The ExCraft SCADA Pack STANDARD

[0day] and public exploits for SCADA and Industrial Control Systems designed for Core Impact Pro™

The "ExCraft SCADA Pack STANDARD" is a SCADA- and ICS-focused exploitation package, developed and maintained by security experts from the Cyprus-based infosec company ExCraft Labs. The package is specially designed to be used with Core Impact Pro. We conduct our own research to find [0days], plus carefully scan the web for public SCADA vulns. Additionally, the pack is powered by vulnerability sharing programs!

ExCraft SCADA Pack STANDARD features:

  • Rich set of ICS exploits, constantly growing!
  • Greatly increases the SCADA pentesting capabilities of Core Impact Pro
  • Powered by external knowledge received from sharing programs
  • About 2-6 fresh and interesting new modules in each monthly update.

Exploit List - 2020

1.71 – March 2020:

  • Atvise Authorization webMI2ADS 1.0 denial of service
  • Atvise webMI2ADS 1.0 denial of service
  • Zurich Instruments LabOne Denial of Service. 0day

1.70 – February 2020:

  • Indusoft Web Studio 7 Denial of Service.
  • 7T Interactive Graphical SCADA System DataServer 9.x Denial of Service.
  • FrameFlow Server Monitor v6.8.5 Build 3476 Denial of Service. 

1.69 – January 2020:

  • Beckhoff TwinCAT ENI Server ver 1.1.6.0 Buffer Overflow Exploit. Public
  • IBM SPSS SamplePower ActiveX Control Remote Code Execution Vulnerability. Public
  • CoDeSys ENI Server Buffer Overflow Exploit. CVE-2019-16265 

 

Exploit List - 2019

1.68 – December 2019: 

  • Automated Solutions Modbus/TCP OPC Server Remote Heap Corruption PoC. (no public info found by now) 
  • ANT Studio Denial of Service. public
  • Advantech NVS VideoDAQ ActiveX Remote Arbitrary File Overwrite. Public

1.67 – November 2019:

  • HomeGenie 1.3 Arbitrary File Download. 0-Day 
  • Advantech Studio Manager buffer overflow Denial of Service. public. noCVE
  • Advantech Domain Focused Configuration Tool DoS. public. noCVE. 

1.66 – October 2019:

  • MAPLE Computer WBT SNMP Administrator 2.0.195.15 Denial of Service. Public
  • Remote Denial Of Service in Xitami Web Server. Public 

1.65 – September 2019:

  • Remote BACnet Stack 0.8.6 Denial of Service. CVE-2019-12480
  • SEIG SCADA IGSS System 9 Remote Denial Of Service. Public 

1.64 – August 2019: 

  • promotic_scada_dos.py - Promotic SCADA Denial of Service. [0day] 

1.63 – July 2019: 

  • iobroker_1_4_2_dirtrav.py - Iobroker 1.4.2 Directory Traversal vector 1. [0day] 
  • iobroker_1_4_2_dirtrav2.py - Iobroker 1.4.2 Directory Traversal vector 2. [0day] 
  • scadalts_1_1_sqli.py - Scada LTS 1.1 SQL Injection. [0day] 

1.62 – June 2019: 

  • inductive_automation_ignition_7_6_4_designer_xxe - Ignition 7.6.4 Designer XXE. [0day] 
  • kingscada_aeserver_dos.py - KingSCADA AEServer Alarm Service Denial of Service. [0day]
  • inductive_automation_ignition_7_5_4_bsqli.py - Inductive Automation Ignition 7.5.4 Timebased Blind SQL Injection. [0day] 

1.61 – May 2019: 

  • AGG_Web_Server_Plugin_Directory_Traversal.py - AGG Software Web Server Plugin Directory Traversal Vulnerability. [0day]
  • scadalts_1_1_xss2.py - The Graphical Views editor embeds HTML code into the page, which results in XSS injection. [0day]
  • inductive_automation_ignition_7_5_4_xxe.py - Inductive Automation Ignition 7.5.4 XXE File Disclosure. [0day] 

1.60 – April 2019: 

  • Newport_Electronics_iDRN_iDRX_Signal_Conditioners.py - Newport Electronics iDRN-iDRX Signal Conditioners ActiveX Control Remote File Overwrite Vulnerability. [0day] 
  • Newport_Electronics_ActiveX.py - Newport Electronics iDRX ActiveX 1.3 Control Remote File Overwrite Vulnerability. [0day]
  • AGG_Software_OPC_HTTP_Gateway_Directory_Traversal.py - AGG Software OPC HTTP Gateway Premium Directory Traversal. [0day] 
  • AGG_Software_OPC_Scada_Viewer_Directory_Traversal.py - AGG Software OPC Scada Viewer Directory Traversal. [0day] 

