Description
The Schneider Modicon with Unity series of PLCs use Modbus function code 90 (0x5a) to send and receive ladder logic. The protocol is unauthenticated, and allows a rogue host to retrieve the existing logic and to upload new logic.
Two modes are supported: "SEND" and "RECV," which behave as one might expect -- use 'set mode ACTIONAME' to use either mode of operation.
In either mode, FILENAME must be set to a valid path to an existing file (for SENDing) or a new file (for RECVing), and the directory must already exist. The default, 'modicon_ladder.apx' is a blank ladder logic file which can be used for testing.
This module is based on the original 'modiconstux.rb' Basecamp module from DigitalBond.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use auxiliary/admin/scada/modicon_stux_transfermsf undefined(modicon_stux_transfer) > show actions ...actions...msf undefined(modicon_stux_transfer) > set ACTION < action-name >msf undefined(modicon_stux_transfer) > show options ...show and set options...msf undefined(modicon_stux_transfer) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub