The ExCraft SCADA Pack STANDARD [0day] and public exploits for SCADA and Industrial Control Systems designed for Core Impact Pro™
The ExCraft SCADA Pack STANDARD
Core Security www.coresecurity.com +1 678-304-4500
Copyright Information ©2019. by Core Security, A HelpSystems Company. All Rights Reserved.
For information on support for this module, contact your Core Security support or sales representative: Email: [email protected] Phone: +1.678.304.4500 Website: https://www.coresecurity.com/support https://www.coresecurity.com/contact
Table of Contents
Introduction ................................................................................................................................................ 4
2020 Exploits ............................................................................................................................................... 4
2019 Exploits ............................................................................................................................................... 4
2018 Exploits ............................................................................................................................................... 6
2017 Exploits ............................................................................................................................................... 8
2016 Exploits ............................................................................................................................................. 10
2015 Exploits ............................................................................................................................................. 12
2014 Exploits ............................................................................................................................................. 13
2013 Exploits ............................................................................................................................................. 14
ExCraft SCADA Pack STANDARD
The "ExCraft SCADA Pack STANDARD" is a SCADA- and ICS-focused exploitation package, developed and maintained by security experts from the Cyprus-based infosec company ExCraft Labs. The package is specially designed to be used with Core Impact Pro.
We conduct our own research to find [0days], plus carefully scan the web for public SCADA vulns. Additionally, the pack is powered by vulnerability-sharing programs!
ExCraft SCADA Pack STANDARD features:
- A rich and constantly growing set of ICS exploits!
- Greatly increases the SCADA pentesting capabilities of Core Impact Pro
- Powered by external knowledge received from sharing programs
- About 2-6 fresh and interesting new modules in each monthly update
Exploit List: Currently more than 279 modules!
1.71 – March 2020:
- Atvise Authorization webMI2ADS 1.0 Denial of Service
- Atvise webMI2ADS 1.0 Denial of Service
- Zurich Instruments LabOne Denial of Service. [0day]

1.70 – February 2020:
- Indusoft Web Studio 7 Denial of Service.
- 7T Interactive Graphical SCADA System DataServer 9.x Denial of Service.
- FrameFlow Server Monitor v6.8.5 Build 3476 Denial of Service.

1.69 – January 2020:
- Beckhoff TwinCAT ENI Server ver 1.1.6.0 Buffer Overflow Exploit. Public
- IBM SPSS SamplePower ActiveX Control Remote Code Execution Vulnerability. Public
- CoDeSys ENI Server Buffer Overflow Exploit. CVE-2019-16265

1.68 – December 2019:
- Automated Solutions Modbus/TCP OPC Server Remote Heap Corruption PoC. (no public info found by now)
- ANT Studio Denial of Service. Public
- Advantech NVS VideoDAQ ActiveX Remote Arbitrary File Overwrite. Public

1.67 – November 2019:
- HomeGenie 1.3 Arbitrary File Download. [0day]
- Advantech Studio Manager Buffer Overflow Denial of Service. Public, no CVE
- Advantech Domain Focused Configuration Tool DoS. Public, no CVE
1.66 – October 2019:
- MAPLE Computer WBT SNMP Administrator 2.0.195.15 Denial of Service. Public
- Remote Denial of Service in Xitami Web Server. Public

1.65 – September 2019:
- Remote BACnet Stack 0.8.6 Denial of Service. CVE-2019-12480
- SEIG SCADA IGSS System 9 Remote Denial of Service. Public

1.64 – August 2019:
- promotic_scada_dos.py - Promotic SCADA Denial of Service. [0day]

1.63 – July 2019:
- iobroker_1_4_2_dirtrav.py - Iobroker 1.4.2 Directory Traversal, vector 1. [0day]
- iobroker_1_4_2_dirtrav2.py - Iobroker 1.4.2 Directory Traversal, vector 2. [0day]
- scadalts_1_1_sqli.py - Scada LTS 1.1 SQL Injection. [0day]

1.62 – June 2019:
- inductive_automation_ignition_7_6_4_designer_xxe - Ignition 7.6.4 Designer XXE. [0day]
- kingscada_aeserver_dos.py - KingSCADA AEServer Alarm Service Denial of Service. [0day]
- inductive_automation_ignition_7_5_4_bsqli.py - Inductive Automation Ignition 7.5.4 Time-based Blind SQL Injection. [0day]

1.61 – May 2019:
- AGG_Web_Server_Plugin_Directory_Traversal.py - AGG Software Web Server Plugin Directory Traversal Vulnerability. [0day]
- scadalts_1_1_xss2.py - The Graphical Views editor embeds HTML code into the page, which results in XSS injection. [0day]
- inductive_automation_ignition_7_5_4_xxe.py - Inductive Automation Ignition 7.5.4 XXE File Disclosure. [0day]

1.60 – April 2019:
- Newport_Electronics_iDRN_iDRX_Signal_Conditioners.py - Newport Electronics iDRN-iDRX Signal Conditioners ActiveX Control Remote File Overwrite Vulnerability. [0day]
- Newport_Electronics_ActiveX.py - Newport Electronics iDRX ActiveX 1.3 Control Remote File Overwrite Vulnerability. [0day]
- AGG_Software_OPC_HTTP_Gateway_Directory_Traversal.py - AGG Software OPC HTTP Gateway Premium Directory Traversal. [0day]
- AGG_Software_OPC_Scada_Viewer_Directory_Traversal.py - AGG Software OPC Scada Viewer Directory Traversal. [0day]

1.59 – March 2019:
- Cogent_DataHub_8x_DoS.py - Remote Denial of Service in Cogent Datahub 8.0.x. [0day]
- SchneiderElectric_SEIG_ModBus_DoS.py - Remote Denial of Service in Schneider Electric SEIG Modbus driver. Old CVE; somehow missed that vuln earlier in our pack
- LSIS_XPServiceController_DoS.py - Remote Denial of Service in LSIS XP-Server XPServiceController. [0day]
- WAGO_PFC200_PLC_series_DoS.py - Remote Denial of Service in WAGO PFC200 PLC. CVE-2018-8836
- Simple_SCADA_Directory_Traversal.py - Simple-Scada Directory Traversal and File Delete Vulnerability. [0day]
1.58 – February 2019:
- LeCroy_EasyScope_ActiveX.py - LeCroy EasyScope ActiveX ExportStyle Method Remote Code Execution. [0day]
- Tibbo_AggreGate_Denial_of_Service.py - Tibbo AggreGate 5.51.10 DoS. [0day]
- advantech_webaccess_8_3_2_dashboard_bsqli.py - Advantech WebAccess 8.3.2 Dashboard Time-based Blind SQL Injection. [0day]

1.57 – January 2019:
- advantech_webaccess_8_3_2_dashboardconfig_afd2.py - Advantech WebAccess 8.3.2 Dashboard Config Arbitrary File Download. [0day]
- advantech_webaccess_8_3_2_dashboardeditor_afu_rce.py - Advantech WebAccess 8.3.2 Dashboard Editor AFU (Arbitrary File Upload) RCE. [0day]
- advantech_webaccess_8_3_2_dashboardconfig_afu_rce.py - Advantech WebAccess 8.3.2 Dashboard Config AFU RCE. [0day]

1.56 – December 2018:
- advantech_webaccess_8_3_2_dashboardeditor_afd.py - Advantech WebAccess 8.3.2 Dashboard Editor Arbitrary Folder Download. [0day]
- DataRate_Project_Code_Execution.py - DataRate SCADA v4.1 Code Execution via fake project. [0day]
- ICPDAS_eLogger_Arbitrary_File_Upload.py - Vulnerability in ICPDAS eLogger RuntimeXP allows file upload. [0day]
- OpenAPC_BeamServer_DoS.py - OpenAPC BeamServer Denial of Service. [0day]

1.55 – November 2018:
- BLUE_Open_Studio_8_0_RCE - Arbitrary built-in command execution vulnerability. [0day]
- Delta_Industrial_Automation_Robot_DRAStudio_Arbitrary_File_Disclosure.py - Directory Traversal leading to file disclosure. [0day]
- Delta_Industrial_Automation_Robot_DRAStudio_Arbitrary_File_Upload.py - Directory Traversal leading to file upload. [0day]
- VBASE_VOKSERVER_Info_Disclosure.py - Directory Traversal leading to file disclosure. [0day]

1.54 – October 2018:
- Atvise_3_2_Arbitrary_File_Upload.py - Atvise 3.2.1 Arbitrary File Upload. [0day]
- Atvise_3_2_Info_Disclosure.py - Atvise 3.2.1 Info Disclosure. [0day]
- DoMore_Designer_Arbitrary_File_Disclosure.py - Do-more Simulator allows a remote attacker to read OS files. [0day]
- DoMore_Designer_Arbitrary_File_Upload.py - Attacker can upload arbitrary files to arbitrary directories. Tested with Do-more Designer 2.3.2. [0day]
- Atvise_3_2_Arbitrary_File_Disclosure.py - Atvise OPC UA service allows a remote attacker to disclose arbitrary files. [0day]
1.53 – September 2018:
- CyBroHttpServer_directory_traversal.py - Vulnerability in CyBroHttpServer allows remote attackers to disclose files. Authentication is not required. [0day]
- LSIS_wXP_Arbitrary_File_Download.py - Vulnerability in LSIS wXP allows remote attackers to disclose arbitrary files. Password protection can also be bypassed. [0day]
- KOYO_C_more_Programming_DoS.py - KOYO C-more Programming Software Emulator Denial of Service. [0day]
- Do_more_Designer_DoS.py - Do-more Designer Programming Software Emulator Denial of Service. [0day]

1.52 – August 2018:
- Dream_Report_Blind_RCE.py - Dream Report Blind RCE. [0day]
- Reliance4_Control_Server_DoS.py - Reliance4 SCADA Control Server Denial of Service. [0day]

1.51 – July 2018:
- logi_cals_logi_RTS_Privilege_Escalation.py - logi.cals Privilege Escalation. [0day]
- LSIS_wXP_DoS.py - LSIS wXP DoS. [0day]
- Loytec_LWEB_900_Directory_Traversal.py - Loytec LWEB-900 Directory Traversal. [0day]
- WinTr_Scada_Hardcoded_Credentials_Directory_Traversal.py - WinTr Scada information disclosure using hardcoded credentials. [0day]

1.50 – June 2018:
- Advantech_WebAccess_webvrpcs_Arbitrary_File_Disclosure - Advantech WebAccess webvrpcs Arbitrary File Disclosure. [0day]
- ESA_Automation_Crew_Webserver_Directory_Traveral - ESA-Automation Crew Webserver Directory Traversal. [0day]
- LSIS_XP_Manager_DoS - LSIS XP-Manager V2.03 DoS. [0day]
- Moxa_Mx_AOPC_UA_Server_File_Corrupt_Or_Dos - Moxa MX AOPC UA Server File Corruption or DoS. [0day]
- WinTr_Project_Code_Execution - WinTr v.5.52 trojan project generation, which adds an admin user to the OS. [0day]

1.49 – May 2018:
- Dream_Report_Arbitrary_File_Upload_RCE - Dream Report Arbitrary File Upload RCE. [0day]
- Atvise_Remote_Project_Management - Atvise Remote Project Management. [0day]
- logi_cals_logi_RTS_RTShttpd_DoS - logi.cals logi.RTS RTShttpd DoS. [0day]
1.48 – April 2018:
- Advantech_WebAccess_8_3_Dashboard_Viewer_File_Delete - Advantech WebAccess (8.3) Dashboard Viewer File Delete. [0day]
- LSIS_wXP_Arbitrary_File_Upload_RCE - LSIS wXP Arbitrary File Upload RCE. [0day]
- ESA_Automation_Crew_Webserver_Info_Disclosure - ESA-Automation Crew Webserver Info Disclosure. [0day]

1.47 – March 2018:
- Advantech_WebAccess_8_3_Dashboard_Viewer_Directory_Traversal - Advantech WebAccess (8.3) Dashboard Viewer Directory Traversal. [0day]
- Brodersen_Worksuite_DoS - Brodersen Worksuite DoS. [0day]
- Lansafe_Web_Grafical_Interface_DoS - Lansafe Web Graphical Interface DoS. [0day]

1.46 – February 2018:
- Elipse_Scada_Project_Code_Execution - Elipse Scada Code Execution. [0day]
- IGSS_Remote_Project_Injector - Interactive Graphical SCADA System Remote Project Injector. [0day]
- Advantech_WebAccess_8_3_Dashboard_Viewer_Arbitrary_File_Upload - Advantech WebAccess (8.3) Dashboard Viewer Arbitrary File Upload. [0day]

1.45 – January 2018:
- ESA_Elettronica_CREW_Directory_Traversal - ESA Elettronica CREW Directory Traversal Vulnerability. [0day]
- UPSMON_Pro_Path_Traversal - UPSMON PRO for Windows Path Traversal Vulnerability. [0day]
- Productivity_Suite_Programming_Software_Code_Execution - AutomationDirect Productivity Suite Programming Software Code Execution. [0day]

1.44 – December 2017:
- PASvisu_DoS - Pilz GmbH PASvisu Denial of Service. [0day]
- Webport_Directory_Traversal - WebPort SCADA HMI system Directory Traversal. [0day]
- Webport_BSQLi_Privilege_Escalation - WebPort SCADA HMI system Blind SQL Injection Privilege Escalation. [0day]

1.43 – November 2017:
- PASvisu_Arbitrary_File_Upload - Pilz GmbH PASvisu allows uploading an arbitrary file to the remote machine. Authentication is not required. [0day]
- PcVue_Project_Code_Execution - PcVue v.9.0 Remote Code Execution Vulnerability. [0day]
- LabView_Project_Code_Execution - National Instruments LabView (all versions) Remote Code Execution Vulnerability. [0day]

1.42 – October 2017:
- MasterScada_Project_Code_Execution - Russian SCADA MasterScada v.3.8 Code Execution Vulnerability. [0day]
- Delta_DIAEnergy_File_Upload_RCE - Delta DIAEnergie File Upload Remote Code Execution Exploit. [0day]
- Trend_Micro_Data_Loss_Prevention_Path_Traersal - Trend Micro Data Loss Prevention Virtual Appliance Path Traversal Vulnerability.
1.41 – September 2017:
- Delta_DIAEnergy_info_disclosure - Delta DIAEnergie Information Disclosure. [0day]
- Reliance_Scada_Directory_Traversal - Reliance SCADA 4.7.3 Update 2 Directory Traversal. [0day]
- KingView_7_5_Directory_Traversal - KingView SCADA 7.5 Directory Traversal. [0day]

1.40 – August 2017:
- Mango_Automation_File_Upload_RCE - Mango Automation 3.2.0 File Upload Remote Code Execution Exploit. [0day]
- UCanCode_ActiveX_rfd_TKDrawCAD - UCanCode TKDRAWCADLib ActiveX Control Remote File Replace Exploit. [0day]
- UCanCode_ActiveX_rfd_UCCPrint - UCanCode UCCPrint ActiveX Control Remote File Replace Exploit. [0day]

1.39 – July 2017:
- UCanCode_ActiveX_rfd_1 - UCanCode UCCDRAWLib ActiveX Control Remote File Replace Exploit. [0day]
- Festo_robotino_DoS - FESTO Robotino Denial of Service. [0day]
- sap_xmii_Directory_Traversal - SAP xMII 15.0 Directory Traversal Vulnerability. CVE-2016-2389

1.38 – June 2017:
- Brodersen_Worksuite_DoS - Brodersen Worksuite Remote Denial of Service. [0day]
- Lansafe_Web_Graphical_Interface_DoS - This module crashes the Lansafe Web Graphical Interface. [0day]
- Procyon_Scada_DoS - This module causes the Procyon SCADA to stop. [0day]

1.37 – May 2017:
- CIRCUTOR_PowerStudio_Scada_DoS - CIRCUTOR PowerStudio SCADA Denial of Service. [0day]
- Dino_Lite_Activex_1 - Dino Lite GpsGridParameters Remote Arbitrary File Overwrite. [0day]
- Dino_Lite_Activex_2 - Dino Lite GpsDatumParameters Remote Arbitrary File Overwrite. [0day]

1.36 – April 2017:
- Aktakom_Osciloscope_DoS - Aktakom oscilloscope with Ethernet interface Denial of Service. [0day]
- Point_of_view_Directory_Traversal - AutomationDirect Point Of View Directory Traversal Vulnerability. [0day]
- KingView_HistorySvr_DoS - KingView HistorySvr Remote Denial of Service Vulnerability. [0day]
1.35 – March 2017:
- Phoenix_Contact_WebVisit_DoS - Phoenix Contact WebVisit Denial of Service. [0day]
- Phoenix_Contact_ThinkNDo - Phoenix Contact ThinkNDo ISSymbol ActiveX Control Buffer Overflow Vulnerabilities. [0day]
- ReginControls_Tool_Remote_File_Delete_0day - ReginControls REGIO Tool Remote File Delete Exploit. [0day]

1.34 – February 2017:
- Point_of_View_SCADA_Activex_[0day] - Point of View SCADA v8.0 Remote Code Execution Vulnerability. [0day]
- Ecava_IntegraXor_Config_Corruption - Ecava IntegraXor Remote Config Corruption. [0day]
- Cogent_Datahub_Log_Poison_RCE - Cogent Datahub Log Poison Remote Code Execution Vulnerability. [0day]

1.33 – January 2017:
- IGSS_Arbitrary_File_Disclosure - A specially crafted TCP packet allows reading arbitrary file content from IGSS v12. [0day]
- Cogent_Datahub_7_3_x_DoS - This module causes the Datahub to stop. [0day]
- Ecava_IntegraXor_Information_Disclosure - This module exploits a remote vulnerability to get information about the running project. [0day]

1.32 – December 2016:
- Siemens_Sicam_Pas_Hardcode_RCE - Siemens SICAM PAS prior to 8.0 Hardcoded Credentials RCE. [0day]
- VISU_RCE - Visu+ 2.42 TCPUploadServer Remote Code Execution Vulnerability. [0day]

1.31 – November 2016:
- MyScada_MyPRO_Hardcode_RCE - MyScada MyPRO uses hardcoded credentials to deploy projects over FTP. [0day]
- Ecava_IntegraXor_Remote_Project_Management - This module remotely stops all tasks of the project. [0day]

1.30 – October 2016:
- Citect_Scada_7_2_DoS - A specially crafted TCP packet to Citect Scada service ports causes DoS. [0day]
- Axilog_FB_Buffer_Overflow_RCE - Axilog Firebird Buffer Overflow RCE. [0day]
- DBSWIN_FB_Buffer_Overflow_RCE - DBSWIN Firebird Buffer Overflow RCE. [0day]

1.29 – September 2016:
- EasyBuilder_Pro_com_e30_DoS - Weintek EasyBuilder Pro com_e30 DoS. [0day]
- EasyBuilder_Pro_com_e30_DoS_1 - Weintek EasyBuilder Pro HMI Data Server com_e30 DoS. [0day]
- AspicMP_Project_Manager_Remote_Control - AspicMP Project Manager Remote Control. [0day]
1.28 – August 2016:
- Cimon_Scada_HttpSvr_DoS - Cimon Scada HttpSvr Remote Denial of Service Vulnerability. [0day]
- EisBaer_Scada_Webserver_Directory_Traversal - EisBaer Scada Webserver Directory Traversal. [0day]
- GX_IEC_Developer_Activex_AFD - GX IEC Developer 5.02 ActiveX Arbitrary File Delete Exploit. [0day]

1.27 – July 2016:
- Rapid_Scada_Arbitrary_File_Download - Vulnerability allows an authenticated user to get the content of files by sending a specially crafted TCP packet to the Scada-Server service. [0day]
- AutoBase_NetServer_DoS - Remote Denial of Service in AutoBase Network Server 10.2.6.1. [0day]
- CenturyStar_DoS - Century Star Denial of Service Vulnerability. [0day]

1.26 – June 2016:
- Iconix_Activex_0day - ICONICS Scada ActiveX control AWXRep32.ocx is vulnerable.
- Iconix_Activex_0day_2 - ICONICS Scada ActiveX control TreeExplorer.ocx is vulnerable.
- Iconix_Activex_0day_3 - ICONICS Scada ActiveX control DBMining.ocx is vulnerable.
- Cogent_Datahub_DoS - Cogent Datahub version 7.3.10 Denial of Service Exploit.

1.25 – May 2016:
- Lutron_Grafik_Eye_Designer_activex.py - Lutron Grafik Eye Designer ActiveX command execution.
- Lutron_HomeWorks_Interactive_activex_2.py - Lutron HomeWorks Interactive ActiveX arbitrary file overwrite.
- advantech_webaccess_8_1_dashboardViewer_afd.py - Advantech WebAccess (8.1) Dashboard Viewer arbitrary file deletion.
- advantech_webaccess_8_0_dashboardViewer_afd.py - Advantech WebAccess (8.0) Dashboard Viewer arbitrary file upload or deletion leveraged to code execution.
- Lutron_HomeWorks_Interactive_activex.py - Another Lutron HomeWorks Interactive ActiveX arbitrary file delete.

1.24 – April 2016:
- Yaskawa_SigmaWin_Plus_Activex_AFD.py - Yaskawa SigmaWin Plus ActiveX Arbitrary File Delete Exploit. Public
- MOXA_Mass_Configurator_Tool_DoS.py - Remote Denial of Service in MOXA Mass Configuration Tool 1.0.0.1. Public
- ISGA_Carlo_Gavazzi_DoS.py - Carlo Gavazzi ISGA Smart MPPT Inverter DoS. [0day]

1.23 – February – March 2016:
- Yokogawa_Centum_DoS.py - Remote Denial of Service in Yokogawa CENTUM CS3000 R3.08.50. CVE-2014-0781
- SearchBlox_Directory_Traversal.py - SearchBlox v8.3 Unauthenticated Config Rewrite Vulnerability. ICSA-15-337-01
- Advantech_WebAccess_webvrpcs_DoS.py - Remote Denial of Service in Advantech WebAccess. [0day]
1.22 – January 2016:
- QuickHMI_Server_v3_DoS.py - QuickHMI Server v3 Antelope Denial of Service. [0day]
- Reliance_4_Control_Server_SCADA_DoS.py - Reliance 4 Control Server Denial of Service. [0day]
- Iocomp_Software_activex.py - Iocomp Software ActiveX Control Remote Code Execution Vulnerability. [0day]

1.21 – December 2015:
- Codesys_Webserver_DoS_0day.py - Codesys webserver DoS. [0day]
- MOXA_VPort_SDK_activex.py - MOXA VPort SDK ActiveX control exploit. ICSA-15-097-01, CVE-2015-0986
- phoenix_contact_afu.py - Phoenix Contact Arbitrary File Upload (client-side). [0day]

1.20 – November 2015:
- SpiderControl_SCADA_Editor_DoS.py - SpiderControl SCADA Editor Denial of Service Exploit. [0day]
- SpiderControl_SCADA_Editor_Directory_Traversal.py - SpiderControl SCADA Editor Directory Traversal Vulnerability. [0day]
- ABB_Microscada_ActiveX - ABB MicroSCADA ActiveX Control Buffer Overflow Exploit. [0day]

1.19 – September 2015:
- DataNet_OPC_Webserver_Directory_Traversal.py - DataNet OPC Webserver Directory Traversal Vulnerability. [0day]
- MOXA_SoftCMS_Webserver_DoS.py - MOXA SoftCMS AspWebServer Denial of Service Exploit. [0day]
- TwinCAT_CodeMeter_DoS_PoC.py - TwinCAT PLC Control CodeMeter Remote Denial of Service. [0day]

1.18 – July 2015:
- IPESOFT_D2000_SCADA_Directory_Traversal.py - Directory traversal vulnerability in the WildFly HTTP Server used by default in IPESOFT D2000 SCADA. [0day]
- Lanmisoft_automation_Directory_Traversal.py - Lanmisoft Directory Traversal. [0day]

1.17 – June 2015:
- BBElectronics_Vlinx_ConnectPro_Manager_DoS.py - BB Electronics Vlinx ConnectPro Manager DoS. [0day]
- xarrow_dos.py - SCADA xArrow Software v.5.5 Denial of Service. [0day]
- Reliance_4_DoS.py - Remote Denial of Service in Reliance 4 Control Server. [0day]

1.16 – April 2015:
- deltaeremote_dos.py - Delta IA HMI DOP Patch eRemote V2.00.11 Denial of Service. [0day]
- infilink_dos.py - Infilink HMI v5.00.34 DoS. [0day]
- modbus_directory_traversal.py - Modbus SCADA (WLC Systems) v2.1.2 Build Jun 14 2014 Directory Traversal. [0day]
1.15 – March 2015:
- ag_peakhmi_buffer_overflow.py - PeakHMI Runtime <= v.7.11.0.0 Buffer Overflow. [0day]
- ag_events_reveals_sensitive_info.py - Events SCADA HMI <= v.8.58 reveals sensitive info. [0day]
- ag_adamview_buffer_overflow.py - Advantech ADAMView <= v.4.3 Buffer Overflow. CVE-2014-8386

1.14 – February 2015:
- ag_mango_file_upload.py - SCADA Mango Automation file upload
- DuerrDental_Firebird_DoS.py - DuerrDental Firebird DoS
- Panasonic_Configurator_DL_DoS_PoC.py - Panasonic Configurator DL DoS PoC
- AzeoTech_DAQFactory_DoS.py - AzeoTech DAQFactory DoS/PoC

1.13 – December 2014 - January 2015:
- PeakHMI_Webserver_Directory_Traversal.py - PeakHMI Webserver Directory Traversal Vulnerability. [0day]
- PROMOTIC_Remote_Code_Execution_Exploit.py - Promotic SCADA ActiveX Control Remote Code Execution Vulnerability
- WS10_Data_Server_DoS.py - WS10 Data Server SCADA Remote DoS

1.12 – November 2014:
- EATON_LanSafe_DoS.py - EATON LanSafe Denial of Service Exploit
- Embedthis_Goahead_DoS.py - Embedthis GoAhead Webserver Remote DoS
- NOVUS_NConfig_DoS.py - NOVUS NConfig DoS/PoC. [0day]
NOTE: Fixed missing module names in changelog

1.11 – October 2014:
- FANUC_OlpcPRO_Directory_Traversal.py - FANUC OlpcPRO Directory Traversal Vulnerability. [0day]
- Schneider_Electric_PLC_ETY_DoS.py - Schneider Electric PLC ETY Series Ethernet Controller Denial of Service
- ZScada_Net_2_0_DoS.py - Z-Scada Net 2.0 DoS/PoC. [0day]

1.10 – August 2014:
- Advantech_WebAccess_activex_Exploit_0Day.py - Advantech WebAccess ActiveX ProjectName() Remote Overflow. [0day]
- Emerson_ROCLINK800.py - Emerson ROCLINK800 arpro2.dll ActiveX Control Remote Code Execution Vulnerability

1.9 – May 2014:
- ScadaMobile_DirTrav_0day.py - ScadaMobile ONE v2.5.2 Directory Traversal Vulnerability. [0day]
- Siemens_License_Manager_activex.py - Siemens Automation License Manager Remote Arbitrary File Overwrite
- Siemens_License_Manager_DoS.py - Siemens Automation License Manager Service Remote Denial of Service. [0day]
1.8 – March 2014:
- CoDeSys_Gateway_Server_DoS.py - CoDeSys Gateway Server Remote Denial of Service. [0day]
- Delta_Electronics_simulator_SEH_Overflow_PoC.py - Delta Electronics simulator SEH Overflow PoC DoS

1.7 – February 2014:
- ABB_Test_Signal_Viewer_Remote_Code_Execution.py - ABB Test Signal Viewer ActiveX Control Remote Code Execution Vulnerability
- CodeMeter_DoS.py - CodeMeter WIBU-SYSTEMS AG Remote Denial of Service. [0day]

1.6 – January 2014:
- Eaton_Network_Shutdown_Module_DoS.py - Remote Denial of Service in Eaton Network Shutdown Module. [0day]
- EATON_VURemote_DoS.py - EATON VURemote DoS. [0day]
- Ignition_Gateway_OPC_UA_Server_DoS.py - Ignition Gateway OPC UA Server Denial of Service. [0day]
- RuggedDirector_DoS.py - RuggedDirector Remote Denial of Service. [0day]
- Tri_PLC_DoS.py - Remote Denial of Service in TriPLC Nano10 r81. CVE-2013-2784

1.5 – December 2013:
- Mitsubishi_Electric_Automation_MC_WorX_File_Execution.py - Mitsubishi Electric Automation MCWorX File Execution Exploit. No CVE, but public
- Mitsubishi_Electric_Automation_MC_WorX_Remote_File_Delete_0day.py - Mitsubishi Electric Automation MCWorX Remote File Delete Exploit. [0day]
- Modbus_SCADA_DirTrav_0day.py - Modbus SCADA Directory Traversal Vulnerability. [0day]
- Moore_Industries_NCS_Config.py - Moore Industries NCS Configuration DoS. [0day]
- Siemens_WinCC_TIA_Portal_remote_DoS_0Day.py - Siemens WinCC TIA Portal miniweb.exe Remote DoS. [0day]

1.4 – November 2013:
- Proface ProServer_EX_DoS.py - Remote Denial of Service in Proface ProServer EX. Public, no CVE
- Galil_RIO_DoS.py - Remote Denial of Service in Galil RIO Rio47100. CVE-2013-0699
- National_Instruments_Remote_Code_Execution.py - National Instruments ActiveX LabWindows/CVI, LabVIEW Remote Code Execution. CVE-2013-5022
- National_Instruments_Remote_Code_Execution_2.py - National Instruments LabWindows/CVI, LabVIEW ActiveX Remote Code Execution. CVE-2013-5025

1.3 – October 2013:
- UCanCode_HMI_ActiveX_Remote_File_Replace.py - UCanCode HMI Control ActiveX Remote File Replace Exploit. [0day]
- MetaDraw_ActiveX_Remote_File_Replace.py - MetaDraw ActiveX Remote File Replace Exploit. [0day]
- Mitsubishi_MX_ActiveX_Component_Exploit.py - Mitsubishi MX ActiveX Component Exploit. No CVE, public vuln
- QNX_FTPD_DoS.py - QNX FTPD Remote DoS. No CVE, public
- Siemens_WinCC_TIA_Portal_Miniweb_Dos.py - Remote Denial of Service in Siemens WinCC TIA Portal miniweb.exe server. [0day]

1.2 – September 2013:
- Siemens_Simatic_HMI_Pro_Tool_DoS.py - Siemens SIMATIC ProTool/Pro Configuration (CS) DoS. [0day]
- Clorius_Controls_ICS_SCADA_Information_Disclosure.py - Clorius Controls ICS SCADA Information Disclosure
- Honeywell_UniSim_ShadowPlant_Bridge_DoS.py - Honeywell UniSim ShadowPlant Bridge Remote DoS. [0day]
- Intellicom_Netbiter_WebSCADA_Directory_Traversal.py - Intellicom Netbiter WebSCADA Directory Traversal

1.1 – August 2013:
- Sunway_Webserver_Remote_Command_Execution - Sunway Webserver Remote Command Execution. No CVE, but public
- Cogent_Datahub_Buffer_Overflow_Remote_Exploit - Cogent Datahub Buffer Overflow Remote Exploit. CVE-2011-3493
- Honeywell_UniSim_DoS.py - Honeywell UniSim SimStation Remote DoS. [0day]
- Schneider_Electric_Accutech_Manager_Server_DoS.py - Schneider Electric Accutech Manager Server Denial of Service. CVE-2013-0658
- Schneider_Electric_PLC_Simulator_DoS - Schneider Electric PLC Simulator 'sim.exe' Remote DoS. [0day]
- Schneider_Electric_Web_Designer_Server_Simulator_DoS - Schneider Electric Web Designer Server Simulator Remote DoS. [0day]
1.0 – July 2013: Trace_Mode Remote DoS [0day]- This module exploits a vulnerability in the TraceMode Runtime
Monitor service by sending a malformed packet to the 772/TCP port to crash the application. Trace_Mode_Remote_UDP_DoS [0day]- This module exploits a vulnerability in the TraceMode
Runtime Monitor service by sending a malformed packet to the 260/UDP port to crash the application.
Atvise_Webmitestserver_Directory_Traversal [0day]- Directory traversal vulnerability via ..\ sequence through the HTTP request.
Atvise_webMI2ADS_Remote_Shutdown CVE20114882- This module exploits a vulnerability in the Atvise webMI2ADS server by sending special command via http request to shutdown the application.
Atvise_webMI2ADS_Null_Pointer_Remote_Dos CVE20114881- The web server in Certec atvise webMI2ADS (aka webMI) before 2.0.2 does not properly check return values from functions, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted HTTP request. This module exploits a vulnerability in the Atvise webMI2ADS server by
16
The ExCraft SCADA Pack STANDARD
Core Security www.coresecurity.com +1 678-304-4500
sending a malformed http request to crash the application. Atvise_webMI2ADS_Directory_Traversal CVE20114880- Directory traversal vulnerability in the
web server in Certec atvise webMI2ADS (aka webMI) before. 2.0.2 allows remote attackers to read arbitrary files via a crafted HTTP request.
TraceMode_DataCenter_Directory_Traversal CVE20115087- The module exploits directory traversal vulnerability in AdAstrA TRACE MODE Data Center that allowing remote attackers to read arbitrary files via http request to the publiher server (port 81) and to the document server (port 80).
Kaskad Daserver Remote Code Execution [0day]- This module exploits a remote memory (heap) corruption in the Kaskad Daserver.exe by sending a specially crafted UDP packet to the 25923 server.
Ge_Fanuc_Cimplicity_Webserver_Remote_Command_Execution [0day]- This module exploits a directory traversal vulnerability in the Ge Fanuc Cimplicity cimwebserver.exe via http request on port 80. Successfull exploiattion leads to system command execution.
Ge_Fanuc_Cimplicity_Webserver_Directory_Traversal CVE20130653- Directory traversal vulnerability in substitute.bcl in the WebView CimWeb subsystem in GE Intelligent Platforms Proficy HMI/SCADA CIMPLICITY 4.01 through 8.0, and Proficy Process Systems with CIMPLICITY, allows remote attackers to read arbitrary files via a crafted packet.
Ge_Fanuc_Cimplicity_Webserver_Dos [0day]- This module exploits a vulnerability in the Cimplicity webserver by sending a malformed http request to crash the application.
OPCSystems_Service_Dos CVE20114871- This module exploits a vulnerability in the OPCSystems server by sending a malformed tcp packet to the application. Successfull exploitation may lead to the consuming of the CPU resources.
Advantech WebAccess Change Password Exploit CVE 20120239- The uaddUpAdmin.asp in Advantech/BroadWin WebAccess before 7.0 does not properly perform authentication, which allows remote attackers to modify an administrative password via a passwordchange request.
Advantech_WebAccess_SQLInjection_Exploit [0day]- Advantech/BroadWin WebAccess 7.0 does not properly validate the input parameters 'proj' and 'node' in the http request to the bwview.asp. That leads to the Double Blind SQLInjection vulnerability.The vulnerability may be one of CVE20121234, CVE20120244, CVE20120234, CVE20114521.
Advantech_WebAccess_Bwocxrun_Activex_Buffer_Overflow_Exploit CVE20120243- This module exploits a vulnerability in the bwocxrun.ocx module included in the Advanteh WebAccess. The exploit is triggered when the CreateProcess() method processes a malformed argument resulting in a stackbased buffer overflow. There are also unsafe methods in this library that also may be exploitable: WriteTextData(); URLEncode(); OpenUrlToFileTimeout(); OpenUrlToBufferTimeout(); OcxSpool(); CreateProcess();
Advantech_WebAccess_Multiple_Activex_Exploit [0day]- The default installation of WebAccess7.0 contains a few activex’s http://broadwin.com/Drivers/Video.htm. Some of them are vulnerable to stack based buffer overflows. Vulnerable are: NVCTRLMEDIA.dll, camviewlc.ocx, dvs.ocx, NVLive.ocx, epochmaking.dll, webeyeaudio.ocx.
QNX_shutdown- QNX version <=6.5.0 with QCONN version 1.4.207944 suffers from a remote command execution vulnerability.
QNX_FTPD_DoS- Denial of service going to the FTP server base system QNX QNX_phrelay_DoS- Bufferoverflow affecting phrelay in the handling of the device file specified
by the client as existing Photon session. InterSystems_Cache_DoS_1- Remote Denial Of Service in InterSystems Cache.
17
The ExCraft SCADA Pack STANDARD
Core Security www.coresecurity.com +1 678-304-4500
InterSystems_Cache_DoS_2- Remote Denial Of Service in InterSystems Cache.
SpecViewDirectoryTraversal- A directory traversal vulnerability in the SpecView SCADA web server can be triggered by a specially crafted request to the web server listening on TCP port 80. Successful exploitation could result in data leakage.
Progea_Movicon_11_DoS- Remote Denial Of Service in Progea Movicon 11.
ICPDAS_EZ_Data_Logger_DoS [0day]- This module causes a Denial of Service in ICPDAS EZ Data Logger.
advantech_web_DoS- Remote Denial Of Service in the Advantech Studio web server.
IPC_chip_Directory_Traversal- This module exploits a directory traversal vulnerability in the BECK IPC GMBH IPC@CHIP. An attacker could read files from an arbitrary directory without authorization via an HTTP request. A successful attack may result in data leakage.
IPC_chip_DoS- Remote Denial Of Service in BECK IPC CHIP. This exploit will leave the service unavailable.
C3ILEX_EOScada_DoS- Remote Denial Of Service in C3ilex SCADA.
RuggedComDevicesBackdoorAccess- An undocumented backdoor account exists in all released versions of RuggedCom's Rugged Operating System (ROS). The username of the account, which cannot be disabled, is "factory", and its password is dynamically generated from the device's MAC address.
Elipse_ActiveReports_Remote_File_Delete- A flaw in the ActiveX control can be used to delete any file on the victim's computer.
PlantVisor_CarelDataServer_Directory_Traversal CVE-2011-3487- This module exploits a directory traversal vulnerability in the CarelDataServer.exe service of Carel PlantVisor 2.4.4 and earlier, which allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP GET request.
PlantVisor_Remote_Code_Execution.py [0day]- This module exploits a directory traversal vulnerability in the PlantVisor web server to upload and launch a trojan, leading to command execution.
Carel_PlantVisorPro_SQLInjection_Exploit.py [0day]- This module exploits an SQL injection vulnerability in Carel PlantVisorPro 2.0. Carel PlantVisorPro does not validate the 'param0' input parameter of the HTTP request to DispatcherError.jsp and DispatcherClear.jsp. The vulnerability leads to theft of critical information and to code execution.
Carel_PlantVisorPro_Hardcoded_Password.py [0day]- This module exploits a hardcoded password vulnerability in Carel PlantVisorPro 2.0. Hardcoded credentials were found in DBCommander.jsp, RCmdComm2.jsp and RCmdComm.jsp. An attacker can use username "debug" and password "pvprod3bug" to access the SCADA database. Successful exploitation may lead to critical information disclosure and to code execution.
Advantech_Studio_Directory_Traversal- This module exploits a directory traversal vulnerability in Advantech Studio.
Carel_PlantVisorPro_Local_File_Inclusion_Exploit.py [0day]- This module exploits a local file inclusion vulnerability in the Carel PlantVisorPro 2.0 (demo) web interface. An attacker can steal critical information from configuration files through LogReader.jsp and LogsReader.jsp. A successful attack may result in data leakage. This module downloads arbitrary files: the PostgreSQL authorization file, the SCADA scheduler configuration file, the PostgreSQL server configuration file, the BootPro password file and the Tomcat server configuration file.
Siemens_WinCC_Flexible_Hmiload_Dos CVE-2011-4875- Remote Denial Of Service in the Siemens WinCC Flexible hmiload.exe server.
Siemens_WinCC_Flexible_Miniweb_Dos CVE-2011-4879- Remote Denial Of Service in the Siemens WinCC Flexible miniweb.exe server.
Siemens_Wincc_Flexible_Miniweb_Directory_Traversal CVE-2011-4878- This module exploits a directory traversal vulnerability in the Siemens WinCC Flexible web server (miniweb.exe).
Siemens_WinCC_Flexible_Hmiload_Remote_Code_Execution CVE-2011-4876- This module exploits a directory traversal vulnerability that leads to command execution.
Ge_Fanuc_Real_Time_Portal_Unauthorized_Remote_File_Access CVE-2012-0232- The rifsrvd.exe service is affected by a directory traversal vulnerability, triggered by a specially crafted TCP packet sent to the application on port 5159. Successful exploitation may allow creating .ini files.
NetBiterConfig_and_Anybus_IPconfig_DoS CVE-2009-4462- A stack-based buffer overflow in the NetBiterConfig utility (NetBiterConfig.exe) 1.3.0 for Intellicom NetBiter WebSCADA allows remote attackers to execute arbitrary code via a long hn (hostname) parameter in a crafted HICP-protocol UDP packet.
Adroit_SCADA_Intelligence_Server_DoS- Repeatedly sending specially crafted TCP packets crashes the Adroit Intelligence Server.
Ge_Fanuc_Real_Time_Portal_Information_Disclosure CVE-2008-0175- This module exploits a sensitive information disclosure vulnerability in the GE Fanuc Real Time Portal.
Schneider_Electric_Vijeo_Web_Gate_Server_Directory_Traversal.py [0day]- An attacker could read files from an arbitrary directory without authorization via an HTTP request. This module downloads an arbitrary file in order to disclose sensitive information; a successful attack may result in data leakage.
Schneider_Electric_Vijeo_Web_Gate_Server_DoS [0day]- This exploit crashes the Schneider Electric Vijeo Web Gate Server by sending a long string to the application on TCP port 80.
Sielco Sistemi Winlog Buffer Overflow Remote CVE-2012-3815- This module exploits a buffer overflow vulnerability in the Runtime.exe service that can be triggered by sending a specially crafted request to port 46824.
Siemens WINCC DiagAgent Directory Traversal Vulnerability CVE-2012-2597- This module exploits a directory traversal vulnerability in the Siemens WinCC CCDiagAgent.exe web server.
Siemens WINCC DiagAgent Buffer Overflow Remote CVE-2012-2598- The DiagAgent web server is used for remote diagnostic purposes and is disabled by default. If the service is enabled, it does not sanitize user input correctly. Specially crafted input can crash the DiagAgent (or execute code), disabling the remote diagnostic service.
Siemens WINCC DiagAgent Multiple Directory Traversal Vulnerabilities Exploit [0day]- The web interface of the DiagAgent is prone to directory traversal vulnerabilities that allow attackers to read arbitrary files.
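Many of the modules listed above (SpecView, IPC@CHIP, PlantVisor CarelDataServer, Advantech Studio, WinCC Flexible miniweb, WinCC DiagAgent, Vijeo Web Gate) exploit the same weakness: a web server that accepts ".." segments in an HTTP GET path and serves a file outside its document root. The following detector is an added example for defenders, not code from the ExCraft pack or from any of the named vendors. It goes beyond the plain "dot dot" case described in the PlantVisor entry by also decoding percent-encoded and double-encoded segments and folding backslashes (common on Windows-hosted SCADA web servers). The log lines are constructed for the example; the IP addresses, paths and timestamps are invented.

```python
"""Flag directory-traversal attempts in web-server access logs.

Added example, not part of the ExCraft SCADA Pack. The sample log below is
constructed for illustration; nothing in it was captured from a real host.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Common Log Format.
# Line 2 is a plain "dot dot" request, line 3 is percent-encoded, line 4 is
# double-encoded, line 5 uses backslashes, line 6 is a benign filename that
# merely contains "..".
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2019:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2019:10:01:05 +0000] "GET /../../../boot.ini HTTP/1.1" 200 310
10.0.0.9 - - [12/Mar/2019:10:01:07 +0000] "GET /%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 200 92
10.0.0.9 - - [12/Mar/2019:10:01:09 +0000] "GET /..%252f..%252fetc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [12/Mar/2019:10:01:11 +0000] "GET /..\\..\\conf\\server.xml HTTP/1.1" 200 1201
10.0.0.5 - - [12/Mar/2019:10:01:13 +0000] "GET /reports/2019..pdf HTTP/1.1" 200 4096
"""

# Extracts the method and request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def normalize_path(raw, max_rounds=3):
    """Strip the query string, percent-decode repeatedly (so that a
    double-encoded %252f becomes '/') and fold backslashes to slashes.
    max_rounds bounds the decoding loop so a hostile input cannot spin it."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def root_escapes(path):
    """Walk the normalized path segment by segment and count how many '..'
    steps climb *above* the document root. '..' that only cancels an earlier
    segment (e.g. /a/../b) is legitimate and is not counted, and a filename
    such as '2019..pdf' is a single segment, not a traversal."""
    depth = 0
    escapes = 0
    for seg in path.split("/"):
        if seg == "..":
            if depth == 0:
                escapes += 1
            else:
                depth -= 1
        elif seg not in ("", "."):
            depth += 1
    return escapes


def scan_log(text):
    """Return (client_ip, decoded_path, escape_count) for every request whose
    normalized path climbs above the web root. Status code is deliberately
    ignored: a 200 on such a request means the server served the file, a 404
    still means someone is probing."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = normalize_path(m.group("target"))
        escapes = root_escapes(path)
        if escapes:
            hits.append((line.split(" ", 1)[0], path, escapes))
    return hits


if __name__ == "__main__":
    for ip, path, n in scan_log(SAMPLE_LOG):
        print(f"{ip} climbed {n} level(s) above the web root: {path}")
```

The decoded path, not the raw request target, is what should be matched against signatures, because a server that decodes before resolving the path is exactly the kind of server these modules target; matching on the literal string "../" would miss three of the four constructed attack lines.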
Ge_Fanuc_Cimplicity_Webserver_Dos(Bug).py CVE-2012-4689
Schneider_Electric_Accutech_Manager_Server_DoS CVE-2013-0658- A heap-based buffer overflow in RFManagerService.exe in Schneider Electric Accutech Manager 2.00.1 and earlier allows remote attackers to execute arbitrary code via a crafted HTTP request.
Schneider_Electric_ModbusDrv_Dos- Remote denial of service in 'ModbusDrv.exe' of multiple Schneider Electric products (Unity PRO XL).