author | dkemp <dkemp@8d8ab74c-27aa-4a3d-9bde-523a2bc1f624> | 2009-02-03 23:05:20 +0000 |
---|---|---|
committer | dkemp <dkemp@8d8ab74c-27aa-4a3d-9bde-523a2bc1f624> | 2009-02-03 23:05:20 +0000 |
commit | 9f1a22031678f029b209160754047487c03b4713 (patch) | |
tree | 8592310489b3e60d961ad59a43b9dde80126d0a8 | |
parent | db5f95dcee08a3dd0700deacb6385f46c70502be (diff) |
Add example of metasploit-dect code
git-svn-id: https://dedected.org/svn/trunk@63 8d8ab74c-27aa-4a3d-9bde-523a2bc1f624
-rwxr-xr-x | metasploit-dect/README | 22 | ||||
-rwxr-xr-x | metasploit-dect/coa.rb | 169 | ||||
-rwxr-xr-x | metasploit-dect/scanner.rb | 63 |
3 files changed, 254 insertions, 0 deletions
diff --git a/metasploit-dect/README b/metasploit-dect/README
new file mode 100755
index 0000000..2ec9da4
--- /dev/null
+++ b/metasploit-dect/README
@@ -0,0 +1,22 @@
+To install:
+
+COA Mixin:
+
+1. Copy coa.rb [msf directory]/lib/msf/core/exploit/
+2. Edit [msf directory]/lib/msf/core/exploit.rb and add require ''
+
+Example Scanner Module:
+
+1. Create [msf directory]/modules/auxiliary/scanner/coa/ directory
+2. Copy scanner.rb to the above directory
+
+Notes/Bugs:
+
+1. This module relies on the COM-ON-AIR Linux driver and as such won't
+work with Windows systems.
+
+2. The example module uses an infinite loop while scanning, I haven't
+found an elegant way to break out of this w/out using ctrl-c. Thus this
+leaves the file descriptor to the device open. Restarting the module
+won't work you will need to restart Metasploit. I will figure out a fix
+for this at some point in an update.
diff --git a/metasploit-dect/coa.rb b/metasploit-dect/coa.rb
new file mode 100755
index 0000000..2272959
--- /dev/null
+++ b/metasploit-dect/coa.rb
@@ -0,0 +1,169 @@
+module Msf
+
+module Exploit::COA
+
+DECT_BAND_EMEA = 0x01
+DECT_BAND_US = 0x02
+DECT_BAND_BOTH = 0x03
+
+COA_MODE_SNIFF = 0x0300
+COA_SUBMODE_SNIFF_SCANFP = 0x0001
+COA_SUBMODE_SNIFF_SCANPP = 0x0002
+COA_SUBMODE_SNIFF_SYNC = 0x0003
+
+COA_IOCTL_MODE = 0xD000
+COA_IOCTL_RADIO = 0xD001
+COA_IOCTL_RX = 0xD002
+COA_IOCTL_TX = 0xD003
+COA_IOCTL_CHAN = 0xD004
+COA_IOCTL_SLOT = 0xD005
+COA_IOCTL_RSSI = 0xD006
+COA_IOCTL_FIRMWARE = 0xD007
+COA_IOCTL_SETRFPI = 0xD008
+
+station = {
+
+ }
+
+ def initialize(info = {})
+ super
+
+ register_options(
+ [
+ OptString.new('INTERFACE', [true, 'The name of the Com-On-Air Interface', '/dev/coa']),
+ OptString.new('BAND', [true, 'DECT band', DECT_BAND_US]),
+ OptString.new('CHAN', [false, 'DECT channel', 0]),
+ OptString.new('RFPI', [false, 'RFPI for synchronous scan', nil])
+ ], Msf::Exploit::COA
+ )
+ end
+
+ if (Rex::Compat.is_windows())
+ throw "This module only works on Linux systems."
+ end
+
+ def open_coa
+ self.dect_device = File.open(datastore['INTERFACE'], "w+")
+ end
+
+
+ def close_coa
+ self.dect_device.close
+ end
+
+
+ def fp_scan_mode
+ self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SCANFP].pack('s'))
+ set_band(datastore['BAND'])
+ end
+
+ def pp_scan_mode(rfpi)
+ self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SYNC].pack('s'))
+ end
+
+ def call_scan_mode
+ self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SCANPP].pack('s'))
+ end
+
+ def stop
+ self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_IDLE].pack('s'))
+ end
+
+ def rfpi
+ self.rfpi
+ end
+
+ def set_rfpi(r)
+ self.rfpi = r
+ self.dect_device.ioctl(COA_IOCTL_SETRFPI, [self.rfpi].pack('s'))
+ end
+
+ def channel
+ self.channel.to_i
+ end
+
+ def band
+ self.band.to_i
+ end
+
+ def set_band(b)
+ self.band = b.to_i
+
+ if (band == DECT_BAND_US)
+ set_channel(23)
+
+ elsif (band == DECT_BAND_EMEA)
+ set_channel(0)
+
+ elsif (band == DECT_BAND_BOTH)
+ set_channel(0)
+ end
+ end
+
+ def set_channel(chan)
+ self.channel = chan.to_i
+ self.dect_device.ioctl(COA_IOCTL_CHAN, [channel].pack('i'))
+ end
+
+ def next_channel
+ if (band == DECT_BAND_US)
+ if (channel < 27)
+ set_channel(channel + 1)
+ else
+ set_channel(23)
+ end
+
+ elsif (band == DECT_BAND_EMEA)
+ if (channel < 9)
+ set_channel(channel + 1)
+ else
+ set_channel(0)
+ end
+
+ elsif (band == DECT_BAND_BOTH)
+ if (channel < 9)
+ set_channel(channel + 1)
+ elsif (channel == 9)
+ set_channel(23)
+ elsif (channel > 9 && channel < 27)
+ set_channel(channel + 1)
+ else
+ set_channel(0)
+ end
+
+ end
+ end
+
+ def poll
+ data = select([self.dect_device], nil, nil, 0.50)
+ if (data != nil)
+ data = data[0][0].read
+ end
+
+ data
+ end
+
+ def parse_rfpi(data)
+ sprintf("%02x %02x %02x %02x %02x",data[0], data[1], data[2], data[3], data[4])
+ end
+
+ def parse_station(data)
+ station = {
+ 'channel' => data[0],
+ 'rssi' => data[1],
+ 'rfpi' => parse_rfpi(data[2,5])
+ }
+ end
+
+ def parse_call(data)
+ call = {
+ 'channel' => data[0],
+ 'rssi' => data[1],
+ 'rfpi' => parse_rfpi(data[2,5])
+ }
+ end
+
+
+ attr_accessor :dect_device, :channel, :band
+end
+end
diff --git a/metasploit-dect/scanner.rb b/metasploit-dect/scanner.rb
new file mode 100755
index 0000000..4f865fc
--- /dev/null
+++ b/metasploit-dect/scanner.rb
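Review bot: `stop` references `COA_MODE_IDLE`, which this module never defines (only `COA_MODE_SNIFF` is), so the first call to `stop` raises NameError and the device is never taken out of sniff mode; define it next to the other mode constants with the value the driver uses, e.g. `COA_MODE_IDLE = <driver idle mode value>`. The `rfpi` accessor pair is also broken: `def rfpi` returns `self.rfpi`, which is the method itself (unbounded recursion), and `set_rfpi` assigns `self.rfpi =` although `attr_accessor :dect_device, :channel, :band` at the bottom declares no `:rfpi`; drop the hand-written `def rfpi`/`def channel`/`def band` (the later `attr_accessor` silently redefines the last two anyway, so their `.to_i` never runs) and use `attr_accessor :dect_device, :channel, :band, :rfpi`. The Windows guard uses `throw`, which is Ruby's catch/throw rather than an exception raise, and it sits in the module body, so it runs when the mixin file is required rather than when this module is used; `raise` inside `initialize` would fail only the DECT module. `open_coa` opens `datastore['INTERFACE']` with mode `"w+"`, which truncates a regular file if the option is ever pointed at one; `"r+"` together with a `File.chardev?` check before opening would limit the damage of a mistyped path.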
@@ -0,0 +1,63 @@
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::COA
+
+ def initialize
+ super(
+ 'Name' => 'DECT Base Station Scanner',
+ 'Version' => '$revision$',
+ 'Description' => %q{
+ This module scans for DECT device base stations.
+ },
+ 'Author' =>
+ ['DK <privilegedmode@gmail.com>'],
+ 'References' =>
+ [
+ ['Dedected', 'http://www.dedected.org'],
+ ],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options(
+ [
+ OptString.new('VERBOSE',[true,'Be verbose.',true])
+ ],
+ self.class
+ )
+
+ end
+
+ base_stations = []
+
+ def run
+ print_status("Opening interface: #{datastore['INTERFACE']}")
+ open_coa
+ print_status("Using band: #{band}")
+ print_status("Changing to fp scan mode.")
+ fp_scan_mode
+ print_status("Scanning..")
+
+ while (true)
+ data = poll
+
+ if (data != nil)
+ puts data
+ parsed_data = parse_station(data)
+ print_status("Found RFPI: #{parsed_data['rfpi']}")
+ end
+
+ next_channel
+
+ if (datastore['VERBOSE'])
+ print_status("Switching to channel: #{channel}")
+ end
+ sleep(1)
+ end
+
+ stop
+ close_coa
+ end
+end |
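Review bot: The `while (true)` loop in `run` has no exit, so the `stop` and `close_coa` calls after it are unreachable and the ctrl-c the README describes leaves the device descriptor open; wrapping the loop in `begin … ensure` runs the cleanup on Interrupt as well, which is the leak the README says is still unsolved. `VERBOSE` is declared as `OptString` with a boolean default, so `datastore['VERBOSE']` is a string and `if (datastore['VERBOSE'])` is true even for `"false"`; `OptBool.new('VERBOSE', [true, 'Be verbose.', true])` gives the intended switch. `puts data` writes the raw bytes read from the device straight to stdout, and `parse_station` is then called without checking that at least the 7 bytes it indexes (`data[0]`, `data[1]`, `data[2,5]`) arrived, so a short read reaches `sprintf` with `nil` fields; guard the parse with `if data && data.length >= 7` and route any dump through `print_status` only when verbose. `base_stations = []` in the class body is a local that nothing reads.
```ruby
  def run
    # … unchanged: open_coa, fp_scan_mode, status output …
    begin
      loop do
        data = poll
        if data && data.length >= 7
          parsed_data = parse_station(data)
          print_status("Found RFPI: #{parsed_data['rfpi']}")
        end
        # … unchanged: next_channel, verbose channel message, sleep(1) …
      end
    ensure
      stop
      close_coa
    end
  end
```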