New module pcomclient #11219

Open. Wants to merge 5 commits into base: master from


lmrosa commented Jan 9, 2019

PCOM client module that allows unauthenticated read and write of different
types of operands of Unitronics PLCs.

See https://unitronicsplc.com/Download/SoftwareUtilities/Unitronics%20PCOM%20Protocol.pdf

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use scanner/scada/pcomclient
  • set RHOST IP
  • run
  • Verify the thing does what it should
  • Verify the thing does not do what it should not
  • Document the thing and how it works
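As an added example that is not part of this PR or of the module under review, the following Ruby sketch shows the PCOM/ASCII framing a client like this one has to produce, and why "unauthenticated" is the operative word in the description: a write to an MI register needs nothing beyond a unit id, a command code, an address, a count, the values and a checksum anyone can recompute. The command codes (RW/SW for MI, RNL/SNL for ML, and so on), the 4-hex-digit address and 2-hex-digit count that match the ADDRESS and LENGTH option ranges, the checksum rule and the 6-byte PCOM/TCP header (port 20256, protocol byte 0x65) are my reading of the linked Unitronics PDF and should be treated as assumptions to verify against it. The PLC reply is constructed in the code, not captured from a device.

```ruby
# Added example, not the PR's module code: minimal PCOM/ASCII framing for
# Unitronics PLCs. Command codes, field widths, the checksum rule and the
# 6-byte PCOM/TCP header follow the Unitronics PCOM PDF linked above as I
# read it; treat them as assumptions to check against the spec.
module PcomAscii
  STX = '/'
  ETX = "\r"
  PCOM_TCP_PORT = 20256 # assumption: default PCOM/TCP port for tcp_wrap output

  # operand => [read command, write command (nil = read-only), hex digits per value]
  OPERANDS = {
    'Input'  => ['RE',  nil,   1],
    'Output' => ['RA',  'SA',  1],
    'SB'     => ['GS',  'SS',  1],
    'MB'     => ['RB',  'SB',  1],
    'MI'     => ['RW',  'SW',  4],
    'SI'     => ['GF',  'SF',  4],
    'ML'     => ['RNL', 'SNL', 8],
    'SL'     => ['RNH', 'SNH', 8]
  }.freeze

  # Sum of the ASCII codes of everything between STX and the checksum,
  # modulo 256, as two upper-case hex digits. Integrity only: any host that
  # can reach the port can recompute it, so it is not an access control.
  def self.checksum(payload)
    format('%02X', payload.bytes.inject(0, :+) & 0xff)
  end

  def self.frame(unit_id, body)
    raise ArgumentError, 'unit id 0-255' unless (0..255).cover?(unit_id)
    payload = format('%02X', unit_id) + body
    STX + payload + checksum(payload) + ETX
  end

  # "/<unit><CC><addr:4 hex><count:2 hex><cs>\r"
  def self.read_request(operand, address, length, unit_id: 0)
    cc, _w, _d = OPERANDS.fetch(operand)
    raise ArgumentError, 'address 0-65535' unless (0..65_535).cover?(address)
    raise ArgumentError, 'length 1-255' unless (1..255).cover?(length)
    frame(unit_id, cc + format('%04X%02X', address, length))
  end

  # Same header as a read, followed by the values; no credential of any kind.
  def self.write_request(operand, address, values, unit_id: 0)
    _r, cc, digits = OPERANDS.fetch(operand)
    raise ArgumentError, "#{operand} is read-only" if cc.nil?
    raise ArgumentError, 'address 0-65535' unless (0..65_535).cover?(address)
    raise ArgumentError, 'length 1-255' unless (1..255).cover?(values.length)
    max = digits == 1 ? 1 : (16**digits) - 1
    values.each { |v| raise ArgumentError, "value out of range: #{v}" unless (0..max).cover?(v) }
    data = values.map { |v| format("%0#{digits}X", v) }.join
    frame(unit_id, cc + format('%04X%02X', address, values.length) + data)
  end

  # PCOM/TCP header: transaction id (LE16), protocol byte 0x65 = ASCII,
  # reserved 0x00, LE16 length of the ASCII frame that follows.
  def self.tcp_wrap(ascii_frame, txid: 1)
    [txid, 0x65, 0x00, ascii_frame.bytesize].pack('vCCv') + ascii_frame
  end

  # What a PLC answers: "/A<unit><CC><data><cs>\r". Constructed here so the
  # parser can be exercised offline; a write acknowledgement carries no data.
  def self.build_reply(unit_id, cc, data = '')
    payload = 'A' + format('%02X', unit_id) + cc + data
    STX + payload + checksum(payload) + ETX
  end

  def self.parse_reply(reply, operand)
    raise 'bad framing' unless reply.start_with?(STX + 'A') && reply.end_with?(ETX)
    payload = reply[1..-4]                               # strip STX, checksum, ETX
    raise 'checksum mismatch' unless checksum(payload) == reply[-3, 2]
    body = payload[3..-1]                                # drop 'A' and unit id
    cc = OPERANDS.fetch(operand).first(2).compact.find { |c| body.start_with?(c) }
    raise "unexpected command code in #{body}" unless cc
    digits = OPERANDS.fetch(operand)[2]
    data = body[cc.length..-1]
    return [] if data.empty?
    raise 'data width mismatch' unless (data.length % digits).zero?
    data.scan(/.{#{digits}}/).map { |h| h.to_i(16) }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "read  MI[0..2]:   #{PcomAscii.read_request('MI', 0, 3).inspect}"
  puts "write MI[10..11]: #{PcomAscii.write_request('MI', 10, [1, 65_535]).inspect}"
  reply = PcomAscii.build_reply(0, 'RW', '000100020003') # constructed PLC reply
  p PcomAscii.parse_reply(reply, 'MI')
end
```

Nothing in the frame identifies or authenticates the sender, so any host with a route to the PLC's PCOM/TCP port can issue the S-prefixed write commands as easily as the reads; network segmentation and alerting on write command codes from anything other than the engineering station are the controls that remain.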

@bcoles bcoles added module docs labels Jan 9, 2019


class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Rex::Socket::Tcp

wchen-r7 (Contributor) Jan 15, 2019

IIRC the Rex library is already loaded somewhere by Framework, so you don't actually need to include Rex::Socket::Tcp and Rex::Text. Try to remove them and see if it still works :-)

else
print_error("Unknown action #{action.name}")
end
disconnect

wchen-r7 (Contributor) Jan 15, 2019

Good practice on the cleanup with disconnect! However this is actually automatically taken care of in the Msf::Exploit::Remote::Tcp mixin. So you can remove this line safely and just let the mixin do its thing :-)

OptInt.new('ADDRESS', [true, "PCOM memory address (0 - 65535)", 0]),
OptInt.new('LENGTH', [true, "Number of values to read (1 - 255) (read only)", 3]),
OptString.new('VALUES', [false, "Values to write (0 - 65535 each) (comma separated) (write only)"]),
OptEnum.new("OPERAND", [true, 'Operand type', "MI", ["Input", "Output", "SB", "MB", "MI", "SI", "ML", "SL"]]),

wchen-r7 (Contributor) Jan 15, 2019

Very small detail, but that extra , isn't needed :-)


wchen-r7 (Contributor) commented Jan 15, 2019

Pretty well written module I'd say. Since this is a PLC, it would be difficult for us to test, @lmrosa do you still have this PLC? If so could you please provide a PCAP that demonstrates this module works? Thanks.

lmrosa added some commits Jan 9, 2019

lmrosa commented Jan 16, 2019

> Pretty well written module I'd say. Since this is a PLC, it would be difficult for us to test, @lmrosa do you still have this PLC? If so could you please provide a PCAP that demonstrates this module works? Thanks.

Thank you for the comments. Please refer to pcaps for a list of PCOM samples I'm collecting.

lmrosa commented Jan 22, 2019

@wchen-r7 am I missing something? Do you know why the Travis CI build is failing? Is it something related to the imports I removed, as you suggested?

bcoles (Contributor) commented Jan 22, 2019

It's unrelated to your changes. Something to do with data/ysoserial_payloads.json, which is from a different PR.
