SCADA+ Pack



"Value Add" ZDA pack (Zero-Day-Access pack) exploits for ICS/SCADA, Medical, Defense and general software.




Latest ZDA updates:
Total 50+ modules available for ZDA Service (ZDA pack) users

Latest updates are posted to twitter: here

Examples of valued add modules available for ZDA pack clients in 2018:

ag_LeCroy_EasyScope_ActiveX 0day
http://teledynelecroy.com/support/softwaredownload/easyscope.aspx
LeCroy EasyScope LabWindows/CVI, LabVIEW, and other products ActiveX Remote Code Execution Vulnerability

ag_Cybrotech_CyBroHttpServer_DirTrav 0day
http://www.cybrotech.com/software-category/tools/
Cybrotech CyBroHttpServer Directory traversal vulnerability allows remote attackers to read arbitrary files.

ag_KOYO_C_more_Programming_DoS 0day
https://support.automationdirect.com/products/cmore.html
KOYO C-more Programming Software Emulator Denial of Service

ag_Do_more_Designer_DoS 0day
https://support.automationdirect.com/products/domore.html
Do-more Designer programming tool DoS.

ag_Reliance4_Control_Server_DoS 0day
https://www.reliance-scada.com/en/main
Reliance4 SCADA Control Server Denial of Service Tested on: Reliance 4.8.0

ag_Simple_SCADA_infoleak 0day
https://simple-scada.com
Simple-Scada allows remote attackers to read some files.

ag_DELTA_IA_Robot_DRAstudio_afu 0day
http://www.deltaww.com
Allows to upload arbitrary files. Unauth. Tested against DRAStudio 1.00.02 on Windows 7 .
Delta Industrial Automation Robot DRAStudio Arbitrary File Upload

ag_DELTA_IA_Robot_DRAstudio_afd 0day
http://www.deltaww.com
Special crafted packets allow to disclose arbitrary files. UnAuth. Tested against DRAStudio 1.00.02 on Windows 7.

ag_GP_PRO_EX_WinGP_Runtime_afu 0day
http://www.profaceamerica.com
Allows remote attacker to upload arbitrary files. Length of filepath is limited. Module also creates executable trojan in root folder.
Tested against WinGP Runtime 4.8.0 on Windows 7 SP1 x64.

ag_GP_PRO_EX_WinGP_Runtime_afd 0day
http://www.profaceamerica.com
allows to disclose arbitrary files. Tested against WinGP Runtime 4.8.0 on Windows 7 SP1 x64.

ag_vbase_vokserver_info_disclosure 0day
https://www.vbase.net/en/index.php
Vulnerability allows remote attackers to disclose info.

esa_automation_crew_webserver_infodisclosure [0day]
https://www.esa-automation.com/en/products/crew/
Vulnerability allows remote attackers to disclose files. UnAuthenticated.

lsis_wXP_afd [0day]
http://www.lsis.com
Vulnerability allows remote attacker to disclose arbitrary files. password protection bypassed!

wintr_trojanprojectgeneration [0day]
https://www.fultek.com.tr
WinTr SCADA malicious project generation. Project being loaded adds user "hacker" to the system

wintr_scada_info_disclosure [0day]
https://www.fultek.com.tr/en/scada/
Specially crafted request allows to disclose files. Authentication bypassed!

ag_loytec_lweb900_server_infodisclosure [0day]
https://www.logicals.com/
Remote attacker can disclose arbitrary files on LWEB-900 server

ag_logi_cals_logi_RTS_privilege_escalation [0day]
https://www.logicals.com/
logi.RTS Privileges escalation.

ag_logi_cals_logi_RTS_RTShttpd_DoS [0day]
https://www.logicals.com/
Special TCP packet cause DoS to RTShttpd.exe.

ag_webport_bsqli_privilege_escalation 0day http://webport.se/
Vulnerability allows user with minimal privileges to become an admin user.

ag_infrasightlabs_vscopeserver_privilege_escalationfile_download 0day https://www.infrasightlabs.com/
Vulnerability allows authorized user or guest(if allowed) to create new admin user.

ag_PASvisu_dosfile_download 0day https://www.pilz.com
Specially crafted TCP request cause DoS.

ag_PASvisu_afufile_download 0day https://www.pilz.com
Vulnerability allows remote file upload.

ag_winplc7_webserver_arbitrary_file_disclosurefile_download 0day http://www.vipa.com
Vulnerability allows remote file disclosure (with some limitations).

ag_reliance_scada_directory_traversal
Reliance web server allows to get content of arbitrary file.

May 9th. ZDA pack released. Version 1.0 contains:

ag_winplc7_webserver_arbitrary_file_disclosure
Vulnerability allows unauthenticated user to read contents of arbitrary file on remote machine.

eisbaer_scada_directory_traversal2
Vulnerability allows unauthenticated user to read contents of arbitrary file on remote machine.

ag_cogent_datahub_bsqlifile_download
Specially crafted HTTP request leads to BSQLi.

ag_codesys3_files_manipulation
Enabled virtual PLC allows to read arbitrary file, directory list, remove file.

ag_atvise_afdfile_download
Atvise OPC UA service allows remote attacker to read OS files.

ag_visu_rcefile_download
TCPUploadServer allows authenticated users to create/delete files and dirs, start/stop project.

ag_igss_afdfile_download
Specially crafted tcp package to IGSSupdateservice.exe allows to read arbitrary file content.

ag_moxa_aopc_ua_server_file_corrupt_or_dos
Specially crafted TCP packet allows unathenticated attacker to rewrit content of any file with content of log data. may cause DoS.

atvise_remote_project_management
Atvise OPC UA service allows to read and write data. Also unauthenticated attacker can execute some opc methods.

ag_atvise_privilege_escalation
Atvise OPC UA service allows to read and write data. This module enumerates users and changes their passwords.

ag_cogent_datahub_log_poison_rce
The exploit allows to create log file with some code, that calls shell command.

ag_cogent_datahub_7_3_x_dos
Specially crafted GET request cause DoS.

ag_integraXor_config_corruption
under some conditions an attacker can get some information about project settings and can change it.

ag_integraXor_information_disclosure
under some conditions an attacker can get some information about project settings and environment.

ag_integraXor_remote_project_management
under some conditions an attacker can run or stop project and tasks by sending crafted package to igsvc service. This module stops all tasks of project.

ag_myscada_hardcoded
MyScada MyPRO uses hardcoded credentials which could be used to execute project scripts.

ag_s3scada_qnx_rce
S3 Scada QNX allows to execute QNX shell commands.

ag_s3scada_remote_stop
Specially crafted tcp request allows to stop scada

ag_remote_osciloscope_dos
This module turn the oscilloscope to self correction mode

ag_webaccess_dcerpc_afu_rce
Unauthorized person can create and execute files on remote machine over DCERPC-protocol.

ag_LUTRON_HomeWorks_Interactive_activex
LUTRON ActiveXs have unsafe methods which could lead to information disclosure

ag_indigo_scada_information_disclosure
Specially crafted TCP requests lead to disclosure of info (include creds, logs, etc).

ag_CIMON_SCADA_HttpSvr_DoS
Specially crafted TCP requests lead to CIMON SCADA Denial of Service ag_eisbaer_scada
Vulnerability allows unauthenticated user to read content of some files on a remote machine.

ag_vtscada_ce
TD Scada has own scripting language for "Script Application". We could use that to create and execute the trojan.

ag_citectScada_7_2_dos
Specially crafted TCP request cause Citect SCADA DoS.


For how to buy information - refer here