Land rapid7#8290, Hwbridge Automotive Fix and Extension Enhancements

Author: pbarry-r7

lib/msf/core/post/hardware/automotive/dtc.rb

@@ -393,7 +393,7 @@ def get_dtcs(bus, src_id, dst_id, opt = {})
     end
     if (data.key? "Packets") && !data["Packets"].empty?
       data = response_hash_to_data_array(dst_id, data, 4)
-      if !data.empty? && data.even?
+      if !data.empty? && data.size.even?
         (0..data.size / 2).step(2) do |idx|
           code = ""
           case data[idx].hex & 0xC0 >> 3

lib/msf/core/post/hardware/automotive/uds.rb

@@ -220,26 +220,26 @@ def dot154_packet_decode(packet)
       daddr_mask = (fcf & DOT154_FCF_DADDR_MASK) >> 10
       if daddr_mask == DOT154_FCF_ADDR_EXT
         pktchop[3] = packet[offset,8]
-        offset+=8
+        offset += 8
       elsif daddr_mask == DOT154_FCF_ADDR_SHORT
         pktchop[3] = packet[offset,2]
-        offset+=2
+        offset += 2
       end
 
       # Examine the Intra-PAN flag
       if (fcf & DOT154_FCF_INTRA_PAN) == 0
         pktchop[4] = packet[offset,2]
-        offset+=2
+        offset += 2
       end
 
       # Examine the source addressing mode
       saddr_mask = (fcf & DOT154_FCF_SADDR_MASK) >> 14
       if daddr_mask == DOT154_FCF_ADDR_EXT
         pktchop[5] = packet[offset,8]
-        offset+=8
+        offset += 8
       elsif daddr_mask == DOT154_FCF_ADDR_SHORT
         pktchop[5] = packet[offset,2]
-        offset+=2
+        offset += 2
       end
     end
     # Append remaining payload

lib/msf/core/post/hardware/zigbee/utils.rb

@@ -63,6 +63,13 @@ def get_status
     send_request("/status")
   end
 
+  #
+  # Gets the devices statistics
+  #
+  def get_statistics
+    send_request("/statistics")
+  end
+
   #
   # Fetches custom methods from HW, if any
   #

lib/rex/post/hwbridge/client.rb

@@ -41,7 +41,7 @@ def is_valid_bus?(bus)
     valid = false
     get_supported_buses if buses.nil?
     unless bus.blank?
-      buses.each do |b|
+      self.buses.each do |b|
         valid = true if b["bus_name"] == bus
       end
     end
@@ -86,8 +86,8 @@ def set_active_bus(bus)
   end
 
   def get_supported_buses
-    buses = client.send_request("/automotive/supported_buses")
-    buses
+    self.buses = client.send_request("/automotive/supported_buses")
+    self.buses
   end
 
   def get_bus_config(bus)

lib/rex/post/hwbridge/extensions/automotive/automotive.rb

@@ -56,8 +56,8 @@ module UDSErrors
   0x78 => "RCRRP",
   0x7E => "SFNSIAS",
   0x7F => "SNSIAS",
-  0x81 => "RTH",
-  0x82 => "RTL",
+  0x81 => "RPMTH",
+  0x82 => "RPMTL",
   0x83 => "EIR",
   0x84 => "EINR",
   0x85 => "ERTTL",
@@ -100,8 +100,8 @@ module UDSErrors
   "RCRRP" => "Request Correctly Received, but Response is Pending",
   "SFNSIAS" => "Sub-Function Not Supoorted In Active Session",
   "SNSIAS" => "Service Not Supported In Active Session",
-  "RTH" => "RPM Too High",
-  "RTL" => "RPM Too Low",
+  "RPMTH" => "RPM Too High",
+  "RPMTL" => "RPM Too Low",
   "EIR" => "Engine is Running",
   "EINR" => "Engine is not Running",
   "ERTTL" => "Engine Run Time Too Low",
@@ -117,7 +117,7 @@ module UDSErrors
   "SLNIP" => "Shifter Lever Not In Park",
   "TCCL" => "Torque Converter Clutch Locked",
   "VTH" => "Voltage Too High",
-  "VTL" => "Voltage Too Low" 
+  "VTL" => "Voltage Too Low"
 }
 
 end

lib/rex/post/hwbridge/extensions/automotive/uds_errors.rb

@@ -13,6 +13,12 @@ class Console::CommandDispatcher::Automotive
   include Console::CommandDispatcher
   include Msf::Auxiliary::Report
 
