(iH8)!aZfK`E$S?Cu)tD1E+M$qi2epN
zU#@2=Ert5W00|W<+x_3^A|?vVxhHUb9TqZYu3Jfrc7(1s5!MWt2S;>Rq(c5T>RvTf
z&OTeTk+E1N=j&7#kr67%8aKoldXL6n3usu7n~_dPk?Wc%3|)$6OH|xaw(Tb3w!hp*
zgOy*n5OpQ^X2ZWHJk^eVU7OFDl3&68Jw-2bm+pfIay^H`>K@68P9=J1*R$$k@2iW8
zJrq1irQkZQa|i1r6%pJF<JbJFN2*1e<SL`<6SY~dlnmLX#M32Zs4%8$|AC_M)T1}R
zNv>=a+-P&Z6d-8+^@HpYt0#@YxK>^k#B5EY#K23?YzCtLxtqvcqj+sv*PI<pe4ZWr
zF$T;+TBqd(5<Qbth{{&uu@~?Z{NC<TVAjLA%pcgH{7|+p?%c;2CIifj;&Jaqk_gyt
z-q&uibF7d>>wZrZs_0;~!P>-YI13f_%A^_9Q|ox>4a$~^Yl0F+9vkR+JhBAPvIV)X
zHQ9VhqD1Z6gLQ?gULuB{cP-RKL#ajfhQ#|A$)9Kl@7zoD4NKY3#Bx>tjxfZ3tH1Qu
zpgz*p`eAJ`D6{3CVyKC$2VzJ2CCcq0C}vjAE4H0k#)%g1l*r;J=$vuJ5WgI>N~;{f
z)GFB6N>f=us!lO>wY2#C=<pABzMa$IoY^0xrCVO`Yf8VcHdcJ4dJR;fmNNMuvDn&;
zd;iOp{wDxJYW_n50nM)yF<QMe<N$Qni=c{gUde4U%CC4ckpE*2{&mCux7hz#`ZSxj
z=5>qBhg@CsFUTDKIcn$@YZ_ity)l%dEH=-fStI)MnWFS;fI|@vg69XP&@93f$t)de
z#>_wv&SUU3O_V}B9bG(3{3JI@0@SWBq!WZ96pcM#6MZhBFGwr7Q@Xl)llbM4X@TEa
zJ8Bnk*K#&{kq0&gd-1F9PBNwv9S@Dc^Jtt+pHAmIvGclv+L-!S4&Ri+3PvXPX#Fl@
zDwp(-#`toI%zvi6oqYwb40F|s|A(eHNrUc<O@U~Qh!2#5eyyDpAuAVqq+g}aaUn0n
zYz>}ot&S9gcb}!Q`b=V<WP)gSm@Bqt8ofN9w_dXfWH<b??=?(+BhEKCaeN&V@#`i$
z&n)&Awf?nI)DZO>Mya&=<C@NHoQ32#vP!ofDho6Qj}!&nZO#!7AkEDV?~Y}2EtUvZ
z9HH7iU}0#u>c%OvoC0n1``ZLImoyq0urfeK&H?Z(0&Cv-u{N#t(@+ilC%B=0J^cg9
zt?|Y`+tI~l%P^{mByho9XBnk@Fw7Yd#WZm%=#>(Zy2xUb>?3KFt%869uPr_2Qr>3E
zz-a+9!y^IkdB6jDZ2qi*Et_Em-S1`S7%-EZ*!xxsuwdd|qDLTOFo`>#ppiHeKhB#%
z_vv~1DRH*Q+5{3!=1kx!dYe=hB*3=hD)`I*VVqoh%-525YDi);%)K|*)oQ+w{!ZP>
zq|#zO{BqZxtMC)lq!P+Y&nzU;7<)w8E$hU#DqyJ7gZzsu;ge7UJt2pL6#SG*xN~dU
z^{atEXs1FRPr>`rRHt#LMIP*@hSJWw$DDNb-hwmW@sflbuNdY6+nYknkP+G(*xEp?
