Share
## https://sploitus.com/exploit?id=E210A992-6AFE-56B2-91A8-CA375A8B7142
# ICS Vulnerability PoC Library โ SCAA Benchmark Support
Proof-of-concept vulnerability samples for the 15 high-impact CVEs evaluated in
**RQ6 (Industrial Practicability and Real-World Efficacy)** of:
> *"SCAA: Semantic-Contextual Attributed Graphs for Industrial Binary Vulnerability Detection"*
---
## Purpose
This library provides **detection-oriented PoC samples** for the SCAA static analysis benchmark.
Each PoC is a compilable C source file that faithfully reproduces the **vulnerability pattern**
(CWE category, trigger path, and code structure) of the target CVE.
> **Scope**: These samples are designed for static binary analysis and vulnerability detection
> research. They are **not** network-weaponised exploits and do not target live ICS systems.
> All APT-category samples reproduce the documented CWE pattern only โ no destructive payload.
---
## CVE Coverage (RQ6 Table, Manuscript ยง5.6)
| # | CVE | Target | Category | CWE | Detection |
|---|-----|--------|----------|-----|-----------|
| 1 | CVE-2021-27478 | Rockwell EtherNet/IP | PF | CWE-121 | โ |
| 2 | CVE-2019-6833 | Schneider Modicon (VxWorks) | PF | CWE-787 | โ |
| 3 | CVE-2020-5595 | Mitsubishi MELSEC-Q | PF | CWE-20 | โ |
| 4 | CVE-2021-22277 | ABB AC800M (MMS) | PF | CWE-400 | โ |
| 5 | CVE-2021-22681 | Siemens S7-1200 | AE | CWE-321 | โ |
| 6 | CVE-2020-12038 | Rockwell Studio 5000 | AE | CWE-287 | โ |
| 7 | CVE-2020-8476 | ABB AC500 PLC | AE | CWE-798 | โ |
| 8 | CVE-2023-27396 | Omron CJ2M (FINS) | AE | CWE-306 | โ |
| 9 | CVE-2015-5374 | Siemens WinCC | SA | CWE-119 | โ |
| 10 | CVE-2023-2573 | AVEVA InTouch HMI | SA | CWE-287 | โ |
| 11 | CVE-2019-6503 | GE CIMPLICITY HMI | SA | CWE-22 | โ |
| 12 | CVE-2021-38397 | Honeywell Experion PKS | SA | CWE-78 | โ |
| 13 | CVE-2010-2772 | Siemens Step7 (Stuxnet) | APT | CWE-798 | โ |
| 14 | CVE-2019-6829 | Schneider Triconex (Triton) | APT | CWE-345 | ~ |
| 15 | CVE-2014-0751 | GE CIMPLICITY (BlackEnergy) | APT | CWE-22 | โ |
**Categories**: PF = Protocol Fuzzing ยท AE = Authentication/Encryption ยท SA = SCADA/HMI Application ยท APT = Advanced Persistent Threat
**Detection**: โ = Full detection ยท ~ = Partial detection (similarity score below threshold)
---
## Repository Structure
```
software_vul_poc/
โโโ README.md
โโโ .gitignore
โโโ category_PF/ Protocol-level parsing vulnerabilities
โ โโโ CVE-2021-27478/ CIP integer sign confusion โ stack overflow
โ โโโ CVE-2019-6833/ URGENT/11 TCP/IP heap overflow (VxWorks)
โ โโโ CVE-2020-5595/ MELSEC-Q improper input validation
โ โโโ CVE-2021-22277/ MMS malformed packet โ resource exhaustion
โโโ category_AE/ Authentication & encryption weaknesses
โ โโโ CVE-2021-22681/ S7 hardcoded cryptographic key
โ โโโ CVE-2020-12038/ Studio 5000 authentication bypass
โ โโโ CVE-2020-8476/ AC500 hardcoded credentials
โ โโโ CVE-2023-27396/ FINS missing authentication
โโโ category_SA/ SCADA/HMI software vulnerabilities
โ โโโ CVE-2015-5374/ WinCC memory corruption (CIP EN100)
โ โโโ CVE-2023-2573/ InTouch HMI web auth bypass
โ โโโ CVE-2019-6503/ CIMPLICITY path traversal
โ โโโ CVE-2021-38397/ Experion PKS command injection
โโโ category_APT/ APT-level ICS malware patterns
โ โโโ CVE-2010-2772/ Stuxnet Step7 hardcoded DB password
โ โโโ CVE-2019-6829/ Triton/TRITON TriStation safety bypass
โ โโโ CVE-2014-0751/ BlackEnergy CIMPLICITY directory traversal
โโโ harness/
โโโ build_all.sh Compile all C samples
โโโ run_scaa.py Feed binaries to SCAA detection pipeline
โโโ expected_results.json
```
---
## Build & Test
```bash
# Compile all PoC samples (requires gcc or arm-linux-gnueabi-gcc)
bash harness/build_all.sh
# Run SCAA detection on all compiled binaries
python harness/run_scaa.py --model-path /path/to/trained/model
# Expected: 14/15 detections (CVE-2019-6829 partial, score 0.74 < ฯ=0.78)
```
---
## Advisory References
Each CVE directory contains a `README.md` with:
- NVD detail page link
- ICS-CERT / CISA advisory link
- Vendor security bulletin
- Public research/analysis references
---
## Ethical Use Statement
These samples are released under **CC BY-NC 4.0** for academic and defensive security
research only. They reproduce documented vulnerability patterns for detection system
evaluation and are not intended for offensive use against production systems.
All APT-category files reproduce only the CWE-level code pattern described in
public post-mortem analyses. No functional destructive payload is included.