SCADA+ Pack Latest Updates

SCADA+ 1.69

ag_codesys3_afu - 3S Software CodeSyS 3.x.x Arbitrary File Upload 0-Day
ag_PowerStudio_Scada_DoS - CIRCUTOR PowerStudio Scada Remote Denial Of Service Exploit 0-Day
ag_visu+_ce_pg - VISU+ 2.42 Code Execution Vulnerability 0-Day



SCADA+ 1.68

ag_cyberpower_systems_powerpanel_rce_fu - CyberPower Systems PowerPanel 3.1.2 Unauthenticated File Upload Vulnerability 0-Day
ag_point_of_view_dir_trav - AutomationDirect Point Of View Directory Traversal 0-Day
ag_intouch_hmi_pg - Wonderware InTouch HMI Code Execution Vulnerability 0-Day



SCADA+ 1.67

ag_newron_liz_for_docontrol_rce - Newron System LIZ for doControl Remote Code Execution 0-Day
ag_iFIX_ihDataArchiver_DoS - iFIX 5.0 ihDataArchiver Remote Denial Of Service Exploit 0-Day
ag_igss_odbc_server_dos - Interactive Graphical SCADA System ODBC Server v9.0 Denial Of Service 0-Day



SCADA+ 1.66

ag_simple_scada_ce - Simple-Scada 2.0.2 Command Execution 0-Day
ag_masterscada_ce_pg - MasterScada v.3.7 Code Execution Vulnerability 0-Day
ag_cyberpower_systems_powerpanel_xxe - CyberPower Systems PowerPanel 3.1.2 XXE Out-Of-Band Data Retrieval



SCADA+ 1.65

ag_labview_ce_pg - LabVIEW project generator: builds a project that executes a trojan when opened. 0-Day
ag_vtscada_dt - VTScada versions after Version 8 and before Version 11.2.02 Directory Traversal Vulnerability 0-Day
ag_schneider_electric_maxstream_configuration_xctu_pg_rce - Schneider Electric MaxStream Configuration X-CTU Code Execution Vulnerability 0-Day



SCADA+ 1.64

ag_galileo_ce_pg - Eaton Galileo 10.1.10 Code Execution Vulnerability 0-Day
ag_advantech_adamview_bof_poc - Advantech AdamView 4.30.003 Buffer Overflow PoC (CVE-2014-8386)
ag_esc_8832_data_controller_session_hijack - ESC 8832 Data Controller Session Hijack Scanner



SCADA+ 1.63

ag_Phoenix_Contact_ThinkNDo - Phoenix Contact Think&Do ActiveX Control Buffer Overflow Vulnerabilities 0-Day
ag_autobase_studio_rce_pg - AutoBase Studio Code Execution Vulnerability 0-Day
ag_cctv_dvr_vendors_rce - Remote Code Execution in CCTV-DVR affecting over 70 different vendors



SCADA+ 1.62

ag_DataNet_OPC_DirTrav - DataNet OPC HTTP Server Directory Traversal Vulnerability 0-Day
ag_DAQFactory_DoS - DAQFactory <= 5.91 Remote Denial Of Service Exploit 0-Day
ag_Panasonic_Configurator_DL_PoC - Panasonic Configurator DL DoS PoC 0-Day



SCADA+ 1.61

ag_FESTO_Robotino_DoS_PoC - FESTO Robotino DoS 0-Day
ag_Reliance4_DoS - Reliance 4 Control Server Denial Of Service Vulnerability 0-Day
ag_SCADA_Aspic_DataManipulation - Aspic 3.30 - All in One SCADA HMI system, telnet weakness 0-Day



SCADA+ 1.60

ag_vis@_rce_pg - SCADA ViSA 7.6.132 Code Execution Vulnerability 0-Day
ag_ICONICS_Activex_2 - ICONICS Genesis32 SCADA WebHMI Remote Arbitrary empty File Create 0-Day
ag_CenturyStar_DoS - Century Star NetComm.exe DoS Vulnerability 0-Day



SCADA+ 1.59

ag_Yaskawa_SigmaWinPlus_Activex - Yaskawa SigmaWinPlus Remote Arbitrary File Overwrite 0-Day
ag_GX_IEC_Developer_Activex - GX IEC Developer 5.02 Remote Arbitrary File Overwrite 0-Day
ag_CodeMeter_DoS - CodeMeter WIBU-SYSTEMS AG Denial Of Service Vulnerability 0-Day



SCADA+ 1.58

ag_mh_scada_ce - MH-SCADA Command Execution 0-Day
ag_Kinco_KHComserver_DoS - Kinco HMIware_CZ KHComserver Denial Of Service Vulnerability 0-Day
ag_autobase_netserver_dos - AutoBase Network Server 10.2.6.1 Denial Of Service 0-Day
ag_proxmox_configuration_overwrite - Proxmox VE < 3.4-10 Configuration file overwriting



SCADA+ 1.57

ag_phoenix_contact_webvisit_afu - Phoenix Contact WebVisit Arbitrary File Upload Vulnerability 0-Day
ag_Mango_Automation_sqli - Mango Automation SCADA get login and password list 0-Day
ag_mango_file_upload - Mango Automation SCADA, by Infinite Automation <= v.2.5.0 - File Upload 0-Day



SCADA+ 1.56

ag_aggregate_xxe - SCADA/HMI AggreGate <= v.5.11.03 - XXE 0-Day
ag_UCanCode_rce - UCanCode E-XD++ Visualization Enterprise Suite Remote Code Execution Vulnerability 0-Day
ag_igss_remote_project_injector - Interactive Graphical SCADA System v.11.0 Remote Project Injector 0-Day



SCADA+ 1.55

ag_MOXA_VPort_SDK_activex - Moxa VPort SDK PLUS ActiveX Control Buffer Overflow
ag_ICONICS_Activex_1 - ICONICS SCADA WebHMI Remote Arbitrary empty File Create
ag_EasyBuilderPro_HMI_Data_Server_DoS - EasyBuilder Pro HMI Data Server com_e30.exe Denial of Service
ag_cogent_datahub_pg - Cogent Datahub 7.3.9 Gamma Script Elevation of Privilege Vulnerability



SCADA+ 1.54

ag_easy_builder_pro_com_e30_dos - EasyBuilder Pro v.5.01.04 Denial Of Service Vulnerability 0-Day
ag_ISGA_Carlo_Gavazzi_DoS - Carlo Gavazzi ISGA Smart MPPT Inverter Denial Of Service Vulnerability 0-Day
ag_webaccess_8_0_afu - Advantech WebAccess(8.0) Dashboard Viewer arbitrary file upload (CVE-2016-0854)
ef_webaccess_8_1_afu - Advantech WebAccess(8.1) Dashboard Viewer arbitrary file upload [0-day]



SCADA+ 1.53

ag_cogento_datahub_rce - Cogent DataHub v.7.3.7 Gamma Command Injection Remote Code Execution Vulnerability
ag_cogento_datahub_fd - Cogent DataHub <= v.7.3.9.364 File Damager Exploit
ag_beck_ipc_change_ip - Beck ipc controller remote ip change
ag_Advantech_WebAccess_webvrpcs_DoS - Advantech WebAccess webvrpcs Denial Of Service Vulnerability. [0day]
ag_Advantech_file_overwrite_activex - Advantech NVS VideoDAQ Remote Arbitrary File Overwrite. [0day]



SCADA+ 1.52

SCADA+ 1.52 contains two 0day modules for Iocomp and ClearSCADA software and two interesting modules for Centreon and Beckhoff:
- Centreon Blind SQL Injection, Arbitrary File Download, Remote Command Execution. public
- ClearSCADA information disclosure. [0day]
- Iocomp Software ActiveX Control Remote Code Execution Vulnerability. [0day]
- Beckhoff CX9020 CPU Module Reboot. public



SCADA+ 1.51

SCADA+ 1.51 contains a module for Mango Automation that uploads a JSP shell, and a 0day vuln in Interactive Graphical SCADA System.
List:
- Mango Automation File Upload Vulnerability. Shell-upload vector
- Interactive Graphical SCADA System v.11.0. Remote vuln PoC [0Day]



SCADA+ 1.50

SCADA+ pack 1.50 is out with three new exploits, this time for Mango Automation and the Yokogawa Production Control System:
- Mango Automation 2.6.0 Unprotected Debug Log View Vulnerability
- Yokogawa CENTUM CS 3000 Integrated Production Control System Buffer Overflow.
- Yokogawa CENTUM CS 3000 second Buffer Overflow.
All modules cover public vulns this time.



SCADA+ 1.49

SCADA+ 1.49 contains two new 0day vulns:
- Reliance 4 Control Server Denial Of Service Vulnerability [0day]
- Lanmisoft Home Automation Information Disclosure [0day]



SCADA+ 1.48

SCADA+ pack 1.48 is out with three new modules for DataNet, IPESOFT and TwinCAT software, including two 0days:
- DataNet OPC HTTP Server Info disclosure [0day]
- IPESOFT D2000 SCADA Info disclosure [0day]
- TwinCAT PLC Control CodeMeter WIBU-SYSTEMS AG Denial Of Service Vulnerability. public



SCADA+ 1.47

SCADA+ 1.47 contains three new [0day] modules for the following SCADA software and tools:
- Century Star SCADA httpsvr infoleak Vulnerability. [0-Day]
- Modbus SCADA (WLC Systems) DLL Hijacking. [0-Day]
- MOXA SoftCMS AspWebServer Denial Of Service Vulnerability. [0-Day]



SCADA+ 1.46

SCADA+ 1.46 contains two fresh new modules including one 0day:
- UCanCode E-XD++ Visualization Enterprise Suite Remote Code Execution Vulnerability. [0Day]
- Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass. public. (no CVE)



SCADA+ 1.45

An excellent 0day remote auth bypass in ClearSCADA and a pretty funny public vuln in D-Link routers in the 1.45 release:
- ClearSCADA Remote Authentication Bypass Exploit. [0Day]
- SCADA Elipse DLL Hijacking. public
[network]:
- DLink Unauthenticated Remote DNS Change Exploit.


SCADA+ 1.44

SCADA+ pack is out with three new modules, including two 0Days:
- PeakHMI Runtime Buffer Overflow. 0day
- Infilink HMI Denial of Service. 0day
- WS10 Data Server SCADA <= 1.83 - Remote Code Execution



SCADA+ 1.43

SCADA+ 1.43 contains three 0Days and one public vuln. List:
- DAQFactory <= 5.91 Remote Denial Of Service Exploit. [0-Day]
- ANT Studio Web 2013 v.9190M Feb 26 2013 - DLL Hijacking. [0-Day]
- SCADA/HMI AggreGate <= v.5.11.03 - XXE . [0-Day]
- Advantech ADAMView <=v.4.3 - Buffer Overflow. ICS-ALERT-14-323-02



SCADA+ 1.42

SCADA+ is updated with four 0days, including an excellent Mango Automation exploit that retrieves administrative credentials. Video available at https://vimeo.com/user7532837/videos
- B&B Electronics Vlinx ConnectPro Manager DoS [0-Day]
- Events SCADA HMI <= v.8.58 - reveals sensitive info [0-Day]
- Mango Automation get login and password list [0-Day]
- Panasonic Configurator DL DoS PoC [0-Day]



SCADA+ 1.41

Three new 0Days are available in version 1.41!
- ScadaBR File Upload and command exec [0-Day]
- APT France SensorIP2 security weakness [0-Day]
- SCADA SpecView <= v2.5 Build 858 information leak [0-Day]



SCADA+ 1.40

SCADA+ 1.40 contains:
- ARTIS WaterMon (Last Update: 2013-04-18) - SQL Injection [0-Day]
- Web-Server Plugin <= v.4.0.6 build 512 for Advanced Serial Data Logger <= 4.1.6 build 1114 - Directory Traversal [0-Day]
- e.SCADA.r (Eramosa SCADA Reporting) <= v.0.32 - reveals sensitive info [0-Day]
- SCADA Mango Automation, by Infinite Automation <= v.2.5.0 - File Upload [0-Day]



SCADA+ 1.39

SCADA+ 1.39 contains:
- Sagem Fast 3304-V1 Denial Of Service Vulnerability
- ScadaBR (Last Update: 2014-06-02) - BruteForce
- Z-Scada Net2.0 0-Day
- SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability 0-Day



SCADA+ 1.38

SCADA+ 1.38 contains:
- Emerson ROCLINK800 arpro2.dll ActiveX Control Remote Code Execution Vulnerability
- FANUC OlpcPRO Directory Traversal Vulnerability [0-day]
- NOVUS NConfig 1.3.3 [0-Day]
- D-Link DIR-300 DIR-600 DIR-615 routers Password Recovery



SCADA+ 1.37

SCADA+ 1.37 contains:
- Yokogawa CENTUM CS 3000 Remote Denial of Service
- IBM SPSS SamplePower Remote Arbitrary File Overwrite
- FESTO Robotino 0-Day DoS
- Cogent DataHub Directory Traversal Vulnerability 0-day



SCADA+ 1.36

SCADA+ 1.36 contains:
- Carlo Gavazzi PowerSoft Directory Traversal Vulnerability 0-day
- Advantech Domain Focused Configuration Tool 0-Day DoS
- ABB Test Signal Viewer CWGraph3D ActiveX Control Remote Code Execution Vulnerability



SCADA+ 1.35

SCADA+ 1.35 contains new 0Day modules for Siemens and Aspic industrial software:
- Siemens Automation License Manager Service Denial Of Service Vulnerability. [0Day]
- Siemens Automation License Manager Remote Arbitrary File Overwrite. CVE-2011-4529
- SCADA AspicManager (package: Aspic 3.30 - All in One SCADA HMI system) buffer overflow. [0Day]
- Aspic 3.30 - All in One SCADA HMI system telnet weakness. default pwd and more. [0Day]



SCADA+ 1.34

SCADA+ 1.34 pack contains three [0day] modules for components of the well-known CoDeSys framework (latest versions), software that is frequently used in the SCADA industry:
- CoDeSys ENI Server ver 3.2.2.23 Stack Buffer Overflow [0Day]
- CoDeSys Webserver ver 1.1.9.14 Stack Buffer Overflow [0Day]
- CoDeSys Gateway Server Denial Of Service Vulnerability [0Day]
Videos for these modules are also available on https://vimeo.com/user7532837/videos



SCADA+ 1.33

SCADA+ 1.33 contains several [0day] network-related vulns and one SCADA module:
[network]:
- PRTG Server.exe Remote Crash. [0day]. PoC
- IP POWER 9258 W2 Information Leak (admin creds). [0day]
- FrameFlow Server Monitor Denial Of Service Vulnerability. [0day]
[scada]:
- Tri-PLC Nano-10 r81 - Denial of Service



SCADA+ 1.32

The SCADA+ 1.32 update contains pretty interesting 0days, including one for an iOS SCADA client! List:
- ScadaMobile ONE v2.5.2 Directory Traversal Vulnerability [0Day]
- Ecava IntegraXor <= 4.1.4380 - Denial of Service. ICSA-14-016-01
- Delta Electronics Buffer Overflow Exploit [0Day]
- Advantech WebAccess ActiveX ProjectName() exploit [0Day]
- Ecava IntegraXor SCADA <= 4.1.4380 Information leak. [0Day]
Two new videos are also available on https://vimeo.com/user7532837


SCADA+ 1.31

SCADA+ 1.31, as always, contains fresh public modules and 0day DoSes.
List:
- ABB MicroSCADA Remote Code Execution. public
- Eaton Network Shutdown Module Denial Of Service Vulnerability. [0Day]
- Ignition Gateway OPC-UA Server Denial Of Service. [0Day]
- Eaton Network Shutdown Module Remote Code Execution + creds steal. public



SCADA+ 1.30

SCADA+ ver 1.30 contains the following new modules:
[network and scada]:
- Western Digital My Net N600, N750, N900, N900C Get admin password. CVE-2013-5006
- Schneider Electric PLC ETY Series Ethernet Controller - Denial of Service. public
- RuggedDirector 1.2 Remote Denial of Service [0Day].
- Mitsubishi MC-WorkX 8.02 ActiveX Control (IcoLaunch) File Execution.


SCADA+ 1.29

SCADA+ 1.29 is released with two new network-device exploitation modules and two SCADA-side exploits:
[network]:
- ONO Hitron CDE-30364 Router Denial Of Service. public
- ZeroShell Local File Disclosure Vulnerability. public
[scada]:
- Tri-PLC Nano-10 r81 Denial of Service. public
- wlcsystems.com Modbus SCADA Vulnerability. [0day]



SCADA+ 1.28

SCADA+ 1.28 is out with nice [0day] DoSes for Siemens, Moore Industries and Eaton software, and more. Modules list:
- Siemens WinCC TIA Portal miniweb.exe remote dos 0-Day
- Moore Industries NCS Configuration 0-Day DoS
- EATON VURemote 0-Day DoS.
- Galil-RIO Rio-47100 Denial of Service.
Happy DoSing



SCADA+ 1.27

SCADA+ 1.27 contains four modules for 3S, pwStore and National Instruments industrial software.
All are CVE-listed this time.
- pwStore Denial of Service
- 3S CODESYS Gateway-Server <= 2.3.9.27 Directory traversal vulnerability.
- two modules for ActiveX controls in National Instruments LabWindows/CVI, LabVIEW and other products.



SCADA+ 1.26

SCADA+ 1.26 is out with two 0day DoSes for Siemens and Honeywell industrial software, plus two ActiveX exploits (one of them also a 0day). Listing:
- SIEMENS Solid Edge ST4/ST5 WebPartHelper ActiveX Control Remote Command Execution [0Day].
- Siemens ProTool Pro CS [0Day] DoS.
- Honeywell UniSim ShadowPlant Bridge DoS. [0Day]
- Honeywell ActiveX control code execution. CVE-2013-0108



SCADA+ 1.25

SCADA+ 1.25 is out with two 0day DoSes and three public exploits for Schneider Electric, Mikrotik and Moxa software.
ag_Mikrotik_Syslog_Server_DoS - Mikrotik Syslog Server for Windows 1.15 Denial of Service
ag_MOXA_AWK_Search_Utility_DoS - MOXA AWK Search Utility DoS [0Day]
ag_schnider_factory_cast - Schneider Electric Ethernet Modules Multiple Service Default Hardcoded Credentials
ag_schnider_modbusdrv - Multiple Schneider Electric Products 'ModbusDrv.exe' Local Buffer Overflow Vulnerability
ag_schnider_modbussim - Schneider Electric PLC Simulator 'sim.exe' Remote denial-of-service [0Day]



SCADA+ 1.24

SCADA+ 1.24 contains four new modules covering industrial-related software.
Among them are two 0days: a DoS for a Moxa tool and a buffer overflow exploit for Schneider Electric Web Designer.
List:
- Clorius Controls ICS SCADA Information Disclosure
- Mitsubishi MX ActiveX Component exploit
- MOXA Mass Configuration Tool Denial of Service [0Day]
- Schneider Electric Web Designer remote BOF bug [0Day]



SCADA+ 1.23

New SCADA+ 1.23 version is out with two 0days and two public DoSes for well known Scadas:
- Schneider Electric Accutech Manager Server Denial Of Service
- Ge Fanuc Proficy HMI/SCADA CIMPLICITY WebView/ThinView server DoS
- Schneider Electric Vijeo Web Gate Server vuln [0Day]
- Schneider Electric Vijeo Web Gate Server Denial Of Service [0Day]



SCADA+ 1.22

New modules are ready for your attention. The SCADA section includes two 0day DoSes for IOServer and Netbiter SCADAs.
You will also find a cool 0day exploit for AirTies routers.
Listing:
[netdev]:
- AirTies rt series routers hardcoded credentials exploit [0day]
- Harbour Networks switch/router info disclosure. PoC. [0day]
[scada]:
- NetBiterConfig DoS 0day (PoC)
- IOServer OPC Server DoS 0-Day.
- IOServer Directory Traversal. CVE-2012-4680



SCADA+ 1.21

New SCADA+ pack 1.21 is out with two 0days, for the eSolar system
and the widely deployed Adroit SCADA.
Listing:
- Adroit SCADA Intelligence Server [0day] DoS
- Advantech Studio v7.0 Directory Traversal. public.
- C3-ilex EOScada Denial Of Service. public
- Esolar alternative energy management system [0day]



SCADA+ 1.20

SCADA+ 1.20 contains a new 0day in ANT Studio and a CVE-listed Netbiter WebSCADA vuln in the SCADA
section, a 0day for a Korean router for your fun, and old QNX modules that are
still useful in some SCADA installations. List:
[network]:
- iptime Korean router DoS [0day].
[scada]:
- QNX QCONN Remote Shutdown
- QNX phrelay DoS
- Directory traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200. CVE-2010-4730
- ANT Studio denial of service [0day]



SCADA+ 1.19

SCADA+ 1.19 is out with two [0days] for SCADA!
We also continue to extend the network devices section: three modules this time, including one [0day].
Listing:
[Network Devices]:
- [0day] AirTies rt104 router unauthorized download config
- Directory Traversal Vulnerability in Sitecom Home Storage Center
- Thomson twg850-4 Unauthenticated Backup File Access
[scada]:
- [0day] WINCC v7.0 SP2 CCEServer.exe denial of service
- [0day] Ge Fanuc Proficy HMI/SCADA CIMPLICITY WebView/ThinView server 8.10.0000.18236 info disclosure



SCADA+ 1.18

SCADA+ 1.18 is out with three new SCADA-related 0days and an enhanced network-device exploitation tool.
Network-device modules include ones for AirOS and the well-known QLogic. Modules list:
[Network devices]:
- Ubiquiti Networks AirOS Directory Traversal Vulnerability for AirOS 5, 4.0, 3.6.1
- Alpha Networks ADSL2/2+ Wireless Router ASL-26555 Password Disclosure
- QLogic SANsurfer FC HBA Manager Directory Traversal vulnerability.
- new version 1.1 of Automated network devices exploitation tool. see changelog for details
[scada]:
- [0day] Elipse E3 ActiveReports Remote Arbitrary File Replace
- [0day] Carel Plantvisor v.2.4.4 (possibly others) directory traversal vulnerability.
- [0day] QNX FTPD DoS


SCADA+ 1.17

SCADA+ 1.17 is out with a new network router exploitation tool!
This tool scans the network for routers and tries to launch the appropriate exploits of ours.
This should be really helpful for automating the testing process. The SCADA section includes excellent modules with two [0days]!

Modules list:
[Network devices]:
- Automated network devices exploitation tool! It uses nmap scanning and auto-launches the appropriate exploits.
[scada]:
- ABB WebWare RobNetScanHost.exe Remote Code Execution Exploit
- SpecView <= 2.5 build 853 Directory Traversal
- [0day] Ge Fanuc Proficy HMI/SCADA CIMPLICITY WebView/ThinView server remote command execution
- [0day] KASKAD scada v.5.00 Remote Heap Overflow .
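The changelog describes the network-device tool above only as "nmap scanning" followed by auto-launching the matching exploits. The following is an added example of that scan-to-dispatch pipeline, written for this page; it is not the SCADA+ tool's code. It parses nmap's `-oX` service-detection output, matches each open service against a fingerprint table and returns the module to run per host:port. The fingerprint strings, module names and the sample scan are constructed placeholders, and `launch()` only records the call instead of attacking anything.

```python
"""Dispatch nmap -sV results to modules by service fingerprint.

Added illustration of a scan -> fingerprint match -> dispatch pipeline.
Not the SCADA+ tool. Module names, product banners and the XML scan
below are hypothetical placeholders.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `nmap -sV -oX` output (documentation address range), not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="ExampleRouter httpd" version="1.0.3"/></port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet" product="ExampleRouter telnetd"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="closed"/>
        <service name="http"/></port>
      <port protocol="tcp" portid="502"><state state="open"/>
        <service name="modbus" product="Example PLC"/></port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class Module:
    name: str                        # hypothetical module identifier
    service: str                     # nmap service name, e.g. "http"
    product: str                     # regex matched against nmap's product banner
    max_version: Optional[str] = None  # inclusive upper bound of affected versions


def version_tuple(v: str):
    """'1.0.3' -> (1, 0, 3); non-numeric parts are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


# Hypothetical fingerprint table: in a real tool each entry points at an exploit module.
MODULES = [
    Module("ex_router_config_download", "http", r"ExampleRouter httpd", "1.0.5"),
    Module("ex_router_telnet_default_creds", "telnet", r"ExampleRouter telnetd"),
    Module("ex_plc_modbus_dos", "modbus", r"Example PLC"),
]


def open_services(xml_text: str):
    """Yield (addr, port, service_name, product, version) for every open port."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are never dispatched
            svc = port.find("service")
            yield (addr, int(port.get("portid")), svc.get("name", ""),
                   svc.get("product", ""), svc.get("version", ""))


def select_modules(xml_text: str, modules=MODULES):
    """Return (addr, port, module_name) for every open service whose banner matches."""
    hits = []
    for addr, port, name, product, version in open_services(xml_text):
        for m in modules:
            if m.service != name or not re.search(m.product, product):
                continue
            if m.max_version and version and version_tuple(version) > version_tuple(m.max_version):
                continue  # target is newer than the affected range: do not fire
            hits.append((addr, port, m.name))
    return hits


def launch(hit):
    """Stand-in for running the module; only records what would be launched."""
    addr, port, module = hit
    return f"{module} -> {addr}:{port}"


if __name__ == "__main__":
    for hit in select_modules(SAMPLE_NMAP_XML):
        print(launch(hit))
```

The version bound is the part worth copying into any such dispatcher: without it a module fires at every banner match, including patched targets, which on ICS gear means needless crashes. In a real run you would feed the file written by `nmap -sV -oX scan.xml <range>` instead of the embedded sample.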



SCADA+ 1.16

This release is completely focused on network devices: the latest vulns for well-known routers, including one 0day:
- Siemens Gigaset se551 authorization bypass [0day].
- Enigma2 Webinterface remote root file disclosure exploit
- Comtrend Router CT-5624 remote password disclosure vulnerability
- ASUS RT-N56U fw <= 1.0.1.4 remote password disclosure vulnerability
- ACTi ASOC 2200 Web Configurator <= v2.6 Remote Root Command Execution
- ZyXEL ZyWALL USG Appliance authentication bypass
- SAGEM ROUTER FAST 3304/3464/3504 - Telnet Authentication bypass
- Livebox TP Router Denial Of Service
- Linksys WAP610N fw.<=1.0.01 Unauthenticated Root Access Security Vulnerability



SCADA+ 1.15

SCADA+ is out with new network devices covered and pretty nice ICS stuff:
- PowerNet Twin Client <= 8.9 (RFSync 1.0.0.1) DoS
- RuggedCom devices password generator
- Sielco Sistemi Winlog Buffer Overflow
[Network devices]:
- 3Com OfficeConnect ADSL Wireless 11g Firewall Router authentication bypass 0day
- Cisco SA500 series SQL Injection
- Huawei HG866 GPON unauthenticated root pwd change



SCADA+ 1.14

SCADA+ professional 1.14 includes modules for SCADA and network devices.
Featured modules are:
- PROMOTIC <= 8.1.3 directory traversal leveraged to steal user credentials!
- Siemens SIMATIC WinCC MiniWeb DoS, for ICS-ALERT-11-332-02.
- Pro-face Pro-Server EX WinGP PCRuntime <= 3.1.00 Invalid Memory Access DoS
[Network devices]:
- NetGear routers remote password disclosures
- WinRadius Server 2009 DoS



SCADA+ 1.13

SCADA+ 1.13 is out with:
- a bunch of DoSes for IBM solidDB, which is sometimes also used in industrial software; both fresh and old bugs are covered.
- Advantech Studio [0day] DoS,
- xArrow multiple DoS,
- GE Fanuc Proficy Portal directory traversal.



SCADA+ professional 1.12


NOTE: starting from version 1.12, the SCADA+ standard and Step Ahead licenses will be gradually merged into a single "SCADA+ professional" package!

This time we include three Step Ahead SCADA modules from previous releases.
We have also added some modules for network devices to this release.
Modules list:
- CEserver from Advantech Studio and Indusoft Web Studio buffer overflow. [0day]
- Carel Plant Visor Pro Hardcoded credentials vulnerability. [0day]
- Sunway ForceControl and pNetPower httpsvr.exe heap-based buffer overflow
modules for network devices:
- D-Link Wireless N Router (DIR-615) firmware 3.10NA apply.cgi Admin Authentication Bypass
- D-Link ShareCenter DNS-320 firmware v2.00b06 remote DoS
- D-Link Wireless G Router (WBR-1310) firmware 2.00 Authentication Bypass
- TRENDnet internet camera TV-IP201(P) firmware v2.00 Authentication Bypass



SCADA+ 1.11

SCADA+ 1.11 is available for download.
Five remote [0day] DoSes for remotely reachable services in well-known SCADAs are available this time.
Covered vendors include GE Fanuc Proficy, Atvise, Trace Mode and xArrow.
Modules list:
- Ge Fanuc Proficy HMI/SCADA CIMPLICITY denial of service. [0day]
- Trace Mode v 6.06 RunTime monitor denial of service. [0day]
- Trace Mode v 6.06 RunTime monitor denial of service. [0day]
- Atvise v.2.1.16 denial of service. [0day]
- xArrow v3.2 DoS. [0day]

Step Ahead (professional) SCADA 1.11

Step Ahead (professional version) users additionally receive a 0day in GE Fanuc Proficy that steals SCADA user credentials, and a DoS in WinCC.
- Ge Fanuc Proficy HMI/SCADA CIMPLICITY scada users credentials steal. [0day]
- WINCC denial of service. [0day]



SCADA+ 1.10

Two fresh 0days for GE Fanuc and Broadwin\Advantech WebAccess, plus two 'old' 0days for Carel Plant Visor Pro (previously available only in the professional SCADA+ version).
The modules retrieve sensitive information such as SCADA user and admin names, database admin password hashes and configuration files.
- Ge Fanuc Real Time Portal v 3.0 SP1 sensitive information disclosure [0day]
- Broadwin\Advantech WebAccess v7.0 sensitive information disclosure [0day]
- Carel Plant Visor Pro critical information disclosure [0day]
- Carel Plant Visor Pro critical information disclosure [0day]



SCADA+ 1.9

New modules for public vulns in CoDeSys, Siemens WinCC and the Samsung air-conditioning Data Manager server. Some allow full system compromise!
- Samsung Data Manager server (air conditioning systems) == 1.4.1 hardcoded credentials. [0day]
- CoDeSys SCADA v2.3 Webserver Stack Buffer Overflow. Exploit allows full pwn.
- Siemens WinCC flexible runtime 2008 SP2 + SP1, hmiload.exe directory traversal. Exploit allows full pwn via trojan upload.
- Siemens WinCC flexible runtime 2008 SP2 + SP1, miniweb.exe directory traversal. Exploit allows arbitrary file download.
- Siemens WinCC flexible runtime 2008 SP2 + SP1, miniweb.exe Denial of Service.
- LabStoRe <= 1.5.4 SQL Injection allowing admin name + password hash retrieval.
- Samsung Data Manager server <= 1.4.2 multiple vulnerabilities (some critical).

Step Ahead (professional) SCADA 1.9

For Step Ahead (professional) SCADA+ users there are three additional 0days for well-known SCADAs, all allowing full pwn!
- SCPSA Carel Plantvisor [0day]. full pwn!
- SCPSA KASKAD scada v.5.00 Remote Heap Overflow. [0day]. full pwn!
- SCPSA Ge Fanuc Proficy HMI/SCADA CIMPLICITY. [0day]. full pwn!



SCADA+ 1.8

SCADA+ 1.8 contains modules for several fresh public vulns (mostly Luigi Auriemma's) in well-known industrial software. Mostly DoSes this time:
- Beckhoff TwinCAT <= 2.11.0.2004
- Optima <= 1.5.2.13 Denial of Service
- OPCSystems.net <= 4.00.0048 denial of service
- Data Archiver service in GE Intelligent Platforms Proficy Historian <= 3.5 SIM 17 and 4.x <= 4.0 SIM 12 stack overflow proof of concept / DoS
- Atvise webMI2ADS <= 1.0 denial of service
- another Atvise webMI2ADS <= 1.0 denial of service
- Atvise webmitestserver directory traversal

Step Ahead (professional) SCADA 1.8

Step Ahead users also receive a module that decrypts user credentials in PROMOTIC SCADA, and a SCADA-related ActiveX exploit.
- PcVue <= 10.0, SVUIGrd.ocx <= 1.5.1.0. Allows code execution
- SCPSA_promotic - PROMOTIC <= 8.1.3 directory traversal leveraged to steal user credentials.



SCADA+ 1.7

New modules this time include:
- Rockwell's RSLogix5000 Denial of Service. CVE listed.
- SCADAPRO buffer overflow / DOS. CVE listed
- Cogent Datahub. no CVE.
- Sunway httpsvr.exe unauthenticated remote command execution. no CVE
- Sunway AngelServer DOS. no CVE.
- Sunway SNMP NetDBServer stack-based buffer overflow. no CVE.

Step Ahead (professional) SCADA 1.7

Step ahead SCADA+ users additionally receive a 0day :
- Advantech Web Studio denial of service [0day].



SCADA+ 1.6

New SCADA+ version 1.6 is out with modules for the newest CVE-listed vulns, some of them found by Luigi Auriemma:
- Cogent DataHub Directory traversal vulnerability. CVE-2011-3500.
- DAQFactory <= v.5.85 build 1853 stack based buffer overflow. CVE-2011-3492
- CarelDataServer Directory traversal vulnerability. CVE-2011-3487
- Procyon Core Server stack buffer overflow. CVE-2011-3322
- SCADAPRO <= v.4.0.0.0 unauthenticated remote command execution. no CVE, but public.

Step Ahead (professional) SCADA 1.6

Step Ahead SCADA+ users additionally receive 0days:
- CEserver buffer overflow. [0day]. This software is available for most embedded systems; the exploit currently covers Windows XP SP3 Embedded.
- Carel Plant Visor Pro critical information disclosure. [0day] Steals all SCADA user logins and passwords.
- Carel Plant Visor Pro critical information disclosure, second vuln. [0day] Steals all SCADA user logins and passwords.



SCADA+ 1.5

New SCADA+ modules include:
- 0day for Broadwin\Advantech WebAccess: error-based SQL Injection with filter bypass. Was available via Step Ahead about 1.5 months ago.
- Glorious LabVIEW (version 6 and possibly others) DoS via IPv6 query. An old bug, for an old but commonly used LabVIEW version.
- Progea Movicon 11 remote DoS crashing the server.

Step Ahead (professional) SCADA 1.5

Step Ahead (professional SCADA) users, in addition to all of the above, receive:
- 0day Carel Plant Visor Pro vulnerability. Used in nuclear plants, e.g. in Canada. The exploit allows credential theft.
- Sunway ForceControl and pNetPower buffer overflow. The vuln is known to exist (but details are not public) and a patch is available. Thousands of installations in Turkey and China: http://gleg.net/httpsrv_shodan.png