The Python Meterpreter has received quite a few improvements this year. In order to generate consistent results, we now use the same technique to determine the Windows version in both the Windows and Python instances of Meterpreter. Additionally, the native system language is now populated in the output of the sysinfo command. This makes it easier to identify and work with international systems.

The largest change to the Python Meterpreter is the addition of Railgun functionality. Railgun - in the context of the Metasploit Framework - refers to a set of features available in the standard API (stdapi) extension of Meterpreter. The intention of the feature set is to allow the Metasploit side to call functions in native libraries on the compromised host. This has some very practical applications when it comes to post exploitation, but is also used in some older local exploit modules. The functionality has been around since 2010, but until recently was only supported by the native Windows Meterpreter.

Recent additions to Metasploit are expanding the scope of this functionality to support non-Windows platforms. Specifically, the Python Meterpreter has received support for these Railgun API functions when on the Windows and Linux platforms. Bringing this functionality to the Linux platform will increase what Metasploit users can do with their sessions.

To demonstrate the functionality, one of the newest Linux post-exploit modules uses Railgun to call functions in as the current user. This is then used to enumerate and extract all plaintext passwords that it holds for the user - all without having to write any files to disk.

Without Railgun, a common practice to call a native library code would be to upload a precompiled binary to perform the necessary tasks, or upload the source to compile one. Most penetration testers want to avoid writing things to disk for obvious reasons. With expanded Railgun support, uploading files such as these isn't necessary.

For more technical details on how the new Python Meterpreter Railgun implementation works, check out this War Room blog post.