├── .gitattributes ├── .gitignore ├── LICENSE ├── README.md ├── config.py ├── exploit_examples └── pwn2own_ics_2023_dos │ ├── dos_crash_PTC_KepServerEx_v6.13.250.0.sh │ ├── dos_crash_Prosys_OPCUASimulation Server_v5.4.2-129.sh │ ├── dos_crash_Softing_edgeAggregator_v3.40.sh │ ├── dos_crash_Unified_Automation_UaGateway_v1.5.12-482.sh │ ├── dos_crash_dotnet_v1.4.371.60.sh │ ├── dos_crash_inductive_ignition_v8.1.24.sh │ └── dos_crash_softing_edge_old.sh ├── fuzzing_input_corpus_minimized └── opcua_corpuses.zip ├── main.py ├── opcua_messages.py ├── payloads ├── attacks │ ├── certificate_inf_chain_loop.py │ ├── chunk_flood.py │ ├── close_session_with_old_timestamp.py │ ├── complex_nested_message.py │ ├── function_call_null_deref.py │ ├── malformed_utf8.py │ ├── open_multiple_secure_channels.py │ ├── race_change_and_browse_address_space.py │ ├── thread_pool_wait_starvation.py │ ├── translate_browse_path_call_stack_overflow.py │ ├── unlimited_condition_refresh.py │ └── unlimited_persistent_subscriptions.py ├── corpus │ ├── attack_file_ASNeG_OpcUaStack_unhandled_exception.py │ ├── attack_file_nodejs_opcua_v8_oom.py │ ├── examples │ │ ├── corpus_asneg_opcuastack_crash_unhandeld_exception.bin │ │ ├── corpus_example_boofuzz.db │ │ └── corpus_nodejs_opcua_crash_v8_oom.bin │ ├── opcua_message_boofuzz_db.py │ └── opcua_message_file.py ├── sanity │ ├── sanity_diagnostic_info.py │ ├── sanity_get_node_id_info.py │ ├── sanity_read_nodes.py │ └── sanity_translate_browse_path.py └── utils.py ├── protocol.py ├── requirements.txt ├── server ├── example │ └── demo.png └── opcua_server.py └── structs.py /.gitattributes: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/.gitattributes -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | __pycache__ 2 | .DS_Store 3 | .vscode 4 | .log 5 | venv -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/LICENSE -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/README.md -------------------------------------------------------------------------------- /config.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/config.py -------------------------------------------------------------------------------- /exploit_examples/pwn2own_ics_2023_dos/dos_crash_PTC_KepServerEx_v6.13.250.0.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/exploit_examples/pwn2own_ics_2023_dos/dos_crash_PTC_KepServerEx_v6.13.250.0.sh -------------------------------------------------------------------------------- /exploit_examples/pwn2own_ics_2023_dos/dos_crash_Prosys_OPCUASimulation Server_v5.4.2-129.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/exploit_examples/pwn2own_ics_2023_dos/dos_crash_Prosys_OPCUASimulation Server_v5.4.2-129.sh -------------------------------------------------------------------------------- /exploit_examples/pwn2own_ics_2023_dos/dos_crash_Softing_edgeAggregator_v3.40.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/exploit_examples/pwn2own_ics_2023_dos/dos_crash_Softing_edgeAggregator_v3.40.sh -------------------------------------------------------------------------------- /exploit_examples/pwn2own_ics_2023_dos/dos_crash_Unified_Automation_UaGateway_v1.5.12-482.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/exploit_examples/pwn2own_ics_2023_dos/dos_crash_Unified_Automation_UaGateway_v1.5.12-482.sh -------------------------------------------------------------------------------- /exploit_examples/pwn2own_ics_2023_dos/dos_crash_dotnet_v1.4.371.60.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/exploit_examples/pwn2own_ics_2023_dos/dos_crash_dotnet_v1.4.371.60.sh -------------------------------------------------------------------------------- /exploit_examples/pwn2own_ics_2023_dos/dos_crash_inductive_ignition_v8.1.24.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/exploit_examples/pwn2own_ics_2023_dos/dos_crash_inductive_ignition_v8.1.24.sh -------------------------------------------------------------------------------- /exploit_examples/pwn2own_ics_2023_dos/dos_crash_softing_edge_old.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/exploit_examples/pwn2own_ics_2023_dos/dos_crash_softing_edge_old.sh -------------------------------------------------------------------------------- /fuzzing_input_corpus_minimized/opcua_corpuses.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/fuzzing_input_corpus_minimized/opcua_corpuses.zip -------------------------------------------------------------------------------- /main.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/main.py -------------------------------------------------------------------------------- /opcua_messages.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/opcua_messages.py -------------------------------------------------------------------------------- /payloads/attacks/certificate_inf_chain_loop.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/attacks/certificate_inf_chain_loop.py -------------------------------------------------------------------------------- /payloads/attacks/chunk_flood.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/attacks/chunk_flood.py -------------------------------------------------------------------------------- /payloads/attacks/close_session_with_old_timestamp.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/attacks/close_session_with_old_timestamp.py -------------------------------------------------------------------------------- /payloads/attacks/complex_nested_message.