If you are into pentesting I am sure you might have heard about the IRB shell in the Metasploit framework. This will be a small post about accessing Windows API using Railgun. Using Railgun we can access different functions in DLLs during runtime in memory. We could also write our own DLLs and call them directly using Railgun. This technique is used in the Meterpreter scripts and post exploitation modules to access the API to perform automated tasks.
For demonstration I will be using a Windows 7 machine as the target and Kali as the attacker machine.
After owning the box in the meterpreter session type “irb” and from there we can start the interactive ruby shell. The “client” will be our meterpreter client. We can access common API calls like this. Suppose I want to get the system information.
Get the user ID
This is a small post regarding egg hunting on x86 Linux systems. I’d highly recommend you to read skape’s paper “Safely Searching Process Virtual Address Space” . He has described his techniques for Linux and Windows systems. I will be using one of his implementations. I will use the access system call which is 33 for IA-32.
#define __NR_access 33
The access system call can be used the check whether the calling process can access the file.
#include <unistd.h> int access(const char *pathname, int mode);
This is the x86 assembly implementation of the hunger code. It will search the virtual address space for our tag “AAAA” and begin execution of our shellcode. I am not going to explain this implementation. You can refer to skape’s document in higher detail.
This is a bug I found in flickr.
The owner had disabled the download option to users.
There is a login page and our goal is to extract all the usernames and passwords from the database.
If you try injecting the login form, none of the injections would work. But there was this text called “No account?” when you click it you get this message.
After logging with demo:demo we are taken to “proxypanel.jsp” which displays source, target and date.