claroty / opcua-exploit-framework

Advanced OPC-UA framework for vulnerability research & exploitation
MIT License

Framework not working with prosys or kepware #2

Closed GianlucaTravasci closed 7 months ago

GianlucaTravasci commented 1 year ago

Hello,

I recently attempted to use your framework with Prosys Simulation Server and Kepware, but I encountered some issues. For instance, I tried to install Prosys version 5.4.6-148 on my own PC and attempted to launch Denial of Service (DoS) attacks from a virtual machine to the server using the following command:

python3 main.py prosys <IP> 53530 /OPCUA/SimulationServer thread_pool_wait_starvation

Below are the outputs I received for each execution of the scripts, except for the "sanity" one:

For Prosys Simulation Server:

**** Started at 2023-09-18 10:25:41.298352 ****
[-] Opening connection to 192.168.1.227:53530 (timeout: 60)
[-] Opening OPC UA session with opc.tcp://192.168.1.227:53530/OPCUA/SimulationServer
[-] Sending HEL message with 84 bytes
    [-] Setting OPN ReqLifetime to 360000
[-] Sending OPN message with 133 bytes
    [-] Got Secure Channel Id = 3
[-] Sending Create message with 384 bytes
    [-] Got AuthID = 05beddaeec37997a89f7b2b7c260a44363f469d41416c11e75b6ae2dea6738c8
[-] Sending Activate message with 149 bytes
[-] Sending MSG Request - Worker Wait Data Starvation x 200 times
Traceback (most recent call last):
  File "/home/parrot/opcua-exploit-framework/main.py", line 174, in <module>
    main()
  File "/home/parrot/opcua-exploit-framework/main.py", line 168, in main
    DICT_FUNCS[func_type](server_details)
  File "/home/parrot/opcua-exploit-framework/payloads/attacks/thread_pool_wait_starvation.py", line 33, in attack
    opcua.send_recv(message_write_starvation, num_requests, should_recv=False)
  File "/home/parrot/opcua-exploit-framework/protocol.py", line 129, in send_recv
    self.opcua_send(msg, hold_final_chunk=hold_final_chunk)
  File "/home/parrot/opcua-exploit-framework/protocol.py", line 93, in opcua_send
    self.sock.send(data)
BrokenPipeError: [Errno 32] Broken pipe

For Kepware:

**** Started at 2023-09-18 09:04:13.774327 ****
[-] Opening connection to 192.168.1.18:49320 (timeout: 60)
[-] Opening OPC UA session with opc.tcp://192.168.1.18:49320/
[-] Sending HEL message with 61 bytes
  [-] Setting OPN ReqLifetime to 360000
[-] Sending OPN message with 133 bytes
  [-] Got Secure Channel Id = 1508780078
[-] Sending Create message with 331 bytes
Traceback (most recent call last):
  File "/home/user/opcua-exploit-framework/main.py", line 174, in <module>
    main()
  File "/home/user/opcua-exploit-framework/main.py", line 168, in main
    DICT_FUNCS[func_type](server_details)
  File "/home/user/opcua-exploit-framework/payloads/sanity/sanity_read_nodes.py", line 12, in attack
    opcua.create_session()
  File "/home/user/opcua-exploit-framework/protocol.py", line 317, in create_session
    self.auth_id = create_resp.opc_data.object.object.auth_token
AttributeError: 'NoneType' object has no attribute 'auth_token'

Please let me know if you need any further information or assistance in resolving these issues.
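The HEL sizes in the two logs above (84 bytes for the Prosys URL, 61 for the Kepware one) follow directly from the OPC UA TCP Hello layout: an 8-byte message header, five uint32 fields, then the EndpointUrl as a length-prefixed string. The encoder/decoder below is an added illustration, not code from the framework or this thread; the decoder also enforces the length invariants a server or protocol monitor should check before trusting the advertised buffer sizes.

```python
import struct

# Message header: 3-byte type "HEL", 1-byte chunk type "F", uint32 total size (8 bytes)
HEADER = struct.Struct("<3sBI")
# Fixed body: ProtocolVersion, ReceiveBufferSize, SendBufferSize,
# MaxMessageSize, MaxChunkCount; all little-endian uint32 (20 bytes)
FIELDS = struct.Struct("<5I")
MIN_BUFFER = 8192      # OPC UA Part 6: buffer sizes below this must be rejected
MAX_URL_BYTES = 4096   # OPC UA Part 6: EndpointUrl length limit


def encode_hel(endpoint_url, recv_buf=65536, send_buf=65536,
               max_msg=0, max_chunks=0, version=0):
    """Build an OPC UA TCP Hello message for the given endpoint URL."""
    url = endpoint_url.encode("utf-8")
    body = FIELDS.pack(version, recv_buf, send_buf, max_msg, max_chunks)
    body += struct.pack("<i", len(url)) + url   # OPC UA String: int32 length + bytes
    return HEADER.pack(b"HEL", ord("F"), HEADER.size + len(body)) + body


def decode_hel(data):
    """Parse a Hello message, rejecting anything whose lengths are inconsistent."""
    if len(data) < HEADER.size + FIELDS.size + 4:
        raise ValueError("truncated Hello")
    mtype, chunk, size = HEADER.unpack_from(data, 0)
    if mtype != b"HEL" or chunk != ord("F"):
        raise ValueError("not a final HEL chunk")
    if size != len(data):
        raise ValueError(f"size field {size} != actual length {len(data)}")
    version, recv_buf, send_buf, max_msg, max_chunks = FIELDS.unpack_from(data, HEADER.size)
    off = HEADER.size + FIELDS.size
    (url_len,) = struct.unpack_from("<i", data, off)
    off += 4
    if url_len < 0:                      # -1 encodes a null string
        url, end = None, off
    elif url_len > MAX_URL_BYTES:
        raise ValueError("EndpointUrl exceeds the 4096-byte limit")
    else:
        url, end = data[off:off + url_len].decode("utf-8"), off + url_len
    if end != len(data):
        raise ValueError("EndpointUrl length does not match message size")
    if recv_buf < MIN_BUFFER or send_buf < MIN_BUFFER:
        raise ValueError("buffer sizes below the 8192-byte minimum")
    return {"version": version, "recv_buf": recv_buf, "send_buf": send_buf,
            "max_msg": max_msg, "max_chunks": max_chunks, "url": url}
```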

SharonBrizinov commented 1 year ago

Hi @GianlucaTravasci

  1. Prosys has fixed this vulnerability in v5.2.2; see here for more details - https://www.prosysopc.com/blog/pwn2own-resource-exhaustion-exploit/
  2. Regarding Kepware - you'll have to configure Kepware to accept remote connections and allow anonymous login

Please let me know if you have more questions

GianlucaTravasci commented 1 year ago

Hi @SharonBrizinov. I'm sorry for the late reply. I've tried with the Kepware v.6.6.350.0 server; I've allowed the remote connection with anonymous login and finally trusted an OPC client. Attached here is the configuration of the Kepware server:

image

After all that setup I've tried the following commands:

python3 main.py kepware ip 49320 / sanity
python3 main.py kepware ip 49320 "" sanity

But I've received the same as before.

Maybe we are doing something wrong with the remote connection setup; can you please provide me the steps to correctly set it up?

SharonBrizinov commented 12 months ago

Hi @GianlucaTravasci you would also need to Accept remote connections. Kepware did a very good job protecting their customers so the default settings are hardened. Please note that doing so is highly dangerous and not recommended outside testing beds :)

  1. Open TCP port 49320 in the firewall (or disable firewall)
  2. Enable external connection and allow plain OPC UA (non-TLS)
    • In the windows taskbar - right click the green kepware logo → OPC UA Configuration
    • Choose the endpoint that is not localhost and Enable it
    • Click Edit (after selecting the external endpoint)
    • Check the None checkbox in the security policies list
    • Make sure to disable the localhost endpoint or change the port to 49321 so it won’t interfere with remote connections

Do Reinitialize

image