fortiphyd / grficsv2 Goto Github PK

Good afternoon,

I've set up everything according to your 2nd video and the system works up to a point.

What works:
-the Unity UI plant page
-the HMI page
-the VMs.

The part that doesn't work is the PLC. I'm getting a EADDRINUSE for port 8080 when running the sudo nodejs server.js command.

I suppose it has something to do with port 8080, but there's nothing else running in VirtualBox.

unable to import workstation vm, what to do?

Hi,

first of all, thanks for the great work ! I've managed to run GRFICSv2 with docker containers and I've used OpenPLCv3 instead of OpenPLCv2 as the web interface is nicer. The chemical plan seems to work : I can see the values on ScadaBR which match what I see on the Simulation. I can also change directly OpenPLC holding registers with modbus command to change the pressure_sp.

I have a question : what's the purpose of the variables hmi_* registers at %MWxx as ScadaBR seems to read %IWxx variables ?

https://github.com/Fortiphyd/GRFICSv2/blob/master/workstation_vm/simplified_te.st#L377

  hmi_pressure AT %MW20 : INT;
   hmi_level AT %MW21 : INT;
   hmi_f1_valve_pos AT %MW22 : INT;
   hmi_f1_flow AT %MW23 : INT;
   hmi_f2_valve_pos AT %MW24 : INT;
   hmi_f2_flow AT %MW25 : INT;
   hmi_purge_valve_pos AT %MW26 : INT;
   hmi_purge_flow AT %MW27 : INT;
   hmi_product_valve_pos AT %MW28 : INT;
   hmi_product_flow AT %MW29 : INT;
   scan_count AT %MW30 : UINT := 0;

I've imported VM with NAT interface selected as noticed in description. But I have only loopback interface with no Internet connetction to download all needful updates as mentioned in instruction. I tried to change /etc/network/interface but with no success

Hi,
first of all thanks for all your work and effort you're putting in such project, it is really a good resource for learning and practicing on ICS. i have only a few questions that i hope you can answer:

• is it possible to change the networking architecture of the environment or it is constrained to the specified host-only network adapters?
• are there more resourse/documentation on how to use and configure the framework besides the provided video tutorials? Or maybe also some already implemented framework use case?

Thanks,

When trying to build the PLC container using the Dockerfile, there are permission problems. This is due to the .sh scripts that are not executable.

The ScadaBR image can be reached, the others seem to be missing..

My installation of pfSense stops at the point shown below:

• Took the VMs from the manual
• Network adapters are configured according to the manual
• Restart after Network Configuration
• Windows 10
• Virtual Box 7.0

According to the Usenix paper, a libmodbus version had been used for OpenPLC that is vulnerable to a buffer overflow. The buffer overflow can be verified by issuing an according "Read Registers" command that results in a service crash (or SIGSEGV under gdb). As the paper further mentions, the lesser-known "Read Write Register" function (code 0x17) has to be used to gain actual Remote Code Execution.

Unfortuantely, the Modbus service on the PLC returns an "Illegal Function" error, when using that function code, as can be seen from the pymodbus.console output:

and also under Wireshark:

Looking at the libmodbus code inside this repo (and also on the pre-built PLC VM), one can see that this function code is defined:
https://github.com/Fortiphyd/GRFICSv2/blob/master/plc_vm/OpenPLC_v2-master/libmodbus-3.0.4/src/modbus-private.h#L65

and that it should also be properly handled:
https://github.com/Fortiphyd/GRFICSv2/blob/master/plc_vm/OpenPLC_v2-master/libmodbus-3.0.4/src/modbus.c#L870

So, the code path for responding with an "Illegal Function" error should not be taken.

EDIT:
Taking another look at the PLC code base, I realized that the openplc gets linked against libmodbus, but actually uses its own Modbus implementation. The modbus.cpp does not contain a definition for function code 0x17 and also does not have the code implemented for handling it. Thus the message handling function defaults to the "Illegal Function" response.

The overflow still triggers for read requests, due to the modbus.cpp having been modified, accordingly: https://github.com/Fortiphyd/GRFICSv2/blob/master/plc_vm/OpenPLC_v2-master/core/modbus.cpp#L292

So, apparently, it would be required to also re-implement the "Read and Write Registers" function inside the modbus.cpp to gain code executioin.

So I did not find the DHCP server address, upper and lower bound of the two ethernet adapter. What should be the IP addresses of those?

After uploading the attack.st file, what file needs to be uploaded to revert the PLC to normal operation?

Hello,
inside at process simulation, what are these values ?

Inside at Unity 3D
A: 47%
B: 1%
C: 52%

Simulation in C++
A_in_purge
B_in_purge
C_in_purge

ScadaBR
AComp
BComp
CComp

Where can I find all the logs