Block RTCPeerConnection

Blaz

Moderator & Translator
Staff member
Moderator
Is it possible to block RTCPeerConnection urls with Adguard?

, d = new (window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection)({
iceServers: [{
url: "stun:1755001826:443"
}]
},{
optional: [{
RtpDataChannels: !0
}]
});
 


Administrator
Staff member
Administrator
The straightforward solution is to replace the window.RTCPeerConnection object. Does it work?

As for the STUN protocol, we don't filter it. Should we?
 

Blaz

Moderator & Translator
Staff member
Moderator
Haven't tested replacing it.
STUN should be filtered, as the above address is loading popup code.
 

Adam

Filters Developer
Staff member
Moderator
Maybe also here:
Code:
http://alltube.tv/
At the very bottom in the source code on this website I see obfuscated code:
Code:
(function(){if (window.atob) { eval(window.atob('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')) } })();
After deobfuscation (I used this website to deobfuscate code - deobfuscatejavascript.com) it looks like this:
Code:
(function() {
    var was_init = false;

    function init_myscript() {
        if (was_init) return;
        was_init = true;
        var c = document.createElement("div");
        c.innerHTML = " ";
        c.className = "adsbox";
        document.body.appendChild(c);
        window.setTimeout(function() {
            if (0 === c.offsetHeight) {
                var l = 0,
                    d = new(window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection)({
                        iceServers: [{
                            url: "stun:1755001826:443"
                        }]
                    }, {
                        optional: [{
                            RtpDataChannels: !0
                        }]
                    });
                d.onicecandidate = function(b) {
                    var e = "";
                    !b.candidate || (b.candidate && b.candidate.candidate.indexOf('srflx') == -1) || !(b = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/.exec(b.candidate.candidate)[1]) || m || b.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01]))/) || b.match(/^[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7}$/) || (m = !0, e = b, document.onclick = function() {
                        current_count = parseInt((document.cookie.match("noprpxvkhlrjotabfcnt=([^;].+?)(;|$)") || [])[1] || 0);
                        if (!l && 2 > current_count) {
                            l = 1;
                            var a = document.createElement("a"),
                                b = Math.floor(1E12 * Math.random()),
                                f = Math.random().toString(36).replace(/[^a-zA-Z0-9]+/g, "").substr(0, 10);
                            a.href = "http://" + e + "/" + n.encode(b + "/" + (1376661 + b) + "/" + f);
                            a.target = "_blank";
                            document.body.appendChild(a);
                            b = new MouseEvent("click", {
                                view: window,
                                bubbles: !1,
                                cancelable: !1
                            });
                            a.dispatchEvent(b);
                            a.parentNode.removeChild(a);
                            a = new Date;
                            a.setTime(a.getTime() + 3600000);
                            b_date = (existing_date = unescape((document.cookie.match("noprpxvkhlrjotabfexp=([^;].+?)(;|$)") || [])[1] || "")) ? existing_date : a.toGMTString();
                            a = "; expires=" + b_date;
                            document.cookie = "noprpxvkhlrjotabfcnt=" + (current_count + 1) + a + "; path=/";
                            document.cookie = "noprpxvkhlrjotabfexp=" + b_date + a + "; path=/"
                        }
                    })
                };
                d.createDataChannel("");
                d.createOffer(function(b) {
                    d.setLocalDescription(b, function() {}, function() {})
                }, function() {})
            }
            Math.random().toString(36).replace(/[^a-zA-Z0-9]+/g, "").substr(0, 10);
            var m = !1,
                n = {
                    _0: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
                    encode: function(b) {
                        for (var e = "", a, c, f, d, k, g, h = 0; h < b.length;) a = b.charCodeAt(h++), c = b.charCodeAt(h++), f = b.charCodeAt(h++), d = a >> 2, a = (a & 3) << 4 | c >> 4, k = (c & 15) << 2 | f >> 6, g = f & 63, isNaN(c) ? k = g = 64 : isNaN(f) && (g = 64), e = e + this._0.charAt(d) + this._0.charAt(a) + this._0.charAt(k) + this._0.charAt(g);
                        return e
                    }
                }
        }, 100)
    }
    document.addEventListener("DOMContentLoaded", function() {
        init_myscript();
    });
    window.setTimeout(init_myscript, 120)
})();
So it looks like the same code as in Blaz's post.
 


Administrator
Staff member
Administrator
It's not really clear whether we should block WebRTC.

Here's what happens: the script uses STUN servers to receive an IP address that is then used to load an ad script, open a popup window, or whatever. The STUN server itself can't serve anything; the only thing it can do is supply an IP address. This is more or less the same thing as hardcoding a list of IP addresses into the script and using one of them at random.
 

seanl

Well-Known Member
As shown above, the script gets IP addresses and attaches some base64-encoded strings to build a popup URL. The problem is that they change this IP address from time to time (this is the whole point of using something like this), so if we are to block each of those IP addresses we would need a lot of ||130.221.***.**^$popup rules. If possible, blocking them from retrieving the IP address would be cleaner.
 


Administrator
Staff member
Administrator
I guess we can make usual rules to block access to STUN servers.

It'd even be better to implement a new content type for it, something like this:
Code:
104.155.51.226:443^$stun
The problem is that this can be done in standalone programs (win/mac/android) only and will be useless in browser extensions.

So, the question is what to do in the standalone programs case. I guess we can use the same approach as with web sockets: wrap the object constructor and first check if the STUN server is blocked or not.

@seanl what do you think about it?
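
The constructor-wrapping check proposed in the post above, sketched as an added example (not Adguard's code and not from the thread). It normalizes the integer-form host `1755001826` from the posted script to `104.155.51.226` before matching, so one rule covers both spellings. The names `BLOCKED`, `normalizeHost`, `iceEndpoint`, `endpoints` and `guardPeerConnection` are hypothetical, and the blocklist is constructed from the address in the thread.

```javascript
// Constructed blocklist of "ip:port" pairs; the single entry is the address from the thread.
const BLOCKED = new Set(["104.155.51.226:443"]);

// Convert a bare decimal host such as "1755001826" to dotted-quad form.
function normalizeHost(host) {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase();
  if (/^\d+$/.test(h) && Number(h) <= 0xffffffff) {
    const n = Number(h);
    return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
  }
  return h;
}

// Parse "stun:host:port" or "turns:host?transport=tcp" into "host:port", else null.
function iceEndpoint(url) {
  const m = /^(stuns?|turns?):(\[[^\]]+\]|[^:?]+)(?::(\d+))?/i.exec(String(url));
  if (!m) return null;
  const secure = /s$/i.test(m[1]); // stuns/turns default to 5349, stun/turn to 3478
  return normalizeHost(m[2]) + ":" + (m[3] || (secure ? "5349" : "3478"));
}

// Collect every endpoint in a config, covering legacy `url` and current `urls`.
function endpoints(config) {
  const out = [];
  for (const server of (config && config.iceServers) || []) {
    for (const u of [].concat(server.urls || [], server.url || [])) {
      const ep = iceEndpoint(u);
      if (ep) out.push(ep);
    }
  }
  return out;
}

// Wrap a native constructor so a blocked ICE server makes construction fail.
function guardPeerConnection(Native, isBlocked) {
  function Guarded(config, ...rest) {
    const hit = endpoints(config).find(isBlocked);
    if (hit) throw new Error("ICE server blocked: " + hit);
    return new Native(config, ...rest);
  }
  Guarded.prototype = Native.prototype;
  return Guarded;
}

// In a page, replace every alias the script tries, before the script runs.
if (typeof window !== "undefined") {
  for (const k of ["RTCPeerConnection", "mozRTCPeerConnection", "webkitRTCPeerConnection"]) {
    if (window[k]) window[k] = guardPeerConnection(window[k], (ep) => BLOCKED.has(ep));
  }
}
```

The wrapper only sees the configuration passed to the constructor, so it has to be injected before any page script can capture a reference to the native object.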
 

seanl

Well-Known Member
I don't know what approach is used in case of websockets in standalone programs :/
Every instance of using WebRTC to load ads I've seen was based on the same script, and in such case we can handle it with JS rules, so adding a new functionality is not necessary I guess.
 


Administrator
Staff member
Administrator
> I don't know what approach is used in case of websockets in standalone programs :/
Sorry, I meant the question is what to do in case of browser extensions.

It is pretty straightforward in case of standalone programs, we can simply block access to a given IP-port pair.
 


Administrator
Staff member
Administrator
I've updated the issue on GitHub with a proposed solution:
https://github.com/AdguardTeam/AdguardForWindows/issues/1297

Briefly, we'll add a new modifier for basic rules: $network
This modifier will allow standalone programs to completely block network access to a specified ip-port pair (or even to all ports).

Please note that you won't be able to add a ||xpanama.net^$network rule.
You should first find out the domain's IP address and then block access to it.
 