
Add example of metasploit-dect code

git-svn-id: https://dedected.org/svn/trunk@63 8d8ab74c-27aa-4a3d-9bde-523a2bc1f624
This commit is contained in:
dkemp 2009-02-03 23:05:20 +00:00
parent db5f95dcee
commit 9f1a220316
3 changed files with 254 additions and 0 deletions

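--- a/metasploit-dect/README
+++ b/metasploit-dect/README
@@ -0,0 +1,22 @@
+To install:
+COA Mixin:
+1. Copy coa.rb [msf directory]/lib/msf/core/exploit/
+2. Edit [msf directory]/lib/msf/core/exploit.rb and add require ''
+Example Scanner Module:
+1. Create [msf directory]/modules/auxiliary/scanner/coa/ directory
+2. Copy scanner.rb to the above directory
+Notes/Bugs:
+1. This module relies on the COM-ON-AIR Linux driver and as such won't
+work with Windows systems.
+2. The example module uses an infinite loop while scanning, I haven't
+found an elegant way to break out of this w/out using ctrl-c. Thus this
+leaves the file descriptor to the device open. Restarting the module
+won't work you will need to restart Metasploit. I will figure out a fix
+for this at some point in an update.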

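--- a/metasploit-dect/coa.rb
+++ b/metasploit-dect/coa.rb
@@ -0,0 +1,169 @@
+module Msf
+module Exploit::COA
+DECT_BAND_EMEA = 0x01
+DECT_BAND_US = 0x02
+DECT_BAND_BOTH = 0x03
+COA_MODE_SNIFF = 0x0300
+COA_SUBMODE_SNIFF_SCANFP = 0x0001
+COA_SUBMODE_SNIFF_SCANPP = 0x0002
+COA_SUBMODE_SNIFF_SYNC = 0x0003
+COA_IOCTL_MODE = 0xD000
+COA_IOCTL_RADIO = 0xD001
+COA_IOCTL_RX = 0xD002
+COA_IOCTL_TX = 0xD003
+COA_IOCTL_CHAN = 0xD004
+COA_IOCTL_SLOT = 0xD005
+COA_IOCTL_RSSI = 0xD006
+COA_IOCTL_FIRMWARE = 0xD007
+COA_IOCTL_SETRFPI = 0xD008
+station = {
+}
+def initialize(info = {})
+super
+register_options(
+[
+OptString.new('INTERFACE', [true, 'The name of the Com-On-Air Interface', '/dev/coa']),
+OptString.new('BAND', [true, 'DECT band', DECT_BAND_US]),
+OptString.new('CHAN', [false, 'DECT channel', 0]),
+OptString.new('RFPI', [false, 'RFPI for synchronous scan', nil])
+], Msf::Exploit::COA
+)
+end
+if (Rex::Compat.is_windows())
+throw "This module only works on Linux systems."
+end
+def open_coa
+self.dect_device = File.open(datastore['INTERFACE'], "w+")
+end
+def close_coa
+self.dect_device.close
+end
+def fp_scan_mode
+self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SCANFP].pack('s'))
+set_band(datastore['BAND'])
+end
+def pp_scan_mode(rfpi)
+self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SYNC].pack('s'))
+end
+def call_scan_mode
+self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SCANPP].pack('s'))
+end
+def stop
+self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_IDLE].pack('s'))
+end
+def rfpi
+self.rfpi
+end
+def set_rfpi(r)
+self.rfpi = r
+self.dect_device.ioctl(COA_IOCTL_SETRFPI, [self.rfpi].pack('s'))
+end
+def channel
+self.channel.to_i
+end
+def band
+self.band.to_i
+end
+def set_band(b)
+self.band = b.to_i
+if (band == DECT_BAND_US)
+set_channel(23)
+elsif (band == DECT_BAND_EMEA)
+set_channel(0)
+elsif (band == DECT_BAND_BOTH)
+set_channel(0)
+end
+end
+def set_channel(chan)
+self.channel = chan.to_i
+self.dect_device.ioctl(COA_IOCTL_CHAN, [channel].pack('i'))
+end
+def next_channel
+if (band == DECT_BAND_US)
+if (channel < 27)
+set_channel(channel + 1)
+else
+set_channel(23)
+end
+elsif (band == DECT_BAND_EMEA)
+if (channel < 9)
+set_channel(channel + 1)
+else
+set_channel(0)
+end
+elsif (band == DECT_BAND_BOTH)
+if (channel < 9)
+set_channel(channel + 1)
+elsif (channel == 9)
+set_channel(23)
+elsif (channel > 9 && channel < 27)
+set_channel(channel + 1)
+else
+set_channel(0)
+end
+end
+end
+def poll
+data = select([self.dect_device], nil, nil, 0.50)
+if (data != nil)
+data = data[0][0].read
+end
+data
+end
+def parse_rfpi(data)
+sprintf("%02x %02x %02x %02x %02x",data[0], data[1], data[2], data[3], data[4])
+end
+def parse_station(data)
+station = {
+'channel' => data[0],
+'rssi' => data[1],
+'rfpi' => parse_rfpi(data[2,5])
+}
+end
+def parse_call(data)
+call = {
+'channel' => data[0],
+'rssi' => data[1],
+'rfpi' => parse_rfpi(data[2,5])
+}
+end
+attr_accessor :dect_device, :channel, :band
+end
+end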
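Review bot: `stop` passes `COA_MODE_IDLE` to the mode ioctl, but that constant is never defined — the constant list at the top of the module declares `COA_MODE_SNIFF` and the `COA_IOCTL_*`/`COA_SUBMODE_*` values only — so the first attempt to idle the radio raises NameError and the device is left in sniff mode; add `COA_MODE_IDLE = <mode value from the COM-ON-AIR driver header>` next to `COA_MODE_SNIFF`. The `rfpi` reader returns `self.rfpi`, which is a call to itself and recurses until SystemStackError, and `set_rfpi` assigns `self.rfpi =` although `:rfpi` is not among the `attr_accessor` names on the last line; adding `:rfpi` to that `attr_accessor` and deleting the hand-written `rfpi`, `channel` and `band` readers (the accessor, being defined after them, already replaces the latter two) fixes both. The load-time Windows guard uses `throw` with a String; outside a matching `catch` that surfaces as an uncaught-throw error rather than the intended message, so it should be `raise "This module only works on Linux systems."`. `pp_scan_mode(rfpi)` never uses its argument, so a caller passing an RFPI for the synchronous scan gets no `set_rfpi` call unless it makes one itself; either call `set_rfpi(rfpi)` inside or drop the parameter. `station = {}` in the module body is a local that no method can see and is unused.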

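--- a/metasploit-dect/scanner.rb
+++ b/metasploit-dect/scanner.rb
@@ -0,0 +1,63 @@
+require 'msf/core'
+class Metasploit3 < Msf::Auxiliary
+include Msf::Exploit::COA
+def initialize
+super(
+'Name' => 'DECT Base Station Scanner',
+'Version' => '$revision$',
+'Description' => %q{
+This module scans for DECT device base stations.
+},
+'Author' =>
+['DK <privilegedmode@gmail.com>'],
+'References' =>
+[
+['Dedected', 'http://www.dedected.org'],
+],
+'License' => MSF_LICENSE
+)
+register_options(
+[
+OptString.new('VERBOSE',[true,'Be verbose.',true])
+],
+self.class
+)
+end
+base_stations = []
+def run
+print_status("Opening interface: #{datastore['INTERFACE']}")
+open_coa
+print_status("Using band: #{band}")
+print_status("Changing to fp scan mode.")
+fp_scan_mode
+print_status("Scanning..")
+while (true)
+data = poll
+if (data != nil)
+puts data
+parsed_data = parse_station(data)
+print_status("Found RFPI: #{parsed_data['rfpi']}")
+end
+next_channel
+if (datastore['VERBOSE'])
+print_status("Switching to channel: #{channel}")
+end
+sleep(1)
+end
+stop
+close_coa
+end
+end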
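Review bot: The `while (true)` loop in `run` has no exit, so the `stop` and `close_coa` calls after it are unreachable and an interrupt leaves the device descriptor open — the leak the README lists as a known bug. Wrapping the loop as `begin` … `ensure` with `stop` and `close_coa` moved into the `ensure` clause releases the device when the user breaks out with Ctrl-C, since Interrupt still runs `ensure`, without needing a loop-exit condition. `VERBOSE` is registered as an `OptString` with a boolean default, so a user-supplied `false` presumably arrives as the non-empty string `"false"` and `if (datastore['VERBOSE'])` stays truthy; `OptBool` is the option type intended here. `puts data` before `parse_station` writes the raw device bytes to stdout and looks like a debugging leftover, and `parse_station` indexes at least seven bytes of `data` without checking the length of what `poll` returned. `base_stations = []` in the class body is a local that `run` cannot see and is never used.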