1.59 – March 2019: 

  • Cogent_DataHub_8x_DoS.py - Remote Denial Of Service in Cogent Datahub 8.0.x. [0day]
  • SchneiderElectric_SEIG_ModBus_DoS.py - Remote Denial Of Service in Schneider Electric SEIG Modbus driver. oldCVE - Somehow missed that vuln earlier in our pack
  • LSIS_XPServiceController_DoS.py - Remote Denial Of Service in LSIS XP-Server XPServiceController. [0day]
  • WAGO_PFC200_PLC_series_DoS.py - Remote Denial Of Service in WAGO PFC200 PLC. CVE-2018-8836 
  • Simple_SCADA_Directory_Traversal.py - Simple-Scada Directory Traversal and file Delete Vulnerability. [0day] 

1.58 – February 2019: 

  • LeCroy_EasyScope_ActiveX.py - LeCroy EasyScope ActiveX ExportStyle Method Remote Code Execution. [0day]
  • Tibbo_AggreGate_Denial_of_Service.py - Tibbo aggregate 5.51.10 DoS. [0day] 
  • advantech_webaccess_8_3_2_dashboard_bsqli.py - Advantech Webaccess 8.3.2 Dashboard Time-based Blind SQL Injection. [0day] 

1.57 – January 2019:

  • advantech_webaccess_8_3_2_dashboardconfig_afd2.py - Advantech Webaccess 8.3.2 Dashboard Config Arbitrary File Download. [0day] 
  • advantech_webaccess_8_3_2_dashboardeditor_afu_rce.py - Advantech Webaccess 8.3.2 Dashboard Editor AFU (ArbitraryFileUpload) RCE. [0day] 
  • advantech_webaccess_8_3_2_dashboardconfig_afu_rce.py - Advantech Webaccess 8.3.2 Dashboard Config AFU RCE. [0day] 

 

Exploit List - 2018

1.56 – December 2018: 

  • advantech_webaccess_8_3_2_dashboardeditor_afd.py - Advantech WebAccess 8.3.2 Dashboard Editor Arbitrary Folder Download. [0day] 
  • DataRate_Project_Code_Execution.py - DataRate SCADA v4.1 Code Execution via fake project. [0day] 
  • ICPDAS_eLogger_Arbitrary_File_Upload.py - vulnerability in ICPDAS eLogger RuntimeXP allows for file upload. [0day]
  • OpenAPC_BeamServer_DoS.py - OpenAPC BeamServer Denial of Service. [0day] 

1.55 – November 2018:

  • BLUE_Open_Studio_8_0_RCE - arbitrary built-in command execution vuln. [0day]
  • Delta_Industrial_Automation_Robot_DRAStudio_Arbitrary_File_Disclosure.py - Directory Traversal leads to file disclosure. [0day]
  • Delta_Industrial_Automation_Robot_DRAStudio_Arbitrary_File_Upload.py - Directory Traversal leads to file upload. [0day]
  • VBASE_VOKSERVER_Info_Disclosure.py - Directory Traversal leads to file disclosure. [0day]

1.54 – October 2018: 

  • Atvise_3_2_Arbitrary_File_Upload.py - Atvise 3.2.1 Arbitrary File Upload. [0day] 
  • Atvise_3_2_Info_Disclosure.py - Atvise 3.2.1 Info Disclosure. [0day] 
  • DoMore_Designer_Arbitrary_File_Disclosure.py - Do-more Simulator allows a remote attacker to read OS files. [0day]
  • DoMore_Designer_Arbitrary_File_Upload.py - An attacker can upload arbitrary files to arbitrary directories. Tested with Do-more Designer 2.3.2. [0day]
  • Atvise_3_2_Arbitrary_File_Disclosure.py - Atvise OPC UA service allows a remote attacker to disclose arbitrary files. [0day]

1.53 – September 2018:

  • CyBroHttpServer_directory_traversal.py - Vulnerability in CyBroHttpServer allows remote attackers to disclose files. Authentication is not required. [0day]
  • LSIS_wXP_Arbitrary_File_Download.py - Vulnerability in LSIS wXP allows remote attackers to disclose arbitrary files. Also password protection can be bypassed. [0day]
  • KOYO_C_more_Programming_DoS.py - KOYO C-more Programming Software Emulator Denial of Service. [0day] 
  • Do_more_Designer_DoS.py - Do-more Designer Programming Software Emulator Denial of Service. [0day]

1.52 – August 2018:

  • Dream_Report_Blind_RCE.py - Dream Report Blind RCE. [0day]
  • Reliance4_Control_Server_DoS.py - Reliance4 SCADA Control Server Denial of Service. [0day]

1.51 – July 2018:

