# How to use Railgun for Windows post exploitation

For the purpose of this post, we will assume you have successfully launched a Meterpreter trojan on a test VM, or exploited a vulnerable VM, and have a Meterpreter session on a Windows (XP/7/10 <1703) target.

Note: We state Windows 10 before version 1703, as 1703 introduced a number of security improvements that detect Railgun. Windows Management Framework ("PowerShell") 5.1 provides:

[image not preserved on this page]

Railgun is a very powerful post exploitation feature exclusive to Windows Meterpreter. It allows you to have complete control of your target machine's Windows API, or you can use whatever DLL you find and do even more creative stuff with it. It can even be used to bypass Anti-Virus by calling functions directly from DLLs. If you're a penetration tester, obviously post exploitation is an important skill to have, but if you don't know Railgun,

The Windows API is quite large, with a number of documented and undocumented calls, so by default Railgun only comes with a handful of pre-defined DLLs and functions that are commonly used for building a Windows program. These built-in DLLs are: kernel32, ntdll, user32, ws2_32, iphlpapi, advapi32, shell32, netapi32, crypt32, wlanapi, wldap32, version. The same list of built-in DLLs can also be retrieved by using the known_dll_names method.

All DLL definitions are found in the "def" directory, where they are defined as classes. The following template should demonstrate how a DLL is actually defined:

```ruby
def self.create_dll(dll_path = 'somedll')
  dll = DLL.new(dll_path, ApiConstants.manager)

  # 1st argument = Function name
  # 2nd argument = Return value's data type
  # 3rd argument = Array of parameters, each given as [data type, name, direction]
  dll.add_function('SomeFunction', 'DWORD', [
    ['DWORD', 'dwParam', 'in'] # placeholder parameter; the original listing is cut off here
  ])

  return dll
end
```

In function definitions, Railgun supports these datatypes: VOID, BOOL, DWORD, WORD, BYTE, LPVOID, HANDLE, PDWORD, PWCHAR, PCHAR, PBLOB.

There are four parameter/buffer directions: in, out, inout, and return. When you pass a value to an "in" parameter, for example MessageBoxA's "in" parameter named lpText, which is of type PCHAR, you can simply pass a Ruby string to it, and Railgun handles the rest; it's all pretty straightforward.

An "out" parameter will always be of a pointer datatype. Basically you tell Railgun how many bytes to allocate for the parameter; it allocates memory, provides a pointer to it when calling the function, then reads the region of memory that the function wrote, converts that to a Ruby object and adds it to the return hash.

An "inout" parameter serves as an input to the called function, but can potentially be modified by it. You can inspect the return hash for the modified value, like an "out" parameter.

A quick way to define a new function at runtime can be done like the following example:

```ruby
# The 'client' variable holds the meterpreter client
# (the remaining lines of this example were not preserved on this page)
```

Note that when you're running a post module or in irb, you always have a client or session object to work with; both point to the same thing, which in this case is Msf::Sessions::Meterpreter_x86_Win. This Meterpreter session object gives you API access to the target machine, including the Railgun object Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::Railgun.

If you run the above in irb, you will see that it returns information about all the DLLs, functions, constants, etc., except it's a little unfriendly to read because there's so much data. Fortunately, there are some handy tricks to help us figure things out. For example, like we mentioned before, if you're not sure what DLLs are loaded, you can call the known_dll_names method:

[output not preserved on this page]

As you can see, the new allocation is at address 5898240 (or 0x005A0000 in hex).