mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-10-29 18:07:27 +01:00
Merge pull request #2 from jhart-r7/pr/fixup-6197
Cleanup enum_av_excluded
This commit is contained in:
commit
fbe2e3412a
@ -7,37 +7,50 @@ require 'msf/core'
|
||||
require 'rex'
|
||||
|
||||
class Metasploit3 < Msf::Post
|
||||
|
||||
include Msf::Post::Windows::Registry
|
||||
|
||||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'Name' => 'Windows Antivirus Excluded Locations Enumeration',
|
||||
'Description' => %q{ This module will enumerate all excluded directories within supported AV products },
|
||||
'Description' => 'This module will enumerate all excluded directories within supported AV products',
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'Andrew Smith'],
|
||||
'Author' => [
|
||||
'Andrew Smith', # original metasploit module
|
||||
'Jon Hart <jon_hart[at]rapid7.com>' # improved metasploit module
|
||||
],
|
||||
'Platform' => [ 'win' ],
|
||||
'SessionTypes' => [ 'meterpreter' ]
|
||||
))
|
||||
)
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptBool.new('DEFENDER', [true, 'Enumerate exclusions for Microsoft Defener', true]),
|
||||
OptBool.new('ESSENTIALS', [true, 'Enumerate exclusions for Microsoft Security Essentials', true]),
|
||||
OptBool.new('SEP', [true, 'Enumerate exclusions for Symantec Endpoint Protection (SEP)', true])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def enum_mssec
|
||||
if registry_enumkeys("HKLM\\SOFTWARE\\Microsoft").include?("Microsoft Antimalware")
|
||||
print_status "MS Security Essentials Identified"
|
||||
return true
|
||||
print_status "MS Security Essentials Identified"
|
||||
return true
|
||||
else
|
||||
return false
|
||||
return false
|
||||
end
|
||||
rescue
|
||||
return false
|
||||
end
|
||||
|
||||
def enum_defender
|
||||
if registry_enumkeys("HKLM\\SOFTWARE\\Microsoft").include?("Windows Defender")
|
||||
print_status "Windows Defender Identified"
|
||||
return true
|
||||
print_status "Windows Defender Identified"
|
||||
return true
|
||||
else
|
||||
return false
|
||||
return false
|
||||
end
|
||||
rescue
|
||||
return false
|
||||
@ -45,89 +58,91 @@ class Metasploit3 < Msf::Post
|
||||
|
||||
def enum_sep
|
||||
if registry_enumkeys("HKLM\\SOFTWARE\\Symantec").include?("Symantec Endpoint Protection")
|
||||
print_status "SEP Identified"
|
||||
return true
|
||||
print_status "SEP Identified"
|
||||
return true
|
||||
else
|
||||
return false
|
||||
return false
|
||||
end
|
||||
rescue
|
||||
return false
|
||||
end
|
||||
|
||||
def excluded_sep
|
||||
print_status "Excluded Locations:"
|
||||
keyadm = "HKLM\\SOFTWARE\\Symantec\\Symantec Endpoint Protection\\AV\\Exclusions\\ScanningEngines\\Directory\\Admin"
|
||||
keycli = "HKLM\\SOFTWARE\\Symantec\\Symantec Endpoint Protection\\AV\\Exclusions\\ScanningEngines\\Directory\\Client"
|
||||
found_keysadm = registry_enumkeys(keyadm)
|
||||
if found_keysadm
|
||||
found_keysadm.each do |vals|
|
||||
full = keyadm + "\\" + vals
|
||||
values = registry_getvaldata(full, "DirectoryName")
|
||||
print_good "#{values}"
|
||||
end
|
||||
else
|
||||
print_error "No Admin Locations Found"
|
||||
end
|
||||
found_keyscli = registry_enumkeys(keycli)
|
||||
if found_keyscli
|
||||
found_keyscli.each do |vals|
|
||||
full = keycli + "\\" + vals
|
||||
values = registry_getvaldata(full, "DirectoryName")
|
||||
print_good "#{values}"
|
||||
end
|
||||
else
|
||||
print_error "No Client Locations Found"
|
||||
end
|
||||
end
|
||||
def excluded_mssec
|
||||
print_status "Excluded Locations:"
|
||||
