
Sharing an old firmware version from a Schneider Ethernet module

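How it was obtained

Uploaded remotely from an NOE 771 01 module with Unity OS Loader. (With the V3.60 firmware, FTP authenticates with the default password; a remote upload through OS Loader requires neither a password nor confirmation of the device's MAC address.)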

Thoughts on possible uses

1. The static content can be used to build a cloned site (honeypot)
2. Getting familiar with the PLC's internal file structure
3. Binary analysis of the firmware

File list

commandList.lst
FLASH0
FLASH0/bin
FLASH0/ftp
FLASH0/fw
FLASH0/gdt
FLASH0/rdt
FLASH0/webloader.ini
FLASH0/wwwroot
FLASH0/bin/$TMP_EMPTY_DIR
FLASH0/ftp/$TMP_EMPTY_DIR
FLASH0/fw/crashlog.txt
FLASH0/fw/fw.ini //firmware version
FLASH0/fw/hw.ini
FLASH0/gdt/$TMP_EMPTY_DIR
FLASH0/rdt/password.rde //password used for calls
FLASH0/wwwroot/cgi-bin
FLASH0/wwwroot/classes
FLASH0/wwwroot/conf
FLASH0/wwwroot/html
FLASH0/wwwroot/images
FLASH0/wwwroot/index.htm //web home page file
FLASH0/wwwroot/lib
FLASH0/wwwroot/SchneiderTFE.zip //Schneider MIB files
FLASH0/wwwroot/secure
FLASH0/wwwroot/unsecure
FLASH0/wwwroot/cgi-bin/$TMP_EMPTY_DIR
FLASH0/wwwroot/classes/jvmver.jar //JAVA APP
FLASH0/wwwroot/classes/RDE.jar //JAVA APP
FLASH0/wwwroot/classes/SAComm.jar //JAVA APP
FLASH0/wwwroot/classes/SysDiag.jar //JAVA APP
FLASH0/wwwroot/classes/webcfg.jar //JAVA APP
FLASH0/wwwroot/classes/webdiag.jar //JAVA APP
FLASH0/wwwroot/classes/XMLParser.jar //JAVA APP
FLASH0/wwwroot/classes/xmlrpc-1.1.jar //JAVA APP
FLASH0/wwwroot/conf/bootp
FLASH0/wwwroot/conf/dhcp
FLASH0/wwwroot/conf/diag
FLASH0/wwwroot/conf/exec
FLASH0/wwwroot/conf/fw
FLASH0/wwwroot/conf/Gcnftcop.sys
FLASH0/wwwroot/conf/glbdata
FLASH0/wwwroot/conf/ioscanner
FLASH0/wwwroot/conf/snmp
FLASH0/wwwroot/conf/bootp/$TMP_EMPTY_DIR
FLASH0/wwwroot/conf/dhcp/$TMP_EMPTY_DIR
FLASH0/wwwroot/conf/diag/$TMP_EMPTY_DIR
FLASH0/wwwroot/conf/exec/kerVer
FLASH0/wwwroot/conf/exec/NOE77101.bin //Quantum Ethernet Executive firmware Ver. 3.60
FLASH0/wwwroot/conf/fw/fw.ini
FLASH0/wwwroot/conf/glbdata/glbdata.ini
FLASH0/wwwroot/conf/ioscanner/$TMP_EMPTY_DIR
FLASH0/wwwroot/conf/snmp/snmp.ini
FLASH0/wwwroot/html/config.js //defines the web interface title; can be used for generic device identification
FLASH0/wwwroot/html/english
FLASH0/wwwroot/html/images
FLASH0/wwwroot/html/lib
FLASH0/wwwroot/html/english/control
FLASH0/wwwroot/html/english/diagnostic
FLASH0/wwwroot/html/english/documentation
FLASH0/wwwroot/html/english/header.htm
FLASH0/wwwroot/html/english/home
FLASH0/wwwroot/html/english/index.htm
FLASH0/wwwroot/html/english/maintenance
FLASH0/wwwroot/html/english/monitoring
FLASH0/wwwroot/html/english/setup
FLASH0/wwwroot/html/english/control/index.htm
FLASH0/wwwroot/html/english/control/menu.htm
FLASH0/wwwroot/html/english/diagnostic/index.htm
FLASH0/wwwroot/html/english/diagnostic/menu.htm
FLASH0/wwwroot/html/english/documentation/index.htm
FLASH0/wwwroot/html/english/documentation/menu.htm
FLASH0/wwwroot/html/english/home/home.htm
FLASH0/wwwroot/html/english/home/index.htm
FLASH0/wwwroot/html/english/home/menu.htm
FLASH0/wwwroot/html/english/maintenance/index.htm
FLASH0/wwwroot/html/english/maintenance/menu.htm
FLASH0/wwwroot/html/english/monitoring/index.htm
FLASH0/wwwroot/html/english/monitoring/menu.htm
FLASH0/wwwroot/html/english/setup/index.htm
FLASH0/wwwroot/html/english/setup/menu.htm
FLASH0/wwwroot/html/images/noe77101.jpg //product model image
FLASH0/wwwroot/html/images/Telemecanique.gif
FLASH0/wwwroot/html/images/TelemecaniquePocketPC.gif
FLASH0/wwwroot/html/lib/css
FLASH0/wwwroot/html/lib/images
FLASH0/wwwroot/html/lib/js
FLASH0/wwwroot/html/lib/css/header.css
FLASH0/wwwroot/html/lib/css/main.css
FLASH0/wwwroot/html/lib/css/menu.css
FLASH0/wwwroot/html/lib/images/left.gif
FLASH0/wwwroot/html/lib/images/moins.gif
FLASH0/wwwroot/html/lib/images/plus.gif
FLASH0/wwwroot/html/lib/images/right.gif
FLASH0/wwwroot/html/lib/js/header.js
FLASH0/wwwroot/html/lib/js/home.js
FLASH0/wwwroot/html/lib/js/index.js
FLASH0/wwwroot/html/lib/js/menu.js
FLASH0/wwwroot/html/lib/js/tools.js
FLASH0/wwwroot/images/eight_io.gif
FLASH0/wwwroot/images/empty.gif
FLASH0/wwwroot/images/hiendcpu.gif
FLASH0/wwwroot/images/logo.gif
FLASH0/wwwroot/images/miniplc.gif
FLASH0/wwwroot/images/module.gif
FLASH0/wwwroot/lib/home.js
FLASH0/wwwroot/lib/main.css
FLASH0/wwwroot/lib/main.js
FLASH0/wwwroot/secure/embedded
FLASH0/wwwroot/secure/system
FLASH0/wwwroot/secure/user
FLASH0/wwwroot/secure/embedded/bandwidth.htm
FLASH0/wwwroot/secure/embedded/chkdsk.htm
FLASH0/wwwroot/secure/embedded/classes
FLASH0/wwwroot/secure/embedded/dhcp_node_config.htm
FLASH0/wwwroot/secure/embedded/format_flash.htm
FLASH0/wwwroot/secure/embedded/french
FLASH0/wwwroot/secure/embedded/ftp_passwd_config.htm
FLASH0/wwwroot/secure/embedded/german
FLASH0/wwwroot/secure/embedded/globaldata.htm
FLASH0/wwwroot/secure/embedded/http_passwd_config.htm
FLASH0/wwwroot/secure/embedded/images
FLASH0/wwwroot/secure/embedded/ioscanning.htm
FLASH0/wwwroot/secure/embedded/messaging.htm
FLASH0/wwwroot/secure/embedded/reboot.htm
FLASH0/wwwroot/secure/embedded/set_readonly.htm
FLASH0/wwwroot/secure/embedded/smtpconf.htm
FLASH0/wwwroot/secure/embedded/smtpdiag.htm
FLASH0/wwwroot/secure/embedded/spanish
FLASH0/wwwroot/secure/embedded/support.htm
FLASH0/wwwroot/secure/embedded/web_page_Ver.ini
FLASH0/wwwroot/secure/embedded/classes/$TMP_EMPTY_DIR
FLASH0/wwwroot/secure/embedded/french/$TMP_EMPTY_DIR
FLASH0/wwwroot/secure/embedded/german/$TMP_EMPTY_DIR
FLASH0/wwwroot/secure/embedded/images/$TMP_EMPTY_DIR
FLASH0/wwwroot/secure/embedded/spanish/$TMP_EMPTY_DIR
FLASH0/wwwroot/secure/system/ctrlstat.htm
FLASH0/wwwroot/secure/system/ethernet.htm
FLASH0/wwwroot/secure/system/plccfg.htm
FLASH0/wwwroot/secure/system/rde.htm
FLASH0/wwwroot/secure/system/riostat.htm
FLASH0/wwwroot/secure/user/$TMP_EMPTY_DIR
FLASH0/wwwroot/unsecure/user
FLASH0/wwwroot/unsecure/user/$TMP_EMPTY_DIR

Firmware download (noe77101_OS.bin)

About Z-0ne
