The ExCraft SCADA Pack - scadavulns.com/ExCraft_SCADA_pack_for_Core_Impact...

Date post: 10-Mar-2018

The ExCraft SCADA Pack

[0day] and public exploits for SCADA and

Industrial Control Systems

designed for Core Impact Pro ™

The "ExCraft SCADA Pack" is a SCADA and ICS focused exploits package, developed and maintained by security experts from the Cyprus based infosec company ExCraft Labs. The package is specially designed to be used with Core Impact Pro. We conduct our own research to find [0days], plus carefully scan the web for public SCADA vulns. Additionally, the pack is powered by vulnerability sharing programs!

ExCraft SCADA Pack features:

● Rich set of ICS exploits, and constantly growing!

● Greatly increases the SCADA pentesting capabilities of Core Impact Pro

● Powered by external knowledge received from sharing programs.

● About 2 to 6 fresh and interesting new modules in each monthly update

Current version contains >100 modules.

1.33 Jan 19, 2017

IGSS_Arbitrary_File_Disclosure - A specially crafted TCP package allows reading arbitrary file content from IGSS v12. 0-Day
Cogent_Datahub_7_3_x_DoS - This module causes the Datahub to stop. 0-Day
Ecava_IntegraXor_Information_Disclosure - This module exploits a remote vulnerability to get information about the running project. 0-Day

1.32 Dec 24, 2016

Siemens_Sicam_Pas_Hardcode_RCE - Siemens Sicam PAS prior to 8.0 Hardcode RCE 0-Day
VISU_RCE - Visu+ 2.42 TCPUploadServer Remote Code Execution Vulnerability. 0-Day

1.31 Nov 24, 2016

MyScada_MyPRO_Hardcode_RCE - MyScada MyPRO uses hardcoded credentials to deploy projects over FTP 0-Day
Ecava_IntegraXor_Remote_Project_Management - This module remotely stops all tasks of the project 0-Day

1.30 Oct 24, 2016

Citect_Scada_7_2_DoS - A specially crafted TCP package sent to the Citect Scada service ports causes a DoS. 0-Day
Axilog_FB_Buffer_Overflow_RCE - Axilog Firebird Buffer Overflow RCE 0-Day
DBSWIN_FB_Buffer_Overflow_RCE - DBSWIN Firebird Buffer Overflow RCE 0-Day

1.29 September 22, 2016

EasyBuilder_Pro_com_e30_DoS - Weintek EasyBuilder Pro com_e30 DoS 0-Day
EasyBuilder_Pro_com_e30_DoS_1 - Weintek EasyBuilder Pro HMI Data Server com_e30 DoS 0-Day
AspicMP_Project_Manager_Remote_Control - AspicMP Project Manager Remote Control 0-Day

1.28 August 26, 2016

Cimon_Scada_HttpSvr_DoS - Cimon Scada HttpSvr Remote Denial of Service Vulnerability 0-Day
EisBaer_Scada_Webserver_Directory_Traversal - EisBaer Scada Webserver Directory Traversal 0-Day
GX_IEC_Developer_Activex_AFD - GX IEC Developer 5.02 ActiveX Arbitrary File Delete Exploit 0-Day

1.27 July 30, 2016

Rapid_Scada_Arbitrary_File_Download - Vulnerability allows an authenticated user to get the content of files by sending a specially crafted TCP package to the Scada-Server service 0-Day
AutoBase_NetServer_DoS - Remote Denial Of Service in AutoBase Network Server 10.2.6.1 0-Day
CenturyStar_DoS - Century Star Denial Of Service Vulnerability 0-Day

Modules list:

1.26 June 20, 2016

Iconix_Activex_0day - ICONICS Scada ActiveX control AWXRep32.ocx is vulnerable.
Iconix_Activex_0day_2 - ICONICS Scada ActiveX control TreeExplorer.ocx is vulnerable.
Iconix_Activex_0day_3 - ICONICS Scada ActiveX control DBMining.ocx is vulnerable.
Cogent_Datahub_DoS - Cogent Datahub version 7.3.10 Denial Of Service Exploit

