Module: Msf::Exploit::DECT_COA

Defined in:
lib/msf/core/exploit/dect_coa.rb

Overview

This module provides methods for interacting with a Com-On-Air DECT device.

Constant Summary

DECT_BAND_EMEA =
0x01
DECT_BAND_US =
0x02
DECT_BAND_BOTH =
0x03
COA_MODE_IDLE =
0x0000
COA_MODE_FP =
0x0100
COA_MODE_PP =
0x0200
COA_MODE_SNIFF =
0x0300
COA_MODE_JAM =
0x0400
COA_MODE_EEPROM =
0x0500
COA_SUBMODE_SNIFF_SCANFP =
0x0001
COA_SUBMODE_SNIFF_SCANPP =
0x0002
COA_SUBMODE_SNIFF_SYNC =
0x0003
COA_IOCTL_MODE =
0xD000
COA_IOCTL_RADIO =
0xD001
COA_IOCTL_RX =
0xD002
COA_IOCTL_TX =
0xD003
COA_IOCTL_CHAN =
0xD004
COA_IOCTL_SLOT =
0xD005
COA_IOCTL_RSSI =
0xD006
COA_IOCTL_FIRMWARE =
0xD007
COA_IOCTL_SETRFPI =
0xD008

Instance Attribute Summary

Instance Method Summary

Instance Attribute Details

#bandObject

Returns the value of attribute band


# File 'lib/msf/core/exploit/dect_coa.rb', line 102

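# Reader for the selected DECT band, coerced to an Integer.
#
# The original body called +self.band+ from inside +band+ itself, which
# recurses until SystemStackError; the backing instance variable (written by
# +self.band = ...+ in #set_band) is read directly instead.
#
# @return [Integer] one of the DECT_BAND_* values; 0 when nothing has been
#   set yet, because +nil.to_i+ is 0
def band
  @band.to_i
end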

#channelObject

Returns the value of attribute channel


# File 'lib/msf/core/exploit/dect_coa.rb', line 98

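# Reader for the current DECT channel, coerced to an Integer.
#
# The original body called +self.channel+ from inside +channel+ itself, which
# recurses until SystemStackError; the backing instance variable (written by
# +self.channel = ...+ in #set_channel) is read directly instead.
#
# @return [Integer] the channel number; 0 when nothing has been set yet,
#   because +nil.to_i+ is 0
def channel
  @channel.to_i
end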

#dect_deviceObject

Returns the value of attribute dect_device


# File 'lib/msf/core/exploit/dect_coa.rb', line 191

# Reader for the Com-On-Air device handle.
#
# #open_coa stores the File here and #close_coa resets it to nil, so a nil
# return means no device is currently open.
#
# @return [File, nil] the open handle, or nil
def dect_device
  instance_variable_get(:@dect_device)
end

Instance Method Details

#call_scan_modeObject


# File 'lib/msf/core/exploit/dect_coa.rb', line 81

# Switch the device into sniff mode with the SCANPP sub-mode (portable
# parts, i.e. handsets), then apply the configured band, which in turn
# selects that band's first channel (see #set_band).
#
# Requires a successful #open_coa first: +dect_device+ is nil otherwise and
# the ioctl call raises NoMethodError.
#
# NOTE(review): the mode word is packed as a signed 16-bit short ('s') here
# and in #fp_scan_mode / #stop_coa, but as unsigned ('S') in #pp_scan_mode;
# the bytes are identical for these values.
def call_scan_mode
  mode = COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SCANPP
  self.dect_device.ioctl(COA_IOCTL_MODE, [mode].pack('s'))
  set_band(datastore['BAND'])
end

#close_coaObject


# File 'lib/msf/core/exploit/dect_coa.rb', line 64

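# Close the Com-On-Air device handle, if one is open, and forget it.
#
# The handle is cleared in an +ensure+ block so that a failing +close+
# (for example on an already-closed stream) cannot leave a stale handle
# behind for the next #open_coa or #poll_coa call; the original only
# cleared it after a successful close.
#
# @return [nil]
def close_coa
  device = self.dect_device
  device.close if device
ensure
  self.dect_device = nil
end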

#fp_scan_modeObject


# File 'lib/msf/core/exploit/dect_coa.rb', line 70

# Switch the device into sniff mode with the SCANFP sub-mode (fixed parts,
# i.e. base stations), then apply the configured band, which in turn selects
# that band's first channel (see #set_band).
#
# Requires a successful #open_coa first: +dect_device+ is nil otherwise and
# the ioctl call raises NoMethodError.
def fp_scan_mode
  mode = COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SCANFP
  # mode word is handed to the driver as a packed 16-bit short
  self.dect_device.ioctl(COA_IOCTL_MODE, [mode].pack('s'))
  set_band(datastore['BAND'])
end

#initialize(info = {}) ⇒ Object


# File 'lib/msf/core/exploit/dect_coa.rb', line 38

# Register the datastore options this mixin needs. +info+ is passed through
# to the next initializer in the chain by the bare +super+.
#
# NOTE(review): BAND and CHAN are declared as OptString although their
# defaults are Integers (DECT_BAND_US and 0); #set_band and #set_channel
# coerce their argument with +to_i+, so either representation works there.
#
# @param info [Hash] module metadata forwarded to +super+
def initialize(info = {})
  super

  options = [
    OptString.new('INTERFACE', [true, 'The name of the Com-On-Air Interface', '/dev/coa']),
    OptString.new('BAND', [true, 'DECT band', DECT_BAND_US]),
    OptString.new('CHAN', [false, 'DECT channel', 0]),
    OptString.new('RFPI', [false, 'RFPI for synchronous scan', nil])
  ]
  register_options(options, Msf::Exploit::DECT_COA)
end

#next_channelObject


# File 'lib/msf/core/exploit/dect_coa.rb', line 125

# Advance to the next channel of the selected band, wrapping around at the
# band's upper end.
#
# Channel ranges as encoded here: US uses 23..27, EMEA uses 0..9, and BOTH
# walks 0..9 then 23..27 before wrapping back to 0. A band value outside
# DECT_BAND_* leaves the channel untouched and returns nil.
#
# @return [Object, nil] the #set_channel result, or nil for an unknown band
def next_channel
  current = channel
  target =
    case band
    when DECT_BAND_US
      current < 27 ? current + 1 : 23
    when DECT_BAND_EMEA
      current < 9 ? current + 1 : 0
    when DECT_BAND_BOTH
      if current == 9
        23          # jump from the EMEA range into the US range
      elsif current < 27
        current + 1
      else
        0           # end of the US range: wrap to the start of EMEA
      end
    end

  set_channel(target) if target
end

#open_coaObject


# File 'lib/msf/core/exploit/dect_coa.rb', line 51

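# Open the Com-On-Air character device named by the INTERFACE option,
# closing any handle left over from a previous call first.
#
# Only StandardError descendants (Errno::ENOENT, Errno::EACCES, ...) are
# rescued and wrapped. The original rescued ::Exception, which would also
# catch Interrupt, SystemExit and NoMemoryError and re-raise them as a
# RuntimeError, hiding a Ctrl-C or shutdown behind a "could not open" error.
#
# @return [File] the open handle, also stored in +dect_device+
# @raise [RuntimeError] when the device cannot be opened; the underlying
#   error text is appended to the message
def open_coa
  close_coa if self.dect_device

  begin
    self.dect_device = File.open(datastore['INTERFACE'], "wb+")
  rescue ::StandardError => e
    print_error("Could not open the Com-On-Air device at #{datastore['INTERFACE']}")
    print_error("This module only works on Linux with the appropriate hardware and driver, while running as root")
    raise RuntimeError, "Could not open the Com-On-Air device: #{e}"
  end
end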

#parse_call(data) ⇒ Object


# File 'lib/msf/core/exploit/dect_coa.rb', line 176

# Build a Hash describing a sniffed call frame.
#
# +data+ is indexed like an Array: element 0 is the channel, element 1 the
# RSSI, and elements 2..6 the five RFPI bytes. Those five values are
# formatted with %02x by #parse_rfpi, so they are presumably Integer byte
# values (e.g. after unpack('C*')) rather than a raw String — verify
# against the caller, which is not on this page.
#
# @param data [Array<Integer>] raw frame
# @return [Hash{String => Object}] keys 'channel', 'rssi', 'rfpi_raw', 'rfpi'
def parse_call(data)
  rfpi_bytes = data[2, 5]
  {
    'channel'  => data[0],
    'rssi'     => data[1],
    'rfpi_raw' => rfpi_bytes,
    'rfpi'     => parse_rfpi(rfpi_bytes)
  }
end

#parse_rfpi(data) ⇒ Object


# File 'lib/msf/core/exploit/dect_coa.rb', line 163

# Render the first five elements of +data+ as space-separated two-digit hex.
#
# Exactly data[0]..data[4] are consumed, so a shorter input raises from
# +format+ just as the original sprintf did (nil is not a valid %x argument).
#
# @param data [Array<Integer>] RFPI byte values
# @return [String] e.g. "01 02 ab 00 ff"
def parse_rfpi(data)
  bytes = (0..4).map { |i| data[i] }
  format("%02x %02x %02x %02x %02x", *bytes)
end

#parse_station(data) ⇒ Object


# File 'lib/msf/core/exploit/dect_coa.rb', line 167

# Build a Hash describing a sniffed base-station frame.
#
# Same layout as #parse_call on this page: element 0 is the channel,
# element 1 the RSSI, elements 2..6 the five RFPI bytes (presumably Integer
# byte values, since #parse_rfpi formats them with %02x — verify against
# the caller).
#
# @param data [Array<Integer>] raw frame
# @return [Hash{String => Object}] keys 'channel', 'rssi', 'rfpi_raw', 'rfpi'
def parse_station(data)
  station = {}
  station['channel']  = data[0]
  station['rssi']     = data[1]
  station['rfpi_raw'] = data[2, 5]
  station['rfpi']     = parse_rfpi(data[2, 5])
  station
end

#poll_coaObject


# File 'lib/msf/core/exploit/dect_coa.rb', line 154

# Wait up to half a second for the device to become readable and return
# what +read+ yields; nil when the select times out.
#
# NOTE(review): +read+ is called without a length, which reads until EOF;
# whether the driver delivers one frame per read is not visible here.
#
# @return [String, nil] raw bytes from the device, or nil on timeout
def poll_coa
  ready = ::IO.select([self.dect_device], nil, nil, 0.50)
  return nil unless ready

  # first element of the readable set is our single device
  ready.first.first.read
end

#pp_scan_mode(rfpi) ⇒ Object


# File 'lib/msf/core/exploit/dect_coa.rb', line 75

# Switch the device into sniff mode with the SYNC sub-mode, echo the
# requested RFPI and push it to the driver via #set_rfpi.
#
# NOTE(review): +rfpi.to_i+ parses only a leading decimal run of a String,
# so a hex-formatted RFPI such as the "%02x %02x ..." output of #parse_rfpi
# becomes 0 here — confirm the format callers are expected to pass.
#
# @param rfpi [String, Integer] RFPI to synchronise on
def pp_scan_mode(rfpi)
  mode = COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SYNC
  # packed unsigned ('S') here, unlike the signed 's' used by the other
  # mode-setting methods; identical bytes for this value
  self.dect_device.ioctl(COA_IOCTL_MODE, [mode].pack('S'))
  print_line("#{rfpi}")
  self.set_rfpi(rfpi.to_i)
end

#record_coa(filename) ⇒ Object

Raises:

  • (RuntimeError)

# File 'lib/msf/core/exploit/dect_coa.rb', line 185

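# Placeholder for call recording; always raises.
#
# The original opened and closed +filename+ after the +raise+, which could
# never execute; that dead code has been dropped so the stub reads as what
# it is.
#
# @param filename [String] destination file, unused until recording exists
# @raise [RuntimeError] always
def record_coa(filename)
  raise RuntimeError, "DECT call recording is not supported yet"
end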

#rfpiObject


# File 'lib/msf/core/exploit/dect_coa.rb', line 90

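# Reader for the stored RFPI.
#
# The original body called +self.rfpi+ from inside +rfpi+ itself, which
# recurses until SystemStackError; the instance variable is read directly.
# NOTE(review): nothing on this page assigns @rfpi (#pp_scan_mode hands its
# argument straight to #set_rfpi), so this returns nil unless a writer
# exists elsewhere in the file.
#
# @return [Object, nil] the stored RFPI, or nil when none has been set
def rfpi
  @rfpi
end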

#set_band(b) ⇒ Object


# File 'lib/msf/core/exploit/dect_coa.rb', line 106

# Select the DECT band and tune to its first channel: 23 for US, 0 for
# EMEA and for BOTH. A value outside DECT_BAND_* is stored but leaves the
# channel untouched.
#
# @param b [String, Integer] band value; coerced with +to_i+
# @return [Object, nil] the #set_channel result, or nil for an unknown band
def set_band(b)
  self.band = b.to_i

  case band
  when DECT_BAND_US
    set_channel(23)
  when DECT_BAND_EMEA, DECT_BAND_BOTH
    set_channel(0)
  end
end

#set_channel(chan) ⇒ Object


# File 'lib/msf/core/exploit/dect_coa.rb', line 120

# Store the channel and tune the device to it.
#
# The channel is packed as a native-size, native-endian int ('i'), unlike
# the 16-bit shorts used for mode and RFPI ioctls on this page.
#
# @param chan [String, Integer] channel number; coerced with +to_i+
# @return [Object] the ioctl result
def set_channel(chan)
  self.channel = chan.to_i
  packed_channel = [channel].pack('i')
  self.dect_device.ioctl(COA_IOCTL_CHAN, packed_channel)
end

#set_rfpi(rfpi) ⇒ Object


# File 'lib/msf/core/exploit/dect_coa.rb', line 94

# Hand an RFPI value to the driver.
#
# NOTE(review): #parse_rfpi treats an RFPI as five bytes, but this packs a
# single signed 16-bit short ('s'); Array#pack silently truncates anything
# wider than 16 bits. Confirm the driver's ioctl contract for SETRFPI.
#
# @param rfpi [Integer] value to pack
# @return [Object] the ioctl result
def set_rfpi(rfpi)
  packed_rfpi = [rfpi].pack('s')
  self.dect_device.ioctl(COA_IOCTL_SETRFPI, packed_rfpi)
end

#stop_coaObject


# File 'lib/msf/core/exploit/dect_coa.rb', line 86

# Return the device to idle mode, ending any scan started by the
# *_scan_mode methods. The handle stays open; use #close_coa to release it.
#
# @return [Object] the ioctl result
def stop_coa
  idle = [COA_MODE_IDLE].pack('s')
  self.dect_device.ioctl(COA_IOCTL_MODE, idle)
end