Railgun

- Railgun is an extension to Meterpreter.
- It allows arbitrary loading of DLLs: as long as you know the path of the DLL, you can access its functions.
- Since the Windows API DLLs are always at known paths, we can always load them.
- This gives dynamic access to the entirety of the Windows API on the system.
- By calling APIs from user processes, we can impersonate users.
- Anything becomes possible.

History

June 2010 - Railgun submitted to Metasploit by Patrick HVE
Sept 2010 - 64-bit support added by Stephen Fewer
Feb 2011 - Chao-mu takes over Railgun support, resumes new feature work
Fall 2011 - Chao-mu disappears
Aug 2012 - YOU start contributing to Railgun
Dec 2012 - Mayans predict Railgun-related Apocalypse?

A look at Railgun definitions

    # Each DLL definition builds a DLL object and registers the functions
    # Railgun may call, giving the return type and each parameter's
    # type, name and direction ('in', 'out' or 'inout').
    def self.create_dll(dll_path = 'advapi32')
      dll = DLL.new(dll_path, ApiConstants.manager)

      dll.add_function('CredEnumerateA', 'BOOL', [
        ['PCHAR', 'Filter', 'in'],
        ['DWORD', 'Flags', 'in'],
        ['PDWORD', 'Count', 'out'],
        ['PBLOB', 'Credentials', 'out']])

      return dll
    end

If it quacks like a duck...

DWORD
- Pass as a Fixnum or Bignum.
- The string representation of a constant can also be passed in.

PDWORD (pointer to a DWORD)
- Pass a Fixnum: the content of the DWORD, not the pointer.
- If it is an OUT-only parameter, pass a 4 (the size of a DWORD).
- Pass nil for a NULL pointer.

Strings (PCHAR / PWCHAR)
- Pass as Ruby strings. They will be converted seamlessly.
- If OUT-only, pass a Fixnum giving the size of the buffer (including the null byte).

Definition:

    dll.add_function('CryptAcquireContextW', 'BOOL', [
      ['PDWORD', 'phProv', 'out'],
      ['PWCHAR', 'pszContainer', 'in'],
      ['PWCHAR', 'pszProvider', 'in'],
      ['DWORD', 'dwProvType', 'in'],
      ['DWORD', 'dwFlags', 'in']])

Usage (from the SmartFTP password recovery module):

    ms_enhanced_prov = "Microsoft Enhanced Cryptographic Provider v1.0"
    prov_rsa_full = 1
    crypt_verify_context = 0xF0000000
    alg_md5 = 32771
    alg_rc4 = 26625
    advapi32 = client.railgun.advapi32
    # phProv is OUT-only, so the first argument is 4, the size of a DWORD
    acquirecontext = advapi32.CryptAcquireContextW(4, nil, ms_enhanced_prov,
                                                   prov_rsa_full, crypt_verify_context)

BOOL
- Pass in Ruby true/false values, exactly as expected.

Definition:

    dll.add_function('IsDebuggerPresent', 'BOOL', [])

Usage:

    >> client.railgun.kernel32.IsDebuggerPresent()
    => {"GetLastError"=>0, "return"=>false}

Smaller integer types
- Handled the same as DWORDs, but Fixnums passed in will be truncated to the appropriate length.

PBLOB
- Anything that's not a string or a DWORD.
- Treated as a Ruby string.
- Railgun will not help you parse structures.

Definition:

    dll.add_function('WlanGetProfile', 'DWORD', [
      ['DWORD', 'hClientHandle', 'in'],
      ['PBLOB', 'pInterfaceGuid', 'in'],
      ['PBLOB', 'strProfileName', 'in'],
      ['LPVOID', 'pReserved', 'in'],
      ['PDWORD', 'pstrProfileXML', 'out'],
      ['PDWORD', 'pdwFlags', 'inout'],
      ['PDWORD', 'pdwGrantedAccess', 'out']])

Usage (from the wlan_profile post module):

    # read the profile name out of the remote process as a raw blob
    profile['name'] = @host_process.memory.read(ppointer, 512)
    ppointer = (ppointer + 516)
    # the three trailing 4s are the OUT / INOUT PDWORD parameters
    rprofile = @wlanapi.WlanGetProfile(wlan_handle, guid, profile['name'], nil, 4, 4, 4)

Pointers and handles
- Pointers and handles of any kind are really just numbers, so treat them as DWORDs.

Summary
- If it can be treated as a number, it's a DWORD.
- Otherwise it's a PBLOB.
- If neither works, add support for it yourself =)
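As an added example (not code from these slides or from Metasploit's own Railgun), the following Ruby checker applies the marshalling rules above to a Railgun-style parameter list, so a definition and its arguments can be validated offline before any session is involved. The CONSTANTS table, the WIDTH table and the smartftp_args helper are constructed for this example.

```ruby
# Added example, not Railgun's own code: applies this page's marshalling rules to a
# Railgun-style parameter list. CONSTANTS and WIDTH are a constructed subset.
module RailgunArgCheck
  CONSTANTS = { 'PROV_RSA_FULL' => 1, 'CRYPT_VERIFYCONTEXT' => 0xF0000000 }
  WIDTH = { 'BYTE' => 8, 'WORD' => 16, 'DWORD' => 32, 'HANDLE' => 32, 'LPVOID' => 32 }
  # params: [[type, name, direction], ...] as given to dll.add_function; args: Ruby values.
  # Returns the marshalled form of every argument or raises ArgumentError.
  def self.marshal_all(params, args)
    raise ArgumentError, "want #{params.size} args, got #{args.size}" if params.size != args.size
    params.zip(args).map { |(type, name, dir), val| marshal(type, name, dir, val) }
  end

  def self.marshal(type, name, dir, val)
    case type
    when 'BOOL'   # Ruby true/false only, sent as 1/0
      raise ArgumentError, "#{name}: BOOL wants true or false" unless [true, false].include?(val)
      val ? 1 : 0
    when *WIDTH.keys   # plain numbers, pointers and handles alike
      val = 0 if val.nil?   # nil is a NULL pointer
      val = CONSTANTS.fetch(val) { raise ArgumentError, "#{name}: unknown constant #{val}" } if val.is_a?(String)
      raise ArgumentError, "#{name}: #{type} wants an Integer" unless val.is_a?(Integer)
      val & ((1 << WIDTH[type]) - 1)   # narrower types are truncated
    when 'PDWORD'
      return nil if val.nil?
      raise ArgumentError, "#{name}: OUT-only PDWORD wants 4 (sizeof DWORD)" if dir == 'out' && val != 4
      raise ArgumentError, "#{name}: PDWORD wants an Integer" unless val.is_a?(Integer)
      dir == 'out' ? "\0" * 4 : [val].pack('V')   # out: 4-byte buffer; in/inout: the DWORD's content
    when 'PCHAR', 'PWCHAR'
      return nil if val.nil?
      return "\0" * val if dir == 'out' && val.is_a?(Integer)   # OUT-only: buffer of the given size
      raise ArgumentError, "#{name}: #{type} wants a String" unless val.is_a?(String)
      type == 'PWCHAR' ? (val + "\0").encode('UTF-16LE').b : (val + "\0").b
    when 'PBLOB'   # raw bytes; Railgun does not parse the structure for you
      val.nil? ? nil : val.to_s.b
    else
      raise ArgumentError, "#{name}: no rule for #{type}, add support for it yourself"
    end
  end
end

# The CryptAcquireContextW definition from the slides, used to check the SmartFTP call offline.
CRYPT_ACQUIRE_CONTEXT_W = [
  ['PDWORD', 'phProv', 'out'], ['PWCHAR', 'pszContainer', 'in'],
  ['PWCHAR', 'pszProvider', 'in'], ['DWORD', 'dwProvType', 'in'], ['DWORD', 'dwFlags', 'in']]

def smartftp_args
  RailgunArgCheck.marshal_all(CRYPT_ACQUIRE_CONTEXT_W,
    [4, nil, 'Microsoft Enhanced Cryptographic Provider v1.0', 'PROV_RSA_FULL', 0xF0000000])
end
```

Passing 0 instead of 4 for the OUT-only phProv, or a bare Integer for a string parameter, is rejected before anything reaches the target.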