Metasploit mailing list archives

Anti-Virus Issues


From: hdm at metasploit.com (H D Moore)
Date: Thu, 26 Jun 2008 16:39:49 -0500

On Thursday 26 June 2008, Stewart Fey wrote:
> Does anyone have a suggestion for evading anti-virus on target
> machines? Specifically McAfee's ability to deny executables from
> running in SYSTEM ROOT or SYSTEM32 or temp directories. I am testing
> out SMB_Relay and all attempts to get a shell fail. When the exploit
> runs, the victim system throws an application error for all payloads I
> have tested. The exception was the add_user payload, which successfully
> added a user to the victim's box.

You could modify the smb_relay code to store the executable elsewhere, but 
it would depend on another writable share (C$, etc.). The Admin$ share is 
always accessible at least. Maybe we can store the EXE in a subdirectory 
of System32 to evade it? 

> 2nd part of this, if I'm using SMB_Relay, I shouldn't need to upload
> any payload to get a shell since all I'm doing is connecting back to
> the victim or relaying credentials to a 3rd system.

The smb_relay module creates an EXE containing the payload you specified 
and uploads it to the target machine that you are relaying credentials 
to. This is required for "psexec" style remote code execution, since we 
use the Service Control Manager to get the payload to run. In short, you 
do need it when using the existing smb_relay module. In the future, I 
would like to implement an auxiliary version that drops you to 
a "smbclient"-like command shell for manipulating the compromised system. 
The delay there is implementing a lot more of the SMB API.

-HD
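From the defender's side, the mechanism HD describes (an executable dropped through the Admin$ share, which maps to %SystemRoot%, and started through the Service Control Manager) leaves a service-installation record on the target: on Windows Vista and later the SCM logs Event ID 7045 ("A service was installed in the system") with the service name and image path. The following is an added example, not code from this thread or from Metasploit: it scans constructed 7045-style records and flags installs whose binary sits directly in %SystemRoot% or its Temp directory, in a subdirectory of System32 (the placement the reply speculates about), or on a remote admin share. Treating an eight-letter service name as "random-looking" is an assumption made here for illustration, not something the thread states, so it only adds weight when a path indicator has already fired.

```python
import re

# Constructed sample records in the shape of System-log Event ID 7045 entries
# (and one 7036 status-change entry that must be ignored). They are made up
# for this example and are not real log entries from any host.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "XblAuthManager",
     "image_path": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"event_id": 7045, "service_name": "MrJeUfKq",
     "image_path": r"%SYSTEMROOT%\MrJeUfKq.exe"},
    {"event_id": 7045, "service_name": "ahBkwQzT",
     "image_path": r"C:\Windows\System32\spool\ahBkwQzT.exe"},
    {"event_id": 7045, "service_name": "VendorUpdater",
     "image_path": r"C:\Program Files\Vendor\updater.exe"},
    {"event_id": 7045, "service_name": "BackupAgent",
     "image_path": r"\\fileserver\C$\agent\agent.exe"},
    {"event_id": 7036, "service_name": "Spooler", "image_path": ""},
]

# First executable in the image path, with any service arguments stripped.
EXE_RE = re.compile(r'^"?([^"]+?\.exe)', re.IGNORECASE)
# Binary served from a UNC admin share such as \\host\ADMIN$ or \\host\C$.
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(?:ADMIN|[A-Z])\$\\", re.IGNORECASE)
# Binary directly under %SystemRoot% (what Admin$ maps to) or %SystemRoot%\Temp.
SYSTEMROOT_RE = re.compile(
    r"^(?:[A-Z]:\\Windows|%SystemRoot%)\\(?:Temp\\)?[^\\]+\.exe$", re.IGNORECASE)
# Binary inside a subdirectory of System32 rather than System32 itself.
SYSTEM32_SUBDIR_RE = re.compile(
    r"^[A-Z]:\\Windows\\System32\\[^\\]+\\.*\.exe$", re.IGNORECASE)
# Assumption for this example: eight bare letters is a "random-looking" name.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}$")


def service_install_indicators(event):
    """Return the indicator names that fire for one service-install record."""
    if event.get("event_id") != 7045:
        return []  # only installs are interesting, not start/stop notices
    raw_path = event.get("image_path", "")
    match = EXE_RE.match(raw_path)
    exe = match.group(1) if match else raw_path
    hits = []
    if ADMIN_SHARE_RE.match(exe):
        hits.append("binary_on_admin_share")
    if SYSTEMROOT_RE.match(exe):
        hits.append("binary_in_systemroot_or_temp")
    if SYSTEM32_SUBDIR_RE.match(exe):
        hits.append("binary_in_system32_subdir")
    # The name heuristic is weak on its own, so it only reinforces a path hit.
    if hits and RANDOM_NAME_RE.match(event.get("service_name", "")):
        hits.append("random_looking_service_name")
    return hits


def flag_suspicious_installs(events):
    """Map each flagged service name to the indicators that fired for it."""
    flagged = {}
    for event in events:
        indicators = service_install_indicators(event)
        if indicators:
            flagged[event["service_name"]] = indicators
    return flagged


if __name__ == "__main__":
    for name, indicators in flag_suspicious_installs(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(indicators)}")
```

Run against real System-log exports the path patterns need tuning to the environment (legitimate installers do write services under %SystemRoot% occasionally), but a newly installed service whose binary lives in a System32 subdirectory or on a remote admin share is rare enough to be worth a ticket.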
