1
mirror of https://github.com/rapid7/metasploit-framework synced 2024-10-29 18:07:27 +01:00

Merge pull request #2 from jhart-r7/pr/fixup-6197

Cleanup enum_av_excluded
This commit is contained in:
Andrew Smith 2015-12-03 21:18:37 -05:00
commit fbe2e3412a

View File

@ -7,37 +7,50 @@ require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Registry
def initialize(info={})
super( update_info( info,
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows Antivirus Excluded Locations Enumeration',
'Description' => %q{ This module will enumerate all excluded directories within supported AV products },
'Description' => 'This module will enumerate all excluded directories within supported AV products',
'License' => MSF_LICENSE,
'Author' => [ 'Andrew Smith'],
'Author' => [
'Andrew Smith', # original metasploit module
'Jon Hart <jon_hart[at]rapid7.com>' # improved metasploit module
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ]
))
)
)
register_options(
[
OptBool.new('DEFENDER', [true, 'Enumerate exclusions for Microsoft Defener', true]),
OptBool.new('ESSENTIALS', [true, 'Enumerate exclusions for Microsoft Security Essentials', true]),
OptBool.new('SEP', [true, 'Enumerate exclusions for Symantec Endpoint Protection (SEP)', true])
]
)
end
def enum_mssec
if registry_enumkeys("HKLM\\SOFTWARE\\Microsoft").include?("Microsoft Antimalware")
print_status "MS Security Essentials Identified"
return true
print_status "MS Security Essentials Identified"
return true
else
return false
return false
end
rescue
return false
end
def enum_defender
if registry_enumkeys("HKLM\\SOFTWARE\\Microsoft").include?("Windows Defender")
print_status "Windows Defender Identified"
return true
print_status "Windows Defender Identified"
return true
else
return false
return false
end
rescue
return false
@ -45,89 +58,91 @@ class Metasploit3 < Msf::Post
def enum_sep
if registry_enumkeys("HKLM\\SOFTWARE\\Symantec").include?("Symantec Endpoint Protection")
print_status "SEP Identified"
return true
print_status "SEP Identified"
return true
else
return false
return false
end
rescue
return false
end
def excluded_sep
print_status "Excluded Locations:"
keyadm = "HKLM\\SOFTWARE\\Symantec\\Symantec Endpoint Protection\\AV\\Exclusions\\ScanningEngines\\Directory\\Admin"
keycli = "HKLM\\SOFTWARE\\Symantec\\Symantec Endpoint Protection\\AV\\Exclusions\\ScanningEngines\\Directory\\Client"
found_keysadm = registry_enumkeys(keyadm)
if found_keysadm
found_keysadm.each do |vals|
full = keyadm + "\\" + vals
values = registry_getvaldata(full, "DirectoryName")
print_good "#{values}"
end
else
print_error "No Admin Locations Found"
end
found_keyscli = registry_enumkeys(keycli)
if found_keyscli
found_keyscli.each do |vals|
full = keycli + "\\" + vals
values = registry_getvaldata(full, "DirectoryName")
print_good "#{values}"
end
else
print_error "No Client Locations Found"
end
end
def excluded_mssec
print_status "Excluded Locations:"
keyms = "HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths\\"
found = registry_enumvals(keyms)
if found
found.each do |num|
print_good "#{num}"
end
if (found_keysadm = registry_enumkeys(keyadm))
found_keysadm.each do |vals|
full = keyadm + "\\" + vals
values = registry_getvaldata(full, "DirectoryName")
print_good "#{values}"
end
else
print_error "No Excluded Locations Found"
print_error "No Admin Locations Found"
end
keycli = "HKLM\\SOFTWARE\\Symantec\\Symantec Endpoint Protection\\AV\\Exclusions\\ScanningEngines\\Directory\\Client"
if (found_keyscli = registry_enumkeys(keycli))
found_keyscli.each do |vals|
full = keycli + "\\" + vals
values = registry_getvaldata(full, "DirectoryName")
print_good "#{values}"
end
else
print_error "No Client Locations Found"
end
end
def excluded_mssec
print_status "Excluded Locations:"
keyms = "HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths\\"
if (found = registry_enumvals(keyms))
found.each do |num|
print_good "#{num}"
end
else
print_error "No Excluded Locations Found"
end
end
def excluded_defender
print_status "Excluded Locations:"
keyms = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
found = registry_enumvals(keyms)
if found
found.each do |num|
print_good "#{num}"
end
keyms = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
if (found = registry_enumvals(keyms))
found.each do |num|
print_good "#{num}"
end
else
print_error "No Excluded Locations Found"
print_error "No Excluded Locations Found"
end
end
def setup
unless datastore['DEFENDER'] || datastore['ESSENTIALS'] || datastore['SEP']
fail_with(Failure::BadConfig, 'Must set one or more of DEFENDER, ESSENTIALS or SEP to true')
end
end
def run
arch2 = sysinfo['Architecture']
if arch2 =~ /WOW64/
print_error "You are running this module from a 32-bit process on a 64-bit machine. Migrate to a 64-bit process and try again"
return
else
print_status("Enumerating Excluded Paths for AV on #{sysinfo['Computer']}")
if enum_sep
excluded_sep
else
nosep = true
end
if enum_mssec
excluded_mssec
else
nomssec = true
end
if enum_defender
excluded_defender
else
nodefend = true
end
if nomssec and nodefend and nosep == true
print_error "No supported AV identified"
end
if sysinfo['Architecture'] =~ /WOW64/
print_error "You are running this module from a 32-bit process on a 64-bit machine. Migrate to a 64-bit process and try again"
return
end
print_status("Enumerating Excluded Paths for AV on #{sysinfo['Computer']}")
found = false
if datastore['DEFENDER'] && enum_defender
found = true
excluded_defender
end
if datastore['ESSENTIALS'] && enum_mssec
found = true
excluded_mssec
end
if datastore['SEP'] && enum_sep
found = true
excluded_sep
end
print_error "No supported AV identified" unless found
end
end