Land rapid7#7935, HWBridge RF transceiver extension

Author: pbarry-r7

documentation/modules/post/hardware/rftransceiver/rfpwnon.md

@@ -0,0 +1,88 @@
+Port of a brute force utility by LegacySecurityGroup, the original can be found
+[here](https://github.com/exploitagency/github-rfpwnon/blob/master/rfpwnon.py).
+It's a generic AM/OOK brute forcer with PWM translations.  It has been
+demonstrated to work against static key garage door openers.
+
+## Options ##
+
+  **FREQ**
+
+  Frequency to brute force.
+
+  **BAUD**
+
+  Baud rate.  Default: 2000
+
+  **BINLENGTH**
+
+  Binary bit-length for bruteforcing.  Default: 8
+
+  **REPEAT**
+
+  How many times to repeat the sending of the packet.  Default: 5
+
+  **PPAD**
+
+  Binary data to append to packet.  (Example: "0101")  Default: None
+
+  **TPAD**
+
+  Binary data to add to end of packet.  (Example: "0101")  Default: None
+
+  **RAW**
+
+  Do not do PWM encoding on packet.  Default: False
+
+  **TRI**
+
+  Use trinary signals.  Default: False
+
+  **EXTRAVERBOSE**
+
+  Adds some extra status messages.
+
+  **INDEX**
+
+  USB Index number.  Default: 0
+
+  **DELAY**
+
+  How many milliseconds to delay before transmission.  Too fast tends to lock up the device.  Default: 500 (0.5 seconds)
+
+## Scenarios
+
+  Run a brute force of 6 characters long with 2 repeats:
+
+```
+hwbridge > run post/hardware/rftransceiver/rfpwnon FREQ=915000000 BINLEGTH=6 REPEAT=2
+
+[*] Generating de bruijn sequence...
+[*] Brute forcing frequency: 915000000
+[*] Transmitting...
+[*] Binary before PWM encoding:
+[*] 00000000
+[*] Binary after PWM encoding:
+[*] 11101110111011101110111011101110
+[*] Transmitting...
+[*] Binary before PWM encoding:
+[*] 00000000
+[*] Binary after PWM encoding:
+[*] 11101110111011101110111011101110
+[*] Transmitting...
+[*] Binary before PWM encoding:
+[*] 00000001
+[*] Binary after PWM encoding:
+[*] 11101110111011101110111011101000
+[*] Transmitting...
+[*] Binary before PWM encoding:
+[*] 00000001
+[*] Binary after PWM encoding:
+[*] 11101110111011101110111011101000
+[*] Transmitting...
+[*] Binary before PWM encoding:
+[*] 00000010
+[*] Binary after PWM encoding:
+[*] 11101110111011101110111010001110
+[*] Transmitting...
+...
+```

documentation/modules/post/hardware/rftransceiver/transmitter.md

@@ -0,0 +1,40 @@
+Simple module to transmit a given frequency for a specified amount of seconds. This
+code was ported from [AndrewMohawk](https://github.com/AndrewMohawk).
+
+NOTE: Users of this module should be aware of their local laws,
+regulations, and licensing requirements for transmitting on any
+given radio frequency.
+
+
+## Options ##
+
+  **FREQ**
+
+  Frequency to brute force.
+
+  **BAUD**
+
+  Baud rate.  Default: 4800
+
+  **POWER**
+
+  Power level to specify.  Default: 100
+
+  **SECONDS**
+
+  How many seconds to transmit the signal.  Default: 4
+
+  **INDEX**
+
+  USB Index number.  Default: 0
+
+## Scenarios
+
+  Transmit a given signal for 4 seconds
+
+```
+hwbridge > run post/hardware/rftransceiver/transmitter FREQ=433880000
+
+[*] Transmitting on 433880000 for 4 seconds...
+[*] Finished transmitting
+```

lib/msf/base/sessions/hwbridge.rb

@@ -167,6 +167,16 @@ def load_zigbee
     console.disable_output = original
   end
 
+  #
+  # Loads the rftransceiver extension
+  #
+  def load_rftransceiver
+    original = console.disable_output
+    console.disable_output = true
+    console.run_single('load rftransceiver')
+    console.disable_output = original
+  end
+
   #
   # Load custom methods provided by the hardware
   #

lib/msf/core/post/hardware.rb

@@ -3,4 +3,5 @@ module Msf::Post::Hardware
   require 'msf/core/post/hardware/automotive/uds'
   require 'msf/core/post/hardware/automotive/dtc'
   require 'msf/core/post/hardware/zigbee/utils'
+  require 'msf/core/post/hardware/rftransceiver/rftransceiver'
 end