The ExCraft SCADA Pack PROFESSIONAL

[0day] and public exploits for SCADA and Industrial Control Systems designed for Core Impact Pro™

The “ExCraft SCADA Pack PRO” is a SCADA- and ICS-focused exploitation package, developed and maintained by security experts from the Cyprus-based infosec company ExCraft Labs. The package is specially designed to be used with Core Impact Pro.

We conduct our own research to find [0days], and carefully scan the web for public SCADA vulns. Additionally, the pack is powered by vulnerability-sharing programs!

ExCraft SCADA Pack PRO features:

  • Additional and most valuable exploits!
  • 2-3 times more powerful than SCADA Standard
  • Network equipment add-ons


Exploit List - 2020

1.10 – March 2020:

  • Inductive Automation Ignition 8.0.7 Arbitrary File Upload. [0day]
  • UCanCode Visualization Suite 2020 ActiveX File Overwrite Vulnerability. [0day]

1.9 – February 2020:

  • Oracle GlassFish Server <= 4.1 Directory Traversal Vulnerability. Public
  • InduSoft Webstudio Directory Traversal and file disclosure. Public

1.8 – January 2020:

  • ClearScada 2010 R1 Denial of Service. Public
  • Honeywell PowerNet Twin Client <= 8.9 (RFSync 1.0.0.1) Remote Denial of Service. Public
  • ClearSCADA Remote Authentication Bypass Exploit. Public


Exploit List - 2019

1.7 – December 2019:

  • InTouch Edge HMI v8.1 MobileAccessTask Denial Of Service. [0day]
  • ABB MicroSCADA Remote Code Execution. Public
  • ThingsBoard 2.4.1 RCE. Similar to CVE-2018-17191
  • OpenAPC 5.7.1 Remote Code Execution. Public

1.6 – November 2019:

  • MajorDoMo 1.2.0b Blind SQL Injection [0day]
  • HomeGenie 1.3 Remote Code Execution [0day]
  • MajorDoMo 1.2.0b Remote Code Execution [0day]

1.5 – October 2019:

  • Black Diamond RCE - [0day]
  • FANUC Robotics Virtual Robot Controller Directory Traversal Vulnerability. Public
  • XiongMai ip camera Directory Traversal Vulnerability [0day]

1.4 – September 2019:

  • Remote VxWorks 6.8 Denial of Service. CVE-2019-12255
  • Black Diamond SCADA wshom.ocx Remote Code Execution weakness. [0day]

1.3 – August 2019:

  • scadalts_1_1_rce2.py - ScadaLTS 1.1 Remote Code Execution PoC. [0day]
  • point_of_view_rce.py - Point Of View 8.0 Remote Code Execution. [0day]
  • cogent_datahub_bsqli.py - Cogent DataHub Blind SQL Injection. Public

1.2 – July 2019:

  • ScadaLTS 1.1 RCE
  • Schneider Electric U.Motion SQL Query Execution
  • IntegraXor 8 Stable SCADA Remote DoS
  • Iobroker 1.4.2 Command Injection
  • XISOM X-Scada DoS
  • WellinTech KingSCADA PoC
  • OSHMI Remote Shutdown, and more

1.1 – June 2019:

  • XISOM_XScada_Directory_Traversal.py - XISOM X-Scada Directory Traversal Vulnerability [0day]
  • WellinTech_KingScada_AlarmServer_DoS.py - WellinTech KingSCADA 3.7.0.0.1 and earlier BoF. PoC and DoS. [0day]
  • Seagate_Media_Server_Path_Traversal.py - Seagate Media Server NAS. pub
  • Advantech_WebAccess_ProjectName_ActiveX.py - Advantech WebAccess ActiveX ProjectName() Remote Overflow. [0day]
  • AxxonSoft_Axxon_Next_Directory_Traversal.py - AxxonSoft Axxon Next - AxxonSoft Client Directory Traversal Vulnerability. [0day]
  • Loytec_Path_Traversal.py - Loytec LGATE-902 gateway for CEA-709 (LonMark Systems), BACnet, KNX, Modbus, and M-Bus protos. Path Traversal Vulnerability. pub
  • oshmi_dos.py - open source HMI - OSHMI Remote Shutdown. [0day]

