Intro to RailGun: WIN API for Meterpreter

Thursday, August 19, 2010

Rob Fuller


Back on June 13th, “Patrick HVE” released RAILGUN:

http://mail.metasploit.com/pipermail/framework/2010-June/006382.html

And it was merged into the Metasploit trunk with revisions 9709, 9710, 9711 and 9712:

http://www.metasploit.com/redmine/projects/framework/repository/revisions/9712

Basically what this allows you to do is make Windows API calls from Meterpreter without compiling your own DLL. It currently supports a number of Windows API DLLs:

    * iphlpapi
    * ws2_32
    * kernel32
    * ntdll
    * user32
    * advapi32

(You can find out exactly what functions are available by default in the api.rb file)

It's also very extensible: if it doesn't have a DLL or function you need, you can add it yourself. You can read all about that in the manual:

./external/source/meterpreter/source/extensions/railgun/railgun_manual.pdf

Here are two examples where this comes in very handy:
List Drives:

The problem that I’ve had on a number of pentests is that you get shell, but from CMD or Meterpreter there is no good way to find all of the volumes (drives) attached.

    * net use – Shows you what Network drives are connected, but not physical ones
    * fsutil fsinfo drives – You must be an administrator to ride this train
    * fdisk /status – Only on OLD versions of DOS, not sure when this disappeared

But railgun solves this problem with a really short script:

    # Load the Railgun extension into the session
    client.core.use("railgun")
    # GetLogicalDrives returns a bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
    a = client.railgun.kernel32.GetLogicalDrives()["return"]
    # Walk the bits from low to high; each set bit maps to a drive letter
    drives = []
    letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    (0..25).each do |i|
        test = letters[i,1]
        # Lower bits have already been subtracted, so rem is either 0 or 2**i
        rem = a % (2**(i+1))
        if rem > 0
            drives << test
            a = a - rem
        end
    end
    print_line("Drives Available = #{drives.inspect}")

Output:
Drives Available = ["A", "C", "D", "P", "X"]

Save this as a Meterpreter script and it will print every logical drive attached to the system that the current user can see, even as a limited user.

Logical drives include HDD, network, mass storage, optical, etc. This opens the door to infecting USB sticks and network drives…
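As an added example (not code from the original post or from Metasploit), here is the same bitmask decode done with bit operations, extended to classify each drive with kernel32!GetDriveTypeA so you can tell fixed, removable, network and optical volumes apart. It assumes GetDriveTypeA is present in railgun's kernel32 definitions (add it via the manual's instructions if it is not); the railgun object is injected so the logic runs offline against a constructed stand-in.

```ruby
# Added example, not part of the original post. Pass client.railgun on a
# real session; the FakeRailgun below is a constructed stand-in for testing.
LETTERS = ("A".."Z").to_a

# Bit i of the GetLogicalDrives mask set => drive LETTERS[i] exists.
def decode_logical_drives(mask)
  LETTERS.each_index.select { |i| (mask >> i) & 1 == 1 }.map { |i| LETTERS[i] }
end

# Return values of kernel32!GetDriveType (winbase.h DRIVE_* constants).
DRIVE_TYPES = {
  0 => "UNKNOWN", 1 => "NO_ROOT_DIR", 2 => "REMOVABLE",
  3 => "FIXED", 4 => "REMOTE", 5 => "CDROM", 6 => "RAMDISK"
}.freeze

def drive_type_name(code)
  DRIVE_TYPES.fetch(code, "UNKNOWN")
end

# Map each visible drive letter to its type. `rg` must respond like
# client.railgun: rg.kernel32.GetLogicalDrives()["return"] and
# rg.kernel32.GetDriveTypeA("C:\\")["return"] (assumed to be defined).
def inventory_drives(rg)
  mask = rg.kernel32.GetLogicalDrives()["return"]
  decode_logical_drives(mask).map do |letter|
    root = "#{letter}:\\"
    [letter, drive_type_name(rg.kernel32.GetDriveTypeA(root)["return"])]
  end.to_h
end

# Constructed stand-in: the drives from the post's output (A, C, D, P, X)
# with hand-assigned types, so the code can be exercised without a session.
class FakeKernel32
  TYPES = { "A" => 2, "C" => 3, "D" => 5, "P" => 4, "X" => 4 }.freeze
  def GetLogicalDrives
    { "return" => TYPES.keys.map { |l| 1 << LETTERS.index(l) }.sum }
  end
  def GetDriveTypeA(root)
    { "return" => TYPES.fetch(root[0], 0) }
  end
end
FakeRailgun = Struct.new(:kernel32)

if __FILE__ == $0
  p inventory_drives(FakeRailgun.new(FakeKernel32.new))
end
```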

Cross-posted from Room362