1.25 May 26, 2016

Lutron_Grafik_Eye_Designer_activex.py - Lutron Grafik Eye Designer ActiveX command execution
Lutron_HomeWorks_Interactive_activex_2.py - Lutron HomeWorks Interactive ActiveX arbitrary file overwrite
advantech_webaccess_8_1_dashboardViewer_afd.py - Advantech WebAccess (8.1) Dashboard Viewer arbitrary file deletion
advantech_webaccess_8_0_dashboardViewer_afd.py - Advantech WebAccess (8.0) Dashboard Viewer arbitrary file upload or deletion leveraged to code execution

Lutron_HomeWorks_Interactive_activex.py - another Lutron HomeWorks Interactive ActiveX arbitrary file delete

1.24 April 29, 2016

Yaskawa_SigmaWin_Plus_Activex_AFD.py - Yaskawa SigmaWin Plus ActiveX Arbitrary File Delete Exploit. public
MOXA_Mass_Configurator_Tool_DoS.py - Remote Denial Of Service in MOXA Mass Configuration Tool 1.0.0.1. public
ISGA_Carlo_Gavazzi_DoS.py - Carlo Gavazzi ISGA Smart MPPT Inverter DoS 0-Day

1.23

Yokogawa_Centum_DoS.py - Remote Denial Of Service in Yokogawa CENTUM CS3000 R3.08.50 CVE-2014-0781
SearchBlox_Directory_Traversal.py - SearchBlox v8.3 Unauthenticated Config Rewrite Vulnerability. ICSA-15-337-01
Advantech_WebAccess_webvrpcs_DoS.py - Remote Denial Of Service in Advantech WebAccess. 0-Day

1.22 January 26, 2016

QuickHMI_Server_v3_DoS.py - QuickHMI Server v3 Antelope Denial of Service. 0-day
Reliance_4_Control_Server_SCADA_DoS.py - Reliance 4 Control Server Denial of Service. 0-day
Iocomp_Software_activex.py - Iocomp Software ActiveX Control Remote Code Execution Vulnerability. 0-day

1.21 December 19, 2015

Codesys_Webserver_DoS_0day.py - Codesys webserver DoS. 0-Day
MOXA_VPort_SDK_activex.py - MOXA VPort SDK ActiveX control exploit. ICSA-15-097-01. CVE-2015-0986
phoenix_contact_afu.py - Phoenix Contact Arbitrary File Upload, client-side. 0-Day

1.20 November 16, 2015

SpiderControl_SCADA_Editor_DoS.py - SpiderControl SCADA Editor Denial Of Service Exploit 0-day
SpiderControl_SCADA_Editor_Directory_Traversal.py - SpiderControl SCADA Editor Directory Traversal Vulnerability 0-day
ABB_Microscada_ActiveX - ABB Microscada ActiveX Control Buffer Overflow Exploit 0-day

1.19 September 3, 2015

DataNet_OPC_Webserver_Directory_Traversal.py - DataNet OPC Webserver Directory Traversal Vulnerability 0-day
MOXA_SoftCMS_Webserver_DoS.py - MOXA SoftCMS AspWebServer Denial Of Service Exploit 0-Day
TwinCAT_CodeMeter_DoS_PoC.py - TwinCAT PLC Control CodeMeter Remote Denial of Service 0-Day

1.18 July 29, 2015

IPESOFT_D2000_SCADA_Directory_Traversal.py - Directory traversal vulnerability in the WildFly HTTP Server used by default in IPESOFT D2000 SCADA 0-day

Lanmisoft_automation_Directory_Traversal.py - Lanmisoft Directory Traversal 0-day

1.17 June 09, 2015

BBElectronics_Vlinx_ConnectPro_Manager_DoS.py - BB Electronics Vlinx ConnectPro Manager DoS 0-Day
xarrow_dos.py - SCADA xArrow Software v.5.5 - Denial of Service. 0Day
Reliance_4_DoS.py - Remote Denial Of Service in Reliance 4 Control Server. 0Day

1.16 April 17, 2015

deltaeremote_dos.py - Delta IA HMI DOP Patch eRemote V2.00.11 - Denial of Service 0-day
infilink_dos.py - Infilink HMI v5.00.34 DoS 0-day
modbus_directory_traversal.py - Modbus SCADA (WLC Systems) v2.1.2 Build Jun 14 2014 - Directory Traversal 0-day

1.15 March 25, 2015

ag_peakhmi_buffer_overflow.py - PeakHMI Runtime <= v.7.11.0.0 - Buffer Overflow. 0-day
ag_events_reveals_sensitive_info.py - Events SCADA HMI <= v.8.58 - reveals sensitive info. 0-day
ag_adamview_buffer_overflow.py - Advantech ADAMView <= v.4.3 - Buffer Overflow. CVE-2014-8386

1.14 Feb 13, 2015

ag_mango_file_upload.py - SCADA Mango Automation file upload
DuerrDental_Firebird_DoS.py - DuerrDental Firebird DoS
Panasonic_Configurator_DL_DoS_PoC.py - Panasonic Configurator DL DoS PoC
AzeoTech_DAQFactory_DoS.py - AzeoTech DAQFactory DoS/PoC

1.13 Dec 20, 2014

PeakHMI_Webserver_Directory_Traversal.py - PeakHMI Webserver Directory Traversal Vulnerability 0-day
PROMOTIC_Remote_Code_Execution_Exploit.py - Promotic SCADA ActiveX Control Remote Code Execution Vulnerability
WS10_Data_Server_DoS.py - WS10 Data Server SCADA Remote DoS

1.12 Nov 17, 2014

EATON_LanSafe_DoS.py - EATON LanSafe Denial Of Service Exploit
Embedthis_Goahead_DoS.py - Embedthis Goahead Webserver Remote DoS
NOVUS_NConfig_DoS.py - NOVUS NConfig 0-Day DoS/PoC
NOTE: Fixed missing module names in changelog

1.11 Oct 12, 2014

FANUC_OlpcPRO_Directory_Traversal.py - FANUC OlpcPRO Directory Traversal Vulnerability 0-day
Schneider_Electric_PLC_ETY_DoS.py - Schneider Electric PLC ETY Series Ethernet Controller Denial of Service
ZScada_Net_2_0_DoS.py - Z-Scada Net 2.0 0-Day DoS/PoC

1.10 Aug 25, 2014

Advantech_WebAccess_activex_Exploit_0Day.py - Advantech WebAccess ActiveX ProjectName() Remote Overflow 0-day
Emerson_ROCLINK800.py - Emerson ROCLINK800 arpro2.dll ActiveX Control Remote Code Execution Vulnerability

1.9 May 26, 2014

ScadaMobile_DirTrav_0day.py - ScadaMobile ONE v2.5.2 Directory Traversal Vulnerability 0day
Siemens_License_Manager_activex.py - Siemens Automation License Manager Remote Arbitrary File Overwrite
Siemens_License_Manager_DoS.py - Siemens Automation License Manager Service Remote Denial of Service 0Day

1.8 March 25, 2014

CoDeSys_Gateway_Server_DoS.py - CoDeSys Gateway Server Remote Denial of Service 0Day
Delta_Electronics_simulator_SEH_Overflow_PoC.py - Delta Electronics simulator SEH Overflow PoC DoS

Ecava_IntegraXor_DoS.py - Ecava IntegraXor Denial of Service

1.7 February 25, 2014

ABB_Test_Signal_Viewer_Remote_Code_Execution.py - ABB Test Signal Viewer ActiveX Control Remote Code Execution Vulnerability
CodeMeter_DoS.py - CodeMeter WIBU-SYSTEMS AG Remote Denial of Service 0Day

1.6 January 24, 2014

Eaton_Network_Shutdown_Module_DoS.py - Remote Denial Of Service in Eaton Network [0Day]
EATON_VURemote_DoS.py - EATON VURemote [0Day] DoS
Ignition_Gateway_OPC_UA_Server_DoS.py - Ignition Gateway OPC UA Server Denial Of Service [0day]
RuggedDirector_DoS.py - RuggedDirector Remote Denial of Service [0Day]
Tri_PLC_DoS.py - Remote Denial Of Service in TriPLC Nano10 r81. CVE-2013-2784

1.5 December 4, 2013

Mitsubishi_Electric_Automation_MC_WorX_File_Execution.py - Mitsubishi Electric Automation MC-WorX File Execution Exploit. No CVE, but public.
Mitsubishi_Electric_Automation_MC_WorX_Remote_File_Delete_0day.py - Mitsubishi Electric Automation MC-WorX Remote File Delete [0Day] Exploit
Modbus_SCADA_DirTrav_0day.py - Modbus SCADA Directory Traversal Vulnerability [0day]
Moore_Industries_NCS_Config.py - Moore Industries NCS Configuration [0Day] DoS
Siemens_WinCC_TIA_Portal_remote_DoS_0Day.py - Siemens WinCC TIA Portal miniweb.exe remote DoS [0Day]

1.4 November 6, 2013

Proface_ProServer_EX_DoS.py - Remote Denial Of Service in Proface ProServer EX. Public, no CVE.

Galil_RIO_DoS.py - Remote Denial Of Service in Galil RIO Rio47100. CVE-2013-0699
National_Instruments_Remote_Code_Execution.py - National Instruments ActiveX LabWindows/CVI, LabVIEW Remote Code Execution. CVE-2013-5022
National_Instruments_Remote_Code_Execution_2.py - National Instruments LabWindows/CVI, LabVIEW ActiveX Remote Code Execution. CVE-2013-5025

1.3 October 3, 2013

UCanCode_HMI_ActiveX_Remote_File_Replace.py - UCanCode HMI Control ActiveX Remote File Replace Exploit. [0Day]
MetaDraw_ActiveX_Remote_File_Replace.py - MetaDraw ActiveX Remote File Replace Exploit. [0Day]
Mitsubishi_MX_ActiveX_Component_Exploit.py - Mitsubishi MX ActiveX Component Exploit. No CVE, public vuln.
QNX_FTPD_DoS.py - QNX FTPD Remote DoS. No CVE, public.
Siemens_WinCC_TIA_Portal_Miniweb_Dos.py - Remote Denial Of Service in Siemens WinCC TIA Portal miniweb.exe server. [0Day]

1.2 September 4, 2013

Siemens_Simatic_HMI_Pro_Tool_DoS.py - Siemens SIMATIC ProTool/Pro Configuration (CS) 0Day DoS
Clorius_Controls_ICS_SCADA_Information_Disclosure.py - Clorius Controls ICS SCADA Information Disclosure

Honeywell_UniSim_ShadowPlant_Bridge_DoS.py - Honeywell UniSim ShadowPlant Bridge Remote DoS 0Day
Intellicom_Netbiter_WebSCADA_Directory_Traversal.py - Intellicom Netbiter WebSCADA Directory Traversal

v 1.1 updates list: August 19, 2013

Sunway_Webserver_Remote_Command_Execution - Sunway Webserver Remote Command Execution. No CVE, but public.
Cogent_Datahub_Buffer_Overflow_Remote_Exploit - Cogent Datahub Buffer Overflow Remote Exploit. CVE-2011-3493
Honeywell_UniSim_DoS.py - Honeywell UniSim SimStation Remote DoS. 0Day
Schneider_Electric_Accutech_Manager_Server_DoS.py - Schneider Electric Accutech Manager Server Denial Of Service. CVE-2013-0658
Schneider_Electric_PLC_Simulator_Dos - Schneider Electric PLC Simulator 'sim.exe' Remote denial-of-service. 0Day
Schneider_Electric_Web_Designer_Server_Simulator_Dos - Schneider Electric Web Designer Server Simulator Remote denial-of-service. 0Day

v 1.0 list:

1. Trace_Mode_Remote_Dos

0day.

This module exploits a vulnerability in the TraceMode Runtime Monitor service by sending a malformed packet to the 772/TCP port to crash the application.

2. Trace_Mode_Remote_UDP_Dos

0day.

This module exploits a vulnerability in the TraceMode Runtime Monitor service by sending a malformed packet to the 260/UDP port to crash the application.

3. Atvise_Webmitestserver_Directory_Traversal

0day

Directory traversal vulnerability via a ..\ sequence in the HTTP request.

4. Atvise_webMI2ADS_Remote_Shutdown

CVE-2011-4882

This module exploits a vulnerability in the Atvise webMI2ADS server by sending a special command via an HTTP request to shut down the application.

5. Atvise_webMI2ADS_Null_Pointer_Remote_Dos

CVE-2011-4881

The web server in Certec atvise webMI2ADS (aka webMI) before 2.0.2 does not properly check return values from functions, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted HTTP request.

This module exploits a vulnerability in the Atvise webMI2ADS server by sending a malformed http request to crash the application.

6. Atvise_webMI2ADS_Directory_Traversal

CVE-2011-4880

Directory traversal vulnerability in the web server in Certec atvise webMI2ADS (aka webMI) before 2.0.2 allows remote attackers to read arbitrary files via a crafted HTTP request.

7. TraceMode_DataCenter_Directory_Traversal

CVE-2011-5087

The module exploits a directory traversal vulnerability in AdAstrA TRACE MODE Data Center that allows remote attackers to read arbitrary files via an HTTP request to the publisher server (port 81) and to the document server (port 80).

8. Kaskad Daserver Remote Code Execution

0day

This module exploits a remote memory (heap) corruption in the Kaskad Daserver.exe by sending a specially crafted UDP packet to the server on port 25923.

9. Ge_Fanuc_Cimplicity_Webserver_Remote_Command_Execution

0day

This module exploits a directory traversal vulnerability in the Ge Fanuc Cimplicity cimwebserver.exe via an HTTP request on port 80. Successful exploitation leads to system command execution.

10. Ge_Fanuc_Cimplicity_Webserver_Directory_Traversal

CVE-2013-0653

Directory traversal vulnerability in substitute.bcl in the WebView CimWeb subsystem in GE Intelligent Platforms Proficy HMI/SCADA CIMPLICITY 4.01 through 8.0, and Proficy Process Systems with CIMPLICITY, allows remote attackers to read arbitrary files via a crafted packet.

11. Ge_Fanuc_Cimplicity_Webserver_Dos

0day

This module exploits a vulnerability in the Cimplicity webserver by sending a malformed http request to crash the application.

12. OPCSystems_Service_Dos

CVE-2011-4871

This module exploits a vulnerability in the OPCSystems server by sending a malformed TCP packet to the application. Successful exploitation may lead to exhaustion of CPU resources.

13. Advantech WebAccess Change Password Exploit

CVE-2012-0239

The uaddUpAdmin.asp in Advantech/BroadWin WebAccess before 7.0 does not properly perform authentication, which allows remote attackers to modify an administrative password via a password-change request.

13. Advantech_WebAccess_SQLInjection_Exploit 0day

Advantech/BroadWin WebAccess 7.0 does not properly validate the input parameters 'proj' and 'node' in the HTTP request to bwview.asp. This leads to a Double Blind SQL Injection vulnerability. The vulnerability may be one of CVE-2012-1234, CVE-2012-0244, CVE-2012-0234, CVE-2011-4521.

14. Advantech_WebAccess_Bwocxrun_Activex_Buffer_Overflow_Exploit

CVE-2012-0243

This module exploits a vulnerability in the bwocxrun.ocx module included in Advantech WebAccess. The exploit is triggered when the CreateProcess() method processes a malformed argument, resulting in a stack-based buffer overflow. There are also other unsafe methods in this library that may be exploitable: WriteTextData(), URLEncode(), OpenUrlToFileTimeout(), OpenUrlToBufferTimeout(), OcxSpool(), CreateProcess().

15. Advantech_WebAccess_Multiple_Activex_Exploit

0day

The default installation of WebAccess 7.0 contains a few ActiveX controls (http://broadwin.com/Drivers/Video.htm). Some of them are vulnerable to stack-based buffer overflows. The vulnerable ones are: NVCTRLMEDIA.dll, camviewlc.ocx, dvs.ocx, NVLive.ocx, epochmaking.dll, webeyeaudio.ocx.

16. QNX_shutdown

QNX version <=6.5.0 with QCONN version 1.4.207944 suffers from a remote command execution vulnerability.

17. QNX_FTPD_DoS

Denial of service against the FTP server of the QNX base system.

18. QNX_phrelay_DoS

Buffer overflow in phrelay when handling the device file that the client specifies as an existing Photon session.

19. InterSystems_Cache_DoS_1

Remote Denial Of Service in InterSystems Cache.

20. InterSystems_Cache_DoS_2

Remote Denial Of Service in InterSystems Cache.

21. SpecViewDirectoryTraversal

A SpecView SCADA web server directory traversal vulnerability could occur when a specially crafted request is passed to the web server running on port 80/TCP. Successful exploitation could result in data leakage.

22. Progea_Movicon_11_DoS

Remote Denial Of Service in Progea Movicon 11

23. ICPDAS_EZ_Data_Logger_DoS 0day

This module causes a Denial of Service in ICPDAS EZ Data Logger.

24. advantech_web_DoS

Remote Denial Of Service in Advantech Studio Web server.

25. IPC_chip_Directory_Traversal

This module exploits a directory traversal vulnerability in BECK IPC GMBH IPC CHIP. An attacker could read files from an arbitrary directory without authorization via an HTTP request. A successful attack may result in data leakage.

26. IPC_chip_DoS

Remote Denial Of Service in BECK IPC CHIP. This exploit will leave the service unavailable.

27. C3ILEX_EOScada_DoS

Remote Denial Of Service in C3ilex Scada

28. RuggedComDevicesBackdoorAccess

An undocumented backdoor account exists within all released versions of RuggedCom's Rugged Operating System (ROS®).

The username for the account, which cannot be disabled, is "factory" and its password is dynamically generated based on the device's MAC address.

29. Elipse_ActiveReports_Remote_File_Delete

An ActiveX error can be used to delete any file on the victim's computer.

30. PlantVisor_CarelDataServer_Directory_Traversal

CVE-2011-3487

This module exploits a directory traversal vulnerability in the Carel PlantVisor CarelDataServer.exe service. Directory traversal vulnerability in CarelDataServer.exe in Carel PlantVisor 2.4.4 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP GET request.

31. PlantVisor_Remote_Code_Execution.py

0day

This module exploits a directory traversal vulnerability that leads to command execution. The directory traversal in the PlantVisor web server is used to upload and launch the trojan.

32. Carel_PlantVisorPro_SQLInjection_Exploit.py

0day

This module exploits an SQL injection vulnerability in Carel PlantVisorPro 2.0. Carel PlantVisorPro does not validate the input parameter 'param0' in the HTTP request to DispatcherError.jsp and DispatcherClear.jsp. The vulnerability leads to theft of critical information and to code execution.

33. Carel_PlantVisorPro_Hardcoded_Password.py

0day

This module exploits a hardcoded password vulnerability in Carel PlantVisorPro 2.0. Hardcoded credentials were found in DBCommander.jsp, RCmdComm2.jsp and RCmdComm.jsp. The attacker can use username = debug and password = pvprod3bug to access the SCADA's database. Successful exploitation may lead to critical info disclosure and to code execution.

34. Advantech_Studio_Directory_Traversal

This module exploits a directory traversal vulnerability in Advantech Studio.

35. Carel_PlantVisorPro_Local_File_Inclusion_Exploit.py

0day

This module exploits a local file inclusion vulnerability in the Carel PlantVisorPro 2.0 (demo) web interface. An attacker can steal critical information from configuration files by using LogReader.jsp and LogsReader.jsp. A successful attack may result in data leakage. This module downloads arbitrary files: the postgres authorization file, the SCADA scheduler conf file, the postgres SQL conf file, the bootpro password file and the tomcat server conf file.

36. Siemens_WinCC_Flexible_Hmiload_Dos

CVE-2011-4875

Remote Denial Of Service in Siemens WinCC Flexible hmiload.exe server.

37. Siemens_WinCC_Flexible_Miniweb_Dos

CVE-2011-4879

Remote Denial Of Service in Siemens WinCC Flexible miniweb.exe server.

38. Siemens_Wincc_Flexible_Miniweb_Directory_Traversal

CVE-2011-4878

This module exploits a directory traversal vulnerability in Siemens WinCC Flexible webserver (miniweb.exe).

39. Siemens_WinCC_Flexible_Hmiload_Remote_Code_Execution

CVE-2011-4876

This module exploits a directory traversal vulnerability that leads to command execution.

40. Ge_Fanuc_Real_Time_Portal_Unauthorized_Remote_File_Access

CVE-2012-0232

The rifsrvd.exe service is affected by a directory traversal vulnerability via a specially crafted TCP packet sent to the application on port 5159. Successful exploitation may lead to creating ini files.

41. NetBiterConfig_and_Anybus_IPconfig_DoS

CVE-2009-4462

Stack-based buffer overflow in the NetBiterConfig utility (NetBiterConfig.exe) 1.3.0 for Intellicom NetBiter WebSCADA allows remote attackers to execute arbitrary code via a long hn (hostname) parameter in a crafted HICP protocol UDP packet.

42. Adroit_SCADA_Intelligence_Server_DoS

Sending multiple specially crafted TCP packets crashes the Adroit Intelligence Server.

43. Ge_Fanuc_Real_Time_Portal_Information_Disclosure

CVE-2008-0175

This module exploits a sensitive information disclosure vulnerability in the Ge Fanuc Real Time Portal.

44. Schneider_Electric_Vijeo_Web_Gate_Server_Directory_Traversal.py 0day

An attacker could read files from an arbitrary directory without authorization via an HTTP request. A successful attack may result in data leakage. This module downloads an arbitrary file in order to disclose sensitive information.

45. Schneider_Electric_Vijeo_Web_Gate_Server_DoS

0day

This exploit will crash the Schneider Electric Vijeo Web Gate Server by sending a long string to the application on TCP port 80.

46. Sielco Sistemi Winlog Buffer Overflow Remote Exploit

CVE-2012-3815

This module exploits a buffer overflow vulnerability in the Runtime.exe service that can be triggered by sending a specially crafted request to port 46824.

47. Siemens WINCC DiagAgent Directory Traversal Vulnerability

CVE-2012-2597

This module exploits a directory traversal vulnerability in Siemens WINCC CCDiagAgent.exe web server.

48. Siemens WINCC DiagAgent Buffer Overflow Remote Exploit

CVE-2012-2598

The DiagAgent Web server is used for remote diagnostic purposes and is disabled by default. If the service is enabled, it does not sanitize user input correctly. Specially crafted input can crash the DiagAgent (or execute code in it), disabling the remote diagnostic service.

49. Siemens WINCC DiagAgent Multiple Directory Traversal Vulnerabilities Exploit

0Day

The web interface of the DiagAgent is prone to directory traversal vulnerabilities which allow attackers to read arbitrary files.

50. Ge_Fanuc_Cimplicity_Webserver_Dos(Bug).py

CVE-2012-4689

51. Schneider_Electric_Accutech_Manager_Server_DoS

CVE-2013-0658

Heap-based buffer overflow in RFManagerService.exe in Schneider Electric Accutech Manager 2.00.1 and earlier allows remote attackers to execute arbitrary code via a crafted HTTP request.

52. Schneider_Electric_ModbusDrv_Dos

Schneider Electric Multiple Products (Unity PRO XL) 'ModbusDrv.exe' Remote denial-of-service