1.0 – May 2019:

[0day] status = researched by our team or by a partner team (and no similar-looking vuln found in public sources as of the date of research)

  • chipkin_bacnet_object_monitor_0_204_rce.py - Chipkin BACnet Object Monitor 0.204 Remote Code Execution. [0day]
  • chipkin_bacnet_object_monitor_dir_list_file_delete.py - Chipkin BACnet Object Monitor Info Disclosure/File delete. [0day]
  • cybrotech_cybrohttpserver_dirtrav.py - Cybrotech CyBroHttpServer Directory Traversal. [0day]
  • delta_mcis_upsentry2012_id.py - Delta MCIS Upsentry 2012 Info Disclosure. [0day]
  • Domat_Control_System_RcWare_DoS.py - Remote Denial of Service Domat Control System RcWare. [0day]
  • eaton_elcsoft_elcsimulator_bof.py - Eaton ELCSoft ELCSimulator Buffer Overflow 2. [0day]
  • eisbaer_scada_dirtrav.py - Eisbaer Scada 2.1 Directory Traversal. [0day]
  • elipse_e3_e3server_dos.py - Elipse E3 E3Server Denial of Service. [0day]
  • elipse_mobile_server_dt.py - Elipse Mobile Server Directory Traversal. [0day]
  • esa_automation_everyware_laquila_hmi_rce.py - ESA Automation Everyware Laquila HMI Remote Code Execution. [0day]
  • FESTO_Robotino_DoS_PoC.py - Remote Denial Of Service in FESTO Robotino View Version service. [0day]
  • gp_pro_ex_wingp_runtime_afd.py - GP PRO EX WinGP Runtime Arbitrary File Download using hardcoded creds. [0day]
  • gp_pro_ex_wingp_runtime_afu.py - GP PRO EX WinGP Runtime Arbitrary File Upload and code exec. [0day]
  • indigo_scada_id.py - Indigo Scada Information Disclosure. [0day]
  • loytec_l_studio_3_0_afu_rce.py - Loytec L-Studio 3.0 Remote Code Execution. [0day]
  • MOXA_AWK_Search_Utility_DoS.py - Remote Denial Of Service in MOXA AWK Search Utility. [0day]
  • opensource_erp_sqli.py - Open Source ERP Arbitrary SQL Query Execution. [0day]
  • open_source_erp_dirtrav.py - Open Source ERP Directory Traversal. [0day]
  • QuickHMI_Directory_Traversal. - QuickHMI Directory Traversal Vulnerability. [0day]
  • scadabr_1_0_rce.py - ScadaBR 1.0 Remote Code Execution. [0day]
  • ultidev_cassini_webserver_fd.py - Ultidev Cassini Webserver Arbitrary File Download. [0day]
  • winplc7_webserver_id.py - WinPLC7 WebServer Info Disclosure. [0day]

public or pub status = CVE-listed and/or found in public sources

  • ICONICS_Dialog_Wrapper_Module_ActiveX.py - ICONICS Dialog Wrapper Module ActiveX control vulnerable to buffer overflow. pub
  • Labview_6_DoS.py - Labview 6 Web server DoS. pub
  • laquis_scada_4_1_dirtrav.py - Laquis Scada 4.1 Directory Traversal. pub
  • Moxa_MXview_DoS.py - Moxa MXview 2.8 Denial of Service. pub
  • Moxa_MXview_Private_Key_Disclosure.py - Remote Moxa MXview 2.8 - Private Key Disclosure. pub
  • RSLogix5000_Denial_of_Service.py - RSLogix5000 RsvcHost.exe 19 (2.30.0.23) Denial of Service. pub
  • SCADA_AspicManager_BufferOverflow.py - SCADA AspicManager Stack-based buffer overflow DoS/PoC. pub
  • winproladder_bof.py - WinProladder 3.25.19327 Buffer Overflow. pub