+  def initialize(shell)
+    super
+    self.tpjobs     = []
+    self.tpjob_id   = 0
+  end
+
   #
   # List of supported commands.
   #
@@ -21,14 +27,17 @@ def commands
       'supported_buses'   => 'Get supported buses',
       'busconfig'         => 'Get baud configs',
       'connect'           => 'Get HW supported methods for a bus',
-      'cansend'           => 'Send a CAN packet'
+      'cansend'           => 'Send a CAN packet',
+      'isotpsend'         => 'Send an ISO-TP Packet and get a response',
+      'testerpresent'     => 'Sends TesterPresent Pulses to the bus'
     }
 
     reqs = {
       'supported_buses'  => ['get_supported_buses'],
       'busconfig'        => ['get_bus_config'],
       'connect'          => ['get_supported_methods'],
-      'cansend'          => ['cansend']
+      'cansend'          => ['cansend'],
+      'testerpresent'    => ['testpresent']
     }
 
     # Ensure any requirements of the command are met
@@ -106,9 +115,10 @@ def cmd_connect(*args)
     end
     unless client.automotive.is_valid_bus? bus
       print_error("You must specify a valid bus via -b")
+      print_line("Current active bus: #{self.active_bus}") if self.active_bus
       return
     end
-    active_bus = bus
+    self.active_bus = bus
     client.automotive.set_active_bus(bus)
     hw_methods = client.automotive.get_supported_methods(bus)
     hw_methods
@@ -141,7 +151,7 @@ def cmd_cansend(*args)
         data = val
       end
     end
-    bus = active_bus if bus.blank? && !active_bus.nil?
+    bus = self.active_bus if bus.blank? && !self.active_bus.nil?
     unless client.automotive.is_valid_bus? bus
       print_error("You must specify a valid bus via -b")
       return
@@ -154,17 +164,167 @@ def cmd_cansend(*args)
     success
   end
 
