Sunday, 19 January 2020

Malmod

From 1 February 2016 to 31 January 2017 I embarked on an exciting project at the University of León, in Spain, aimed at finding vulnerabilities in the different devices that we, the group, found in the industrial lab the university had prepared for us. There we found many devices ready to be investigated:

  • Tofino firewalls
  • Schneider Electric PLCs
  • Siemens PLCs
  • Opto22 PLCs
  • ...

I soon found I was using a PLC that didn't seem to be very safe: the Modicon M340. From that point on, I started trying to understand how this device's communications worked and how I could attack it.

For a couple of months this was my work. First I learned that Schneider Electric used a modified version of Modbus for communication, named UMAS, which has been described in this series of posts (here, here, here, here and here).

Then I found a vulnerability related to this private UMAS protocol, which is described here.

Some interesting reports were written (like this one).

Even an academic paper was published that partially explained what we had found: this one.

But some work from that year has not yet been published, namely the scripts and libraries developed for testing the PLCs and trying the attacks.

This set of scripts was named MALMOD: a series of Python scripts that use Scapy to communicate with the Modicon M340 PLC without needing the official Unity libraries.

These scripts are a group of functions that try different "attacks" against the Modicon M340 PLC. Among the attacks that can be tried are:

  • Try default FTP passwords
  • Write blocks of rubbish into the PLC's memory
  • Obtain information of any kind
    • Get all system bits
    • Get all system words
    • Monitor all system bits
    • Extract general PLC information
    • Extract network information
    • Extract zlib blobs via SNMP
  • Store a file in holding registers
  • Recover a file from holding registers
  • Stop the PLC remotely
  • Delete the backup strategy

Other additional non-malicious functions:

  • Upload strategy
  • Download strategy
  • Get Card Information
  • Check if PLC is running
  • Start PLC
  • Set PLC Date
  • Set PLC Time
  • Get PLC Date and Time

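As an added example (not part of MALMOD or of the original post), here is the defender's side of the actions listed above: a small pure-Python parser for Modbus/TCP frames that flags UMAS traffic (Schneider carries UMAS inside Modbus function code 0x5A) and bulk holding-register writes of the kind the store-file action would produce. The sample frames are constructed, the UMAS sub-function names come from public protocol write-ups, and the bulk-write threshold is an assumption.

```python
import struct
from collections import namedtuple

# Constructed sample frames for the demo (not captured from a real M340):
SAMPLE_FRAMES = [
    # Read Holding Registers (FC 0x03), 10 registers from address 0: benign polling
    struct.pack(">HHHBBHH", 1, 0, 6, 1, 0x03, 0, 10),
    # Write Multiple Registers (FC 0x10): 120 registers, 240 bytes of filler
    struct.pack(">HHHBBHHB", 2, 0, 247, 1, 0x10, 100, 120, 240) + b"A" * 240,
    # Modbus FC 0x5A carrying a UMAS request; sub-code 0x41 is STOP_PLC
    struct.pack(">HHHBB", 3, 0, 4, 1, 0x5A) + bytes([0x00, 0x41]),
]
UMAS_FC = 0x5A  # Schneider wraps UMAS inside Modbus function code 90
# UMAS sub-function names as given in public protocol write-ups (assumption:
# confirm against your own captures before alerting on them)
UMAS_NAMES = {0x01: "INIT_COMM", 0x02: "READ_ID", 0x40: "START_PLC", 0x41: "STOP_PLC"}
BULK_WRITE_BYTES = 64  # assumed threshold for a "large" register write

# data = the PDU payload that follows the function code
ModbusADU = namedtuple("ModbusADU", "transaction_id unit_id function_code data")

def parse_modbus_tcp(frame: bytes) -> ModbusADU:
    """Parse one Modbus/TCP ADU (MBAP header + PDU) and validate its framing."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, uid, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError("protocol id != 0, not Modbus/TCP")
    if length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return ModbusADU(tid, uid, fc, frame[8:])

def describe(adu: ModbusADU) -> str:
    if adu.function_code == UMAS_FC and len(adu.data) >= 2:
        # byte 0 is the session/reservation byte, byte 1 the UMAS function code
        return "UMAS " + UMAS_NAMES.get(adu.data[1], f"0x{adu.data[1]:02x}")
    if adu.function_code == 0x10 and len(adu.data) >= 5:
        addr, count, nbytes = struct.unpack(">HHB", adu.data[:5])
        return f"WRITE_MULTIPLE_REGISTERS addr={addr} count={count} bytes={nbytes}"
    return f"FC 0x{adu.function_code:02x}"

def alerts(frames) -> list:
    """One alert per frame that looks like a MALMOD-style action: any UMAS traffic,
    or a bulk register write large enough to be stashing a file."""
    out = []
    for i, frame in enumerate(frames):
        adu = parse_modbus_tcp(frame)
        if adu.function_code == UMAS_FC:
            out.append(f"frame {i}: {describe(adu)} (engineering protocol on the wire)")
        elif adu.function_code == 0x10 and len(adu.data) >= 5 and adu.data[4] >= BULK_WRITE_BYTES:
            out.append(f"frame {i}: bulk {describe(adu)} (possible file stash in registers)")
    return out
```

Feeding it real traffic means slicing the TCP payloads of port 502 sessions out of a capture; the parser rejects any frame whose MBAP length disagrees with its size.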
These scripts consist of the following files:

  • malmod.py: Starting point. Launches a CURSES-based screen menu that allows different operations against a PLC. The script can also be run without the CURSES menu. The script options are:

        usage: malmod.py [-h] [-v|-w] -m  [-u |-d |-i|-c|-a|-b|-x|-y|-k|-l|-L|-f|-n]
            -h: this help text
            -m : PLC IP address
        MODIFIERS:
            -v | --verbose: verbose output
            -w | --very-verbose: very verbose output
        ACTIONS:
            --upload-strategy | -u : ATX file to upload
            --download-strategy | -d : Path to ATX file to download strategy in
            --get-info | -i: Get Device Information
            -s: Get Card Information
            --store-file | -a : Store File in Holding registers
            --retrieve-file | -b : Retrieve File in Holding registers
            --command-file | -c : Command File (Only in listener mode)
            --listener-mode | -l: Listener Mode
            --ncurses | -n: use curses interface
            --restore-backup | -R: Restore strategy from backup
            --delete-backup | -D: Delete backup of strategy from card
            --backup | -B: Backup strategy into card
            --start | -y: Start PLC
            -x: Check if PLC is Running (with -v)
            --stop | -z: Stop PLC
            --kill-plc | -k: Stop PLC
            -f: Try default FTP passwords
            --set-date=
            --set-time=
            --get-time: return time of PLC
  • umas.py: Includes a pseudo-library for interacting with the Modicon M340 over UMAS
  • mal_functions.py: Includes a set of malicious functions that can be used against a Modicon M340 PLC
  • modbus.py: A poorly chosen name for a set of auxiliary functions used by the rest of the scripts. This file includes functions such as one that opens a port the PLC can interact with and keeps it open, among others
  • cliente_modbus.py: Python script for making plain Modbus requests against the Modicon PLC. This does not use UMAS

The scripts are provided as they are. I don't even know if they still work (I don't have a Modicon M340 at home and have not tested them), but I guess they should, as they worked at the lab. The documentation is not very good either, not to mention my coding style, which has improved a lot since then.

There is only one attack that has NOT been added, and it is the one that leveraged the vulnerability I found in the PLC.

Malmod can be found at https://github.com/mliras/malmod/. I hope you enjoy it.