Adding can_flood post exploitation for CAN #11595

Merged
merged 4 commits into from Apr 1, 2019

@pietrobiondi
Contributor

commented Mar 20, 2019

Description

CAN-Flood is a post-exploitation module that floods a CAN interface for a number of rounds. Both the interface and the number of rounds are to be provided as inputs. An example list of frames also is part of the inputs, and sources the flooding at each round. The module therefore is general as it is parametric in the frame list.

What do you need

  • A session.
  • A file with a list of frames.

Verification

First, start up a virtual CAN bus:

  • sudo modprobe can
  • sudo modprobe vcan
  • sudo ip link add dev vcan0 type vcan
  • sudo ip link set up vcan0

Then do the thing:

  • Start msfconsole
  • use auxiliary/server/local_hwbridge
  • set uripath trycanbus
  • run
  • use auxiliary/client/hwbridge/connect
  • set targeturi trycanbus
  • run
  • use post/hardware/automotive/can_flood
  • set canbus vcan0
  • set session 1
  • run

Output msfconsole

msf5 > use auxiliary/server/local_hwbridge
msf5 auxiliary(server/local_hwbridge) > run
[*] Auxiliary module running as background job 0.

[*] Using URL: http://0.0.0.0:8080/trycanbus
[*] Local IP: http://10.0.2.15:8080/trycanbus
[*] Server started.
msf5 auxiliary(server/local_hwbridge) > use auxiliary/client/hwbridge/connect
msf5 auxiliary(client/hwbridge/connect) > set targeturi trycanbus
targeturi => trycanbus
msf5 auxiliary(client/hwbridge/connect) > run

[*] Attempting to connect to 127.0.0.1...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2019-03-20 03:17:55 -0400
[+] HWBridge session established
[*] HW Specialty: {"automotive"=>true}  Capabilities: {"can"=>true, "custom_methods"=>true}
[!] NOTICE:  You are about to leave the matrix.  All actions performed on this hardware bridge
[!]          could have real world consequences.  Use this module in a controlled testing
[!]          environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf5 auxiliary(client/hwbridge/connect) > use post/hardware/automotive/can_flood 
msf5 post(hardware/automotive/can_flood) > set canbus vcan0
canbus => vcan0
msf5 post(hardware/automotive/can_flood) > set session 1
session => 1
msf5 post(hardware/automotive/can_flood) > run

[*]  -- OPENING FRAMELIST FILE --
[*]  -- FLOODING -- 
[*] Post module execution completed
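
For the monitoring side of the same vcan0 test bench, the following added example (not part of the pull request or of Metasploit) flags flood-like bursts in a capture taken with can-utils `candump -L`. The window size, frame threshold and sample frames are assumptions constructed for illustration.

```ruby
# Added example: flag flood-like bursts in a `candump -L` capture.
LOG_LINE = /\A\((\d+)\.(\d{6})\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)\z/

# Parse one log line; returns nil for anything that is not a data frame.
def parse_frame(line)
  m = LOG_LINE.match(line.strip)
  return nil unless m
  { us: m[1].to_i * 1_000_000 + m[2].to_i, iface: m[3],
    id: m[4].upcase, data: m[5].upcase }
end

# Count frames per fixed window on one interface and return the windows
# whose count exceeds max_frames. Both thresholds are assumptions; tune
# them against a baseline capture of the bus being monitored.
def flood_windows(lines, iface:, window_us: 100_000, max_frames: 50)
  frames = lines.map { |l| parse_frame(l) }.compact.select { |f| f[:iface] == iface }
  frames.group_by { |f| f[:us] / window_us }.sort_by(&:first).map do |bucket, fs|
    next if fs.size <= max_frames
    { start_us: bucket * window_us, frames: fs.size,
      # Few distinct payloads in a dense window suggests a replayed frame list.
      distinct_payloads: fs.map { |f| [f[:id], f[:data]] }.uniq.size,
      ids: fs.map { |f| f[:id] }.uniq.sort }
  end.compact
end

# Constructed sample: 1 s of periodic traffic (one frame every 10 ms),
# then a 3-entry frame list replayed back to back for 100 rounds.
def sample_log
  t0 = 1_553_066_275_000_000
  fmt = ->(us, frame) { format('(%d.%06d) vcan0 %s', us / 1_000_000, us % 1_000_000, frame) }
  normal = (0...100).map { |i| fmt.call(t0 + i * 10_000, i.even? ? '0C9#8021C0' : '1A0#0000FF00') }
  list = ['123#DEADBEEF', '456#00', '7DF#0201050000000000']
  burst = (0...300).map { |i| fmt.call(t0 + 1_000_000 + i * 200, list[i % 3]) }
  normal + burst + ['garbage line']
end

if __FILE__ == $PROGRAM_NAME
  flood_windows(sample_log, iface: 'vcan0').each { |alert| puts alert }
end
```

The periodic traffic stays at 10 frames per 100 ms window and is not reported; the replayed list lands 300 frames with only 3 distinct payloads in one window.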
@bcoles

Contributor

commented Mar 20, 2019

I'm not experienced enough with automotive tech to appropriately review this PR or test this module. Someone else will need to take it from here.

Also, whoever reviews this PR will request module documentation for this module.

@bcoles

Contributor

commented Mar 20, 2019

Tagging @wvu-r7 as per #10127 (comment)

pietrobiondi added some commits Mar 20, 2019

1) changed print_status with vprint_status 2) Fix iterations and line splits 3) Changed name of the module 4) removed DisclosureDate
@pietrobiondi

Contributor Author

commented Mar 21, 2019

Hi @bcoles, @wvu-r7, I made all the required changes, I also added the documentation.

Let me know if there are other changes to make. Thank you.

@bcoles bcoles added docs and removed needs-docs labels Mar 22, 2019

@wvu-r7 wvu-r7 self-assigned this Mar 22, 2019

@pietrobiondi

Contributor Author

commented Mar 27, 2019

Hi, thanks for reviewing my pull request. Regarding the loop, I could move the split operation out of the loop and access the data structure via a further "for loop" on a variable "index". Do you think it's more efficient?
The file entries are arbitrary, depending on the type of car you want to attack.
Thanks for your time.

@wvu-r7

Contributor

commented Mar 27, 2019

Yes, that would be better.

@pietrobiondi

Contributor Author

commented Mar 27, 2019

Okay. Unfortunately at the moment I don't have my laptop with me, so I will make the changes on April 1st.
Thanks.

@wvu-r7

Contributor

commented Mar 27, 2019

@pietrobiondi: I'm happy to make some final changes and get this landed if you'd like. :)

@pietrobiondi

Contributor Author

commented Mar 30, 2019

> @pietrobiondi: I'm happy to make some final changes and get this landed if you'd like. :)

Hello @wvu-r7, I apologize for the delay.
In the last commit I fixed the spacing and format of the documentation.
Moreover, I have analyzed the loop better, and I decided to move the split operation when reading the file in order to optimize the code.

Thanks for the time and suggestions.

@wvu-r7 wvu-r7 merged commit 2afd27a into rapid7:master Apr 1, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

wvu-r7 added a commit that referenced this pull request Apr 1, 2019

@wvu-r7

Contributor

commented Apr 1, 2019

Please see my refactor of your loop here: f5f4c4b. each_index was unnecessary. Thanks.

@wvu-r7

Contributor

commented Apr 1, 2019

Release Notes

The CAN-Flood post module can be used to flood a CAN interface with supplied frames.

@pietrobiondi

Contributor Author

commented Apr 1, 2019

Hello,
I saw your changes and I tested everything.
Everything works perfectly with the loop refactor.
Thanks for all.

@wvu-r7

Contributor

commented Apr 1, 2019

Thank YOU!

msjenkins-r7 added a commit that referenced this pull request Apr 1, 2019
