The Moxa protocol listens on 4800/UDP and will respond to broadcast or direct traffic. The service is known to be used on Moxa devices in the NPort, OnCell, and MGate product lines. Many devices with firmware versions older than 2017 or late 2016 allow admin credentials and SNMP read and read/write community strings to be retrieved without authentication. This Metasploit module is the work of Patrick DeSantis of Cisco Talos and K. Reid Wightman. Tested on: Moxa NPort 6250 firmware v1.13, MGate MB3170 firmware 2.5, and NPort 5110 firmware 2.6.
993fe76383658c80bcdb06cee32dc9d065dae5ecbd2b15061a1c670b3fa96e6d
The Moxa protocol listens on 4800/UDP and will respond to broadcast or direct traffic. The service is known to be used on Moxa devices in the NPort, OnCell, and MGate product lines. A discovery packet compels a Moxa device to respond to the sender with some basic device information that is needed for more advanced functions. The discovery data is 8 bytes in length and is the most basic example of the Moxa protocol. It may be sent out as a broadcast (destination 255.255.255.255) or to an individual device. Devices that respond to this query may be vulnerable to serious information disclosure vulnerabilities, such as CVE-2016-9361. The module is the work of Patrick DeSantis of Cisco Talos and is derived from original work by K. Reid Wightman. Tested and validated on a Moxa NPort 6250 with firmware versions 1.13 and 1.15.
98b6bc9ac986f9cabba0156932ffefd60159a96b8107e1d9b3448bedd300ff36
Moxa EDR-810 suffers from command injection and information disclosure vulnerabilities.
93e38fc3569bee3955b056de09b84048ae4fb87e813b1c03a73b32bcd0449b36
Moxa AWK-3121 version 1.14 devices suffer from authentication bypass, code execution, cross-site scripting, and information leakage vulnerabilities.
138332a80edebbd2e6c16300ef7d9715536cc1c8845977bb687fcc2fccfa023d
Moxa NPort W2x50A products with firmware version 2.1 Build_17112017 or lower are vulnerable to several authenticated OS command injection vulnerabilities.
0f86dde8e1c44108d2214acb30772974903fb5e2efa4f23d272a62cd0ca53b09
Moxa MX-AOPC UA server version 1.5 suffers from an XML external entity injection vulnerability.
fddbaa2065c62aecad0a07d6e23c2ad0e44f16c3227860ed21d602dfbc005faa
Moxa MXview version 2.8 suffers from a denial of service vulnerability.
ee15ff8c93b9a8b1fad8541acf0ff16c7a615ec4a3eed39ac5fac990068aed38
Moxa MXview version 2.8 suffers from a remote private key disclosure vulnerability.
5986ef93e2d09ab2475fbda2fb170751a1e9f4689785e02af7f737e55b418d01
This Metasploit module exploits a stack overflow in MOXA MDM Tool 2.1. When sending a specially crafted MDMGw (MDM2_Gateway) response, an attacker may be able to execute arbitrary code.
d1dd4e7fce98d32b48eac6791f3f78990a4253f063ff4c36a0b84dd00ca14a1c
This Metasploit module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When sending an overly long string to the PlayFileName() method of MediaDBPlayback.DLL (2.2.0.5), an attacker may be able to execute arbitrary code.
8d58101301699b9610ca5cc307d8e19bf06cb96680ddcbd521729cf3f02609d3