You can download the slides of the research I was presenting at RootedCon'11 in Madrid "SCADA Trojans: Attacking the grid". A journey into attacking the power grid.

I presented:

- 0days in Advantech/BroadWin WebAccess SCADA product

- Weak Design/Vulnerabilities in CSE-Semaphore TBOX RTUs

- General attack against EMS Software via State Estimators.

I contacted ICS-CERT to coordinate with Advantech but the vendor denied having a security flaw. So guys, the exploit I'm releasing does not exist. All is product of your mind.

Well, indeed WebAccess is full of bugs.

It is an RPC exploit against WebAccess Network Service, port 4592. It leaks the security code that protects the scada node in addition to demonstrate RCE on XP. Slighly modifications can be done to support other systems.

I use "RPC heap spray", I mean any opcode with the following params "[in] long arg_x, [in][ref][size_is(arg_x)] char * arg_x " can be used to create a fake object to control the execution. It could be done in other ways, but this one is funny.

Check the slides, there is more info about the vulns there.

/>http://www.reversemode.com/downloads/exploit_advantech.zip
/>http://www.reversemode.com/downloads/Scada_Trojans_Ruben_Rootedcon.pdf

Ted.

We're closer than ever before, but we're still light years away from hacking the gas mains so they will explode and provide cover for an operation we're conducting... (Seen SwordFish anybody? Them d00dz has got skillz0rs)

On a serious note, thanks for the share Teddy, interesting as always.

HR,

Ghandi

Actually I'm a bit more in to PLC's and industrial technology, I've got quite a few PLC's at home I work with. Its quite surprising how some (very large) companies are open to exploits and security related issues so we can expect more to happen in this area...

Ted.