+  #
+  # Generic ISO-TP CAN send packet command
+  #
+  def cmd_isotpsend(*args)
+    bus = ''
+    id = ''
+    ret = ''
+    data = ''
+    timeout = nil
+    maxpackets = nil
+    cansend_opts = Rex::Parser::Arguments.new(
+      '-h' => [ false, 'Help Banner' ],
+      '-b' => [ true, 'Target bus'],
+      '-I' => [ true, 'CAN ID'],
+      '-R' => [ true, 'Return ID'],
+      '-D' => [ true, 'Data packet in Hex (Do not include ISOTP command size)'],
+      '-t' => [ true, 'Timeout value'],
+      '-m' => [ true, 'Max packets to receive']
+    )
+    cansend_opts.parse(args) do |opt, _idx, val|
+      case opt
+      when '-h'
+        print_line("Usage: isotpsend -I <ID> -D <data>\n")
+        print_line(cansend_opts.usage)
+        return
+      when '-b'
+        bus = val
+      when '-I'
+        id = val
+      when '-R'
+        ret = val
+      when '-D'
+        data = val
+      when '-t'
+        timeout = val.to_i
+      when '-m'
+        maxpackets = val.to_i
+      end
+    end
+    bus = self.active_bus if bus.blank? && !self.active_bus.nil?
+    unless client.automotive.is_valid_bus? bus
+      print_error("You must specify a valid bus via -b")
+      return
+    end
+    if id.blank? || data.blank?
+      print_error("You must specify a CAN ID (-I) and the data packets (-D)")
+      return
+    end
+    if ret.blank?
+      ret = (id.hex + 8).to_s(16)
+      print_line("Default return set to #{ret}")
+    end
+    bytes = data.scan(/../)  # Break up data string into 2 char (byte) chunks
+    if bytes.size > 8
+      print_error("Data section can only contain a max of 8 bytes (for now)")
+      return
+    end
+    opt = {}
+    opt['TIMEOUT'] = timeout unless timeout.nil?
+    opt['MAXPKTS'] = maxpackets unless maxpackets.nil?
+    result = client.automotive.send_isotp_and_wait_for_response(bus, id, ret, bytes, opt)
+    if result.key? 'Packets'
+      result['Packets'].each do |pkt|
+        print_line pkt.inspect
+      end
+    end
+    print_line(result['error'].inspect) if result.key? 'error'
+    result
+  end
+
+  #
+  # Sends TesterPresent packets as a background job
+  #
+  def cmd_testerpresent(*args)
+    bus = ''
+    id = ''
+    stop = false
+    stopid = 0
+    tp_opts = Rex::Parser::Arguments.new(
+      '-h' => [ false, 'Help Banner' ],
+      '-b' => [ true, 'Target bus' ],
+      '-I' => [ true, 'CAN ID' ],
+      '-x' => [ true, 'Stop TesterPresent JobID']
+    )
+    tp_opts.parse(args) do |opt, _idx, val|
+      case opt
+      when '-h'
+        print_line("Usage: testerpresent -I <ID>\n")
+        print_line(tp_opts.usage)
+        return
+      when '-b'
+        bus = val
+      when '-I'
+        id = val
+      when '-x'
+        stop = true
+        stopid = val.to_i
+      end
+    end
+    bus = self.active_bus if bus.blank? && !self.active_bus.nil?
+    unless client.automotive.is_valid_bus? bus
+      print_error("You must specify a valid bus via -b")
+      return
+    end
+    if id.blank? && !stop
+      if self.tpjobs.size.positive?
+        print_line("TesterPresent is currently active")
+        self.tpjobs.each_index do |jid|
+          if self.tpjobs[jid]
+            print_status("TesterPresent Job #{jid}: #{self.tpjobs[jid][:args].inspect}")
+          end
+        end
+      else
+        print_line("TesterPreset is not active.  Use -I to start")
+      end
+      return
+    end
+    if stop
+      if self.tpjobs[stopid]
+        self.tpjobs[stopid].kill
+        self.tpjobs[stopid] = nil
+        print_status("Stopped TesterPresent #{stopid}")
+      else
+        print_error("TesterPresent #{stopid} was not running")
+      end
+    else
+      jid = self.tpjob_id
+      print_status("Starting TesterPresent sender (#{self.tpjob_id})")
+      self.tpjob_id += 1
+      self.tpjobs[jid] = Rex::ThreadFactory.spawn("TesterPresent(#{id})-#{jid}", false, jid, args) do |myjid,xargs|
+        ::Thread.current[:args] = xargs.dup
+        begin
+          loop do
+            client.automotive.cansend(bus, id, "023E00")
+            sleep(2)
+          end
+        rescue ::Exception
+          print_error("Error in TesterPResent: #{$!.class} #{$!}")
+          elog("Error in TesterPreset: #{$!.class} #{$!}")
+          dlog("Callstack: #{$@.join("\n")}")
+        end
+        self.tpjobs[myjid] = nil
+        print_status("TesterPreset #{myjid} has stopped (#{::Thread.current[:args].inspect})")
+      end
+    end
+  end
+
   #
   # Name for this dispatcher
   #
   def name
     'Automotive'
   end
 
-  private
-
   attr_accessor :active_bus
 
+  protected
+
+  attr_accessor :tpjobs, :tpjob_id # :nodoc:
+
+
 end
 
 end