Metasploit vs. Windows 7

Discussion in 'other anti-malware software' started by Gullible Jones, Nov 12, 2013.

Thread Status:
Not open for further replies.
  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    For these tests I'll be using Windows 7 SP1, 32-bit, with all current updates applied. Initial exploits will be via the Firefox XPI social engineering attack. (Just pretend it's a zero-day. :p )

    For now I'm just doing Immunet Protect, because I'm curious whether it's really that bad or just has problems on Windows XP.

    Edit: Immunet can't even start on Win7. Oops! Anyway look forward to some actual tests here.
     
    Last edited: Nov 12, 2013
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Strange, Immunet worked fine on Windows 7 64-bit SP1 for me even with Avast running. Actually, why are you testing 32-bit?
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Because I don't have a copy of 64-bit.
     
  4. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,341
    Location:
    Québec, Canada
    At home I use Immunet Plus on my Windows 7 x64 box without any problem.
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Hmm... I'll try again I guess. Let's see if I can get this working.
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    It worked the second time... strange.

    Immunet Protect 3.0
    Setup:
    - Blocking mode on
    - ClamAV engine and updates on
    - Point Firefox to the fake extension page and click okay

    Results:
    - Exploit succeeds
    - Injection into other processes succeeds
    - UAC bypass fails (Immunet blocks a required executable image :) )
    - User persistence succeeds
    - getsystem fails (no permissions)
    - Creating fake services fails (no permissions)
    - Service-for-user persistence succeeds
    - Can't steal tokens (but that's because of UAC)
    - All kernel exploits fail (but that's because we're up to date)
    - Keylogging and screenshots work
    - Persistence (as user) is established on reboot

    Comments:
    Immunet still seems to be almost an afterthought here. Even the UAC bypass can be blocked by setting UAC to maximum; as far as I can tell, Immunet is no improvement at all on a properly configured Windows 7 system.
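A defender-side check for the two points the post above turns on: whether UAC is actually at its maximum "Always notify" level (which the post says blocks the UAC bypass), and whether anything new has landed in the per-user autorun locations a non-admin process can write to, which is where user-level persistence that survives a reboot would show up. This is an added example, not part of the original post and not code from Immunet or Metasploit; the registry paths are the standard Windows ones, the function names are my own, and it was written to run on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the thread): audit UAC level and per-user autorun
# locations on Windows 7. Registry paths are standard; function names are assumed.

function Get-UacLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    $enableLua  = $p.EnableLUA
    $consent    = $p.ConsentPromptBehaviorAdmin
    $secureDesk = $p.PromptOnSecureDesktop

    # Map the three values to the slider positions in the UAC control panel.
    if ($enableLua -ne 1) {
        $level = 'Disabled'
    } elseif ($consent -eq 2 -and $secureDesk -eq 1) {
        $level = 'Always notify (maximum)'
    } elseif ($consent -eq 5 -and $secureDesk -eq 1) {
        $level = 'Default (signed Windows binaries auto-elevate)'
    } elseif ($consent -eq 5 -and $secureDesk -eq 0) {
        $level = 'Default without secure desktop'
    } else {
        $level = "Custom (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secureDesk)"
    }

    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secureDesk
        Level                      = $level
        AtMaximum                  = ($enableLua -eq 1 -and $consent -eq 2 -and $secureDesk -eq 1)
    }
}

function Get-UserAutoruns {
    # Locations writable by the logged-on user without elevation.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $entries = @()

    foreach ($k in $runKeys) {
        if (Test-Path $k) {
            $props = Get-ItemProperty -Path $k
            # Skip the PS* metadata properties Get-ItemProperty attaches.
            $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name }
            foreach ($name in $names) {
                $entries += New-Object PSObject -Property @{
                    Location = $k; Name = $name; Command = $props.$name
                }
            }
        }
    }

    # Per-user Startup folder; -Force also lists hidden files.
    $startup = [Environment]::GetFolderPath('Startup')
    foreach ($f in (Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue)) {
        $entries += New-Object PSObject -Property @{
            Location = $startup; Name = $f.Name; Command = $f.FullName
        }
    }
    return $entries
}

# Usage: run once on a clean VM, save the result, then diff after a test run.
Get-UacLevel | Format-List
Get-UserAutoruns | Format-Table Location, Name, Command -AutoSize
```

The useful way to run this is as a before/after comparison: take a snapshot on the clean VM (`Get-UserAutoruns | Export-Clixml baseline.xml`), run the test, then compare with `Compare-Object (Import-Clixml baseline.xml) (Get-UserAutoruns) -Property Location, Name, Command`. Any entry that appears only after the test is the persistence the post reports, and `AtMaximum` being `$false` means the UAC bypass the post mentions has not been configured away.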
     
  7. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    You know you can get all Windows 7 ISOs for free and use them as a 30-day trial? You don't need to enter a key to update them fully.
     
  8. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,341
    Location:
    Québec, Canada
    Very interesting, thanks.
    Did you try this with the latest MSE too? (v4.4.304 updated yesterday)

    Thanks again!
    François
     
  9. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    I did just now. :) MSE blocks the XPI exploit completely. I can't say anything further because there are no working vulnerabilities in the database for an up to date Win7 system.
     
  10. tomazyk

    tomazyk Guest

    You would probably have some exploits if you only installed Win7 with SP1 with no additional updates. I believe you used a similar setup with WinXP (SP3 with no additional updates)?
     
  11. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Which is why I keep saying that updates really do matter. :) The recent updates to Windows 7 make far more difference than the AV (or any other security software). Security software can contain the fallout of an exploit (sometimes), but patches are the only thing that can make the exploit go away.

    Edit: I may use an outdated Win7 SP1 VM for future tests of stuff like EMET though. We'll see.
     
  12. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Can you test if there is any benefit of EMET on updated Windows 7?
     
  13. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,349
    Same here when I tried to test on my Win 7 32-bit VM.
     
  14. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    I'm trying to do a comparison right now of Privatefirewall on XP (really bad) vs. 7 (hopefully better), but 7's native defenses are really skewing things. 20+ different browser exploits tried so far, including recent Java exploits, and not one of them has worked. I'll probably have to deliberately install something outdated to get this done.
     