z$McBX^AJ*rjmiNLTK*|y7PAu-4Q}5lo11ntg3SUBQJ?Qz&z{N06F--NSG)#yO3){r
zHh4gm?bjT-o_`(<u`?XI@x*2g5iTBV+hg(ouc3XrurPMDzgDE4Sm)NLfKB}X1+9M{
zE9);FW2pE%cMOy_nTxN$T<1WjQiwOuMnE^iz;b5JVaD5!^?smDws2A}I$d+HtdOQ$
z<|$S%43^v^3A279-K2Ke$)|Fbt51s+O6b8x)Of`Ah}^{68}C$jeo004!4CRszX4!w
zr=}*W71|m5>5*UGF_QJlqS#o9Eo-s{)4aGgCuH#*?5ZMqA?B|4>?w;L*)A}>g_c3J
z-=rSIZ-7l2KAV60a+!P9Gyb@{<Z+;LHQdC(g!1q%O!M~gckp9pP~5wF9Sw5E!(!hb
z4G-j}J>HKEaAK@}>TRB!MgDbIsV&-8@EKh-M{crWLuRLN_$~z_`U1aj#EL$SI=MJr
z{C%}nZA=&NE7?>|0-O^ll0IW7kn%xxRrvpmKF@H0FV&Zo3!FNF0`b$+SjRUzj2#z8
zvw<_;_VDYsSEmHT+71wNiT)yth8VUV1iAl5hHEu*nbP6Wdn~2l5fT|RWt7emGG`b*
tzoGmwP&<y-*Xp;@jhof~g=U@8G~IMZ2K4W^U4Lf+G}ZLrRjSru{|3dO7+?SZ

literal 0
HcmV?d00001

diff --git a/dev/documentation/devguide/developers_guide.tex b/dev/documentation/devguide/developers_guide.tex
index 01f7947c9f..0e37251663 100755
--- a/dev/documentation/devguide/developers_guide.tex
+++ b/dev/documentation/devguide/developers_guide.tex
@@ -2543,9 +2543,358 @@ find a valid NOP byte when generating the NOP sled.  The default is
 modules during sled generation.
 
     \section{Payload}
-        \subsection{Single}
-        \subsection{Stage}
-        \subsection{Stager}
+
+\par
+Payload modules provide the framework with code that can be executed
+after an exploit succeeds in getting control of execution flow.
+Payloads can be either command strings or raw instructions, but in
+the end they boil down into code that will be executed on the target
+machine.  To provide this feature-set, the framework offers the
+\texttt{Msf::Payload} base class that implements routines that are
+common to all payloads as well as providing some helpful attributes.
+
+\par
+One of the major differences between payload modules and other types
+of modules in the framework is that they are a composition of a few
+different mixins that lead to a complete payload feature set.
+Payloads are at their base an implementation of the
+\texttt{Msf::Payload} class.  However, they also include the support
+necessary to handle the client half of any connections that the
+payload might make through \textit{handlers}.  Handlers will be
+discussed in more detail later in this section.  Aside from
+handlers, payloads are also broken down into three separate payload
+types: singles, stagers, and stages.  These payload types will be
+discussed in more detail later in this chapter.
+
+\par
+Furthermore, unlike other framework modules, payload modules will
+not necessarily correspond one-to-one with the module names that can
+be used within the framework.  This is because the framework will
+automatically generate permutations of different module types so
+that they can be used in various combinations without having to be
+linked together statically.  This is especially useful for staged
+payloads because it is possible for stagers and stages to be
+automatically merged together at load time rather than having to
+statically build an association in the module files.  This is a
+major enhancement from the 2.x framework version.
+
+\par
+To better help with visualizing the payload hierarchy, the diagram
+in figure \ref{fig-img-payload} shows the class hierarchy of a
+particular type of payload known as a staged payload.
+
+\begin{figure}[h]
+\begin{center}
+\includegraphics[height=4.0in]{dev_guide_payload_hierarchy}
+\caption{Staged payload class hierarchy} \label{fig-img-payload}
+\end{center}
+\end{figure}
+
+        \subsection{Interface}
+
+\par
+The framework uses a well-defined, uniform interface to work with
+payload modules.  Like other modules, payload modules also have
+module-specific information hash elements.  The table shown in
+figure \ref{fig-table-payload-hash} shows the elements that are
+specific to payload module information hash and the accessors that
+can be used to access them.
+
+\begin{figure}[h]
+\begin{center}
+\begin{tabular}{|l|l|l|p{2.0in}|}
+\hline
+\textbf{Hash Element} & \textbf{Accessor} & \textbf{Type} & \textbf{Description} \\
+\hline
+BadChars & badchars & String & The string of bad characters for this payload, if any. \\
+\hline
+SaveRegisters & save\_registers & Array & An array of architecture specific registers that should be saved when using this payload. \\
+\hline
+Payload & module\_info['Payload'] & Hash & A hash of information specific to this payload. \\
+\hline
+Convention & convention & String & The staging convention used by this payload, if any. \\
+\hline
+SymbolLookup & symbol\_lookup & String & The method used to resolved symbols by this payload, if any. \\
+\hline
+Handler & handler\_klass & Msf::Handler::Xxx & The handler class to be used with this payload, or \texttt{Msf::Handler::None}. \\
+\hline
+Session & session & Msf::Session::Xxx & The session class to create when the payload succeeds. \\
+\hline
+\end{tabular}
+\caption{\texttt{Msf::Payload} information hash accessors}
+\label{fig-table-payload-hash}
+\end{center}
+\end{figure}
+
+\par
+Using the payload-specific information, the framework drives the
+payload class by using a specific set of methods.  These methods are
+described in detail below.
