Metasploit: The Penetration Tester’s Guide has this to say about Railgun:
You can interface with the Windows native API directly through a Metasploit add-on called Railgun.
[....]
Railgun gives you the same capabilities as a native Win32 application with full access to the Windows API.
Here’s Wiki on Native API:
The Native API (with capitalized N) is the mostly undocumented application programming interface (API) used internally by the Windows NT family of operating systems produced by Microsoft.[1] It is predominantly used during system boot, when other components of Windows are unavailable, and by routines such as those in kernel32.dll that implement the Windows API. The program entry point is called DriverEntry(), the same as for a Windows device driver. However, the application runs in ring 3 the same as a regular Windows application. Most of the Native API calls are implemented in ntoskrnl.exe and are exposed to user mode by ntdll.dll. Some Native API calls are implemented in user mode directly within ntdll.dll.
While most of Microsoft Windows is implemented using the documented and well-defined Windows API, a few components, such as the Client/Server Runtime Subsystem, are implemented using the Native API, as they can be started earlier in the Windows NT Startup Process when the Windows API is not yet available.
Some malware make use of the Native API to hide their presence from malware detection software.
Railgun operates through an Interactive Ruby Shell (irb) within Meterpreter, which is cool as I'm learning Ruby. I followed the instructions given in the above book to create a pop-up on an exploited Windows machine by calling the MessageBoxA function from user32.dll.
Details of the exploited machine are:
Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.
And in the terminal:
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.user32.MessageBoxA(0,"hello","world","MB_OK")
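To make the Railgun call above less of a black box, here is an added example (my own code, not from the book, the blog post or the Metasploit project) showing what the four arguments of client.railgun.user32.MessageBoxA(0,"hello","world","MB_OK") become at the Win32 level. Railgun executes the call inside the Meterpreter process on the target; this script declares the same C prototype locally with Ruby's standard-library Fiddle binding, resolves the symbolic MB_* flag string Railgun accepts into the numeric uType argument, and decodes the integer the function returns. The helper names (resolve_flags, decode_result, message_box_a) are my own; the flag and result values are the documented winuser.h constants.

```ruby
# Added example: the Win32 prototype behind a Railgun MessageBoxA call.
#   int MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);
# Railgun lets you pass uType as a string of flag names ("MB_OK"); the DLL
# only ever sees the OR-ed numeric value, which is what resolve_flags builds.
FIDDLE_AVAILABLE = begin
  require 'fiddle' # stdlib FFI; only exercised by the Windows-only call below
  true
rescue LoadError
  false
end

# MessageBox style flags (values from winuser.h).
MB_FLAGS = {
  'MB_OK'              => 0x00000000,
  'MB_OKCANCEL'        => 0x00000001,
  'MB_YESNO'           => 0x00000004,
  'MB_ICONERROR'       => 0x00000010,
  'MB_ICONWARNING'     => 0x00000030,
  'MB_ICONINFORMATION' => 0x00000040,
}.freeze

# MessageBoxA return values: which button the user pressed (0 means the call failed).
MB_RESULTS = { 0 => 'FAIL', 1 => 'IDOK', 2 => 'IDCANCEL', 6 => 'IDYES', 7 => 'IDNO' }.freeze

# Turn "MB_YESNO | MB_ICONWARNING" into the UINT that MessageBoxA receives.
def resolve_flags(spec)
  spec.split('|').map(&:strip).reject(&:empty?).reduce(0) do |acc, name|
    value = MB_FLAGS.fetch(name) { raise ArgumentError, "unknown MessageBox flag #{name}" }
    acc | value
  end
end

# Map the int return code back to its symbolic name.
def decode_result(code)
  MB_RESULTS.fetch(code) { "unknown(#{code})" }
end

# Perform the actual call. hWnd is passed as NULL (the 0 in the Railgun call),
# meaning the box has no owner window. Only runnable on Windows, where
# user32.dll exists; elsewhere it raises instead of pretending.
def message_box_a(text, caption, flags = 'MB_OK')
  unless FIDDLE_AVAILABLE && RUBY_PLATFORM =~ /mingw|mswin|cygwin/
    raise 'MessageBoxA can only be called on a Windows host with Fiddle available'
  end
  user32 = Fiddle.dlopen('user32.dll')
  fn = Fiddle::Function.new(
    user32['MessageBoxA'],
    [Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP, Fiddle::TYPE_INT],
    Fiddle::TYPE_INT
  )
  decode_result(fn.call(nil, text, caption, resolve_flags(flags)))
end

if __FILE__ == $PROGRAM_NAME
  puts "uType for 'MB_YESNO | MB_ICONWARNING' = 0x#{resolve_flags('MB_YESNO | MB_ICONWARNING').to_s(16)}"
  puts message_box_a('hello', 'world', 'MB_OK') if RUBY_PLATFORM =~ /mingw|mswin|cygwin/
end
```

The point of seeing the prototype is that every Railgun call is just an in-process Win32 call with arguments marshalled for you: the first argument is a raw HWND, the two strings are ANSI (the A suffix), and the return value is an int rather than the Ruby hash Railgun wraps it in. On the defensive side that also explains why a Railgun pop-up looks, to the target, exactly like the compromised process itself calling MessageBoxA.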
I took a screenshot from Meterpreter:
And you can see the pop-up box on the exploited machine. The above book describes the power and implications of Railgun as huge, but then covers no further details and suggests reading the Framework tutorial. I think this is something I will have to return to once I've learned the basics of Metasploit.
In the meantime, this video was informative: