Manipulating memory of ICS Siemens Simatic S7-300 (and others)
First of all, I would like to thank the whole Siemens team for its support on this topic of memory manipulation, because they were available all the time to discuss it with me, and I received a lot of help from them.
I would also like to highlight that the image below shows the key to fixing the vulnerabilities described in this post: raise the protection level of Siemens Simatic S7-300 devices to Level 3 (the default is Level 1), which gives full protection against both reading and writing memory. Another option is not to expose TCP port 102 to the Internet.
In the above image it is possible to see the numbered rectangles which correspond to the explanations below point by point:
1. In this case, once the connection with the PLC has been established, «hola» is written into its memory in Base64 encoding character by character (byte by byte). The characters are sent one at a time to the device's memory by selecting data block 3 (DB 3), from position 1 to position 8.
2. With the call client.db_read(<db_number>, <start_address>, <size>), the first 256 bytes are read starting at position 1 of data block 3.
3. As can be seen in the image, the string «aG9sYQ==» has been loaded into memory, which is «hola» in Base64.
4. The characters inserted into the DB are then read from position 1 to position 8 and stored in the variable «datar».
5. The content of the data containing the string stored in the PLC is displayed.
The second script can be used to upload a file called «PoC.zip», which must first be converted to a Base64 «string» so that it can be written byte by byte into the PLC. Afterwards, this file can be downloaded back from the device. The only limitation is the memory size of the device being used.
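As an added illustration (not one of the post's scripts), the five steps above are carried out against a constructed in-memory stand-in for DB 3 instead of a real PLC. The db_read/db_write call shapes mirror the client calls used in the post; the data block size, the pre-write size check and the class name are assumptions. The same two helpers cover the second script's case, since the payload can be any bytes, such as the contents of «PoC.zip».

```python
import base64


class SimulatedDataBlock:
    """Constructed stand-in for one S7 data block (assumed 512 bytes, not a real DB).
    db_read/db_write take (db_number, start_address, size | data) like the post's client."""

    def __init__(self, db_number: int, size: int = 512) -> None:
        self.db_number = db_number
        self.mem = bytearray(size)

    def _check(self, db_number: int, start: int, length: int) -> None:
        if db_number != self.db_number:
            raise ValueError(f"DB{db_number} is not this block")
        if start < 0 or start + length > len(self.mem):
            # The post's only stated limit: the memory size of the device.
            raise ValueError("access outside the data block")

    def db_write(self, db_number: int, start: int, data: bytes) -> None:
        self._check(db_number, start, len(data))
        self.mem[start:start + len(data)] = data

    def db_read(self, db_number: int, start: int, size: int) -> bytes:
        self._check(db_number, start, size)
        return bytes(self.mem[start:start + size])


def store_base64(db: SimulatedDataBlock, db_number: int, start: int, payload: bytes) -> int:
    """Step 1: Base64-encode the payload and write it one byte at a time.
    Returns the number of encoded bytes written (8 for b"hola")."""
    encoded = base64.b64encode(payload)
    if start + len(encoded) > len(db.mem):
        raise ValueError("payload does not fit in the data block")  # assumed pre-check
    for i, byte in enumerate(encoded):
        db.db_write(db_number, start + i, bytes([byte]))
    return len(encoded)


def load_base64(db: SimulatedDataBlock, db_number: int, start: int, length: int) -> bytes:
    """Steps 4-5: read the encoded characters back (the post's «datar») and decode them."""
    datar = db.db_read(db_number, start, length)
    return base64.b64decode(datar)


if __name__ == "__main__":
    db3 = SimulatedDataBlock(3)
    written = store_base64(db3, 3, 1, b"hola")          # step 1: positions 1..8
    print(db3.db_read(3, 1, 256)[:written])             # step 2/3: b'aG9sYQ=='
    print(load_base64(db3, 3, 1, written))              # step 5: b'hola'
```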
It is also possible to read sensitive information with the other script:
Contribution courtesy of Carlos Antonini