Thursday, July 14, 2011

Release notes for revision 13181.

"Committed revision 13181...."

Improvements to testing
  • Railgun::UnitTest now has tests for .const, .method_missing, .get_dll, in addition to the new known_dll_names
  • ApiConstants::UnitTest now has a test for the new get_manager function
  • DLLHelper::UnitTest is now ruby 1.8.6 compatible
  • DLL::UnitTest became cleaner after adjusting for the changes to DLL
  • DLLWrapper::UnitTest was added to test the newly added class DLLWrapper.
  • railgun.rb.ts.rb contains tests that should have been added earlier but weren't
Performance Tweaks
  • DLLs with definition classes (railgun/def/Def_*) are loaded once and shared across instances (railgun.add_function makes a local copy so you can still thread-safely make changes to just that instance)
  • No calculations are performed when the railgun instance initializes. All loading is done lazily.
Changes that affect you
  • Support for dlls with a corresponding Def_ class is added by adding the DLL's name to BUILTIN_DLLS instead of editing code in get_dll
  • Def classes load DLLs by creating them explicitly and then adding functions directly, instead of going through the railgun instance like before.
  • Def classes now have the ability to control what WinConstManager a given DLL will contain. Will be important later.
  • Documentation scattered throughout railgun.rb
  • Styling in railgun.rb was redone to match my target style for railgun
  • Removed some code silliness from various places
  • ApiConstants now has a class-scoped WinConstManager that is accessible through ApiConstants.get_manager and is lazily loaded.
  • Added method to display the names of dlls available to be loaded. (This was needed in areas that wanted to show what was available, but instead only showed what had been loaded so far)
  • method_missing now returns a wrapper class that acts as an interface to the underlying Railgun::DLL instance. This helped remove Railgun::DLL's dependence on Client

New way to add DLLs to railgun

If you are reading this, I probably submitted to the Metasploit repository directly for the first time! That's right, I have commit rights now. My first round of changes closed bug #3073 "Railgun DLL cache/definition loader needs a rewrite." This led me to rewrite large chunks of code, including how DLLs are defined and handled behind the scenes. This tutorial is a complement to those changes.

And here we go.

If the DLL you want to access is shipped with Windows and its API remains somewhat consistent, then you should NEVER load the DLL/Functions on the fly. Instead, benefit everyone and expand Railgun itself by adding support at a framework-level. This practice leads to better performance (the DLLs/Functions will be cached), cleaner code (the definitions will have their own place), and greater accessibility (the DLLs will be accessible wherever you can type client.railgun). In this blog post, I will show you how.

In our example we will be adding support for the DLL ws2_32.

1. Create a file to contain your definition class

DLL definition classes can be found in lib/rex/post/meterpreter/extensions/stdapi/railgun/def. The file name should be "def_" followed by your DLL's name. In our example, our file would be lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb

2. Declare the definition class

The class name should start with Def_ followed by your DLL name (case sensitive, underscores). In our case we would end up with the following code:
module Rex
module Post
module Meterpreter
module Extensions
module Stdapi
module Railgun
module Def
class Def_ws2_32
end
end; end; end; end; end; end; end
3. Add the create_dll method

The create_dll class method is responsible for returning a fully functional DLL. Within it, we will have the opportunity to specify the DLL's path, what constants should be defined, and what functions will be available.

3.1 Declare the method
def self.create_dll(dll_path = 'ws2_32')
3.2 Instantiate the DLL
dll = DLL.new(dll_path, ApiConstants.manager)
3.3 Add some functions
dll.add_function('WSACleanup', 'DWORD',[])
3.5 Love it!
def self.create_dll(dll_path = 'ws2_32')
dll = DLL.new(dll_path, ApiConstants.manager)
dll.add_function('WSACleanup', 'DWORD',[])
return dll
end
4. Make the DLL available

Making the DLL available to be used (client.railgun.my_dll_name) is straightforward. Open railgun.rb and add the name of your dll to BUILTIN_DLLS. Be sure to read the comment.

5. Enjoy!

Yep, that was it.
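As an added, self-contained Ruby illustration of the five steps above and of the caching behaviour listed in the release notes (this is example code written for this page, not Metasploit's own; the DLL, WinConstManager, ApiConstants, DLLWrapper and Railgun classes are minimal stand-ins, and INVALID_SOCKET, WSAGetLastError and WSAStartup are constructed sample entries), here is a model of how a Def_ class, BUILTIN_DLLS and the lazy, shared, copy-on-write loading fit together:

```ruby
# Added example (not Metasploit's code): a self-contained model of the
# Railgun DLL-definition pattern the post describes. DLL, WinConstManager,
# ApiConstants, DLLWrapper and Railgun are minimal stand-ins written here.

# Stand-in for Railgun's WinConstManager: a name -> value table.
class WinConstManager
  def initialize; @consts = {}; end
  def add_const(name, value); @consts[name] = value; end
  def parse(name); @consts.fetch(name); end
end

# Stand-in for Railgun::DLL: the DLL path plus its function table.
class DLL
  attr_reader :dll_path, :functions, :consts_mgr

  def initialize(dll_path, consts_mgr)
    @dll_path = dll_path
    @consts_mgr = consts_mgr
    @functions = {}
  end

  def add_function(name, return_type, params)
    @functions[name] = { return_type: return_type, params: params }
  end

  # dup shares the constant manager but gets its own function table, so a
  # per-instance add_function never touches the shared definition.
  def initialize_copy(other)
    super
    @functions = other.functions.dup
  end
end

# Class-scoped, lazily built constant manager (ApiConstants.get_manager in the notes).
module ApiConstants
  def self.manager
    @manager ||= WinConstManager.new.tap do |m|
      m.add_const('INVALID_SOCKET', 0xFFFFFFFF) # constructed sample constant
    end
  end
end

# Steps 2 and 3 of the tutorial: Def_<dllname> with a create_dll class method.
class Def_ws2_32
  def self.create_dll(dll_path = 'ws2_32')
    dll = DLL.new(dll_path, ApiConstants.manager)
    dll.add_function('WSACleanup', 'DWORD', [])
    dll.add_function('WSAGetLastError', 'DWORD', []) # extra sample function
    return dll
  end
end

# Interface object handed back by method_missing instead of the DLL itself.
class DLLWrapper
  def initialize(dll); @dll = dll; end
  def functions; @dll.functions.keys; end
  def dll_path; @dll.dll_path; end
end

class Railgun
  BUILTIN_DLLS = [:ws2_32].freeze # step 4: register the DLL name here
  @@cached_dlls = {}              # one definition shared by all instances
  @@cache_lock = Mutex.new

  def initialize
    @dlls = {} # nothing loaded at construction; everything is lazy
  end

  # Names that can be loaded, not just those loaded so far.
  def known_dll_names
    BUILTIN_DLLS.map(&:to_s)
  end

  def get_dll(name)
    name = name.to_sym
    return @dlls[name] if @dlls.key?(name)
    return nil unless BUILTIN_DLLS.include?(name)
    shared = @@cache_lock.synchronize do
      @@cached_dlls[name] ||= Object.const_get("Def_#{name}").create_dll
    end
    @dlls[name] = shared
  end

  # Copy-on-write: detach this instance's copy before changing it.
  def add_function(dll_name, name, return_type, params)
    key = dll_name.to_sym
    dll = get_dll(key)
    if dll.equal?(@@cached_dlls[key])
      dll = dll.dup
      @dlls[key] = dll
    end
    dll.add_function(name, return_type, params)
  end

  def method_missing(name, *args)
    dll = get_dll(name)
    dll.nil? ? super : DLLWrapper.new(dll)
  end
end
```

Two Railgun instances share the single ws2_32 definition built by Def_ws2_32.create_dll, and railgun.add_function duplicates the DLL for the calling instance before changing it, which is the thread-safety property the release notes describe; method_missing hands back a DLLWrapper so callers never hold the cached object directly.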

Monday, July 11, 2011

Urban Dictionary Wordlist

EDIT: Unfortunately my VPS went down and took with it the list. If you have a backup PLEASE let me know.

Hello all!

I have built a wordlist that includes all terms defined on Urban Dictionary. I have already tweeted a link to it and almost 1500 have downloaded so far, with the rate of downloads increasing exponentially. I am now posting about it on my blog so that I can both bring it to a wider audience and get feedback from those downloading it.

Was it useful? What did you use it for? Discover anything interesting? Run some kind of statistical analyses? If used for cracking, what word mangling rules did you find useful with it? Etc? If I get enough interesting comments, I will hurry up and post some of my other lists/scripts/rules as I develop them.

Find it here: 

I dedicate this wordlist to the great folks at SkullSpace and to iagox86 who is kind enough to share even cooler wordlists with us.

NOTE: There may be a slight flaw in the word list. Due to a bug, perhaps two or three of the lines are garbage, consisting of half of the next line. To be honest though, this is trivial considering how big the collection is. With the possibility of that tiny exception, it should be rock solid.

Happy hacking friends!
chao-mu@blog:~$ logout