+
+            \subsubsection{compatible\_convention?}
+
+\par
+This method checks to see if the supplied staging convention is
+compatible with the current payload module's staging convention.  If
+the current payload's staging convention is undefined (as would be
+the case for a non-staged payload) or the conventions match, then
+true is returned.  Alternatively, if the current payload's type is
+that of a stager and the supplied convention is undefined, then true
+is also returned.  In every other case, false is returned.
+
+            \subsubsection{compatible\_encoders}
+
+\par
+This method returns an array of compatible encoders where each
+element in the array is an array with two elements that contains the
+reference name of the encoder and the encoder's module class.
+
+            \subsubsection{compatible\_nops}
+
+\par
+This method returns an array of compatible NOP generators where each
+element in the array is an array with two elements that contains the
+reference name of the NOP generator and the nop's module class.
+
+            \subsubsection{connection\_type}
+
+\par
+This method returns the type of connection being used for this
+payload as derived from the payload's handler.
+
+            \subsubsection{generate}
+
+\par
+This method causes the underlying payload to be generated.  This
+method works by calling the \texttt{payload} method on the payload
+module instance and creating a duplicate copy of it.  From there,
+any defined variables are substituted as conveyed through the
+\texttt{offsets} attribute.  The resultant substituted buffer is
+then returned to the caller.
+
+            \subsubsection{payload\_type}
+
+\par
+This method returns the type of the payload that is implemented by
+the derived class.  This can be one of
+\texttt{Msf::Payload::Type::Single},
+\texttt{Msf::Payload::Type::Stager}, or
+\texttt{Msf::Payload::Type::Stage}.
+
+            \subsubsection{size}
+
+\par
+This method returns the size of the payload as returned by a call to
+\texttt{generate}.
+
+            \subsubsection{staged?}
+
+\par
+This method returns true if the payload type is either
+\texttt{Stager} or \texttt{Stage}.
+
+            \subsubsection{substitute\_vars}
+
+\par
+This method substitutes variables using the \texttt{offsets} hash as
+a guide.  It also calls \texttt{replace\_var} prior to doing
+substitution which gives derived classes a chance to do custom
+variable substitution prior to using built-in facilities.
+
+            \subsubsection{validate}
+
+\par
+This method wraps the call to the payload's option container's
+validate method.
+
+        \subsection{Types}
+
+\par
+Framework payloads are broken down into three distinct payload
+types.  The first type of payload that can be implemented is
+referred to as a \textit{single} payload.  Single payloads are
+self-contained, single stage payloads that do no undergo a staging
+process.  An example of a typical single payload is one that
+connects back to an attacker and supplies them with a shell without
+any intermediate staging.  The second type of payload is referred to
+as a \textit{stager}.  Stages are responsible for connecting back to
+the attacker in some fashion and processing a second stage payload.
+The third type of payload is referred to as a \textit{stage} and it
+is what's executed by a stager payload.  These three payload types
+allow the framework to dynamically generated various combinations of
+payloads.
+
+            \subsubsection{Single}
+
+\par
+As described above, single payloads are self-contained, single-stage
+payloads that perform one logical task without requiring any
+secondary code.  Single payloads are the simplest of the three
+payload types because they correlate one-to-one with the payloads
+that end up being generated by the framework.
+
+\par
+For single payloads, the module information hash's \texttt{Payload}
+hash element will contain a sub-hash with a few key elements. The
+table shown in figure \ref{fig-table-single-payload-hash} describes
+the hash elements that are used by the framework and the accessors
+that are used to obtain them.
+
+\begin{figure}[h]
+\begin{center}
+\begin{tabular}{|l|l|l|p{2.0in}|}
+\hline
+\textbf{Hash Element} & \textbf{Accessor} & \textbf{Type} & \textbf{Description} \\
+\hline
+Payload & payload & String & The raw payload associated with this payload module. \\
+\hline
+Offsets & offsets & Hash & An array of variables that should be substituted at specific offsets based on the module's datastore. \\
+\hline
+\end{tabular}
+\caption{Payload information sub-hash accessors}
+\label{fig-table-single-payload-hash}
+\end{center}
+\end{figure}
+
+\par
+For single payloads, the \texttt{Payload} hash typically contains a
+\texttt{Payload} sub-hash element that actually contains the raw
+payload.  This is illustrated below:
+
+\begin{verbatim}
+    {
+        'Payload' =>
+            {
+                'Payload' => "\xcc\xcc\xcc",
+                'Offsets' => ...
