Mini Project #4: Vulnerability Exploitation in

ICS Protocol

Assigned: November 1, 2019 Due: November 11, 2019, 11:59pm EST

Introduction
This two part project will focus on using the SHODAN search engine
and ICS-CERT database to find devices visible on the net and their
particular vulnerabilities. In the second part we will pretend as if one of
the nodes that was found via Shodan has a real vulnerability in an ICS
protocol library (that has now been patched) that you will exploit.

1 Part 1 (20 Points)

Cyberattacks are on the rise and a major contributing factor to this is
the fact that many of these devices are accessible/visible just by a
quick search online. SHODAN (https://www.shodan.io/) is a search
engine that lets the user find specific types of devices (webcams, routers,
servers, etc.) connected to the internet using a variety of filters.

1. Using Shodan’s filters find devices accessible through the net under these
categories:

(a) Industrial Control Systems:

i. Modbus protocol
ii. ENIP protocol
iii. BACnet protocol
(b) Web cameras
(c) Printers

Shodan gives the option of generating reports, when you create a

free account. Please use your GT credentials to create an account
and generate reports for the above mentioned categories and turn
in your reports.

2. Now that you know how to look for specific devices on the internet,
let’s say you used Shodan and found that a local Industrial Plant uses
Allen Bradley Micrologix 1100 family of PLCs. The next step is to find if
this model/family of PLC has any known vulnerabilities. Use ICS-CERT
(https://ics-cert.us-cert.gov/) database to find all the vulnerabilities
you can find for this particular model. Submit your findings in

1
Mini Project Vulnerability Exploitation in an ICS
#4 Protocol

the form of a PDF containing the Model number, the vulnerability discovered, brief
description of the vulnerability. Your report must include at least four
vulnerabilities with their descriptions in your own words (you will not receive
credit for simply copy/pasting text).

3. Hopefully, you have found a Buffer overflow vulnerability from your

search of the ICSCERT database. We know for sure that this particular
model 1763-L16BWA suffers from Buffer overflow vulnerability. Go
back to Shodan and search for this particular model to find how many
devices you can find for this model. To search for this particular
model, Go to Explore EtheNet/IP and append the model number into
the search field. Generate and submit a report.

You can use the PDF Mage Firefox plug-in to generate your reports Link

2 Part 2 (80 Points)

Buffer Overflow is a very popular vulnerability that is exploited by attackers.
For more information on Buffer Overflow, please see the following links:

1. How Buffer Overflow Attacks Work

2. Buffer Overflow Exploit

3. First Stack Buffer Overflow to modify Variable

4. How to exploit a buffer overflow vulnerability - Practical

In this section, you will exploit a buffer overflow vulnerability in the libmodbus
library. NOTE: This is different from the buffer overflow vulnerability you
found in the previous section. We’re now pretending as if you found a
device that suffers from the buffer overflow vulnerability in the libmodbus
library. This vulnerability exists in version 3.0.4 (and previous ones), and was
patched in version 3.1.2 at February 10, 2015. The vulnerability can be
found in the modbus reply function and is exploited by the remote write/read
requests. In this function, rsp is a buffer which was defined in the stack. This
buffer is used when the server tries to read/write from/to the registers (see
the modbus reply function in modbus.c file). Since the number of requested
registers is not checked in this function, rsp can be overwritten. This is exactly
the main vulnerability of the modbus reply function.

We have provided you with a virtual machine (VM) image for this part of

2
Mini Project Vulnerability Exploitation in an ICS
#4 Protocol
project. We do not recommend using your own ubuntu instance or VM
because the underlying architec- ture of the machine could change the
address structure of the registers causing variation in your solution. Our
VM’s image link is: Image Link

3
Mini Project Vulnerability Exploitation in an ICS
#4 Protocol

2.1 Executing Existing Malicious Program in the Sever Side (50 Points)
In the desktop of the VM, there is a folder named “modbus”, where the
libmodbus library has been installed. The client and server files can be
found in this directory: Desktop/mod- bus/tests/.libs. The client code can
send a packet to the server to first write in multiple registers and then read
multiple registers. The server code receives the packets, writes to the
specified registers and reads the given registers, and finally responds to
the client’s request. There is a function named secret function in the server
file which is not executed under normal conditions. The aim of this part of
the assignment is to send a request from the client code such that the
secret function is executed. If you successfully execute the secret function,
you will see the send packet and the following statement in terminal (no
response packet). You should only modify the client.py ftle to exploit the
server.
Congratulations!
You have executed the secret function!

You are required to use the modbus write and read registers function in the
client which sends a packet to the server requesting write to multiple
registers first, and then, read from multiple registers. This way, you can put
the specified values in the rsp buffer and redirect the server program to
malicious functions.

Steps:

1. Import the OVA file to VirtualBox. (Username: ubuntu,

Password: 123456)

2. Go to the following directory and run the server and client files: Directory:
Desktop/Modbus/tests/.libs
You can run the server in the first terminal: sudo ./unit-test-server
You can run the client in the second terminal: sudo python client.py
In the first step, try to construct and send a typical message to the
server to see its behaviour and then change the client file to cause
the malicious behaviour. Once you constructed a normal packet
follow the next steps.

