metasploit-framework/modules/auxiliary/scanner/scada/modbusdetect.rb


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
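class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'           => 'Modbus Version Scanner',
      'Description'    => %q{
        This module detects the Modbus service, tested on a SAIA PCD1.M2 system.
        Modbus is a clear text protocol used in common SCADA systems, developed
        originally as a serial-line (RS232) async protocol, and later transformed to IP,
        which is called ModbusTCP.
      },
      'References'     =>
        [
          [ 'URL', 'http://www.saia-pcd.com/en/products/plc/pcd-overview/Pages/pcd1-m2.aspx' ],
          [ 'URL', 'http://en.wikipedia.org/wiki/Modbus:TCP' ]
        ],
      'Author'         => [ 'EsMnemon <esm[at]mnemonic.no>' ],
      'DisclosureDate' => 'Nov 1 2011',
      'License'        => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(502),
        OptInt.new('UNIT_ID', [true, "ModBus Unit Identifier, 1..255, most often 1 ", 1]),
        OptInt.new('TIMEOUT', [true, 'Timeout for the network probe', 10])
      ], self.class)
  end

  # Sends one Modbus/TCP "Read Input Registers" request (function 0x04,
  # register 1) to the host and reports whether the reply starts with the
  # MBAP header fields the request carried.
  #
  # @param ip [String] target address supplied by the Scanner mixin
  # @return [void]
  def run_host(ip)
    unit_id = datastore['UNIT_ID']

    # The unit identifier is a single byte on the wire; pack("C") would
    # silently truncate anything larger, so reject it before sending.
    unless (0..255).cover?(unit_id)
      print_error("#{ip}:#{rport} - MODBUS - UNIT_ID must be between 0 and 255, got #{unit_id.inspect}")
      return
    end

    # MBAP header: transaction id 0x0021, protocol id 0x0000, length 6,
    # unit id; then PDU: function 0x04, starting register 1, quantity 0.
    sploit = "\x21\x00\x00\x00\x00\x06\x01\x04\x00\x01\x00\x00"
    sploit[6] = [unit_id].pack("C")

    connect
    begin
      sock.put(sploit)
      # Honour the TIMEOUT option; previously it was registered but never
      # applied, so the read waited for the socket's default timeout.
      data = sock.get_once(-1, datastore['TIMEOUT'])

      # Theory: whatever the outcome of the request, a Modbus/TCP endpoint
      # echoes the transaction id and protocol id back in its reply header.
      if data.nil?
        vprint_status("#{ip}:#{rport} - MODBUS - did not receive data.")
      elsif data[0,4] == "\x21\x00\x00\x00"
        print_good("#{ip}:#{rport} - MODBUS - received correct MODBUS/TCP header (unit-ID: #{unit_id})")
      else
        print_error("#{ip}:#{rport} - MODBUS - received incorrect data #{data[0,4].inspect} (not modbus/tcp?)")
      end
    ensure
      # Always release the socket, even if put/get_once raised.
      disconnect
    end
  end
end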