- Notifications
You must be signed in to change notification settings - Fork4
Kill any Android VPN in the browser, and expose the client's real IP address.
License
noarchwastaken/vpn_killer
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Kill any Android VPN in the browser, and expose the client's real IP address.
Me and a friend of mine@A5dblk stumbled uponthis bug, which allows any Javascript to eat up an infinite amount of RAM on Firefox, or up to 4GB per tab on Chromium.
After playing with the exploit for a while, we noticed that, Android will kill most background processes, including VPNs, when the Javascript is consuming memory.
So I came up with the idea of spamming requests while allocating memory. After the VPN is killed by Android, a few requests will be made without VPN before the browser tab is killed, revealing the client's real IP address.
Any version of Android.
The memory exhaution bug affects all platforms that Firefox and Chromium runs on, but the VPN-killing behavior is only tested on Android.
The backend ofvpn_killer is built usingRocket.rs and Rust.
Currently, only binaries for x86_64 GNU/Linux are built.
Clone this repository.
Install and switch to Rust nightly for this repository.
cargo build --release
Forvpn_killer to work, you need a client that is connected to a VPN and making requests from different IPs with and without the VPN.
For testing purposes, you canset up a Wireguard server on your computer, and connect to it on your phone.
With this setup, remember to browse the non-VPN IP of your computer; for example, if your computer (server) has192.168.1.30 for home intranet and10.26.0.1 for VPN, you should use the former in the address bar.
$ vpn_killer
If you are building it yourself:
$ cargo run --release
You will see Rocket launching and listening onhttp://0.0.0.0:8000:
🔧 Configured for production. => address: 0.0.0.0 => port: 8000 => log: critical => workers: 24 => secret key: generated => limits: forms = 32KiB => keep-alive: 5s => read timeout: 5s => write timeout: 5s => tls: disabledWarning: environment is 'production', but no `secret_key` is configured🚀 Rocket has launched from http://0.0.0.0:8000Browse port8000 on your computer using an Android device, and click "Get my real IP":
63e078cb-343f-4777-bdca-3a4add7e2a14 connected | Initial IP: 10.26.0.3063e078cb-343f-4777-bdca-3a4add7e2a14 IP changed | known IPs: [10.26.0.30, 192.168.1.250]Uncomment the line containingkillVPN(); insrc/assets/index.html; build again.
If you run Android 9 or later, turn onAlways-on VPN andBlock connections without VPN in your system VPN settings.
Be aware that this will break split-tunneling (a.k.a. Per-app proxy).
Or you can useTor Browser, which relies on an internal Tor for proxy, and cannot make connections without it.
About
Kill any Android VPN in the browser, and expose the client's real IP address.