Entries in Symantec (2)

Tuesday, Jan 04, 2011

Killing AV when it just will not Die!

So we get a shell/meterpreter session and we escalate to SYSTEM.  As NT AUTHORITY\SYSTEM we should be able to remove those pesky AV/HIPS products that prevent us from completing our penetration test.

Metasploit has an awesome script called killav which will defeat many AV products.  Sometimes, however, AV just will not die.

Looking at the process list, we see the AV processes still running.  Once again, I am picking on McAfee, but Symantec and friends have the same type of setup.

Killing the PID also doesn't work, since the application is running as a service.

However...  If one were to run the following:

net stop "McAfee Framework Service"

net stop "McAfee McShield"

net stop "McAfee Engine Service"

Running the process list again shows that McShield and his band of brothers are McGone!

It should be noted that we leave McTray.exe running, so the user will still see the shield in the task bar and will not be aware that we have disabled the AV protection entirely.

The attacker is now able to infect the machine with any payload they see fit.  Go Zeus?
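On the defender's side, each of those net stop commands leaves a trace: the Service Control Manager writes Event ID 7036 ("The <display name> service entered the stopped state.") to the System log. The script below is an added example, not code from the original post; it assumes a simple pipe-separated export of those events (constructed sample lines included) and flags the AV service display names used above when they stop and do not return to running within a short grace window, which separates a product update or restart from protection being switched off.

```python
# Added example (not from the original post). Scans Service Control Manager
# events (System log, Event ID 7036) for endpoint-protection services that
# stop and stay down. The message wording is the real SCM text; the export
# format and the log lines below are constructed for this demo.
import re
from datetime import datetime, timedelta

# Display names exactly as used with `net stop` in the post; extend per vendor.
WATCHED_SERVICES = {
    "McAfee Framework Service",
    "McAfee McShield",
    "McAfee Engine Service",
}

# Case-sensitive, so "McAfee Engine Service service" still yields the full name.
STATE_RE = re.compile(r"The (?P<svc>.+?) service entered the (?P<state>running|stopped) state\.")

# Constructed sample export: "<ISO timestamp>|<EventID>|<Provider>|<Message>"
SAMPLE_LOG = """\
2011-01-04T10:00:01|7036|Service Control Manager|The McAfee McShield service entered the running state.
2011-01-04T10:02:15|7036|Service Control Manager|The Print Spooler service entered the stopped state.
2011-01-04T10:02:16|7036|Service Control Manager|The Print Spooler service entered the running state.
2011-01-04T10:31:40|7036|Service Control Manager|The McAfee Framework Service service entered the stopped state.
2011-01-04T10:31:41|7036|Service Control Manager|The McAfee McShield service entered the stopped state.
2011-01-04T10:31:42|7036|Service Control Manager|The McAfee Engine Service service entered the stopped state.
2011-01-04T10:34:00|7036|Service Control Manager|The McAfee Engine Service service entered the running state.
"""

def parse_events(text):
    """Yield (timestamp, service, state) for every SCM 7036 line we understand."""
    for line in text.splitlines():
        ts, event_id, provider, message = line.split("|", 3)
        if event_id != "7036" or provider != "Service Control Manager":
            continue
        m = STATE_RE.match(message)
        if m:
            yield datetime.fromisoformat(ts), m["svc"], m["state"]

def find_av_outages(text, watched=WATCHED_SERVICES, grace=timedelta(minutes=5)):
    """Return [(timestamp, service)] for watched services that stopped and did
    not come back to 'running' within `grace` (updates restart them quickly)."""
    events = sorted(parse_events(text))
    alerts = []
    for i, (ts, svc, state) in enumerate(events):
        if svc not in watched or state != "stopped":
            continue
        restarted = any(s == svc and st == "running" and ts < t <= ts + grace
                        for t, s, st in events[i + 1:])
        if not restarted:
            alerts.append((ts, svc))
    return alerts
```

On the sample log this reports the Framework Service and McShield stops but not the Engine Service, which came back two minutes later.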

Monday, Oct 18, 2010

AntiVirus Vulnerability - Detection after Execution

http://www.n00bz.net/antivirus-cve/

Presented at HackerHalted... This proof of concept walks through a method of attack that AV products detect only after a known malicious payload has executed.  It is one attack that happens to work against multiple vendors, and it is not a Windows problem: each vendor's product allows the program to execute before detecting the malware, by leveraging an unusual behavior of Help and Support Center through the hcp:// protocol handler.

The exploit used to trigger this behavior is CVE-2010-1885 (HelpCenter), released by Tavis Ormandy.  While this exploit is used, this is NOT a rehash of the Microsoft HelpCenter exploit.  The purpose of this write-up is to walk through the discovery and document the method used to effectively bypass AntiVirus and execute a malicious payload on a victim's machine.