  • logi_cals_logi_RTS_Privilege_Escalation.py - logi.cals logi.RTS Privilege Escalation. [0day]
  • LSIS_wXP_DoS.py - LSIS wXP DoS. [0day]
  • Loytec_LWEB_900_Directory_Traversal.py - Loytec LWEB-900 Directory Traversal. [0day]
  • WinTr_Scada_Hardcoded_Credentials_Directory_Traversal.py - WinTr Scada infodisclosure using Hardcoded Credentials. [0day]

1.50 – June 2018:

  • Advantech_WebAccess_webvrpcs_Arbitrary_File_Disclosure - Advantech WebAccess webvrpcs Arbitrary File Disclosure. [0day]
  • ESA_Automation_Crew_Webserver_Directory_Traveral - ESA-Automation Crew Webserver Directory Traversal [0day]
  • LSIS_XP_Manager_DoS - LSIS XP-Manager V2.03 DoS [0day]
  • Moxa_Mx_AOPC_UA_Server_File_Corrupt_Or_Dos - Moxa MX AOPC UA Server File Corruption or DoS [0day]
  • WinTr_Project_Code_Execution - WinTr v.5.52 trojan project generation, which adds an admin user to the OS. [0day]

1.49 – May 2018:

  • Dream_Report_Arbitrary_File_Upload_RCE - Dream Report Arbitrary File Upload RCE [0day]
  • Atvise_Remote_Project_Management - Atvise Remote Project Management [0day]
  • logi_cals_logi_RTS_RTShttpd_DoS - logi.cals logi.RTS RTShttpd DoS [0day]

1.48 – April 2018:

  • Advantech_WebAccess_8_3_Dashboard_Viewer_File_Delete - Advantech WebAccess(8.3) Dashboard Viewer File Delete [0day]
  • LSIS_wXP_Arbitrary_File_Upload_RCE - LSIS wXP Arbitrary File Upload RCE [0day]
  • ESA_Automation_Crew_Webserver_Info_Disclosure - ESA-Automation Crew Webserver Info Disclosure [0day]

1.47 – March 2018: 

  • Advantech_WebAccess_8_3_Dashboard_Viewer_Directory_Traversal - Advantech WebAccess(8.3) Dashboard Viewer Directory Traversal [0day]
  • Brodersen_Worksuite_DoS - Brodersen Worksuite DoS [0day]
  • Lansafe_Web_Grafical_Interface_DoS - Lansafe Web Graphical Interface DoS [0day]

1.46 – February 2018: 

  • Elipse_Scada_Project_Code_Execution - Elipse Scada Code Execution [0day]
  • IGSS_Remote_Project_Injector - Interactive Graphical SCADA System Remote Project Injector [0day]
  • Advantech_WebAccess_8_3_Dashboard_Viewer_Arbitrary_File_Upload - Advantech WebAccess(8.3) Dashboard Viewer Arbitrary File Upload [0day]

1.45 – January 2018: 

  • ESA_Elettronica_CREW_Directory_Traversal - ESA Elettronica CREW Directory Traversal Vulnerability [0day] 
  • UPSMON_Pro_Path_Traversal - UPSMON PRO for Windows Path Traversal Vulnerability [0day] 
  • Productivity_Suite_Programming_Software_Code_Execution - AutomationDirect Productivity Suite Programming Software Code Execution [0day] 

 

Exploit List - 2017

1.44 – December 2017:

  • PASvisu_DoS - Pilz GmbH PASvisu Denial of Service [0day]
  • Webport_Directory_Traversal - WebPort SCADA HMI system Directory Traversal [0day]
  • Webport_BSQLi_Privilege_Escalation - WebPort SCADA HMI system Blind SQL Injection Privilege Escalation [0day]

1.43 – November 2017:

  • PASvisu_Arbitrary_File_Upload - Pilz GmbH PASvisu allows uploading an arbitrary file to the remote machine. Authentication is not required [0day]
  • PcVue_Project_Code_Execution - PcVue v. 9.0 Remote Code Execution Vulnerability [0day]
  • LabView_Project_Code_Execution - National Instruments LabView all versions Remote Code Execution Vulnerability [0day]

1.42 – October 2017:

  • MasterScada_Project_Code_Execution - Russian SCADA - MasterScada v.3.8 Code Execution Vulnerability [0day]
  • Delta_DIAEnergy_File_Upload_RCE - Delta DIAEnergie File Upload Remote Code Execution Exploit [0day]
  • Trend_Micro_Data_Loss_Prevention_Path_Traersal - Trend Micro Data Loss Prevention Virtual Appliance Path Traversal Vulnerability

1.41 – September 2017:

