Home page logo
/

metasploit logo Metasploit mailing list archives

Re: Wmic through the windows api
From: Abuse 007 <abuse007 () gmail com>
Date: Fri, 17 May 2013 02:59:03 +1000

Hi Brian,

Perhaps you need to allocate some memory in a process, write your custom
data structure there, and then make the call with a pointer/reference to
the custom data structure in the memory you allocated for it.

Cheers,
B


On Fri, Mar 22, 2013 at 12:38 AM, Brian Seel <brian.seel () gmail com> wrote:

I finally was able to finish my extension that will allow anyone to do
with calls from the windows api. There are a few finishing touches I need
to do before I release it, but I am wondering what the best way to
integrate this is. Obviously the rail gun route would have been better, but
I couldn't get that to work.

From what I see from the way other extensions are done, it looks like I
should make a ruby wrapper to allow this to be called elsewhere in
meterpreter. And then I just put the dll with all of the other extensions.

Basically, my question is what considerations should I make before
submitting a new extension. I understand that writing extensions is not the
normal way of adding functionality.

On Tue, Mar 3, 2013 at 3:56 PM, Brian Seel <brian.seel () gmail com> wrote:
Ok... I dug into this a bit more. But I am having some confusion (with
little and big endian for some reason).

I am trying to implement this line in Railgun:
CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER,
IID_IWbemLocator, (LPVOID *) &pLoc);

I know that CLSID_WbemLocator has to
be 4590F811-1D3A-11D0-891F-00AA004B2E24 and IID_IWbemLocator has to
be dc12a687-737f-11cf-884d-00aa004b2e24. I have figured out that I need to
allocate memory, and write the GUID structure directly.

However, I used Immunity Debugger to see what it should look like on the
stack, and saw the following:

http://i.imgur.com/zB1pDGi.jpg

It looks like the 4590F811, 1D3A, and 11D0 is big endian. But then 891F
and 00AA004B2E24 are little endian.

How is something like that possible in a single struct??

Brian


On Tue, Feb 19, 2013 at 7:56 PM, Brian Seel <brian.seel () gmail com>
wrote:

I tweeted this question to David Maloney, and then remembered about
this list...

I am trying to write something that will do WMI queries through Railgun
(similar to what Carlos Perez wrote... but with the Windows API). However,
I am running into issues when I have to use a custom structures

Basically, I have created a definitions file for ole32.dll in Railgun
and then call the following:

CoInitializeEx(0, COINIT_MULTITHREADED);

CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT,
RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);

CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER,
IID_IWbemLocator, (LPVOID *) &pLoc);

The last line has two non standard datatypes, and I am not sure how to
handle those. I wrote this all as an extension in C++, and
CLSID_WbemLocator and IID_IWbemLocator were defined in a header file.

TL;DR: How do I pass nonstandard data types from the windows API to a
function with Railgun?

MSDN reference:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa389762(v=vs.85).aspx


Thanks

Brian



_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault