
v1.0.38 - Native destructive writers: Modbus/S7comm/IEC-104


@mrhenrike mrhenrike released this 10 Jun 05:30
· 4 commits to master since this release

New Destructive Protocol Writers (original implementations)

exploits/protocols/modbus/modbus_destructive_writer.py (PyPI)

Pure Python, no native binaries required.

  • FC05 Write Single Coil
  • FC06 Write Single Register
  • FC08 Diagnostic (restart comms, listen-only mode, clear counters)
  • FC15 Write Multiple Coils (batch)
  • FC16 Write Multiple Registers (batch)
  • FC21 Write File Record (firmware/config write on supported PLCs)
  • FC22 Mask Write Register (AND/OR bit manipulation)
  • FC23 Read/Write Multiple Registers (atomic)
  • Options: WRITE_VALUE, VALUES_LIST, AND_MASK, OR_MASK, DIAGNOSTIC_FN, WRITE_FILE

exploits/protocols/s7comm/s7_destructive_writer.py (PyPI)

Original TPKT/COTP/S7comm framing, implemented from scratch.

  • CPU STOP (PLCSTOP, FC 0x29)
  • CPU START warm/cold (FC 0x28)
  • DB Write (Data Block variable write, FC 0x05)
  • M Write (Merker memory write)
  • Q Write (Process output write)
  • Options: ACTION, DB_NUMBER, DB_OFFSET, WRITE_VALUE, WRITE_SIZE, WARM_START
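The function codes named in this section (0x29 PLC stop, 0x28 PLC control/start, 0x05 write var) are also what a defender looks for on port 102. The decoder below is an added example and not code from this release: it walks the TPKT, COTP and S7comm headers of an ISO-on-TCP payload and reports job requests that carry those functions, decoding the target area and DB number of the first write item. Header layouts follow the publicly documented S7comm protocol (as dissected by Wireshark); the frames in SAMPLE_FRAMES are constructed for the demo, not captured traffic.

```python
"""Decode S7comm job requests and flag PLC control and variable-write functions.

Added example (not part of the release).  Layouts follow the publicly
documented S7comm protocol; SAMPLE_FRAMES below are constructed, not captured.
"""
import struct

JOB_FUNCTIONS = {
    0x04: ("Read Var", "info"),
    0x05: ("Write Var", "high"),
    0x28: ("PLC Control", "high"),       # start / warm start / cold start, block ops
    0x29: ("PLC Stop", "high"),
    0xF0: ("Setup Communication", "info"),
}
AREAS = {0x81: "I (inputs)", 0x82: "Q (outputs)", 0x83: "M (flags)", 0x84: "DB"}
ROSCTR_JOB = 0x01


def strip_tpkt_cotp(frame: bytes) -> bytes:
    """Validate the TPKT and COTP DT headers and return the S7comm payload."""
    if len(frame) < 7 or frame[0] != 0x03:
        raise ValueError("not a TPKT frame")
    tpkt_len = struct.unpack(">H", frame[2:4])[0]
    if tpkt_len != len(frame):
        raise ValueError("TPKT length does not match frame size")
    cotp_len = frame[4]                      # COTP header length after this byte
    if frame[5] != 0xF0:                     # 0xF0 = COTP Data (DT) TPDU
        raise ValueError("COTP TPDU is not DT")
    return frame[5 + cotp_len:]


def decode_job(frame: bytes) -> dict:
    """Return severity and a summary for one S7comm PDU (jobs only)."""
    s7 = strip_tpkt_cotp(frame)
    if len(s7) < 10 or s7[0] != 0x32:
        raise ValueError("not an S7comm PDU")
    rosctr, pdu_ref, param_len, data_len = struct.unpack(">BxxHHH", s7[1:10])
    if rosctr != ROSCTR_JOB:
        return {"pdu_ref": pdu_ref, "severity": "info", "detail": "not a job"}
    params = s7[10:10 + param_len]
    data = s7[10 + param_len:10 + param_len + data_len]
    func = params[0]
    name, severity = JOB_FUNCTIONS.get(func, (f"function 0x{func:02X}", "medium"))
    out = {"pdu_ref": pdu_ref, "function": func, "severity": severity, "detail": name}
    if func == 0x05 and len(params) >= 14:
        # First item is an "Any" pointer: var spec, len, syntax id, transport
        # size, count, DB number, area, 3-byte address (byte * 8 + bit).
        count, db_num, area = struct.unpack(">HHB", params[6:11])
        addr = int.from_bytes(params[11:14], "big")
        target = AREAS.get(area, f"area 0x{area:02X}")
        if area == 0x84:
            target += str(db_num)
        # Data part: return code, transport size, length, then the bytes written.
        out["detail"] += f" {target} byte={addr >> 3} count={count} data={data[4:].hex()}"
    elif func == 0x29 and len(params) >= 7:
        pi_len = params[6]                   # length of the PI service name
        out["detail"] += " service=" + params[7:7 + pi_len].decode("ascii", "replace")
    return out


def control_jobs(frames) -> list:
    """Return decoded jobs rated high severity."""
    return [j for j in map(decode_job, frames) if j["severity"] == "high"]


# Constructed frames: read DB5.DBB0, write 0xFF to DB5.DBB0, PLC stop.
SAMPLE_FRAMES = [
    bytes.fromhex("0300001F" "02F080" "3201000000030000E0000" "0000"[:0]
                  if False else
                  "0300001F" "02F080" "32010000000300 0E0000".replace(" ", "")
                  + "0401120A1002000100058400 0000".replace(" ", "")),
    bytes.fromhex("03000024" "02F080" "32010000000100 0E0005".replace(" ", "")
                  + "0501120A1002000100058400 0000".replace(" ", "") + "000400 08FF".replace(" ", "")),
    bytes.fromhex("03000021" "02F080" "32010000000200 100000".replace(" ", "")
                  + "29000000000009" + "P_PROGRAM".encode("ascii").hex()),
]

if __name__ == "__main__":
    for job in control_jobs(SAMPLE_FRAMES):
        print(f"ref={job['pdu_ref']} fn=0x{job['function']:02X} {job['detail']}")
```

The first sample stays at "info" severity because it is a read; the other two are the write and stop requests a monitoring rule would surface.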

exploits/protocols/iec104/iec104_command_injection.py (PyPI)

Original APCI/ASDU framing following the IEC 60870-5-104 spec.

  • C_SC_NA_1 (TypeID 45) -- Single Command: trip/close breakers
  • C_DC_NA_1 (TypeID 46) -- Double Command
  • C_RC_NA_1 (TypeID 47) -- Regulating Step (raise/lower setpoint)
  • C_SE_NB_1 (TypeID 49) -- Set-point Scaled (integer)
  • C_IC_NA_1 (TypeID 100) -- General Interrogation
  • SELECT-BEFORE-OPERATE (SBO) mode supported
  • Options: COMMAND_TYPE, IOA, COMMON_ADDR, VALUE, SELECT_EXEC
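The type IDs listed above (45, 46, 47, 49, 100) are the control-direction ASDUs a defender wants to see in port-2404 traffic, together with whether each was a select or an execute. The decoder below is an added example, not code from this release: it splits a byte stream into APDUs, distinguishes I-, S- and U-format control fields, and for command ASDUs reports the cause of transmission, common address, IOA and the select/execute bit. Field layouts follow the public IEC 60870-5-104 standard; SAMPLE_APDUS is a constructed stream, not captured traffic.

```python
"""Decode IEC 60870-5-104 APDUs and flag control-direction command ASDUs.

Added example (not part of the release).  Field layouts follow the public
IEC 60870-5-104 standard; SAMPLE_APDUS is constructed, not captured.
"""
import struct

COMMAND_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    49: "C_SE_NB_1 set-point command, scaled value",
    100: "C_IC_NA_1 interrogation command",
}
# Cause-of-transmission values used in the control direction.
COT_NAMES = {6: "act", 7: "actcon", 8: "deact", 9: "deactcon", 10: "actterm"}
U_FORMAT = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
            0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def split_apdus(stream: bytes):
    """Yield (control_field, asdu) for every APDU in a TCP byte stream."""
    pos = 0
    while pos + 2 <= len(stream):
        if stream[pos] != 0x68:
            raise ValueError(f"bad start byte 0x{stream[pos]:02X} at offset {pos}")
        length = stream[pos + 1]             # bytes following the length octet
        apdu = stream[pos + 2:pos + 2 + length]
        if len(apdu) != length or length < 4:
            raise ValueError("truncated APDU")
        yield apdu[:4], apdu[4:]
        pos += 2 + length


def decode(control: bytes, asdu: bytes) -> dict:
    """Classify one APDU; only I-format frames carry an ASDU."""
    fmt_bits = control[0] & 0x03
    if fmt_bits == 0x03:
        return {"format": "U", "detail": U_FORMAT.get(control[0], "unknown")}
    if fmt_bits == 0x01:
        return {"format": "S", "recv_seq": (control[2] >> 1) | (control[3] << 7)}
    send = (control[0] >> 1) | (control[1] << 7)
    recv = (control[2] >> 1) | (control[3] << 7)
    if len(asdu) < 6:
        raise ValueError("ASDU header shorter than 6 bytes")
    # IEC-104 uses a 2-byte COT (cause + originator) and a 2-byte common address.
    type_id, vsq, cot, _orig, common_addr = struct.unpack("<BBBBH", asdu[:6])
    out = {"format": "I", "send_seq": send, "recv_seq": recv, "type_id": type_id,
           "cot": COT_NAMES.get(cot & 0x3F, cot & 0x3F), "common_addr": common_addr,
           "severity": "info"}
    if type_id not in COMMAND_TYPES or (vsq & 0x7F) < 1:
        return out
    body = asdu[6:]
    ioa = body[0] | (body[1] << 8) | (body[2] << 16)   # 3-byte IOA in IEC-104
    elem = body[3:]
    out.update({"severity": "high", "command": COMMAND_TYPES[type_id], "ioa": ioa})
    if type_id in (45, 46, 47):
        qualifier = elem[0]                  # SCO / DCO / RCO: S/E bit is bit 7
        out["select"] = bool(qualifier & 0x80)
        out["state"] = qualifier & (0x01 if type_id == 45 else 0x03)
    elif type_id == 49:
        value, qos = struct.unpack("<hB", elem[:3])   # SVA then QOS (S/E in bit 7)
        out["select"] = bool(qos & 0x80)
        out["value"] = value
    else:                                    # 100: QOI, 20 = station interrogation
        out["qoi"] = elem[0]
    return out


def control_commands(stream: bytes) -> list:
    """Return decoded I-format APDUs that carry a command type ID."""
    return [d for d in (decode(c, a) for c, a in split_apdus(stream))
            if d.get("severity") == "high"]


# Constructed stream: STARTDT act, a single-command execute (ON) on IOA 1001,
# and a scaled set-point SELECT of 500 on IOA 1001, common address 1.
SAMPLE_APDUS = bytes.fromhex(
    "6804" "07000000"
    "680E" "00000000" "2D01" "0600" "0100" "E90300" "01"
    "6810" "00000000" "3101" "0600" "0100" "E90300" "F401" "80"
)

if __name__ == "__main__":
    for cmd in control_commands(SAMPLE_APDUS):
        print(cmd)
```

A select without a following execute, or an execute with no preceding select on a point that requires SBO, is the kind of sequence anomaly this decoder's output makes visible to a monitoring rule.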

contrib/native-payloads/modbus/ (GitHub clone only)

C implementation of Modbus TCP bulk write + FC8 restart.
Compiled in-memory at runtime via NativePayloadLoader + gcc.

  • modbus_write(): FC16 zero-all + FC8 restart
  • modbus_zero_all(): batch register zeroing

contrib/native-payloads/s7comm/ (GitHub clone only)

Manifest for S7comm C implementation (payload.c to be added).

Transport layer (ModbusTCPSocket additions)

  • write_multiple_coils() FC15
  • write_multiple_registers() FC16
  • mask_write_register() FC22
  • read_write_registers() FC23
  • diagnostic() FC08
  • get_com_event_counter() FC11
  • write_file_record() FC21
  • encapsulated_interface_transport() FC43 (generic)
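Every function code in the Modbus writer list above and in this transport-layer list is identifiable from the first PDU byte of a Modbus/TCP request, which is what makes write traffic straightforward to flag on the wire. The decoder below is an added example, not code from this release: it validates the MBAP header, classifies the function code, decodes the address and value fields of the common write requests, and reports the FC08 sub-functions that restart communications, force listen-only mode or clear counters. Function-code and sub-function numbers come from the public Modbus Application Protocol specification; SAMPLE_FRAMES are constructed requests, not captured traffic.

```python
"""Flag state-changing Modbus/TCP requests in captured port-502 payloads.

Added example (not part of the release).  Function codes and FC08
sub-functions follow the public Modbus specification; SAMPLE_FRAMES below
are constructed, not captured.
"""
import struct

# Function codes that alter coils, registers, files or device configuration.
WRITE_FCS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x15: "Write File Record",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}
READ_FCS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}
# FC08 sub-functions that disrupt communications or erase device state.
DISRUPTIVE_DIAG = {
    0x0001: "Restart Communications Option",
    0x0004: "Force Listen Only Mode",
    0x000A: "Clear Counters and Diagnostic Register",
}


def parse_mbap(frame: bytes) -> tuple:
    """Validate the 7-byte MBAP header; return (transaction id, unit id, pdu)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:             # length covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return tid, unit, frame[7:]


def classify(frame: bytes) -> dict:
    """Return severity and a readable summary for one request frame."""
    tid, unit, pdu = parse_mbap(frame)
    fc = pdu[0]
    out = {"tid": tid, "unit": unit, "fc": fc, "severity": "info", "detail": ""}
    if fc in READ_FCS:
        out["detail"] = READ_FCS[fc]
    elif fc in WRITE_FCS:
        out["severity"] = "high"
        out["detail"] = WRITE_FCS[fc]
        if fc in (0x05, 0x06) and len(pdu) >= 5:
            addr, value = struct.unpack(">HH", pdu[1:5])
            out["detail"] += f" addr={addr} value=0x{value:04X}"
        elif fc in (0x0F, 0x10) and len(pdu) >= 6:
            start, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
            out["detail"] += f" start={start} qty={qty}"
            if nbytes != len(pdu) - 6:       # malformed or truncated request
                out["detail"] += " (byte count mismatch)"
        elif fc == 0x16 and len(pdu) >= 7:
            addr, and_mask, or_mask = struct.unpack(">HHH", pdu[1:7])
            out["detail"] += f" addr={addr} and=0x{and_mask:04X} or=0x{or_mask:04X}"
    elif fc == 0x08 and len(pdu) >= 3:
        sub = struct.unpack(">H", pdu[1:3])[0]
        if sub in DISRUPTIVE_DIAG:
            out["severity"] = "high"
            out["detail"] = "Diagnostic: " + DISRUPTIVE_DIAG[sub]
        else:
            out["detail"] = f"Diagnostic sub-function 0x{sub:04X}"
    elif fc == 0x2B:
        out["severity"] = "medium"           # vendor-specific; inspect the MEI type
        out["detail"] = "Encapsulated Interface Transport"
    else:
        out["detail"] = f"Function 0x{fc:02X}"
    return out


def alerts(frames) -> list:
    """Return summaries for every frame rated high severity."""
    return [c for c in map(classify, frames) if c["severity"] == "high"]


# Constructed requests to unit id 1: a read, an FC08 restart, a batch register
# zeroing, and a mask write.
SAMPLE_FRAMES = [
    bytes.fromhex("000100000006" "01" "03" "0000000A"),
    bytes.fromhex("000200000006" "01" "08" "00010000"),
    bytes.fromhex("00030000000F" "01" "10" "00000004" "08" + "00" * 8),
    bytes.fromhex("000400000008" "01" "16" "0010" "FF00" "0001"),
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_FRAMES):
        print(f"tid={a['tid']} unit={a['unit']} fc=0x{a['fc']:02X} {a['detail']}")
```

Fed the TCP payloads of a capture in order, the same transaction id appearing on a write from a source that normally only reads is the signal a monitoring rule would key on.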