CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/hardware/automotive/canprobe.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7


8
  def initialize(info = {})

9
    super(

10
      update_info(

11
        info,

12
        'Name' => 'Module to Probe Different Data Points in a CAN Packet',

13
        'Description' => %q{

14
          Scans between two CAN IDs and writes data at each byte position. It will

15
          either write a set byte value (Default 0xFF) or iterate through all possible values

16
          of that byte position (takes much longer). Does not check for responses and is

17
          basically a simple blind fuzzer.

18
        },

19
        'License' => MSF_LICENSE,

20
        'Author' => ['Craig Smith'],

21
        'Platform' => ['hardware'],

22
        'SessionTypes' => ['hwbridge']

23
      )

24
    )

25
    register_options([

26
      OptInt.new('STARTID', [false, 'CAN ID to start scan', 0x300]),

27
      OptInt.new('STOPID', [false, 'CAN ID to stop scan', nil]),

28
      OptInt.new('PROBEVALUE', [false, 'Value to inject in the data stream', 0xFF]),

29
      OptInt.new('PADDING', [false, 'If a value is given a full 8 bytes will be used and padded with this value', nil]),

30
      OptBool.new('FUZZ', [false, 'If true interates through all possible values for each data position', false]),

31
      OptString.new('CANBUS', [false, 'CAN Bus to perform scan on, defaults to connected bus', nil])

32
    ])

33
  end

34


35
  def run

36
    unless client.automotive

37
      print_error('The hwbridge requires a functional automotive extention')

38
      return

39
    end

40
    stopid = datastore['STARTID']

41
    stopid = datastore['STOPID'] unless datastore['STOPID'].nil?

42
    data = '%02X' % datastore['PROBEVALUE']

43
    (datastore['STARTID']..stopid).each do |id|

44
      print_status("Probing 0x#{id.to_s(16)}...")

45
      8.times do |pos|

46
        padding = '00' * pos

47
        endpadding = ''

48
        endpadding = ('%02X' % datastore['PADDING']) * (7 - pos) if !datastore['PADDING'].nil?

49
        if datastore['FUZZ']

50
          256.times do |fuzzdata|

51
            client.automotive.cansend(datastore['CANBUS'], id.to_s(16), padding + ('%02X' % fuzzdata) + endpadding)

52
          end

53
        else

54
          client.automotive.cansend(datastore['CANBUS'], id.to_s(16), padding + data + endpadding)

55
        end

56
      end

57
    end

58
    print_status('Probe Complete')

59
  end

60
end

61


62