CVE-2018-9995 PoC — TBK DVR4104和DVR4216 安全漏洞

Source

Associated Vulnerability

Title:TBK DVR4104和DVR4216 安全漏洞 (CVE-2018-9995)
Description:TBK DVR4104和DVR4216都是高清数字录像机设备。 TBK DVR4104和DVR4216中存在安全漏洞。远程攻击者可借助Cookie: uid=admin包头利用该漏洞绕过身份验证。

Description

.NET console application that exploits CVE-2018-9995 vulnerability

Readme

# DVRFaultNET
.NET console application that exploits DVR [CVE-2018-9995 vulnerability](https://www.cve.org/CVERecord?id=CVE-2018-9995)


![DVRFault logo](imgs/DVRFaultMini.png)
____
# Usage
![DVRFault logo](imgs/screenshot.png)

Once launched, you will be prompted to enter the URL of the DVR camera. The program add `?opt=user&cmd=list` to the URL and sends a request containing `"Cookie:uid=admin"` header then server return a JSON string provides all users credentials.

File Snapshot


 [4.0K]  /data/pocs/41c3278151b22aa23c661de01672e794db3534ae
├── [4.0K]  DVRFaultNET
│   ├── [ 619]  App.config
│   ├── [ 854]  ClientUrl.cs
│   ├── [ 44K]  DVRFault.ico
│   ├── [6.2K]  DVRFaultNET.csproj
│   ├── [ 456]  DVRFaultNET.csproj.user
│   ├── [2.9K]  Localization.cs
│   ├── [4.9K]  Program.cs
│   ├── [4.0K]  Properties
│   │   └── [2.0K]  AssemblyInfo.cs
│   └── [ 426]  RespondModel.cs
├── [1.1K]  DVRFaultNET.sln
├── [4.0K]  imgs
│   ├── [212K]  DVRFaultFull.png
│   ├── [ 94K]  DVRFaultMini.png
│   └── [ 24K]  screenshot.png
├── [4.0K]  packages
│   ├── [4.0K]  Newtonsoft.Json.13.0.2
│   │   ├── [4.0K]  lib
│   │   │   ├── [4.0K]  net20
│   │   │   │   ├── [567K]  Newtonsoft.Json.dll
│   │   │   │   └── [596K]  Newtonsoft.Json.xml
│   │   │   ├── [4.0K]  net35
│   │   │   │   ├── [504K]  Newtonsoft.Json.dll
│   │   │   │   └── [542K]  Newtonsoft.Json.xml
│   │   │   ├── [4.0K]  net40
│   │   │   │   ├── [571K]  Newtonsoft.Json.dll
│   │   │   │   └── [554K]  Newtonsoft.Json.xml
│   │   │   ├── [4.0K]  net45
│   │   │   │   ├── [695K]  Newtonsoft.Json.dll
│   │   │   │   └── [697K]  Newtonsoft.Json.xml
│   │   │   ├── [4.0K]  net6.0
│   │   │   │   ├── [695K]  Newtonsoft.Json.dll
│   │   │   │   └── [694K]  Newtonsoft.Json.xml
│   │   │   ├── [4.0K]  netstandard1.0
│   │   │   │   ├── [665K]  Newtonsoft.Json.dll
│   │   │   │   └── [676K]  Newtonsoft.Json.xml
│   │   │   ├── [4.0K]  netstandard1.3
│   │   │   │   ├── [683K]  Newtonsoft.Json.dll
│   │   │   │   └── [684K]  Newtonsoft.Json.xml
│   │   │   └── [4.0K]  netstandard2.0
│   │   │       ├── [689K]  Newtonsoft.Json.dll
│   │   │       └── [696K]  Newtonsoft.Json.xml
│   │   ├── [1.1K]  LICENSE.md
│   │   ├── [2.3M]  Newtonsoft.Json.13.0.2.nupkg
│   │   ├── [8.7K]  packageIcon.png
│   │   └── [1.9K]  README.md
│   └── [4.0K]  Newtonsoft.Json.Bson.1.0.2
│       ├── [4.0K]  lib
│       │   ├── [4.0K]  net45
│       │   │   ├── [ 95K]  Newtonsoft.Json.Bson.dll
│       │   │   ├── [ 26K]  Newtonsoft.Json.Bson.pdb
│       │   │   └── [ 37K]  Newtonsoft.Json.Bson.xml
│       │   ├── [4.0K]  netstandard1.3
│       │   │   ├── [ 96K]  Newtonsoft.Json.Bson.dll
│       │   │   ├── [ 26K]  Newtonsoft.Json.Bson.pdb
│       │   │   └── [ 37K]  Newtonsoft.Json.Bson.xml
│       │   └── [4.0K]  netstandard2.0
│       │       ├── [ 95K]  Newtonsoft.Json.Bson.dll
│       │       ├── [ 26K]  Newtonsoft.Json.Bson.pdb
│       │       └── [ 37K]  Newtonsoft.Json.Bson.xml
│       ├── [1.1K]  LICENSE.md
│       └── [197K]  Newtonsoft.Json.Bson.1.0.2.nupkg
└── [ 473]  README.md

19 directories, 45 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!