From a727ebbf5ec9bc5f34374b07b3901ac536d3c31e Mon Sep 17 00:00:00 2001
From: PazFi
Date: Mon, 1 Aug 2022 15:11:57 +0300
Subject: [PATCH] Adding detection of I-AM responses sent in unicast form.
---
 modules/auxiliary/scanner/scada/bacnet_l3.rb | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/modules/auxiliary/scanner/scada/bacnet_l3.rb b/modules/auxiliary/scanner/scada/bacnet_l3.rb
index 7907e6c188..5d145f81d0 100644
--- a/modules/auxiliary/scanner/scada/bacnet_l3.rb
+++ b/modules/auxiliary/scanner/scada/bacnet_l3.rb
@@ -133,21 +133,33 @@ class MetasploitModule < Msf::Auxiliary
 def broadcast_who_is
 begin
 broadcast_addr = get_ipv4_broadcast(datastore['INTERFACE'])
+ interface_addr = get_ipv4_addr(datastore['INTERFACE'])
 rescue StandardError
 raise StandardError, "Interface #{datastore['INTERFACE']} is down"
 end
 cap = []
+
+ # Create a socket for broadcast response and a socket for unicast response.
 lsocket = Rex::Socket::Udp.create({
 'LocalHost' => broadcast_addr,
 'LocalPort' => datastore['PORT'],
 'Context' => { 'Msf' => framework, 'MsfExploit' => self }
 })
+ ssocket = Rex::Socket::Udp.create({
+ 'LocalHost' => interface_addr,
+ 'LocalPort' => datastore['PORT'],
+ 'Context' => { 'Msf' => framework, 'MsfExploit' => self }
+ })
 datastore['COUNT'].times { lsocket.sendto(DISCOVERY_MESSAGE_L3, '255.255.255.255', datastore['PORT'], 0) }
+
+ # Collect responses with unicast or broadcast destination.
 loop do
 data, host, port = lsocket.recvfrom(65535, datastore['TIMEOUT'])
- break if host.nil?
+ data2, host2, port2 = ssocket.recvfrom(65535, datastore['TIMEOUT'])
+ break if (host.nil? && host2.nil?)
- cap << [data, host, port]
+ cap << [data, host, port] if host
+ cap << [data2, host2, port2] if host2
 end
 lsocket.close
 cap
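Review bot: The new unicast socket is never released: after the loop only `lsocket.close` runs, so `ssocket` stays bound to the interface address on `datastore['PORT']` until garbage collection, which can make a second run of the module fail to bind; add `ssocket.close` beside `lsocket.close`, ideally in an `ensure` so both sockets are closed even when `recvfrom` raises. The two blocking `recvfrom` calls in the loop body also run back to back, each with the full `TIMEOUT`, so every idle iteration now waits twice as long as before and a host that keeps answering on one socket keeps the loop alive regardless of the other; polling both sockets with a single `IO.select([lsocket, ssocket], nil, nil, datastore['TIMEOUT'])` and reading only the readable one would keep the original timeout semantics. Whether binding two UDP sockets to the same port on the broadcast and interface addresses coexists on every platform is not visible here and is worth confirming. The parentheses in `break if (host.nil? && host2.nil?)` are redundant; `break unless host || host2` reads more naturally.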