List:       metasploit-framework
Subject:    [framework] Wmic through the windows api
From:       Brian Seel <brian.seel () gmail ! com>
Date:       2013-03-21 13:38:19
Message-ID: CADch=7=5s8vm21pBU6P1=FNpY2K1jsk-SXTDMp9KQchaVPNgBQ () mail ! gmail ! com

I finally was able to finish my extension that will allow anyone to do with
calls from the windows api. There are a few finishing touches I need to do
before I release it, but I am wondering what the best way to integrate this
is. Obviously the Railgun route would have been better, but I couldn't get
that to work.

From what I see from the way other extensions are done, it looks like I
should make a Ruby wrapper to allow this to be called elsewhere in
Meterpreter. And then I just put the DLL with all of the other extensions.

Basically, my question is what considerations should I make before
submitting a new extension. I understand that writing extensions is not the
normal way of adding functionality.

> On Tue, Mar 3, 2013 at 3:56 PM, Brian Seel <brian.seel@gmail.com> wrote:
> Ok... I dug into this a bit more. But I am having some confusion (with
> little and big endian for some reason).
>
> I am trying to implement this line in Railgun:
> CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER,
> IID_IWbemLocator, (LPVOID *) &pLoc);
>
> I know that CLSID_WbemLocator has to
> be 4590F811-1D3A-11D0-891F-00AA004B2E24 and IID_IWbemLocator has to
> be dc12a687-737f-11cf-884d-00aa004b2e24. I have figured out that I need to
> allocate memory, and write the GUID structure directly.
>
> However, I used Immunity Debugger to see what it should look like on the
> stack, and saw the following:
>
> http://i.imgur.com/zB1pDGi.jpg
>
> It looks like the 4590F811, 1D3A, and 11D0 are big endian. But then 891F
> and 00AA004B2E24 are little endian.
>
> How is something like that possible in a single struct??
>
> Brian
>
>
> On Tue, Feb 19, 2013 at 7:56 PM, Brian Seel <brian.seel@gmail.com> wrote:
>>
>> I tweeted this question to David Maloney, and then remembered about this
>> list...
>>
>> I am trying to write something that will do WMI queries through Railgun
>> (similar to what Carlos Perez wrote... but with the Windows API). However,
>> I am running into issues when I have to use custom structures.
>>
>> Basically, I have created a definitions file for ole32.dll in Railgun
>> and then call the following:
>>
>> CoInitializeEx(0, COINIT_MULTITHREADED);
>>
>> CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT,
>> RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
>>
>> CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER,
>> IID_IWbemLocator, (LPVOID *) &pLoc);
>>
>> The last line has two non-standard datatypes, and I am not sure how to
>> handle those. I wrote this all as an extension in C++, and
>> CLSID_WbemLocator and IID_IWbemLocator were defined in a header file.
>>
>> TL;DR: How do I pass non-standard data types from the Windows API to a
>> function with Railgun?
>>
>> MSDN reference:
>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa389762(v=vs.85).aspx
>>
>>
>> Thanks
>>
>> Brian
>
>
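The struct layout behind the mixed-endian puzzle in the quoted messages, as an added example that is not part of the original thread: a Win32 GUID is three little-endian integers (Data1, Data2, Data3) followed by an 8-byte array (Data4), so the first three groups of the string appear byte-swapped in memory while the last two groups appear in string order, and a debugger that dumps memory as 32-bit words then shows the first group "intact" and Data4 reversed. The Ruby below packs the two GUIDs from the thread into that layout (the 16 bytes one would write into memory allocated for the CoCreateInstance arguments) and renders them the way a 32-bit word dump does; the helper names are my own, not Railgun's.

```ruby
# Added example: in-memory layout of the Win32 GUID struct.
#
# typedef struct _GUID {
#   unsigned long  Data1;     // 32-bit integer, little-endian on x86
#   unsigned short Data2;     // 16-bit integer, little-endian
#   unsigned short Data3;     // 16-bit integer, little-endian
#   unsigned char  Data4[8];  // plain byte array, kept in string order
# } GUID;

GUID_RE = /\A\{?([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\}?\z/i

# Convert the canonical string form into the 16 bytes the struct occupies.
def guid_to_bytes(guid)
  m = GUID_RE.match(guid.strip)
  raise ArgumentError, "not a GUID: #{guid.inspect}" unless m
  d1, d2, d3, d4a, d4b = m.captures
  # V = 32-bit little-endian, v = 16-bit little-endian, H* = hex digits as-is
  [d1.hex, d2.hex, d3.hex].pack('Vvv') + [d4a + d4b].pack('H*')
end

# Reverse direction: read 16 bytes of memory back into the string form.
def bytes_to_guid(bytes)
  raise ArgumentError, 'a GUID is 16 bytes' unless bytes.bytesize == 16
  d1, d2, d3, d4 = bytes.unpack('VvvH16')
  format('%08X-%04X-%04X-%s-%s', d1, d2, d3, d4[0, 4], d4[4, 12]).upcase
end

# Render the struct as a 32-bit debugger dump does: four little-endian words
# read from memory, each printed most-significant byte first.
def debugger_view(bytes)
  bytes.unpack('V4').map { |w| format('%08X', w) }
end

# The two GUIDs named in the thread.
CLSID_WbemLocator = '4590F811-1D3A-11D0-891F-00AA004B2E24'
IID_IWbemLocator  = 'dc12a687-737f-11cf-884d-00aa004b2e24'

if __FILE__ == $PROGRAM_NAME
  raw = guid_to_bytes(CLSID_WbemLocator)
  puts "raw bytes : #{raw.unpack1('H*')}"        # 11f890453a1dd011891f00aa004b2e24
  puts "dword view: #{debugger_view(raw).join(' ')}"  # 4590F811 11D01D3A AA001F89 242E4B00
  puts "round trip: #{bytes_to_guid(raw)}"
end
```

The raw bytes show Data1 through Data3 reversed and Data4 in string order; the dword view shows the opposite, which is exactly the picture a memory dump gives.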