  • Delta_DIAEnergy_info_disclosure - Delta DIAEnergie Information Disclosure [0day]
  • Reliance_Scada_Directory_Traversal - Reliance SCADA 4.7.3 Update 2 Directory Traversal [0day] 
  • KingView_7_5_Directory_Traversal - KingView SCADA 7.5 Directory Traversal [0day]

1.40 – August 2017:

  • Mango_Automation_File_Upload_RCE - Mango Automation 3.2.0 File Upload Remote Code Execution Exploit [0day] 
  • UCanCode_ActiveX_rfd_TKDrawCAD - UCanCode TKDRAWCADLib ActiveX Control Remote File Replace Exploit [0day] 
  • UCanCode_ActiveX_rfd_UCCPrint - UCanCode UCCPrint ActiveX Control Remote File Replace Exploit [0day]

1.39 – July 2017:

  • UCanCode_ActiveX_rfd_1 - UCanCode UCCDRAWLib ActiveX Control Remote File Replace Exploit [0day]
  • Festo_robotino_DoS - FESTO Robotino Denial of Service [0day]
  • sap_xmii_Directory_Traversal - SAP xMII 15.0 Directory Traversal Vulnerability CVE-2016-2389

1.38 – June 2017:

  • Brodersen_Worksuite_DoS - Brodersen Worksuite Remote Denial of Service [0day]
  • Lansafe_Web_Graphical_Interface_DoS - This module crashes the Lansafe Web Graphical Interface [0day]
  • Procyon_Scada_DoS - This module causes the Procyon SCADA to stop [0day]

1.37 – May 2017:

  • CIRCUTOR_PowerStudio_Scada_DoS - CIRCUTOR PowerStudio SCADA Denial of Service [0day]
  • Dino_Lite_Activex_1 - Dino Lite GpsGridParameters Remote Arbitrary File Overwrite [0day]
  • Dino_Lite_Activex_2 - Dino Lite GpsDatumParameters Remote Arbitrary File Overwrite [0day] 

1.36 – April 2017:

  • Aktakom_Osciloscope_DoS - Aktakom oscilloscope with Ethernet interface Denial of Service [0day]
  • Point_of_view_Directory_Traversal - AutomationDirect Point Of View Directory Traversal Vulnerability [0day]
  • KingView_HistorySvr_DoS - KingView HistorySvr Remote Denial Of Service Vulnerability [0day]

1.35 – March 2017:

  • Phoenix_Contact_WebVisit_DoS - Phoenix Contact WebVisit Denial of Service [0day]
  • Phoenix_Contact_ThinkNDo - Phoenix Contact ThinkNDo ISSymbol ActiveX Control Buffer Overflow Vulnerabilities [0day]
  • ReginControls_Tool_Remote_File_Delete_0day - ReginControls REGIO Tool Remote File Delete Exploit [0day]

1.34 – February 2017: 

  • Point_of_View_SCADA_Activex_[0day] - Point of View SCADA v8.0 Remote Code Execution Vulnerability. [0day]
  • Ecava_IntegraXor_Config_Corruption - Ecava IntegraXor Remote Config Corruption. [0day]
  • Cogent_Datahub_Log_Poison_RCE - Cogent Datahub Log Poison Remote Code Execution Vulnerability. [0day]

1.33 – January 2017: 

  • IGSS_Arbitrary_File_Disclosure - A specially crafted TCP packet allows reading arbitrary file content from IGSS v12. [0day]
  • Cogent_Datahub_7_3_x_DoS - This module causes the Datahub to stop. [0day]
  • Ecava_IntegraXor_Information_Disclosure - This module exploits a remote vulnerability to get information about the running project. [0day]

 

Exploit List - 2016

1.32 – December 2016: 

  • Siemens_Sicam_Pas_Hardcode_RCE - Siemens Sicam PAS prior to 8.0 Hardcode RCE [0day]
  • VISU_RCE - Visu+ 2.42 TCPUploadServer Remote Code Execution Vulnerability. [0day]

1.31 – November 2016:

  • MyScada_MyPRO_Hardcode_RCE - MyScada MyPRO uses hardcoded credentials to deploy projects over FTP [0day]
  • Ecava_IntegraXor_Remote_Project_Management - This module remotely stops all tasks of a project [0day]

1.30 – October 2016:

  • Citect_Scada_7_2_DoS - A specially crafted TCP packet sent to the Citect Scada service ports causes a DoS. [0day]
  • Axilog_FB_Buffer_Overflow_RCE - Axilog Firebird Buffer Overflow RCE [0day]
  • DBSWIN_FB_Buffer_Overflow_RCE - DBSWIN Firebird Buffer Overflow RCE [0day]

1.29 – September 2016:

