##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
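class MetasploitModule < Msf::Post

  # A CAN data frame carries at most 8 payload bytes; positions 0..7 are probed.
  FRAME_BYTES = 8
  # PROBEVALUE and PADDING are each formatted with '%02X' into a single byte.
  # Anything outside 0..255 would yield an odd-length (or '..F' for negatives)
  # hex string, i.e. a malformed payload handed to cansend.
  MAX_BYTE = 0xFF

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Module to Probe Different Data Points in a CAN Packet',
        'Description' => %q{
          Scans between two CAN IDs and writes data at each byte position. It will
          either write a set byte value (Default 0xFF) or iterate through all possible values
          of that byte position (takes much longer). Does not check for responses and is
          basically a simple blind fuzzer.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Craig Smith'],
        'Platform' => ['hardware'],
        'SessionTypes' => ['hwbridge'],
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [PHYSICAL_EFFECTS],
          'Reliability' => []
        }
      )
    )
    register_options([
      OptInt.new('STARTID', [false, 'CAN ID to start scan', 0x300]),
      OptInt.new('STOPID', [false, 'CAN ID to stop scan', nil]),
      OptInt.new('PROBEVALUE', [false, 'Value to inject in the data stream', 0xFF]),
      OptInt.new('PADDING', [false, 'If a value is given a full 8 bytes will be used and padded with this value', nil]),
      OptBool.new('FUZZ', [false, 'If true iterates through all possible values for each data position', false]),
      OptString.new('CANBUS', [false, 'CAN Bus to perform scan on, defaults to connected bus', nil])
    ])
  end

  # Sends one frame per (CAN ID, byte position, value) combination onto the bus.
  #
  # Frames are sent blind: nothing on the bus is read back and cansend's return
  # value is not inspected. CAN has no sender authentication, so receiving ECUs
  # will act on whatever arrives; only run this on a bench harness or with the
  # vehicle in a state where unexpected actuator behaviour is safe.
  #
  # Reads STARTID, STOPID, PROBEVALUE, PADDING, FUZZ and CANBUS from the
  # datastore. Returns nil; prints an error and stops early when the hwbridge
  # has no automotive extension or an option cannot produce a valid payload.
  def run
    unless client.automotive
      print_error('The hwbridge requires a functional automotive extension')
      return
    end

    startid = datastore['STARTID']
    # No STOPID means probe only the start ID.
    stopid = datastore['STOPID'].nil? ? startid : datastore['STOPID']
    probevalue = datastore['PROBEVALUE']
    pad = datastore['PADDING']
    fuzz = datastore['FUZZ']

    if startid.nil?
      print_error('STARTID must be set')
      return
    end
    # An inverted range would silently produce an empty scan.
    if stopid < startid
      print_error("STOPID (0x#{stopid.to_s(16)}) is lower than STARTID (0x#{startid.to_s(16)}); nothing to scan")
      return
    end
    # PROBEVALUE is only used when not fuzzing, so only validate it then.
    if !fuzz && !byte_value?(probevalue)
      print_error("PROBEVALUE must be a single byte (0-255), got #{probevalue.inspect}")
      return
    end
    if !pad.nil? && !byte_value?(pad)
      print_error("PADDING must be a single byte (0-255), got #{pad.inspect}")
      return
    end

    # NOTE(review): CAN IDs are not range-checked here (11-bit <= 0x7FF, 29-bit
    # <= 0x1FFFFFFF); whether the hwbridge rejects out-of-range IDs is not
    # visible from this module.
    print_warning('Sending frames blind onto the CAN bus; ECUs may act on them (physical side effects)')

    # In FUZZ mode every byte value 0..255 is tried at each position; otherwise
    # only PROBEVALUE is written there.
    values = fuzz ? (0..MAX_BYTE) : [probevalue]
    (startid..stopid).each do |id|
      print_status("Probing 0x#{id.to_s(16)}...")
      FRAME_BYTES.times do |pos|
        values.each do |value|
          client.automotive.cansend(datastore['CANBUS'], id.to_s(16), probe_payload(pos, value, pad))
        end
      end
    end
    print_status('Probe Complete')
  end

  private

  # Builds the uppercase hex payload for one frame: `pos` leading 0x00 bytes,
  # then `value` at position `pos`, then - only when `pad` is given - enough
  # `pad` bytes to fill all FRAME_BYTES. Leading bytes are always 0x00, never
  # `pad`. Without `pad` the frame is pos+1 bytes long.
  # e.g. probe_payload(2, 0xFF, nil) => "0000FF", probe_payload(1, 0x01, 0xAA) => "0001AAAAAAAAAAAA"
  def probe_payload(pos, value, pad)
    payload = ('00' * pos) + ('%02X' % value)
    payload << (('%02X' % pad) * (FRAME_BYTES - 1 - pos)) unless pad.nil?
    payload
  end

  # True when v is an Integer that fits in one CAN data byte.
  def byte_value?(v)
    v.is_a?(Integer) && v.between?(0, MAX_BYTE)
  end
end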