sourceincite/randy

Randy

What

This is a pre-authenticated RCE exploit for Inductive Automation Ignition that affects versions <= 8.1.16. We failed to exploit the bugs at Pwn2Own Miami 2022 because we had a sloppy exploit and no debug environment, but since then we have found the time and energy to improve it!

Authors

Chris Anastasio and Steven Seeley (mr_me) of Incite Team

Build

  1. Build the exploit jar with Maven: mvn clean compile assembly:single -DskipTests (this produces target/randy-0.0.1-SNAPSHOT.jar)

Tested

The exploit was tested against 8.1.16 using the Windows 64-bit Installer (SHA1: f135d32228793c73c4cdd88561cdbdb44b19290c), but it is known to work against other, older versions as well.

Notes

  • At the time of release, no CVEs had been assigned to the bugs.

  • The exploit chains two vulnerabilities, both of which have since been patched.

  • The exploit requires an admin user to be logged into the gateway. During testing we found that gateway sessions never expire unless the user explicitly logs out.

  • The exploit should be run from a Windows host, because the SecureRandom seed-prediction attack depends on it.

  • The exploit targets Ignition deployed on Windows, where the SecureRandom output it relies on is predictable.

  • The exploit was tested with Java v11.0.11.
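Illustrative example, not code from the Randy repository: the notes above say the exploit depends on predicting a SecureRandom seed, but this page does not describe how Ignition constructs its SecureRandom or what makes it predictable on Windows, so the actual mechanism is not reproduced here. The block below shows the general class of weakness instead: a SHA1PRNG instance that is explicitly seeded before its first output. For that algorithm the JDK documents that a setSeed() call made before any output replaces self-seeding, so every byte the instance produces is a pure function of the seed, and a seed drawn from a millisecond clock can be brute-forced by anyone who observes a single token. The class and method names (SeedPrediction, weakToken, recoverSeed, safeToken), the 16-byte token format and the timestamp-seed scenario are assumptions made for the illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeedPrediction {

    // Weak pattern (hypothetical, for illustration): an explicitly seeded SHA1PRNG.
    // For SHA1PRNG, a setSeed() call before any output disables self-seeding, so
    // every byte the instance ever produces is a pure function of the seed. A
    // millisecond timestamp is the classic low-entropy seed.
    static byte[] weakToken(long seed) throws NoSuchAlgorithmException {
        SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
        rng.setSeed(seed);
        byte[] token = new byte[16];
        rng.nextBytes(token);
        return token;
    }

    // Attacker side: regenerate the token for every candidate seed in a window
    // around the estimated creation time until one matches the observed token.
    static long recoverSeed(byte[] observed, long estimateMs, long windowMs)
            throws NoSuchAlgorithmException {
        for (long delta = -windowMs; delta <= windowMs; delta++) {
            long candidate = estimateMs + delta;
            if (Arrays.equals(weakToken(candidate), observed)) {
                return candidate;
            }
        }
        return -1L; // not found within the window
    }

    // Safe pattern: never call setSeed() on a fresh instance; let the JDK seed
    // it from the platform entropy source. Output cannot be regenerated from a
    // guess because the attacker has no seed to enumerate.
    static byte[] safeToken() {
        byte[] token = new byte[16];
        new SecureRandom().nextBytes(token);
        return token;
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // "Server" mints a token seeded with its own clock.
        long serverSeed = System.currentTimeMillis();
        byte[] observed = weakToken(serverSeed);

        // Attacker only knows roughly when the token was minted (clock skew of
        // 1.5 s here) and searches a +/-5 s window: at most 10,001 candidates.
        long attackerEstimate = serverSeed + 1500;
        long recovered = recoverSeed(observed, attackerEstimate, 5000);

        System.out.println("observed token : " + hex(observed));
        System.out.println("recovered seed : " + recovered + " (actual " + serverSeed + ")");
        System.out.println("seed recovered : " + (recovered == serverSeed));

        // Self-seeded construction for comparison: two calls, two unrelated tokens.
        System.out.println("safe token 1   : " + hex(safeToken()));
        System.out.println("safe token 2   : " + hex(safeToken()));
    }
}
```

Once the seed is recovered, the attacker can instantiate the same SHA1PRNG with the same seed and replay every subsequent nextBytes() call the server made, which is what turns a "random" session or CSRF token into a predictable one. Whether a given SecureRandom is vulnerable depends on which algorithm the platform selects by default and on how the application seeds it, which is why the notes above tie the attack to the Windows deployment.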

Run

Run the exploit with java -cp target/randy-0.0.1-SNAPSHOT.jar com.srcincite.ia.exploit.Poc

Example

(Image: Running Randy)
