Metasploit mailing list archives
Re: Wmic through the windows api
From: egypt () metasploit com
Date: Fri, 17 May 2013 16:27:27 -0500
Extensions should be submitted as a pull request in the meterpreter repo: https://github.com/rapid7/meterpreter

If you have already written the ruby side, that should be a pull request on the framework repo, with a link to the meterpreter pull request in the description.

Thanks!
egypt

On Thu, Mar 21, 2013 at 8:38 AM, Brian Seel <brian.seel () gmail com> wrote:
I finally was able to finish my extension that will allow anyone to do with calls from the Windows API. There are a few finishing touches I need to do before I release it, but I am wondering what the best way to integrate this is. Obviously the Railgun route would have been better, but I couldn't get that to work. From what I see from the way other extensions are done, it looks like I should make a ruby wrapper to allow this to be called elsewhere in meterpreter. And then I just put the dll with all of the other extensions.

Basically, my question is what considerations should I make before submitting a new extension. I understand that writing extensions is not the normal way of adding functionality.

On Tue, Mar 3, 2013 at 3:56 PM, Brian Seel <brian.seel () gmail com> wrote:

Ok... I dug into this a bit more. But I am having some confusion (with little and big endian for some reason). I am trying to implement this line in Railgun:

CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID *) &pLoc);

I know that CLSID_WbemLocator has to be 4590F811-1D3A-11D0-891F-00AA004B2E24 and IID_IWbemLocator has to be dc12a687-737f-11cf-884d-00aa004b2e24. I have figured out that I need to allocate memory, and write the GUID structure directly. However, I used Immunity Debugger to see what it should look like on the stack, and saw the following: http://i.imgur.com/zB1pDGi.jpg

It looks like the 4590F811, 1D3A, and 11D0 are big endian. But then 891F and 00AA004B2E24 are little endian. How is something like that possible in a single struct??

Brian

On Tue, Feb 19, 2013 at 7:56 PM, Brian Seel <brian.seel () gmail com> wrote:

I tweeted this question to David Maloney, and then remembered about this list... I am trying to write something that will do WMI queries through Railgun (similar to what Carlos Perez wrote... but with the Windows API). However, I am running into issues when I have to use custom structures. Basically, I have created a definitions file for ole32.dll in Railgun and then call the following:

CoInitializeEx(0, COINIT_MULTITHREADED);
CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID *) &pLoc);

The last line has two non standard datatypes, and I am not sure how to handle those. I wrote this all as an extension in C++, and CLSID_WbemLocator and IID_IWbemLocator were defined in a header file.

TL;DR: How do I pass nonstandard data types from the Windows API to a function with Railgun?

MSDN reference: http://msdn.microsoft.com/en-us/library/windows/desktop/aa389762(v=vs.85).aspx

Thanks
Brian

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
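The "mixed endianness" Brian saw in the debugger is the normal in-memory layout of a Windows GUID: the struct is { DWORD Data1; WORD Data2; WORD Data3; BYTE Data4[8]; }, so the first three fields are integers stored little-endian on x86 while Data4 is a plain byte array stored in textual order. The following Ruby is an added example, not code from the thread or from Metasploit; it packs a textual GUID into the 16 bytes you would write to memory before handing a pointer to CoCreateInstance, and unpacks them again.

```ruby
# Added example (not from the original thread): in-memory layout of a Windows
# GUID. The two GUIDs below are the ones quoted in the thread.
CLSID_WBEM_LOCATOR = '4590F811-1D3A-11D0-891F-00AA004B2E24'
IID_IWBEM_LOCATOR  = 'dc12a687-737f-11cf-884d-00aa004b2e24'

# Convert the textual GUID into the 16 bytes of struct GUID as stored on x86:
# Data1 (DWORD), Data2 (WORD), Data3 (WORD) little-endian, Data4 as raw bytes.
def guid_to_bytes(text)
  m = text.match(/\A\{?(\h{8})-(\h{4})-(\h{4})-(\h{4})-(\h{12})\}?\z/)
  raise ArgumentError, "not a GUID: #{text}" unless m
  data1, data2, data3, tail1, tail2 = m.captures
  # V = 32-bit little-endian, v = 16-bit little-endian, H* = hex digits as-is
  [data1.hex, data2.hex, data3.hex].pack('Vvv') + [tail1 + tail2].pack('H*')
end

# Reverse: parse 16 in-memory bytes back into canonical upper-case text.
def bytes_to_guid(bytes)
  raise ArgumentError, 'GUID must be 16 bytes' unless bytes.bytesize == 16
  data1, data2, data3 = bytes.unpack('Vvv')
  data4 = bytes.byteslice(8, 8).unpack1('H*').upcase
  format('%08X-%04X-%04X-%s-%s', data1, data2, data3, data4[0, 4], data4[4, 12])
end

# Hex dump in the order a debugger shows memory, for comparison with the text.
def hexdump(bytes)
  bytes.unpack1('H*').upcase.scan(/../).join(' ')
end

if __FILE__ == $PROGRAM_NAME
  puts hexdump(guid_to_bytes(CLSID_WBEM_LOCATOR))
  # => 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24
end
```

The dump shows Data1 through Data3 byte-reversed and Data4 in order, which is exactly the picture a debugger gives; the struct is consistent, it is only the field types that differ.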