The most prominent type of ICS is a supervisory control and data acquisition (SCADA) system. A SCADA network sends remote control signals to industrial assets used by critical infrastructure utilities. The SCADA also receives information about the state of these assets to analyze or troubleshoot any problems they may be experiencing. For example, an engineer may use a SCADA system to receive information about the pressure and volume of water in a tank at a treatment plant, while also using the SCADA to adjust those factors to run the tank more efficiently.

SCADA systems and networks are now being integrated into the enterprise network, and modern SCADA systems can interface with the TCP/IP stack. Like other networked ICSs, a networked SCADA presents new opportunities for exploitation. Metasploit has several modules in the exploit/windows/scada category that target vendor-specific SCADA components running Windows. Many of these trigger buffer overflows. Some examples include:

  • exploit/windows/scada/advantech_webaccess_webvrpcs_bof—Triggers a stack overflow against a web service.
  • exploit/windows/scada/daq_factory_bof—Triggers a stack overflow by sending excessive requests to a service port.
  • exploit/windows/scada/advantech_webaccess_dashboard_file_upload—Enables file upload to the web server and arbitrary code execution.
  • exploit/windows/scada/codesys_gateway_server_traversal—Enables directory traversal on the server.
  • exploit/windows/scada/igss_exec_17—Enables remote command injection.

As you can probably tell, these modules do not apply to all SCADA components. You may need to do more research or reconnaissance to determine the make and model of the SCADA components the target organization is running, and whether Metasploit actually has a relevant module. There are, of course, other tools out there that can help you exploit SCADA systems.