  • EasyBuilder_Pro_com_e30_DoS - Weintek EasyBuilder Pro com_e30 DoS [0day]
  • EasyBuilder_Pro_com_e30_DoS_1 - Weintek EasyBuilder Pro HMI Data Server com_e30 DoS [0day]
  • AspicMP_Project_Manager_Remote_Control - AspicMP Project Manager Remote Control [0day]

1.28 – August 2016:

  • Cimon_Scada_HttpSvr_DoS - Cimon Scada HttpSvr Remote Denial of Service Vulnerability [0day]
  • EisBaer_Scada_Webserver_Directory_Traversal - EisBaer Scada Webserver Directory Traversal [0day] 
  • GX_IEC_Developer_Activex_AFD - GX IEC Developer 5.02 ActiveX Arbitrary File Delete Exploit [0day]

1.27 – July 2016:

  • Rapid_Scada_Arbitrary_File_Download - Vulnerability allows an authenticated user to get the content of files by sending a specially crafted TCP packet to the Scada-Server service [0day]
  • AutoBase_NetServer_DoS - Remote Denial Of Service in AutoBase Network Server 10.2.6.1 [0day]
  • CenturyStar_DoS - Century Star Denial Of Service Vulnerability [0day]

1.26 – June 2016:

  • Iconix_Activex_0day - ICONICS Scada ActiveX control AWXRep32.ocx is vulnerable.
  • Iconix_Activex_0day_2 - ICONICS Scada ActiveX control TreeExplorer.ocx is vulnerable.
  • Iconix_Activex_0day_3 - ICONICS Scada ActiveX control DBMining.ocx is vulnerable.
  • Cogent_Datahub_DoS - Cogent Datahub version 7.3.10 Denial Of Service Exploit

1.25 – May 2016:

  • Lutron_Grafik_Eye_Designer_activex.py - Lutron Grafik Eye Designer ActiveX command execution
  • Lutron_HomeWorks_Interactive_activex_2.py - Lutron HomeWorks Interactive ActiveX arbitrary file overwrite
  • advantech_webaccess_8_1_dashboardViewer_afd.py - Advantech WebAccess(8.1) Dashboard Viewer arbitrary file deletion
  • advantech_webaccess_8_0_dashboardViewer_afd.py - Advantech WebAccess(8.0) Dashboard Viewer arbitrary file upload or deletion leveraged to code exec
  • Lutron_HomeWorks_Interactive_activex.py - another Lutron HomeWorks Interactive ActiveX arbitrary file delete

1.24 – April 2016:

  • Yaskawa_SigmaWin_Plus_Activex_AFD.py - Yaskawa SigmaWin Plus ActiveX Arbitrary File Delete Exploit. Public
  • MOXA_Mass_Configurator_Tool_DoS.py - Remote Denial Of Service in MOXA Mass Configuration Tool 1.0.0.1. Public
  • ISGA_Carlo_Gavazzi_DoS.py - Carlo Gavazzi ISGA Smart MPPT Inverter DoS [0day]

1.23 – February – March 2016:

  • Yokogawa_Centum_DoS.py - Remote Denial Of Service in Yokogawa CENTUM CS3000 R3.08.50 CVE-2014-0781
  • SearchBlox_Directory_Traversal.py - SearchBlox v8.3 Unauthenticated Config Rewrite Vulnerability. ICSA-15-337-01
  • Advantech_WebAccess_webvrpcs_DoS.py - Remote Denial Of Service in Advantech WebAccess. [0day]

1.22 – January 2016:

  • QuickHMI_Server_v3_DoS.py - QuickHMI Server v3 Antelope Denial of Service. [0day] 
  • Reliance_4_Control_Server_SCADA_DoS.py - Reliance 4 Control Server Denial of Service. [0day]
  • Iocomp_Software_activex.py - Iocomp Software ActiveX Control Remote Code Execution Vulnerability. [0day] 

 

Exploit List - 2015

1.21 – December 2015:

  • Codesys_Webserver_DoS_0day.py - Codesys webserver DoS. [0day]
  • MOXA_VPort_SDK_activex.py - MOXA VPort SDK ActiveX control exploit. ICSA-15-097-01. CVE-2015-0986
  • phoenix_contact_afu.py - Phoenix Contact Arbitrary file upload clientside. [0day]

1.20 – November 2015:

  • SpiderControl_SCADA_Editor_DoS.py - SpiderControl SCADA Editor Denial Of Service Exploit [0day]
  • SpiderControl_SCADA_Editor_Directory_Traversal.py - SpiderControl SCADA Editor Directory Traversal Vulnerability [0day]
  • ABB_Microscada_ActiveX - Abb Microscada ActiveX Control Buffer Overflow Exploit [0day]

1.19 – September 2015:

  • DataNet_OPC_Webserver_Directory_Traversal.py - DataNet OPC Webserver Directory Traversal Vulnerability [0day]
  • MOXA_SoftCMS_Webserver_DoS.py - MOXA SoftCMS AspWebServer Denial Of Service Exploit [0day]
  • TwinCAT_CodeMeter_DoS_PoC.py - TwinCAT PLC Control CodeMeter Remote Denial of Service [0day]

1.18 – July 2015:

  • IPESOFT_D2000_SCADA_Directory_Traversal.py - Directory traversal vulnerability in the WildFly HTTP Server used as default in IPESOFT D2000 SCADA [0day]
  • Lanmisoft_automation_Directory_Traversal.py - Lanmisoft Directory Traversal [0day]

1.17 – June 2015:

  • BBElectronics_Vlinx_ConnectPro_Manager_DoS.py - BB Electronics Vlinx ConnectPro Manager DoS [0day]
  • xarrow_dos.py - SCADA xArrow Software v.5.5 - Denial of Service. [0day]
  • Reliance_4_DoS.py - Remote Denial Of Service in Reliance 4 Control Server. [0day]

1.16 – April 2015:

  • deltaeremote_dos.py - Delta IA HMI DOP Patch eRemote V2.00.11 - Denial of Service [0day]
  • infilink_dos.py - Infilink HMI v5.00.34 DoS [0day]
  • modbus_directory_traversal.py - Modbus SCADA (WLC Systems) v2.1.2 Build Jun 14 2014 - Directory Traversal [0day]

1.15 – March 2015:

  • ag_peakhmi_buffer_overflow.py - PeakHMI Runtime <= v.7.11.0.0 - Buffer Overflow. [0day]
  • ag_events_reveals_sensitive_info.py - Events SCADA HMI <= v.8.58 - reveals sensitive info. [0day]
  • ag_adamview_buffer_overflow.py - Advantech ADAMView <= v.4.3 - Buffer Overflow. CVE-2014-8386

1.14 – February 2015:

  • ag_mango_file_upload.py - SCADA Mango Automation file upload
  • DuerrDental_Firebird_DoS.py - DuerrDental Firebird DoS
  • Panasonic_Configurator_DL_DoS_PoC.py - Panasonic Configurator DL DoS PoC
  • AzeoTech_DAQFactory_DoS.py - AzeoTech DAQFactory DoS/PoC

 

Exploit List - 2014

1.13 – December 2014:

  • PeakHMI_Webserver_Directory_Traversal.py - PeakHMI Webserver Directory Traversal Vulnerability [0day]
  • PROMOTIC_Remote_Code_Execution_Exploit.py - Promotic SCADA ActiveX Control Remote Code Execution Vulnerability
  • WS10_Data_Server_DoS.py - WS10 Data Server SCADA Remote DoS

1.12 – November 2014:

  • EATON_LanSafe_DoS.py - EATON LanSafe Denial Of Service Exploit
  • Embedthis_Goahead_DoS.py - Embedthis Goahead Webserver Remote DoS
  • NOVUS_NConfig_DoS.py - NOVUS NConfig [0day] DoS/PoC

* NOTE: Fixed missing module names in changelog

1.11 – October 2014:

  • FANUC_OlpcPRO_Directory_Traversal.py - FANUC OlpcPRO Directory Traversal Vulnerability [0day]
  • Schneider_Electric_PLC_ETY_DoS.py - Schneider Electric PLC ETY Series Ethernet Controller Denial of Service
  • ZScada_Net_2_0_DoS.py - Z-Scada Net 2.0 [0day] DoS/PoC

1.10 – August 2014:

  • Advantech_WebAccess_activex_Exploit_0Day.py - Advantech WebAccess ActiveX ProjectName() Remote Overflow [0day]
  • Emerson_ROCLINK800.py - Emerson ROCLINK800 arpro2.dll ActiveX Control Remote Code Execution Vulnerability

1.9 – May 2014:

  • ScadaMobile_DirTrav_0day.py - ScadaMobile ONE v2.5.2 Directory Traversal Vulnerability [0day]
  • Siemens_License_Manager_activex.py - Siemens Automation License Manager Remote Arbitrary File Overwrite
  • Siemens_License_Manager_DoS.py - Siemens Automation License Manager Service Remote Denial of Service [0day]

1.8 – March 2014:

  • CoDeSys_Gateway_Server_DoS.py - CoDeSys Gateway Server Remote Denial of Service 0Day
  • Delta_Electronics_simulator_SEH_Overflow_PoC.py - Delta Electronics simulator SEH Overflow PoC DoS

1.7 – February 2014:

  • ABB_Test_Signal_Viewer_Remote_Code_Execution.py - ABB Test Signal Viewer ActiveX Control Remote Code Execution Vulnerability
  • CodeMeter_DoS.py - CodeMeter WIBU-SYSTEMS AG Remote Denial of Service 0Day

1.6 – January 2014:

  • Eaton_Network_Shutdown_Module_DoS.py - Remote Denial Of Service in Eaton Network Shutdown Module [0day]
  • EATON_VURemote_DoS.py - EATON VURemote [0day] DoS
  • Ignition_Gateway_OPC_UA_Server_DoS.py - Ignition Gateway OPC UA Server Denial Of Service 0-Day
  • RuggedDirector_DoS.py - RuggedDirector Remote Denial of Service [0day]
  • Tri_PLC_DoS.py - Remote Denial Of Service in TriPLC Nano10 r81. CVE-2013-2784

 

Exploit List - 2013

1.5 – December 2013:

  • Mitsubishi_Electric_Automation_MC_WorX_File_Execution.py - Mitsubishi Electric Automation MC WorX File Execution Exploit. No CVE, but public
  • Mitsubishi_Electric_Automation_MC_WorX_Remote_File_Delete_0day.py - Mitsubishi Electric Automation MC WorX Remote File Delete [0day] Exploit
  • Modbus_SCADA_DirTrav_0day.py - Modbus SCADA Directory Traversal Vulnerability [0day]
  • Moore_Industries_NCS_Config.py - Moore Industries NCS Configuration [0day] DoS
  • Siemens_WinCC_TIA_Portal_remote_DoS_0Day.py - Siemens WinCC TIA Portal miniweb.exe remote DoS [0day]

1.4 – November 2013:

  • Proface_ProServer_EX_DoS.py - Remote Denial Of Service in Proface ProServer EX. Public, noCVE.
  • Galil_RIO_DoS.py - Remote Denial Of Service in Galil RIO Rio47100. CVE-2013-0699
  • National_Instruments_Remote_Code_Execution.py - National Instruments ActiveX LabWindows/CVI, LabVIEW Remote Code Execution. CVE-2013-5022
  • National_Instruments_Remote_Code_Execution_2.py - National Instruments LabWindows/CVI, LabVIEW ActiveX Remote Code Execution. CVE-2013-5025

1.3 – October 2013:

  • UCanCode_HMI_ActiveX_Remote_File_Replace.py - UCanCode HMI Control ActiveX Remote File Replace Exploit. [0day]
  • MetaDraw_ActiveX_Remote_File_Replace.py - MetaDraw ActiveX Remote File Replace Exploit. [0day]
  • Mitsubishi_MX_ActiveX_Component_Exploit.py - Mitsubishi MX ActiveX Component Exploit. No CVE, public vuln.
  • QNX_FTPD_DoS.py - QNX FTPD Remote DoS. No CVE, public.
  • Siemens_WinCC_TIA_Portal_Miniweb_Dos.py - Remote Denial Of Service in Siemens WinCC TIA Portal miniweb.exe server. [0day]

1.2 – September 2013:

  • Siemens_Simatic_HMI_Pro_Tool_DoS.py - Siemens SIMATIC ProTool/Pro Configuration (CS) [0day] DoS
  • Clorius_Controls_ICS_SCADA_Information_Disclosure.py - Clorius Controls ICS SCADA Information Disclosure
  • Honeywell_UniSim_ShadowPlant_Bridge_DoS.py - Honeywell UniSim ShadowPlant Bridge Remote DoS [0day]
  • Intellicom_Netbiter_WebSCADA_Directory_Traversal.py - Intellicom Netbiter WebSCADA Directory Traversal

1.1 – August 2013:

  • Sunway_Webserver_Remote_Command_Execution - Sunway Webserver Remote Command Execution. No CVE, but public.
  • Cogent_Datahub_Buffer_Overflow_Remote_Exploit - Cogent Datahub Buffer Overflow Remote Exploit. CVE-2011-3493
  • Honeywell_UniSim_DoS.py - Honeywell UniSim SimStation Remote DoS. [0day]
  • Schneider_Electric_Accutech_Manager_Server_DoS.py - Schneider Electric Accutech Manager Server Denial Of Service. CVE-2013-0658
  • Schneider_Electric_PLC_Simulator_DoS - Schneider Electric PLC Simulator 'sim.exe' Remote DoS. [0day]
  • Schneider_Electric_Web_Designer_Server_Simulator_DoS - Schneider Electric Web Designer Server Simulator Remote DoS. [0day]

1.0 – July 2013:

  • Trace_Mode Remote DoS [0day] - This module exploits a vulnerability in the TraceMode Runtime Monitor service by sending a malformed packet to port 772/TCP to crash the application.
  • Trace_Mode_Remote_UDP_DoS [0day] - This module exploits a vulnerability in the TraceMode Runtime Monitor service by sending a malformed packet to port 260/UDP to crash the application.
  • Atvise_Webmitestserver_Directory_Traversal [0day] - Directory traversal vulnerability via a ..\ sequence in the HTTP request.
  • Atvise_webMI2ADS_Remote_Shutdown CVE-2011-4882 - This module exploits a vulnerability in the Atvise webMI2ADS server by sending a special command via an HTTP request to shut down the application.
  • Atvise_webMI2ADS_Null_Pointer_Remote_Dos CVE-2011-4881 - The web server in Certec atvise webMI2ADS (aka webMI) before 2.0.2 does not properly check return values from functions, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted HTTP request. This module exploits that vulnerability by sending a malformed HTTP request to crash the application.
  • Atvise_webMI2ADS_Directory_Traversal CVE-2011-4880 - Directory traversal vulnerability in the web server in Certec atvise webMI2ADS (aka webMI) before 2.0.2 allows remote attackers to read arbitrary files via a crafted HTTP request.
  • TraceMode_DataCenter_Directory_Traversal CVE-2011-5087 - The module exploits a directory traversal vulnerability in AdAstrA TRACE MODE Data Center that allows remote attackers to read arbitrary files via an HTTP request to the publisher server (port 81) and to the document server (port 80).
  • Kaskad Daserver Remote Code Execution [0day] - This module exploits a remote memory (heap) corruption in the Kaskad Daserver.exe by sending a specially crafted UDP packet to server port 25923.
  • Ge_Fanuc_Cimplicity_Webserver_Remote_Command_Execution [0day] - This module exploits a directory traversal vulnerability in the GE Fanuc Cimplicity cimwebserver.exe via an HTTP request on port 80. Successful exploitation leads to system command execution.
  • Ge_Fanuc_Cimplicity_Webserver_Directory_Traversal CVE-2013-0653 - Directory traversal vulnerability in substitute.bcl in the WebView CimWeb subsystem in GE Intelligent Platforms Proficy HMI/SCADA CIMPLICITY 4.01 through 8.0, and Proficy Process Systems with CIMPLICITY, allows remote attackers to read arbitrary files via a crafted packet.
  • Ge_Fanuc_Cimplicity_Webserver_Dos [0day] - This module exploits a vulnerability in the Cimplicity webserver by sending a malformed HTTP request to crash the application.
  • OPCSystems_Service_Dos CVE-2011-4871 - This module exploits a vulnerability in the OPCSystems server by sending a malformed TCP packet to the application. Successful exploitation may lead to exhaustion of CPU resources.
  • Advantech WebAccess Change Password Exploit CVE-2012-0239 - uaddUpAdmin.asp in Advantech/BroadWin WebAccess before 7.0 does not properly perform authentication, which allows remote attackers to modify an administrative password via a password-change request.
  • Advantech_WebAccess_SQLInjection_Exploit [0day] - Advantech/BroadWin WebAccess 7.0 does not properly validate the input parameters 'proj' and 'node' in the HTTP request to bwview.asp. That leads to a double-blind SQL injection vulnerability. The vulnerability may be one of CVE-2012-1234, CVE-2012-0244, CVE-2012-0234, CVE-2011-4521.
  • Advantech_WebAccess_Bwocxrun_Activex_Buffer_Overflow_Exploit CVE-2012-0243 - This module exploits a vulnerability in the bwocxrun.ocx module included in Advantech WebAccess. The exploit is triggered when the CreateProcess() method processes a malformed argument, resulting in a stack-based buffer overflow. There are also other unsafe methods in this library that may be exploitable: WriteTextData(); URLEncode(); OpenUrlToFileTimeout(); OpenUrlToBufferTimeout(); OcxSpool(); CreateProcess();
  • Advantech_WebAccess_Multiple_Activex_Exploit [0day] - The default installation of WebAccess 7.0 contains a few ActiveX controls (http://broadwin.com/Drivers/Video.htm). Some of them are vulnerable to stack-based buffer overflows. Vulnerable are: NVCTRLMEDIA.dll, camviewlc.ocx, dvs.ocx, NVLive.ocx, epochmaking.dll, webeyeaudio.ocx.
  • QNX_shutdown - QNX version <=6.5.0 with QCONN version 1.4.207944 suffers from a remote command execution vulnerability.
  • QNX_FTPD_DoS - Denial of service against the FTP server of the QNX base system.
  • QNX_phrelay_DoS - Buffer overflow affecting phrelay in the handling of the device file specified by the client as an existing Photon session.
  • InterSystems_Cache_DoS_1 - Remote Denial Of Service in InterSystems Cache.