# 🛡️ qub-network-security-cve-2023-20198

**Analysis, detection, and mitigation of CVE-2023-20198 exploitation in Cisco IOS XE**  
📘 _Queen’s University Belfast – CSC3064 Network Security Assessment_

---

## 📋 Assessment Overview

This project analyses PCAP files provided by Fox-IT in order to:
- Identify network-level Indicators of Compromise (IOCs)
- Reproduce the exploitation traffic with custom-crafted packets
- Apply Snort IDS/IPS rules and iptables-based countermeasures against it

---

## 📁 Repository Structure

- `Slides/` – Presentation slides used in the video submission
- `IOC Summary/` – Detailed breakdown of all network-level Indicators of Compromise
- `Snort Rules/` – Alert and drop rules implemented in Snort, with visual proof
- `Assessment PDF/` – Official CSC3064 assessment instructions from QUB
- `Video/` – Demo presentation video (uploaded separately and linked below)

---

## Final IOC Summary

| **IOC Type**      | **IOC Observed**                                                          | **What It Confirms**                                                        |
|-------------------|---------------------------------------------------------------------------|-----------------------------------------------------------------------------|
| **IP Patterns**   | Attacker: `10.10.1.1`, `10.10.0.1`<br>Victims: `10.10.1.69`, `10.10.1.42` | Attack source and target devices identified                                 |
| **Headers**       | `User-Agent: Mozilla/5.0...`<br>`Priv-Level: 15`                          | Browser impersonation; the request asserts privilege level 15 (enable-level access) |
| **Protocols**     | TCP, HTTP (port 80), SOAP/XML                                             | Exploitation of the WSMA SOAP interface over unencrypted HTTP               |
| **Payloads**      | `execCLI` and `username cisco_support`                                   | Remote IOS command execution and creation of a backdoor local account       |
| **TCP Behavior**  | SYN, ACK, FIN in the normal sequence (no floods or half-open connections) | Targeted, low-volume sessions rather than denial-of-service traffic          |
| **Ports Used**    | Port 80 only (no HTTPS)                                                   | Credentials and commands sent in plaintext                                  |

---

## 🔍 Snort Rules Used

📄 See [`Snort_Rules.txt`](Snort%20Rules/Snort_Rules.txt) for all implemented rules.

Rules cover:
- Detection (alert) and prevention (drop) of `execCLI` calls, backdoor account creation, admin login attempts, and privilege escalation via the `Priv-Level` header.

🖼️ Screenshot:  
![Snort Rules Example](Snort%20Rules/Snort_Rules_ScreenShot.png)
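The rules file itself is linked rather than reproduced on this page. As an added example (not the submission's own `Snort_Rules.txt` or any other code from this repository), the following Python turns the IOCs from the summary table into signatures, renders them as Snort 2 `alert`/`drop` rules, and runs the same match logic over constructed sample requests so the signatures can be checked offline. The `/wsma` path, the SOAP envelope shapes, the SIDs and the addresses are assumptions made for the example.

```python
# Added example: IOC signatures -> Snort 2 rules, plus an offline matcher.
# Not code from the CSC3064 submission. Sample requests are constructed;
# endpoint path, SOAP shape, SIDs and addresses are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]   # header names lower-cased
    body: str


def parse_http_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", errors="replace").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body.decode("utf-8", errors="replace"))


@dataclass
class Signature:
    sid: int
    msg: str
    method: Optional[str] = None                 # HTTP method, e.g. "POST"
    header: Optional[Tuple[str, str]] = None     # (name, value), case-insensitive
    body: Optional[str] = None                   # substring of client body, case-insensitive

    def matches(self, req: HttpRequest) -> bool:
        """Apply the same conditions the generated Snort rule checks."""
        if self.method and req.method.upper() != self.method.upper():
            return False
        if self.header:
            name, value = self.header
            if req.headers.get(name.lower(), "").lower() != value.lower():
                return False
        if self.body and self.body.lower() not in req.body.lower():
            return False
        return True

    def to_snort(self, action: str = "alert") -> str:
        """Render as a Snort 2 rule; action "alert" for IDS, "drop" for inline IPS."""
        opts = [f'msg:"{self.msg}"', "flow:to_server,established"]
        if self.method:
            opts.append(f'content:"{self.method}"; http_method')
        if self.header:
            name, value = self.header
            opts.append(f'content:"{name}|3a| {value}"; http_header; nocase')  # |3a| is ':'
        if self.body:
            opts.append(f'content:"{self.body}"; http_client_body; nocase')
        opts.append(f"sid:{self.sid}; rev:1")
        return f"{action} tcp any any -> $HOME_NET 80 ({'; '.join(opts)};)"


# Signatures derived from the IOC table; SIDs in the local range are assumptions.
SIGNATURES: List[Signature] = [
    Signature(1000001, "CVE-2023-20198 WSMA execCLI over plaintext HTTP",
              method="POST", body="execCLI"),
    Signature(1000002, "CVE-2023-20198 backdoor account cisco_support",
              method="POST", body="username cisco_support"),
    Signature(1000003, "CVE-2023-20198 Priv-Level 15 header on HTTP request",
              header=("Priv-Level", "15")),
]


def wsma_post(body: bytes) -> bytes:
    """Constructed attacker request: WSMA SOAP over plaintext HTTP with Priv-Level 15."""
    return (b"POST /wsma HTTP/1.1\r\nHost: 10.10.1.69\r\n"
            b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
            b"Priv-Level: 15\r\nContent-Type: text/xml\r\n\r\n" + body)


WSMA_EXECCLI = wsma_post(
    b'<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"><SOAP:Body>'
    b'<request xmlns="urn:cisco:wsma-exec"><execCLI><cmd>show running-config</cmd>'
    b"</execCLI></request></SOAP:Body></SOAP:Envelope>")
WSMA_ADD_USER = wsma_post(
    b'<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"><SOAP:Body>'
    b'<request xmlns="urn:cisco:wsma-config"><configApply><config-data>'
    b"<cli-config-data-block>username cisco_support privilege 15 secret Passw0rd"
    b"</cli-config-data-block></config-data></configApply></request></SOAP:Body></SOAP:Envelope>")
BENIGN_GET = (b"GET /index.html HTTP/1.1\r\nHost: 10.10.1.69\r\n"
              b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n\r\n")


def scan(raw: bytes, signatures: List[Signature] = SIGNATURES) -> List[int]:
    """Return the SIDs of every signature that fires on one raw request."""
    req = parse_http_request(raw)
    return [s.sid for s in signatures if s.matches(req)]


def render_rules(action: str = "alert", signatures: List[Signature] = SIGNATURES) -> str:
    """Rule-file text: action="alert" for IDS mode, "drop" for inline IPS mode."""
    return "\n".join(s.to_snort(action) for s in signatures)


if __name__ == "__main__":
    print(render_rules("alert"))
    for name, raw in [("execCLI", WSMA_EXECCLI), ("add user", WSMA_ADD_USER), ("benign", BENIGN_GET)]:
        print(f"{name:>9}: fired SIDs {scan(raw)}")
```

Running the block prints the alert rules and the SIDs that fire on each sample; `render_rules("drop")` gives the inline IPS variant for a `snort -Q` deployment. The option syntax is Snort 2; Snort 3 treats `http_header` and `http_client_body` as sticky buffers placed before the `content` they apply to, so adjust the rendering if the lab runs Snort 3.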

---

## Demonstration Highlights

- Simulated the attack traffic with `hping3`
- Applied Snort IDS rules (alert-only) and IPS rules (packet dropping)
- Configured `iptables` to allow legitimate traffic and drop the malicious packets
- Validated effectiveness with Wireshark in a VM environment (UTM on macOS)

---

## 🎥 Video Presentation

📺 **[Watch the full demo on YouTube](https://youtu.be/Pd3sRbPnEKQ)**  
_(Unlisted – accessible only via this link)_

---

## 👤 Author

**Dominicus Adjie Wicaksono**  
Student ID: 40352799  
📧 dominicadjiew@gmail.com  
🔗 [LinkedIn](https://www.linkedin.com/in/dominicusadjie)