## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Scanner def initialize super( 'Name' => 'Modbus Version Scanner', 'Description' => %q{ This module detects the Modbus service, tested on a SAIA PCD1.M2 system. Modbus is a clear text protocol used in common SCADA systems, developed originally as a serial-line (RS232) async protocol, and later transformed to IP, which is called ModbusTCP. }, 'References' => [ [ 'URL', 'http://www.saia-pcd.com/en/products/plc/pcd-overview/Pages/pcd1-m2.aspx' ], [ 'URL', 'http://en.wikipedia.org/wiki/Modbus:TCP' ] ], 'Author' => [ 'EsMnemon ' ], 'DisclosureDate' => 'Nov 1 2011', 'License' => MSF_LICENSE ) register_options( [ Opt::RPORT(502), OptInt.new('TIMEOUT', [true, 'Timeout for the network probe', 10]) ], self.class) end def run_host(ip) #read input register=func:04, register 1 sploit="\x21\x00\x00\x00\x00\x06\x01\x04\x00\x01\x00\x00" connect() sock.put(sploit) data = sock.recv(12) # Theory: Whene sending a modbus request of some sort, the endpoint will return # with at least the same transaction-id, and protocol-id if data[0,4] == "\x21\x00\x00\x00" print_status("Received: correct MODBUS/TCP header from #{ip}") else print_status("Received: incorrect data from #{ip} (not modbus/tcp?)") end disconnect() end end