Railgun API Extension

Quoting from the Railgun presentation at DEF CON 20: Railgun is an extension to the Meterpreter stdapi that allows arbitrary loading of DLLs. Since the Windows API DLLs are always at known paths, we can always load them.

The ultimate benefit of using Railgun is the ability to dynamically access the entire Windows API on the system. By calling APIs from the user's process, we can impersonate the user, and anything becomes possible.

Railgun is used as a post-exploitation API, so knowing it well opens up a lot of new possibilities in the post-exploitation phase.

Path

  • metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/railgun
  • All defined DLLs are located in metasploit-framework/tree/master/lib/rex/post/meterpreter/extensions/stdapi/railgun/def

As an extension, we'll test it the same way we tested the previous extensions, by dropping from the Meterpreter console into the irb console. As before, we'll have an instantiated object called client or session.

  • To list all loaded DLLs

    >> client.railgun.known_dll_names
    => ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi", "wldap32", "version", "psapi"]

  • To list all available functions and their parameters for a specific DLL (say user32)

    >> client.railgun.user32.functions.each_pair {|n, v| puts "Function name: #{n}, Params: #{v.params}"}

Now, let’s start using it,

  • Popping up a message box

    >> client.railgun.user32.MessageBoxA(0, "Ruby goes evil!", "Rubyfu!", "MB_OK")

Results

Railgun API Extension - Figure 1

  • Locking the Windows screen

    >> client.railgun.user32.LockWorkStation()
    => {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>true}
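The Hash printed after LockWorkStation() is what every Railgun call hands back, and a script should inspect it rather than assume the call worked. The helper below is an added example, not code from Rubyfu or from the Metasploit source; the sample result Hashes are constructed, not captured from a live session.

```ruby
# Added example (not from Rubyfu or the Metasploit source). Every Railgun call
# returns a Hash like the one printed after LockWorkStation() above:
#   "return"        the Windows API return value
#   "GetLastError"  the thread's last-error code, read right after the call
#   "ErrorMessage"  that code rendered as text
# plus one key per 'out'/'inout' parameter of the function.

ERROR_SUCCESS = 0 # Win32 ERROR_SUCCESS

# Returns the API's "return" value on success and raises on failure.
# failure_value is what the called function returns when it fails (false for
# BOOL functions such as LockWorkStation, 0 for MessageBoxA and for handles).
# "return" is tested first, because Win32 functions only promise to set the
# last-error code when they fail; a successful call may leave a stale code
# behind, and Railgun reports that stale code under "GetLastError" too.
def railgun_check(result, failure_value: false)
  ret = result.fetch("return")
  return ret unless ret == failure_value
  code = result.fetch("GetLastError")
  raise "Win32 call failed: #{result['ErrorMessage']} (GetLastError=#{code})"
end

# Same decision as a plain true/false, for scripts that prefer not to rescue.
def railgun_ok?(result, failure_value: false)
  railgun_check(result, failure_value: failure_value)
  true
rescue RuntimeError
  false
end

# Constructed sample results (shape taken from the LockWorkStation() output).
LOCK_OK     = { "GetLastError" => 0, "ErrorMessage" => "The operation completed successfully.", "return" => true }
LOCK_FAILED = { "GetLastError" => 5, "ErrorMessage" => "Access is denied.", "return" => false }
MSGBOX_OK   = { "GetLastError" => 0, "ErrorMessage" => "The operation completed successfully.", "return" => 1 } # IDOK

if __FILE__ == $0
  puts railgun_check(LOCK_OK)                      # true
  puts railgun_check(MSGBOX_OK, failure_value: 0)  # 1
  puts railgun_ok?(LOCK_FAILED)                    # false
end
```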