2012-06-05 16:36:45 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
2012-06-05 18:53:11 +00:00
|
|
|
# http://metasploit.com/framework/
|
2012-06-05 16:36:45 +00:00
|
|
|
##
|
|
|
|
|
2012-05-29 18:34:33 +00:00
|
|
|
require 'msf/core'
|
2012-06-05 16:47:44 +00:00
|
|
|
|
2012-05-29 18:34:33 +00:00
|
|
|
class Metasploit3 < Msf::Auxiliary
|
2012-06-05 16:47:44 +00:00
|
|
|
|
2012-05-29 18:34:33 +00:00
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
include Msf::Auxiliary::Scanner
|
2012-06-05 16:47:44 +00:00
|
|
|
|
2012-05-29 18:34:33 +00:00
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'Modbus Version Scanner',
|
2012-06-05 16:47:44 +00:00
|
|
|
'Description' => %q{
|
|
|
|
This module detects the Modbus service, tested on a SAIA PCD1.M2 system.
|
2012-06-05 20:32:41 +00:00
|
|
|
Modbus is a clear text protocol used in common SCADA systems, developed
|
2012-06-05 16:47:44 +00:00
|
|
|
originally as a serial-line (RS232) async protocol, and later transformed to IP,
|
2012-06-05 20:32:41 +00:00
|
|
|
which is called ModbusTCP.
|
2012-06-05 16:47:44 +00:00
|
|
|
},
|
2012-05-29 18:34:33 +00:00
|
|
|
'References' =>
|
|
|
|
[
|
2012-06-05 16:47:44 +00:00
|
|
|
[ 'URL', 'http://www.saia-pcd.com/en/products/plc/pcd-overview/Pages/pcd1-m2.aspx' ],
|
2012-06-05 20:32:41 +00:00
|
|
|
[ 'URL', 'http://en.wikipedia.org/wiki/Modbus:TCP' ]
|
2012-05-29 18:34:33 +00:00
|
|
|
],
|
|
|
|
'Author' => [ 'EsMnemon <esm[at]mnemonic.no>' ],
|
|
|
|
'DisclosureDate' => 'Nov 1 2011',
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
2012-06-05 16:47:44 +00:00
|
|
|
|
2012-05-29 18:34:33 +00:00
|
|
|
register_options(
|
2012-06-05 16:47:44 +00:00
|
|
|
[
|
|
|
|
Opt::RPORT(502),
|
|
|
|
OptInt.new('TIMEOUT', [true, 'Timeout for the network probe', 10])
|
|
|
|
], self.class)
|
2012-05-29 18:34:33 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(ip)
|
2012-06-05 16:47:44 +00:00
|
|
|
#read input register=func:04, register 1
|
|
|
|
sploit="\x21\x00\x00\x00\x00\x06\x01\x04\x00\x01\x00\x00"
|
|
|
|
connect()
|
|
|
|
sock.put(sploit)
|
|
|
|
data = sock.recv(12)
|
|
|
|
|
|
|
|
# Theory: Whene sending a modbus request of some sort, the endpoint will return
|
|
|
|
# with at least the same transaction-id, and protocol-id
|
|
|
|
if data[0,4] == "\x21\x00\x00\x00"
|
|
|
|
print_status("Received: correct MODBUS/TCP header from #{ip}")
|
|
|
|
else
|
|
|
|
print_status("Received: incorrect data from #{ip} (not modbus/tcp?)")
|
|
|
|
end
|
|
|
|
|
|
|
|
disconnect()
|
2012-05-29 18:34:33 +00:00
|
|
|
end
|
|
|
|
end
|