Metasploit mailing list archives

Re: Presenting Meterpreter extension: RAILGUN
From: Carlos Perez <carlos_perez () darkoperator com>
Date: Sun, 13 Jun 2010 08:32:55 -0400

This looks very promising indeed. I would create mixins and abstract most of the common uses like:

Account enumeration
Service Management
Power (shutdown, restart, etc.)

We could even have a look at seeing if standard API could inherit from this so as to make the payload even smaller. I
really like this concept.

Cheers,
Carlos


On Jun 13, 2010, at 5:25 AM, Patrick HVE wrote:

Railgun is an extension for Meterpreter Ruby.
It allows you to use the complete Windows API on the meterpreter-controlled
system.
You can call any function of any DLL you may find or upload to the target
system.

See it in action:


#######################################
irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client

client.core.use("railgun")
=> true

client.railgun.kernel32.CreateFileA ("test.txt", "GENERIC_READ",
"FILE_SHARE_READ", nil, "OPEN_EXISTING", 0, 0)
=> {"GetLastError"=>0,  "return"=>448}

client.railgun.kernel32.ReadFile(448,10,10,4,nil)
=> {"GetLastError"=>0,  "return"=>true,  "lpBuffer"=>"blahblahbl",
"lpNumberOfBytesRead"=>10}

client.railgun.kernel32.CloseHandle(448)         
=> {"GetLastError"=>0,  "return"=>true}
#######################################



Railgun knows > 1000 functions and you can easily define new ones. For
example:

client.railgun.add_dll('user32','user32.dll')

client.railgun.add_function( 'user32', 'MessageBoxA', 'DWORD',[
      ["DWORD","hWnd","in"],
      ["PCHAR","lpText","in"],
      ["PCHAR","lpCaption","in"],
      ["DWORD","uType","in"],
      ])

client.railgun.user32.MessageBoxA(0,"Hello","world","MB_OK")
((((((and after you click OK on the target system)))))
=> {"GetLastError"=>0, "return"=>1}



What is the purpose of railgun?
-------------------------------------
-  We all love writing meterpreter ruby scripts. Just look at
darkoperator.com. Now we can get even more creative. It's easy. 
For example just add the line:
###
client.railgun.kernel32.SetThreadExecutionState("ES_CONTINUOUS |
ES_SYSTEM_REQUIRED")
###
and the target system will not go into sleep mode during your presentation
;-)


- Do really complex stuff on specific targets


- Rapid prototyping of future extensions



Where can you download it?
--------------------------
http://rapidshare.com/files/398485119/railgun.zip.html
(paid account, no waiting)
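The post above passes Windows constants as strings ("GENERIC_READ", "MB_OK", "ES_CONTINUOUS | ES_SYSTEM_REQUIRED") and declares functions through add_function with a list of [type, name, direction] triples. The Ruby below is an added illustration of that marshalling idea, written for this page; it is not Railgun's own code and does not talk to a target. The constant table holds real Windows API values but is deliberately tiny, and the DllModel class, its call method and the way "out" parameters are recorded are assumptions made for the example.

```ruby
# Added example: a small model of how string arguments and add_function
# signatures can be turned into the raw values a Windows API call needs.
# Not Railgun's implementation; names below are this example's own.

# Real Windows API constant values (winnt.h / winbase.h / winuser.h),
# limited to the ones used in the thread plus a few siblings.
WIN_CONSTANTS = {
  "GENERIC_READ"        => 0x80000000,
  "GENERIC_WRITE"       => 0x40000000,
  "FILE_SHARE_READ"     => 0x00000001,
  "OPEN_EXISTING"       => 0x00000003,
  "ES_SYSTEM_REQUIRED"  => 0x00000001,
  "ES_DISPLAY_REQUIRED" => 0x00000002,
  "ES_CONTINUOUS"       => 0x80000000,
  "MB_OK"               => 0x00000000,
  "MB_OKCANCEL"         => 0x00000001,
}.freeze

# Resolve a DWORD argument: integers pass through, nil becomes 0, and a
# string such as "ES_CONTINUOUS | ES_SYSTEM_REQUIRED" is OR-ed together
# from the constant table. Unknown names raise instead of silently
# becoming 0, which would otherwise turn into a wrong API call.
def resolve_dword(arg)
  case arg
  when Integer then arg
  when nil     then 0
  when String
    arg.split("|").map(&:strip).reduce(0) do |acc, name|
      value = WIN_CONSTANTS[name]
      raise ArgumentError, "unknown Windows constant #{name.inspect}" if value.nil?
      acc | value
    end
  else
    raise TypeError, "cannot marshal #{arg.class} as DWORD"
  end
end

# Hypothetical model of one DLL with add_function-style declarations.
class DllModel
  def initialize(dll_name)
    @dll_name = dll_name
    @functions = {}
  end

  # Same shape as the thread's add_function: name, return type, and a list
  # of [type, param_name, direction] triples.
  def add_function(name, return_type, params)
    @functions[name] = { return_type: return_type, params: params }
    self
  end

  # Marshal a call into the argument list that would be sent to the target.
  # "in" DWORDs are resolved through resolve_dword, "in" PCHARs are passed
  # as-is, and "out" parameters (given as a buffer size, like the ReadFile
  # example in the thread) are recorded as a buffer allocation request.
  def marshal_call(name, *args)
    spec = @functions[name] or raise ArgumentError, "#{@dll_name}!#{name} is not defined"
    expected = spec[:params].length
    unless args.length == expected
      raise ArgumentError, "#{name} expects #{expected} arguments, got #{args.length}"
    end
    spec[:params].zip(args).map do |(type, pname, direction), value|
      case direction
      when "in"
        type == "DWORD" ? resolve_dword(value) : value
      when "out", "inout"
        { out_buffer: pname, size: Integer(value) }
      else
        raise ArgumentError, "unknown direction #{direction.inspect} for #{pname}"
      end
    end
  end
end

# Constructed declaration mirroring the MessageBoxA definition from the post.
def build_user32_model
  DllModel.new("user32").add_function("MessageBoxA", "DWORD", [
    ["DWORD", "hWnd",      "in"],
    ["PCHAR", "lpText",    "in"],
    ["PCHAR", "lpCaption", "in"],
    ["DWORD", "uType",     "in"],
  ])
end

if __FILE__ == $0
  p resolve_dword("ES_CONTINUOUS | ES_SYSTEM_REQUIRED")            # 2147483649
  p build_user32_model.marshal_call("MessageBoxA", 0, "Hello", "world", "MB_OK")
end
```

The point of resolving names at call time is that a typo in a constant string fails loudly in the operator's console rather than reaching the target as a zero; the same goes for an argument-count mismatch against the declared signature.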



_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
