module

Schneider Modicon Ladder Logic Upload/Download

Disclosed
Apr 5, 2012
Created
May 30, 2018

Description

The Schneider Modicon with Unity series of PLCs use Modbus function
code 90 (0x5a) to send and receive ladder logic. The protocol is
unauthenticated, and allows a rogue host to retrieve the existing
logic and to upload new logic.

Two modes are supported: "SEND" and "RECV," which behave as one might
expect -- use 'set mode ACTIONAME' to use either mode of operation.

In either mode, FILENAME must be set to a valid path to an existing
file (for SENDing) or a new file (for RECVing), and the directory must
already exist. The default, 'modicon_ladder.apx' is a blank
ladder logic file which can be used for testing.

This module is based on the original 'modiconstux.rb' Basecamp module from
DigitalBond.

Authors

K. Reid Wightman wightman@digitalbond.com
todb todb@metasploit.com

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use auxiliary/admin/scada/modicon_stux_transfer
msf auxiliary(modicon_stux_transfer) > show actions
...actions...
msf auxiliary(modicon_stux_transfer) > set ACTION < action-name >
msf auxiliary(modicon_stux_transfer) > show options
...show and set options...
msf auxiliary(modicon_stux_transfer) > run

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.