
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/client/hwbridge/connect.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
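class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  #
  # Registers the module metadata and the connection options (RHOST, RPORT,
  # TARGETURI, DEBUGJSON). Nothing is sent to the bridge from here.
  #
  def initialize(info={})
    super(update_info(info, {
      'Name'        => 'Hardware Bridge Session Connector',
      # NOTE(review): the text below refers to HWBRIDGE_BASE_URL, while this
      # module registers RHOST/RPORT/TARGETURI -- confirm which is current.
      'Description' => %q{
          The Hardware Bridge (HWBridge) is a standardized method for
          Metasploit to interact with Hardware Devices.  This extends
          the normal exploit capabilities to the non-ethernet realm and
          enables direct hardware and alternative bus manipulations.  You
          must have compatible bridging hardware attached to this machine or
          reachable on your network to use any HWBridge exploits.

          Use this exploit module to connect the physical HWBridge which
          will start an interactive hwbridge session.  You can launch a hwbridge
          server locally by using compliant hardware and executing the local_hwbridge
          module.  After that module has started, pass the HWBRIDGE_BASE_URL
          options to this connector module.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Craig Smith' # hwbridge metasploit module
        ],
      'Session'      => Msf::Sessions::HWBridge,
      'SessionTypes' => [ 'hwbridge' ],
      'References'   =>
        [
          [ 'URL', 'http://opengarages.org/hwbridge' ] # TODO
        ]
    }))
    register_options(
      [
        Opt::RPORT(8080),
        Opt::RHOST('127.0.0.1'),
        OptBool.new('DEBUGJSON', [false, "Additional debugging out for JSON requests to HW Bridge", false]),
        OptString.new('TARGETURI', [ true, "The path to the hwbridge API", '/'])
      ],
      self.class
    )
    # Set by get_status once the bridge has answered; run treats nil as
    # "never connected".
    @last_access = nil
  end

  #
  # Generic fetch json call. Issues a GET for +uri+ below TARGETURI and
  # returns the parsed JSON document.
  #
  # Returns nil when there is no usable response, when the status code is
  # not 200 (a 401 additionally prints the body as "Access Denied"), when
  # the body is not valid JSON, or when one of the rescued connection
  # errors occurs.
  #
  def fetch_json(uri)
    tpath = normalize_uri("#{datastore['TARGETURI']}/#{uri}")
    res = send_request_cgi({
      'uri'    => tpath,
      'method' => 'GET'
    })
    return nil if !res || !res.body || !res.code

    if res.code == 200
      print_status res.body if datastore['DEBUGJSON'] == true
      return JSON.parse(res.body)
    elsif res.code == 401
      print_error "Access Denied: #{res.body}"
    end
    return nil

  rescue JSON::ParserError
    # The body is produced by the remote bridge; a malformed reply is
    # reported like any other failed fetch instead of raising out of run.
    vprint_error("Unable to parse JSON response")
    return nil
  rescue OpenSSL::SSL::SSLError
    vprint_error("SSL error")
    return nil
  rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
    vprint_error("Unable to Connect")
    return nil
  rescue ::Timeout::Error, ::Errno::EPIPE
    vprint_error("Timeout error")
    return nil
  end

  #
  # Disclaimer for legal and those without common sense...
  #
  def print_disclaimer
    print_warning("NOTICE:  You are about to leave the matrix.  All actions performed on this hardware bridge")
    print_warning("         could have real world consequences.  Use this module in a controlled testing")
    print_warning("         environment and with equipment you are authorized to perform testing on.")
  end

  #
  # Uses status information to automatically load proper extensions, then
  # copies the version and device-name fields that were reported onto the
  # session.
  #
  # An extension is loaded only when the bridge reported the flag as the
  # JSON boolean true; a missing key or any other value (including the
  # string "true") loads nothing.
  #
  def autoload_extensions(sess)
    # hw_specialty stays nil when /status did not include it, and its type
    # is whatever the bridge sent; treat anything but a Hash as "no flags".
    specialty = hw_specialty.is_a?(Hash) ? hw_specialty : {}

    sess.load_automotive if specialty['automotive'] == true
    sess.load_zigbee if specialty['zigbee'] == true
    sess.load_rftransceiver if specialty['rftransceiver'] == true

    sess.api_version = api_version if api_version
    sess.fw_version = fw_version if fw_version
    sess.hw_version = hw_version if hw_version
    sess.device_name = device_name if device_name
  end

  #
  # If the hardware contains custom methods, create functions for those.
  # Only the JSON boolean true in hw_capabilities['custom_methods']
  # triggers the load.
  #
  def load_custom_methods(sess)
    # Same guard as autoload_extensions: the field may be absent or not a Hash.
    capabilities = hw_capabilities.is_a?(Hash) ? hw_capabilities : {}
    sess.load_custom_methods if capabilities['custom_methods'] == true
  end

  #
  # Fetches the status of the hwbridge from "/status".
  #
  # When the reply is a JSON object containing an 'operational' key, the
  # access time is recorded in @last_access and every reported field
  # (hw_specialty, hw_capabilities, api_version, fw_version, hw_version,
  # device_name) is stored on the module. Only the presence of
  # 'operational' is checked, not its value. The values are stored as
  # received, without type validation.
  #
  def get_status
    data = fetch_json("/status")
    # A JSON array or scalar is valid JSON but has no keys to read.
    return unless data.is_a?(Hash) && data.key?('operational')

    @last_access = Time.now
    self.hw_specialty = data['hw_specialty'] if data.key? 'hw_specialty'
    self.hw_capabilities = data['hw_capabilities'] if data.key? 'hw_capabilities'
    self.api_version = data['api_version'] if data.key? 'api_version'
    self.fw_version = data['fw_version'] if data.key? 'fw_version'
    # The key test must use the same spelling as the lookup, otherwise the
    # reported hardware version is never stored.
    self.hw_version = data['hw_version'] if data.key? 'hw_version'
    self.device_name = data['device_name'] if data.key? 'device_name'
  end

  #
  # Module entry point: queries the bridge status and, if it answered,
  # registers a HWBridge session, loads the extensions the bridge
  # advertised, and prints the disclaimer.
  #
  def run
    print_status "Attempting to connect to #{datastore['RHOST']}..."
    get_status
    if @last_access.nil?
      print_error "Could not connect to API"
      return
    end

    sess = Msf::Sessions::HWBridge.new(self)
    sess.set_from_exploit(self)

    # The session is registered before any extension is loaded.
    framework.sessions.register(sess)
    print_good "HWBridge session established"
    autoload_extensions(sess)
    load_custom_methods(sess)
    print_status "HW Specialty: #{self.hw_specialty}  Capabilities: #{self.hw_capabilities}"
    print_disclaimer
  end

  # Status fields reported by the bridge; readable by callers.
  attr_reader :hw_specialty
  attr_reader :hw_capabilities
  attr_reader :api_version
  attr_reader :fw_version
  attr_reader :hw_version
  attr_reader :device_name

  protected

  # Writers are protected: only get_status updates these fields.
  attr_writer :hw_specialty
  attr_writer :hw_capabilities
  attr_writer :api_version
  attr_writer :fw_version
  attr_writer :hw_version
  attr_writer :device_name
end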