3. Run the server code in the gdb debugger (sudo gdb ./unit-test-
4
Mini Project Vulnerability Exploitation in an ICS
#4 Protocol
server) and determine the location of the rsp buffer in the stack.
Determine the return address of the modbus reply function and the
starting address of secret funtion.

4. Design the payload such that you can overwrite the return address
of the mod- bus reply function and run the secret funtion.

5. Explain what you did in each step with details and support your
report with screen- shots (e.g., stack, addresses, terminal after the
successful exploitation).

You can find the libmodbus library functions in the modbus/src directory in
modbus.c file. Also, the source code of the server (unit-test-server.c) is available
at Desktop/modbus/tests. gdb (if you’re using gdb for the first time, we
recommend checking out here) can be used

5
Mini Project Vulnerability Exploitation in an ICS
#4 Protocol

to find the aforementioned addresses and test/debug your exploit.

However, it should be noted that your final exploit (i.e., the final version of
your client.py ) should work outside of gdb. Again, the successful exploit
will lead to the following statement printed in the server terminal.
Congratulations!
You have executed the secret function!

2.2 Opening a New Clean Shell in the Server Side (30 Points)
Once you finish the previous part, this part should be easy for you. In
order to complete this part, you should modify the client.py file in such
a way that a new, clean shell is opened in the terminal that server runs.
If you check the current shell in the server ter- minal (i.e., sudo echo $0)
before exploiting the server code, you will see bash. After the successful
exploitation, you should see sh as the current shell.

Hint: ROP Attack Example

Deliverable and Submission Instructions

Create a zip file named <First Name> <Last Name> mp4.zip, that
includes all of your files and submit it on Canvas. Your zip file should be
generated in such way that when extracted there is one directory for
the Shodan reports and all of the other files are in the base directory.

<First_Name>_<Last_Name>_mp4
|-- client21.py
|-- client22.py
|-- report.pdf (part 2)
|-- vulnerabilities.pdf (part 1.2)
|-- shodanreports
|-- modbus_protocol.pdf
|-- enip_protocol.pdf
|-- bacnet_protocol.pdf
|-- webcams.pdf
|-- printers.pdf
|-- model.pdf (from 1.3)

6
Mini Project Vulnerability Exploitation in an ICS
#4 Protocol

A modbus write and read registers

This function code performs a combination of one read operation and
one write operation in a single MODBUS transaction. The write
operation is performed before the read. Holding registers are
addressed starting at zero. The request specifies the starting address
and number of holding registers to be read as well as the starting
address, number of holding registers, and the data to be written. The
byte count specifies the number of bytes to follow in the write data
field. The normal response contains the data from the group of
registers that were read. The byte count field specifies the quantity of
bytes to follow in the read data field.

Figure 1: Modbus Documentation for modbus write and read registers

Here is an example of a request to read six registers starting at register

4, and to write three registers starting at register 15:

7
Mini Project Vulnerability Exploitation in an ICS
#4 Protocol

Figure 2: Example Payload for modbus write and read registers

8
Mini Project Vulnerability Exploitation in an ICS
#4 Protocol

The example payload unit-test-client.c uses the stuct.pack function to send the
request.

Table 1: Example Payload

Name Data
Padding <00><00><00><00><00
>
Size of Request <0F>
Buffer + Function <FF><17>
Code
Read Starting <00><6B>
Address
Quantity to Read <00><03>
Write Starting <00><6C>
Address
Quantity to Write <00><02>
Write Byte Count <04>
Write Registers <00><00><00><00>
Value

When executed in the python script it will look like:

m = struct.pack(’21B’,0x00,0x00,0x00, 0x00,0x00, 0x0F,

0xFF,0x17,0x00,0x6B,0x00,0x03,0x00, 0x6C, 0x00, 0x02, 0x04,
0x00,0x00,0x00,0x00)
s.send(m)

Example Response:
<00><00><00><00><00><09><FF><17><06><02><2B><00><00><00><00>

9
Mini Project Vulnerability Exploitation in an ICS
#4 Protocol

B Executing Typical Message with GDB

This section assists with determining the return address of secret function
and executing it through GDB.

1. Start unit-test-server.c using GDB

2. Set a break-point at modbus reply : b modbus reply

3. Run unit-test-server.c: run

4. When the code hits modbus reply it will stop, so obtain information
about the frame at this point: info frame

5. The return address is stored in eip which is at address 0xbffff69c

6. Determine the address of secret function: p secret function – which is 0x08048f30

7. Set the return address of eip to the address of secret function: set *0xbffff69c
= 0x8048f30

Figure 3: Execution of secret function in GDB

Determining the payload to send to execute the secret function will take some
trial-and- error. You can set a break-point at modbus.c:912 which is the
return line of the mod- bus reply function, at which point the stack would be
modified and the function would be ready to return. You can monitor the
1
0
Mini Project Vulnerability Exploitation in an ICS
#4 Protocol
stack with this command: x/128xw &rsp

1
1