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/attacks/complex_nested_message.py -------------------------------------------------------------------------------- /payloads/attacks/function_call_null_deref.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/attacks/function_call_null_deref.py -------------------------------------------------------------------------------- /payloads/attacks/malformed_utf8.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/attacks/malformed_utf8.py -------------------------------------------------------------------------------- /payloads/attacks/open_multiple_secure_channels.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/attacks/open_multiple_secure_channels.py -------------------------------------------------------------------------------- /payloads/attacks/race_change_and_browse_address_space.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/attacks/race_change_and_browse_address_space.py -------------------------------------------------------------------------------- /payloads/attacks/thread_pool_wait_starvation.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/attacks/thread_pool_wait_starvation.py -------------------------------------------------------------------------------- /payloads/attacks/translate_browse_path_call_stack_overflow.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/attacks/translate_browse_path_call_stack_overflow.py -------------------------------------------------------------------------------- /payloads/attacks/unlimited_condition_refresh.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/attacks/unlimited_condition_refresh.py -------------------------------------------------------------------------------- /payloads/attacks/unlimited_persistent_subscriptions.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/attacks/unlimited_persistent_subscriptions.py -------------------------------------------------------------------------------- /payloads/corpus/attack_file_ASNeG_OpcUaStack_unhandled_exception.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/corpus/attack_file_ASNeG_OpcUaStack_unhandled_exception.py -------------------------------------------------------------------------------- /payloads/corpus/attack_file_nodejs_opcua_v8_oom.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/corpus/attack_file_nodejs_opcua_v8_oom.py -------------------------------------------------------------------------------- /payloads/corpus/examples/corpus_asneg_opcuastack_crash_unhandeld_exception.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/corpus/examples/corpus_asneg_opcuastack_crash_unhandeld_exception.bin -------------------------------------------------------------------------------- /payloads/corpus/examples/corpus_example_boofuzz.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/corpus/examples/corpus_example_boofuzz.db -------------------------------------------------------------------------------- /payloads/corpus/examples/corpus_nodejs_opcua_crash_v8_oom.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/corpus/examples/corpus_nodejs_opcua_crash_v8_oom.bin -------------------------------------------------------------------------------- /payloads/corpus/opcua_message_boofuzz_db.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/corpus/opcua_message_boofuzz_db.py -------------------------------------------------------------------------------- /payloads/corpus/opcua_message_file.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/corpus/opcua_message_file.py -------------------------------------------------------------------------------- /payloads/sanity/sanity_diagnostic_info.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/sanity/sanity_diagnostic_info.py -------------------------------------------------------------------------------- /payloads/sanity/sanity_get_node_id_info.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/sanity/sanity_get_node_id_info.py -------------------------------------------------------------------------------- /payloads/sanity/sanity_read_nodes.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/sanity/sanity_read_nodes.py -------------------------------------------------------------------------------- /payloads/sanity/sanity_translate_browse_path.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/sanity/sanity_translate_browse_path.py -------------------------------------------------------------------------------- /payloads/utils.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/payloads/utils.py -------------------------------------------------------------------------------- /protocol.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/protocol.py -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | construct==2.10.56 2 | asyncua -------------------------------------------------------------------------------- /server/example/demo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/server/example/demo.png -------------------------------------------------------------------------------- /server/opcua_server.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/server/opcua_server.py -------------------------------------------------------------------------------- /structs.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/claroty/opcua-exploit-framework/HEAD/structs.py --------------------------------------------------------------------------------