keyms = "HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths\\"
|
||||
found = registry_enumvals(keyms)
|
||||
if found
|
||||
found.each do |num|
|
||||
print_good "#{num}"
|
||||
end
|
||||
if (found_keysadm = registry_enumkeys(keyadm))
|
||||
found_keysadm.each do |vals|
|
||||
full = keyadm + "\\" + vals
|
||||
values = registry_getvaldata(full, "DirectoryName")
|
||||
print_good "#{values}"
|
||||
end
|
||||
else
|
||||
print_error "No Excluded Locations Found"
|
||||
print_error "No Admin Locations Found"
|
||||
end
|
||||
|
||||
keycli = "HKLM\\SOFTWARE\\Symantec\\Symantec Endpoint Protection\\AV\\Exclusions\\ScanningEngines\\Directory\\Client"
|
||||
if (found_keyscli = registry_enumkeys(keycli))
|
||||
found_keyscli.each do |vals|
|
||||
full = keycli + "\\" + vals
|
||||
values = registry_getvaldata(full, "DirectoryName")
|
||||
print_good "#{values}"
|
||||
end
|
||||
else
|
||||
print_error "No Client Locations Found"
|
||||
end
|
||||
end
|
||||
|
||||
def excluded_mssec
|
||||
print_status "Excluded Locations:"
|
||||
keyms = "HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths\\"
|
||||
if (found = registry_enumvals(keyms))
|
||||
found.each do |num|
|
||||
print_good "#{num}"
|
||||
end
|
||||
else
|
||||
print_error "No Excluded Locations Found"
|
||||
end
|
||||
end
|
||||
|
||||
def excluded_defender
|
||||
print_status "Excluded Locations:"
|
||||
keyms = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
|
||||
found = registry_enumvals(keyms)
|
||||
if found
|
||||
found.each do |num|
|
||||
print_good "#{num}"
|
||||
end
|
||||
keyms = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
|
||||
if (found = registry_enumvals(keyms))
|
||||
found.each do |num|
|
||||
print_good "#{num}"
|
||||
end
|
||||
else
|
||||
print_error "No Excluded Locations Found"
|
||||
print_error "No Excluded Locations Found"
|
||||
end
|
||||
end
|
||||
|
||||
def setup
|
||||
unless datastore['DEFENDER'] || datastore['ESSENTIALS'] || datastore['SEP']
|
||||
fail_with(Failure::BadConfig, 'Must set one or more of DEFENDER, ESSENTIALS or SEP to true')
|
||||
end
|
||||
end
|
||||
|
||||
def run
|
||||
arch2 = sysinfo['Architecture']
|
||||
if arch2 =~ /WOW64/
|
||||
print_error "You are running this module from a 32-bit process on a 64-bit machine. Migrate to a 64-bit process and try again"
|
||||
return
|
||||
else
|
||||
print_status("Enumerating Excluded Paths for AV on #{sysinfo['Computer']}")
|
||||
if enum_sep
|
||||
excluded_sep
|
||||
else
|
||||
nosep = true
|
||||
end
|
||||
if enum_mssec
|
||||
excluded_mssec
|
||||
else
|
||||
nomssec = true
|
||||
end
|
||||
if enum_defender
|
||||
excluded_defender
|
||||
else
|
||||
nodefend = true
|
||||
end
|
||||
if nomssec and nodefend and nosep == true
|
||||
print_error "No supported AV identified"
|
||||
end
|
||||
if sysinfo['Architecture'] =~ /WOW64/
|
||||
print_error "You are running this module from a 32-bit process on a 64-bit machine. Migrate to a 64-bit process and try again"
|
||||
return
|
||||
end
|
||||
|
||||
print_status("Enumerating Excluded Paths for AV on #{sysinfo['Computer']}")
|
||||
found = false
|
||||
if datastore['DEFENDER'] && enum_defender
|
||||
found = true
|
||||
excluded_defender
|
||||
end
|
||||
if datastore['ESSENTIALS'] && enum_mssec
|
||||
found = true
|
||||
excluded_mssec
|
||||
end
|
||||
if datastore['SEP'] && enum_sep
|
||||
found = true
|
||||
excluded_sep
|
||||
end
|
||||
|
||||
print_error "No supported AV identified" unless found
|
||||
end
|
||||
end
|
||||
|
Loading…
Reference in New Issue
Block a user