
Adding can_flood post exploitation for CAN #11595

Merged
merged 4 commits into from
Apr 1, 2019

Conversation

pietrobiondi (Contributor)

Description

CAN-Flood is a post-exploitation module that floods a CAN interface for a number of rounds. Both the interface and the number of rounds are to be provided as inputs. An example list of frames also is part of the inputs, and sources the flooding at each round. The module therefore is general as it is parametric in the frame list.

What do you need

  • A session.
  • A file with a list of frames.

Verification

First, start up a virtual CAN bus:

  • sudo modprobe can
  • sudo modprobe vcan
  • sudo ip link add dev vcan0 type vcan
  • sudo ip link set up vcan0

Then do the thing:

  • Start msfconsole

  • use auxiliary/server/local_hwbridge

  • set uripath trycanbus

  • run

  • use auxiliary/client/hwbridge/connect

  • set targeturi trycanbus

  • run

  • use post/hardware/automotive/can_flood

  • set canbus vcan0

  • set session 1

  • run

Output msfconsole

msf5 > use auxiliary/server/local_hwbridge
msf5 auxiliary(server/local_hwbridge) > run
[*] Auxiliary module running as background job 0.

[*] Using URL: http://0.0.0.0:8080/trycanbus
[*] Local IP: http://10.0.2.15:8080/trycanbus
[*] Server started.
msf5 auxiliary(server/local_hwbridge) > use auxiliary/client/hwbridge/connect
msf5 auxiliary(client/hwbridge/connect) > set targeturi trycanbus
targeturi => trycanbus
msf5 auxiliary(client/hwbridge/connect) > run

[*] Attempting to connect to 127.0.0.1...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2019-03-20 03:17:55 -0400
[+] HWBridge session established
[*] HW Specialty: {"automotive"=>true}  Capabilities: {"can"=>true, "custom_methods"=>true}
[!] NOTICE:  You are about to leave the matrix.  All actions performed on this hardware bridge
[!]          could have real world consequences.  Use this module in a controlled testing
[!]          environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf5 auxiliary(client/hwbridge/connect) > use post/hardware/automotive/can_flood 
msf5 post(hardware/automotive/can_flood) > set canbus vcan0
canbus => vcan0
msf5 post(hardware/automotive/can_flood) > set session 1
session => 1
msf5 post(hardware/automotive/can_flood) > run

[*]  -- OPENING FRAMELIST FILE --
[*]  -- FLOODING -- 
[*] Post module execution completed

@bcoles (Contributor)

bcoles commented Mar 20, 2019

I'm not experienced enough with automotive tech to appropriately review this PR or test this module. Someone else will need to take it from here.

Also, whoever reviews this PR will request module documentation for this module.

@bcoles (Contributor)

bcoles commented Mar 20, 2019

Tagging @wvu-r7 as per #10127 (comment)

@pietrobiondi (Contributor Author)

Hi @bcoles, @wvu-r7, I made all the required changes, I also added the documentation.

Let me know if there are other changes to make. Thank you.

@bcoles bcoles added docs and removed needs-docs labels Mar 22, 2019
@wvu wvu self-assigned this Mar 22, 2019
@pietrobiondi (Contributor Author)

Hi, thanks for reviewing my pull request. Regarding the loop, I could move the split operation out of the loop and access the data structure via a further "for loop" on a variable "index". Do you think it's more efficient?
The file entries are arbitrary, depending on the type of car you want to attack.
Thanks for your time.

@wvu (Contributor)

wvu commented Mar 27, 2019

Yes, that would be better.

@pietrobiondi (Contributor Author)

Okay. Unfortunately at the moment I don't have my laptop with me, so I will make the changes on April 1st.
Thanks.

@wvu (Contributor)

wvu commented Mar 27, 2019

@pietrobiondi: I'm happy to make some final changes and get this landed if you'd like. :)

@pietrobiondi (Contributor Author)

@pietrobiondi: I'm happy to make some final changes and get this landed if you'd like. :)

Hello @wvu-r7, I apologize for the delay.
In the last commit I fixed the spacing and format of the documentation.
Moreover, I have analyzed the loop better, and I decided to move the split operation when reading the file in order to optimize the code.

Thanks for the time and suggestions.

@wvu wvu merged commit 2afd27a into rapid7:master Apr 1, 2019
wvu added a commit that referenced this pull request Apr 1, 2019
@wvu (Contributor)

wvu commented Apr 1, 2019

Please see my refactor of your loop here: f5f4c4b. each_index was unnecessary. Thanks.
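
The module described in the PR description (a parametric flood over a list of frames for N rounds) and the "parse once, then loop" refactor discussed above, as an added illustration that is not the can_flood module's own code. The frame-file format ("<hex ID>#<hex data>" per line), the `Frame` struct, the `sender` callable and the sample input are all constructed assumptions for this example; the point is that the frame list is validated and split exactly once, before any round runs, so a malformed file is rejected up front instead of failing mid-flood.

```ruby
# Added example, not code from the can_flood module. Assumed file format
# (constructed): one frame per line as "<hex ID>#<hex data>", e.g.
# "123#DEADBEEF"; blank lines and lines starting with '#' are skipped.
require 'stringio'

# A parsed frame: CAN identifier and up to 8 data bytes.
Frame = Struct.new(:id, :data)

# Parse and validate the whole frame list once, before the flood loop.
# Returns an Array of Frame; raises ArgumentError on the first bad line.
def parse_frame_list(io)
  frames = []
  io.each_line.with_index(1) do |line, n|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    id_hex, data_hex = line.split('#', 2)
    raise ArgumentError, "line #{n}: expected ID#DATA" unless id_hex && data_hex
    raise ArgumentError, "line #{n}: bad ID" unless id_hex =~ /\A\h{1,8}\z/
    # classic CAN payload: 0..8 bytes, given as whole hex byte pairs
    raise ArgumentError, "line #{n}: bad data" unless data_hex =~ /\A(\h\h){0,8}\z/
    id = id_hex.to_i(16)
    raise ArgumentError, "line #{n}: ID exceeds 29 bits" if id > 0x1FFFFFFF
    frames << Frame.new(id, [data_hex].pack('H*').bytes)
  end
  frames
end

# The per-round loop only sends; no string splitting happens here.
# `sender` is any callable taking (id, data_bytes). Returns frames sent.
def flood(frames, rounds, sender)
  sent = 0
  rounds.times do
    frames.each do |f|
      sender.call(f.id, f.data)
      sent += 1
    end
  end
  sent
end

# Constructed sample frame list (not from the PR).
SAMPLE = "# constructed sample\n123#DEADBEEF\n7DF#0201050000000000\n\n"

if __FILE__ == $0
  frames = parse_frame_list(StringIO.new(SAMPLE))
  log = []
  puts flood(frames, 3, ->(id, data) { log << [id, data] })  # prints 6
end
```

With a real hardware bridge session the `sender` lambda would wrap the bridge's CAN send call; here it just records what would have gone onto the bus.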

@wvu (Contributor)

wvu commented Apr 1, 2019

Release Notes

The CAN-Flood post module can be used to flood a CAN interface with supplied frames.

@pietrobiondi (Contributor Author)

Hello,
I saw your changes and I tested everything.
Everything works perfectly with the loop refactor.
Thanks for all.

@wvu (Contributor)

wvu commented Apr 1, 2019

Thank YOU!

msjenkins-r7 pushed a commit that referenced this pull request Apr 1, 2019
@tdoan-r7 added the rn-enhancement (release notes enhancement) and rn-modules (release notes for new or majorly enhanced modules) labels Apr 15, 2019
@tdoan-r7 removed the rn-enhancement (release notes enhancement) label Apr 15, 2019