Metasploit mailing list archives
Anti-Virus Issues
From: hdm at metasploit.com (H D Moore)
Date: Thu, 26 Jun 2008 16:39:49 -0500
On Thursday 26 June 2008, Stewart Fey wrote:
Does anyone have a suggestion for evading anti-virus on target machines? Specifically McAfee's ability to deny executables from running in SYSTEM ROOT or SYSTEM32 or temp directories. I am testing out SMB_Relay and all attempts to get a shell fail. When the exploit runs, the victim system throws an application error for all payloads I have tested. The exception was the add_user payload, which successfully added a user to the victim's box.
You could modify the smb_relay code to store the executable elsewhere, but it would depend on another writable share (C$,etc). The Admin$ share is always accessible at least. Maybe we can store the EXE in a subdirectory of System32 to evade it?
2nd part of this: if I'm using SMB_Relay, I shouldn't need to upload any payload to get a shell, since all I'm doing is connecting back to the victim or relaying credentials to a 3rd system.
The smb_relay module creates an EXE containing the payload you specified and uploads it to the target machine that you are relaying credentials to. This is required for "psexec" style remote code execution, since we use the Service Control Manager to get the payload to run. In short, you do need it when using the existing smb_relay module. In the future, I would like to implement an auxiliary version that drops you to a "smbclient"-like command shell for manipulating the compromised system. The delay there is implementing a lot more of the SMB API. -HD
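From the defender's side, the execution path HD describes (an EXE written under the ADMIN$ share and started through the Service Control Manager) leaves a service-installation record, and the directories named in this thread (SYSTEM ROOT, SYSTEM32, temp) are exactly where to look. The following is an added example, not code from the thread or from Metasploit: it scans constructed, 7045-style "service installed" records and scores each image path, treating a random-looking eight-letter executable name as an extra indicator (a heuristic assumption, as is the small allowlist of known service hosts).

```python
import re

# Constructed sample records modelled on System-log Event ID 7045 ("service installed").
# Format: EventID|ServiceName|ImagePath  (constructed layout, not a real log format)
SAMPLE_EVENTS = [
    "7045|tIrGBWsx|C:\\WINDOWS\\tIrGBWsx.exe",
    "7045|WinDefend|C:\\WINDOWS\\system32\\svchost.exe -k netsvcs",
    "7045|rlqzXhaa|C:\\WINDOWS\\system32\\wbem\\rlqzXhaa.exe",
    "7045|Updater|\"C:\\WINDOWS\\TEMP\\update.exe\" /svc",
    "7045|VendorAgent|C:\\Program Files\\Vendor\\agent.exe",
]

# Directories the thread names as the usual drop locations (ADMIN$ root, system32, temp).
DROP_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\temp"}
# Heuristic assumption: an executable stem of exactly eight letters looks auto-generated.
RANDOM_STEM = re.compile(r"^[a-z]{8}$", re.IGNORECASE)
# Placeholder allowlist of legitimate service hosts that live in system32.
KNOWN_GOOD = {"svchost.exe", "services.exe"}

def exe_path(image_path):
    """Return the executable portion of an ImagePath, dropping quotes and arguments."""
    m = re.match(r'\s*"?([^"]+?\.exe)"?', image_path, re.IGNORECASE)
    return m.group(1) if m else image_path.strip().split()[0]

def classify(image_path):
    """Score one ImagePath as high / medium / low suspicion."""
    path = exe_path(image_path).lower()
    directory, _, name = path.rpartition("\\")
    if name in KNOWN_GOOD:
        return "low"
    stem = name[:-4] if name.endswith(".exe") else name
    random_name = bool(RANDOM_STEM.match(stem))
    in_drop_dir = directory in DROP_DIRS
    if in_drop_dir and random_name:
        return "high"
    # A drop directory alone, or a random name anywhere under the Windows tree
    # (e.g. a system32 subdirectory), is still worth a look.
    if in_drop_dir or (random_name and directory.startswith("c:\\windows\\")):
        return "medium"
    return "low"

def scan(lines):
    """Return (service, executable, level) for every 7045-style record."""
    findings = []
    for line in lines:
        event_id, service, image_path = line.split("|", 2)
        if event_id != "7045":
            continue
        findings.append((service, exe_path(image_path), classify(image_path)))
    return findings
```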