What is the difference between SRVHOST and LHOST in Metasploit? I am testing an exploit in my virtual lab for which I had to set both options. LHOST was an option for the payload selected, while SRVHOST was included among the options to be set for the exploit. I believe SRVHOST and LHOST should be the address of my computer. I then tried giving SRVHOST a wrong IP address and LHOST the right IP address, and the connection back to my computer was successful; but if I gave LHOST a wrong IP address and SRVHOST the right IP address, the reverse connection failed.

Why then do I need the option SRVHOST, since LHOST performs the same function in my payload? And practically, how can SRVHOST be used?

schroeder
Emmany

2 Answers

SRVHOST is generally the option that you set when you are serving an exploit on a web server, and LHOST is the option you would set if you were using an exploit that is not going to be served on a web server.

cyb3rcat

In the case of a staged payload, we actually send the payload in 2 steps. At first the stager is sent to perform initial work (suppose, to disable AMSI, ETW, etc. for Windows) / download the payload from the attacker machine to perform in-memory execution on the victim machine, in order to bypass defenders, AMSI, ETW, etc. Then, after performing the work, the stager downloads the 2nd bulk payload (called the staged payload) from the host (attacker) at the srvhost:srvport address (the web server where the payload was hosted) and then passes execution to the staged payload. Now, after the execution of the downloaded staged payload, our listening C2 server (lhost and lport) gets a connection back from the victim machine to build a reverse-shell connection (in most cases), offering us (the attacker) a remote shell.

Now, if you have noticed carefully, you can see this thing at the end:

[*] Server stopped.

This is the established connection which our stager created, but now we don't need it, as its work is done. So it is stopped.

See this post in reddit: reddit
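
Seen from the network side, the two options discussed above are two separate endpoints: the address a machine fetches content from (the SRVHOST role) and the address the payload later connects back to (the LHOST role). The sketch below is an added example, not part of the original answers; it pairs those two flows in constructed flow records, and the record layout, field names and 30-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed flow records (sample data, not from the original post):
# (timestamp, internal source, destination, destination port, protocol)
FLOWS = [
    ("2024-01-01T10:00:00", "10.0.0.5", "192.0.2.10", 8080, "http"),
    ("2024-01-01T10:00:04", "10.0.0.5", "192.0.2.10", 4444, "tcp"),
    ("2024-01-01T10:05:00", "10.0.0.7", "198.51.100.3", 80, "http"),
    ("2024-01-01T10:20:00", "10.0.0.7", "203.0.113.9", 443, "tcp"),
    ("2024-01-01T10:30:00", "10.0.0.8", "192.0.2.10", 8080, "http"),
    ("2024-01-01T10:30:02", "10.0.0.8", "198.51.100.77", 4444, "tcp"),
]


def fetch_then_callback(flows, window_s=30, known_good=frozenset()):
    """Pair each HTTP fetch with a later raw TCP connection from the same
    host, inside the window, to a different endpoint not on the allowlist."""
    rows = sorted((datetime.fromisoformat(t), s, d, p, k)
                  for t, s, d, p, k in flows)
    window = timedelta(seconds=window_s)
    hits = []
    for i, (t0, src, d0, p0, kind) in enumerate(rows):
        if kind != "http":
            continue
        for t1, s1, d1, p1, k1 in rows[i + 1:]:
            if t1 - t0 > window:
                break  # rows are time-sorted, nothing later can match
            if s1 != src or k1 == "http":
                continue
            if (d1, p1) == (d0, p0) or (d1, p1) in known_good:
                continue
            hits.append({
                "host": src,
                "served_from": f"{d0}:{p0}",   # where the content came from
                "callback_to": f"{d1}:{p1}",   # where the host connected next
                "delay_s": (t1 - t0).total_seconds(),
            })
    return hits


if __name__ == "__main__":
    for hit in fetch_then_callback(FLOWS):
        print(hit)
```

The serving endpoint and the callback endpoint can share an IP address or differ entirely, so the pairing keys on the source host and timing rather than on the destination address.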