authordkemp <dkemp@8d8ab74c-27aa-4a3d-9bde-523a2bc1f624>2009-02-03 23:05:20 +0000
committerdkemp <dkemp@8d8ab74c-27aa-4a3d-9bde-523a2bc1f624>2009-02-03 23:05:20 +0000
commit9f1a22031678f029b209160754047487c03b4713 (patch)
tree8592310489b3e60d961ad59a43b9dde80126d0a8
parentdb5f95dcee08a3dd0700deacb6385f46c70502be (diff)
Add example of metasploit-dect code
git-svn-id: https://dedected.org/svn/trunk@63 8d8ab74c-27aa-4a3d-9bde-523a2bc1f624
-rwxr-xr-xmetasploit-dect/README22
-rwxr-xr-xmetasploit-dect/coa.rb169
-rwxr-xr-xmetasploit-dect/scanner.rb63
3 files changed, 254 insertions, 0 deletions
diff --git a/metasploit-dect/README b/metasploit-dect/README
new file mode 100755
index 0000000..2ec9da4
--- /dev/null
+++ b/metasploit-dect/README
@@ -0,0 +1,22 @@
+To install:
+
+COA Mixin:
+
+1. Copy coa.rb [msf directory]/lib/msf/core/exploit/
+2. Edit [msf directory]/lib/msf/core/exploit.rb and add require ''
+
+Example Scanner Module:
+
+1. Create [msf directory]/modules/auxiliary/scanner/coa/ directory
+2. Copy scanner.rb to the above directory
+
+Notes/Bugs:
+
+1. This module relies on the COM-ON-AIR Linux driver and as such won't
+work with Windows systems.
+
+2. The example module uses an infinite loop while scanning, I haven't
+found an elegant way to break out of this w/out using ctrl-c. Thus this
+leaves the file descriptor to the device open. Restarting the module
+won't work you will need to restart Metasploit. I will figure out a fix
+for this at some point in an update.
diff --git a/metasploit-dect/coa.rb b/metasploit-dect/coa.rb
new file mode 100755
index 0000000..2272959
--- /dev/null
+++ b/metasploit-dect/coa.rb
@@ -0,0 +1,169 @@
+module Msf
+
+module Exploit::COA
+
+DECT_BAND_EMEA = 0x01
+DECT_BAND_US = 0x02
+DECT_BAND_BOTH = 0x03
+
+COA_MODE_SNIFF = 0x0300
+COA_SUBMODE_SNIFF_SCANFP = 0x0001
+COA_SUBMODE_SNIFF_SCANPP = 0x0002
+COA_SUBMODE_SNIFF_SYNC = 0x0003
+
+COA_IOCTL_MODE = 0xD000
+COA_IOCTL_RADIO = 0xD001
+COA_IOCTL_RX = 0xD002
+COA_IOCTL_TX = 0xD003
+COA_IOCTL_CHAN = 0xD004
+COA_IOCTL_SLOT = 0xD005
+COA_IOCTL_RSSI = 0xD006
+COA_IOCTL_FIRMWARE = 0xD007
+COA_IOCTL_SETRFPI = 0xD008
+
+station = {
+
+ }
+
+ def initialize(info = {})
+ super
+
+ register_options(
+ [
+ OptString.new('INTERFACE', [true, 'The name of the Com-On-Air Interface', '/dev/coa']),
+ OptString.new('BAND', [true, 'DECT band', DECT_BAND_US]),
+ OptString.new('CHAN', [false, 'DECT channel', 0]),
+ OptString.new('RFPI', [false, 'RFPI for synchronous scan', nil])
+ ], Msf::Exploit::COA
+ )
+ end
+
+ if (Rex::Compat.is_windows())
+ throw "This module only works on Linux systems."
+ end
+
+ def open_coa
+ self.dect_device = File.open(datastore['INTERFACE'], "w+")
+ end
+
+
+ def close_coa
+ self.dect_device.close
+ end
+
+
+ def fp_scan_mode
+ self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SCANFP].pack('s'))
+ set_band(datastore['BAND'])
+ end
+
+ def pp_scan_mode(rfpi)
+ self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SYNC].pack('s'))
+ end
+
+ def call_scan_mode
+ self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SCANPP].pack('s'))
+ end
+
+ def stop
+ self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_IDLE].pack('s'))
+ end
+
+ def rfpi
+ self.rfpi
+ end
+
+ def set_rfpi(r)
+ self.rfpi = r
+ self.dect_device.ioctl(COA_IOCTL_SETRFPI, [self.rfpi].pack('s'))
+ end
+
+ def channel
+ self.channel.to_i
+ end
+
+ def band
+ self.band.to_i
+ end
+
+ def set_band(b)
+ self.band = b.to_i
+
+ if (band == DECT_BAND_US)
+ set_channel(23)
+
+ elsif (band == DECT_BAND_EMEA)
+ set_channel(0)
+
+ elsif (band == DECT_BAND_BOTH)
+ set_channel(0)
+ end
+ end
+
+ def set_channel(chan)
+ self.channel = chan.to_i
+ self.dect_device.ioctl(COA_IOCTL_CHAN, [channel].pack('i'))
+ end
+
+ def next_channel
+ if (band == DECT_BAND_US)
+ if (channel < 27)
+ set_channel(channel + 1)
+ else
+ set_channel(23)
+ end
+
+ elsif (band == DECT_BAND_EMEA)
+ if (channel < 9)
+ set_channel(channel + 1)
+ else
+ set_channel(0)
+ end
+
+ elsif (band == DECT_BAND_BOTH)
+ if (channel < 9)
+ set_channel(channel + 1)
+ elsif (channel == 9)
+ set_channel(23)
+ elsif (channel > 9 && channel < 27)
+ set_channel(channel + 1)
+ else
+ set_channel(0)
+ end
+
+ end
+ end
+
+ def poll
+ data = select([self.dect_device], nil, nil, 0.50)
+ if (data != nil)
+ data = data[0][0].read
+ end
+
+ data
+ end
+
+ def parse_rfpi(data)
+ sprintf("%02x %02x %02x %02x %02x",data[0], data[1], data[2], data[3], data[4])
+ end
+
+ def parse_station(data)
+ station = {
+ 'channel' => data[0],
+ 'rssi' => data[1],
+ 'rfpi' => parse_rfpi(data[2,5])
+ }
+ end
+
+ def parse_call(data)
+ call = {
+ 'channel' => data[0],
+ 'rssi' => data[1],
+ 'rfpi' => parse_rfpi(data[2,5])
+ }
+ end
+
+
+ attr_accessor :dect_device, :channel, :band
+end
+end
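Review bot: `stop` references `COA_MODE_IDLE`, which this module never defines — only `COA_MODE_SNIFF` and the `COA_SUBMODE_*` values are declared — so calling it raises NameError and the radio is never taken out of sniff mode; define `COA_MODE_IDLE` beside `COA_MODE_SNIFF` with the driver's idle mode value. The `attr_accessor` on the last line omits `:rfpi`, so `def rfpi; self.rfpi; end` recurses until SystemStackError and `self.rfpi = r` in `set_rfpi` raises NoMethodError; change it to `attr_accessor :dect_device, :channel, :band, :rfpi` and drop the hand-written `rfpi`, `channel` and `band` readers, which that later `attr_accessor` silently overrides anyway (so the `.to_i` in them is already dead). `throw "This module only works on Linux systems."` in the module body is catch/throw, not an exception, and runs at load time; use `raise` instead. `parse_station` and `parse_call` index seven bytes of whatever `poll` read from the device without checking the length, so a short read yields `nil` fields and `sprintf("%02x", nil)` raises TypeError; guard with `return nil unless data && data.length >= 7`. The `pack('s')` versus `pack('i')` argument widths for the ioctls presumably mirror the com-on-air driver's structs — worth confirming against the driver headers, since the wrong width is passed straight to the kernel.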
diff --git a/metasploit-dect/scanner.rb b/metasploit-dect/scanner.rb
new file mode 100755
index 0000000..4f865fc
--- /dev/null
+++ b/metasploit-dect/scanner.rb
@@ -0,0 +1,63 @@
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::COA
+
+ def initialize
+ super(
+ 'Name' => 'DECT Base Station Scanner',
+ 'Version' => '$revision$',
+ 'Description' => %q{
+ This module scans for DECT device base stations.
+ },
+ 'Author' =>
+ ['DK <privilegedmode@gmail.com>'],
+ 'References' =>
+ [
+ ['Dedected', 'http://www.dedected.org'],
+ ],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options(
+ [
+ OptString.new('VERBOSE',[true,'Be verbose.',true])
+ ],
+ self.class
+ )
+
+ end
+
+ base_stations = []
+
+ def run
+ print_status("Opening interface: #{datastore['INTERFACE']}")
+ open_coa
+ print_status("Using band: #{band}")
+ print_status("Changing to fp scan mode.")
+ fp_scan_mode
+ print_status("Scanning..")
+
+ while (true)
+ data = poll
+
+ if (data != nil)
+ puts data
+ parsed_data = parse_station(data)
+ print_status("Found RFPI: #{parsed_data['rfpi']}")
+ end
+
+ next_channel
+
+ if (datastore['VERBOSE'])
+ print_status("Switching to channel: #{channel}")
+ end
+ sleep(1)
+ end
+
+ stop
+ close_coa
+ end
+end
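Review bot: `stop` and `close_coa` after the `while (true)` loop are unreachable, which is the open-descriptor problem the README describes — Ctrl-C raises Interrupt out of `run` and the device is never closed; wrap the loop in `begin … ensure stop; close_coa; end` so cleanup runs on any exit, including the interrupt. `VERBOSE` is declared as `OptString` with a boolean default, so `datastore['VERBOSE']` is a String and `"false"` is still truthy, making the `if (datastore['VERBOSE'])` branch unconditional; use `OptBool.new('VERBOSE', [true, 'Be verbose.', true])`. `print_status("Using band: #{band}")` runs before `fp_scan_mode` calls `set_band`, so `band` is still nil at that point; move the message after `fp_scan_mode` or print `datastore['BAND']`. `puts data` writes the raw device bytes straight to stdout rather than through the module's `print_*` output, and `parse_station` is then called on data whose length is never checked; `print_status(data.unpack('C*').inspect)` guarded by a length check would be safer. The `base_stations = []` local in the class body is never visible from `run` and can be removed.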