The EtherNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which implements the protocol. This Metasploit module implements the CPU STOP command, as well as the ability to crash the Ethernet card in an affected device. This Metasploit module is based on the original ethernetip-multi.rb Basecamp module from DigitalBond.
887d7ca941da90893389c8d56d690e8e44325dff76f8eba61e9b105f62a0c3e5The Schneider Modicon with Unity series of PLCs use Modbus function code 90 (0x5a) to send and receive ladder logic. The protocol is unauthenticated, and allows a rogue host to retrieve the existing logic and to upload new logic. Two modes are supported: "SEND" and "RECV," which behave as one might expect -- use set mode ACTIONAME to use either mode of operation. In either mode, FILENAME must be set to a valid path to an existing file (for SENDing) or a new file (for RECVing), and the directory must already exist. The default, modicon_ladder.apx is a blank ladder logic file which can be used for testing. This Metasploit module is based on the original modiconstux.rb Basecamp module from DigitalBond.
e5568f7609da41c1b5a99aaa7d319bbcc02872f0370b9fe227d271b21a9b5d97The Schneider Modicon with Unity series of PLCs use Modbus function code 90 (0x5a) to perform administrative commands without authentication. This Metasploit module allows a remote user to change the state of the PLC between STOP and RUN, allowing an attacker to end process control by the PLC. This Metasploit module is based on the original modiconstop.rb Basecamp module from DigitalBond.
b1ab2b6cc51066fbc4e2694146c089e9ffe0bd212d9fdf2475b47cf4afabb543The Moxa protocol listens on 4800/UDP and will respond to broadcast or direct traffic. The service is known to be used on Moxa devices in the NPort, OnCell, and MGate product lines. Many devices with firmware versions older than 2017 or late 2016 allow admin credentials and SNMP read and read/write community strings to be retrieved without authentication. This Metasploit module is the work of Patrick DeSantis of Cisco Talos and K. Reid Wightman. Tested on: Moxa NPort 6250 firmware v1.13, MGate MB3170 firmware 2.5, and NPort 5110 firmware 2.6.
993fe76383658c80bcdb06cee32dc9d065dae5ecbd2b15061a1c670b3fa96e6dThe Schneider Modicon Quantum series of Ethernet cards store usernames and passwords for the system in files that may be retrieved via backdoor access. This Metasploit module is based on the original modiconpass.rb Basecamp module from DigitalBond.
c8e98263aef5c597ea77667625a93e2b0b4a28b1287956030c4b4e2bdb3f8294By sending a malformed TFTP request to the GE D20ME, it is possible to crash the device. This Metasploit module is based on the original d20ftpbo.rb Basecamp module from DigitalBond.
ca58c1bbbb8f5ddb041eee1e2d0d87e47344b7203d89cc7501f919e5d92499fe
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed