Vulnerability & Exploit Database

Back to search

Schneider Modicon Ladder Logic Upload/Download

The Schneider Modicon with Unity series of PLCs use Modbus function code 90 (0x5a) to send and receive ladder logic. The protocol is unauthenticated, and allows a rogue host to retrieve the existing logic and to upload new logic. Two modes are supported: "SEND" and "RECV," which behave as one might expect -- use 'set mode ACTIONAME' to use either mode of operation. In either mode, FILENAME must be set to a valid path to an existing file (for SENDing) or a new file (for RECVing), and the directory must already exist. The default, 'modicon_ladder.apx' is a blank ladder logic file which can be used for testing. This module is based on the original 'modiconstux.rb' Basecamp module from DigitalBond.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name



  • K. Reid Wightman <wightman [at]>
  • todb <todb [at]>




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/admin/scada/modicon_stux_transfer msf auxiliary(modicon_stux_transfer) > show actions ...actions... msf auxiliary(modicon_stux_transfer) > set ACTION <action-name> msf auxiliary(modicon_stux_transfer) > show options and set options... msf auxiliary(modicon_stux_transfer) > run