+            }
+    }
+\end{verbatim}
+
+            \subsubsection{Stage}
+
+\par
+A stage payload is an implementation of a connection-independent
+task like spawning a command shell or running an arbitrary command.
+Stage payloads are combined with various framework stagers to
+produce a set of connection-oriented multi-stage payloads.  This is
+done automatically by the framework by associating stage payloads
+with stagers that have a compatible staging convention.  The staging
+convention describes the manner in which connection information is
+passed from the stager to the stage in terms of what register might
+hold a file descriptor, for instance.  Stages and stagers are also
+matched up by their symbol lookup convention if necessary so that
+stages can assume that certain locations in memory will hold
+routines that may be useful.
+
+\par
+Stage payloads convey their raw payload contents in relation to the
+\texttt{Stage} module information hash element.  The sub-hash
+elements are similar to the single-style payloads in that it has
+both a \texttt{Payload} and an \texttt{Offsets} element.
+
+\par
+Stage payloads are meaningless unless there is a compatible stager.
+
+            \subsubsection{Stager}
+
+\par
+A stager payload is an implementation of a payload that establishes
+some communication channel with the attacker to read in or otherwise
+obtain a second stage payload to execute.  For example, a stager
+might connection back to the attacker on a defined port and read in
+code to execute.
+
+\par
+Stagers convey their raw payload contents in relation to the
+\texttt{Stager} module information hash element.  The sub-hash
+elements are similar to single-style payloads in that it has both a
+\texttt{Payload} and an \texttt{Offsets} element.
+
+\par
+Furthermore, staged payloads have some extra accessor methods that
+single payloads do not.  For instance, the stager's payload and
+offsets can be obtained through the \texttt{payload} and
+\texttt{offsets} accessors.  The stage's payload and offsets can be
+obtained through the \texttt{stage\_payload} and
+\texttt{stage\_offsets} accessors.
+
+        \subsection{Handlers}
+
+\par
+Handles are one of the critical components of a payload.  They are
+responsible for handling the attacker's half of establishing a
+connection that might be created by the payload being transmitted
+via an exploit.  The different handlers will be discussed in detail
+later in this subsection.
+
+\par
+Handlers themselves act as mixins that get merged into an actual
+payload module class.  The framework interacts with handlers through
+a well-defined interface.  Prior to initiating an exploit, the
+framework will call into the payload handler's
+\texttt{setup\_handler} and \texttt{start\_handler} methods that
+will lead to the initialization of the handler in preparation for a
+payload connection.  When a connection arrives, the handler calls
+the \texttt{handle\_connection} method on the payload instance. This
+method is intended to be overridden as necessary by the payload to
+do custom tasks.  For instance, staged payloads will initiate the
+transfer of the second stage over the established connection and
+then call the default implementation which leads to the creation of
+a session for the connection.
+
+\par
+When an exploit has finished, the framework will call into the
+payload handlers \texttt{stop\_handler} and
+\texttt{cleanup\_handler} methods to stop it from listening for
+future connections.
+
+            \subsubsection{Bind TCP}
+
+\par
+The bind TCP handler is provided through
+\texttt{Msf::Handler::BindTcp}.  It will attempt to establish a
+connection to a target machine on a given port (specified in
+\texttt{LPORT}).  If a connection is established, a call is made
+into \texttt{handle\_connection} passing along the socket associated
+with the connection.
+
+            \subsubsection{Find port}
+
+\par
+The find port handler is provided by the
+\texttt{Msf::Handler::FindPort} class.  When an exploit calls the
+\texttt{handler} method with a socket connection, the find port
+handler will attempt to see if the socket has now been re-purposed
+for use by the payload.  The find port handler is meant to be used
+for payloads that search for a socket by comparing peer port names
+relative to the target machine.
+
+            \subsubsection{Find tag}
+
+\par
+The find port handler is provided by the
+\texttt{Msf::Handler::FindTag} class.  When an exploit calls the
+\texttt{handler} method with a socket connection, the find port
+handler will attempt to see if the socket has now been re-purposed
+for use by the payload.  The find tag handler is meant to be used
+for find socket style payloads that search for a socket based on the
+presence of a tag on the wire.
+
+            \subsubsection{None}
+
+\par
+If a payload does not establish a connection of any sort, the
+\texttt{Msf::Handler::None} handler is used.
+
+            \subsubsection{Reverse TCP}
+
+\par
+The reverse TCP handler is provided by the
+\texttt{Msf::Handler::ReverseTcp} class.  It will listen on a port
+for incoming connections and will make a call into
+\texttt{handle\_connection} with the client sockets as they do.
+
     \section{Recon}
 
 \par