Skip to content

Pab450/CVE-2018-9995

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
N9plugins.exe
N9plugins.exe
 
 
README.md
README.md
 
 
exploit.py
exploit.py
 
 

Repository files navigation

CVE-2018-9995 Exploit Tool for Python3

This Python script is designed to exploit CVE-2018-9995.

TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.

Please note that this script is provided for educational purposes only. The security flaw was discovered in 2018, and while many devices have been patched, a significant number of vulnerable devices may still be in circulation.

Shodan has identified approximately 14,000 potentially affected devices. However, it's essential to note that most of these viewers no longer work with modern search engines, possibly due to the removal of NAPI support.

This script has been tested with various viewers. However, even if you get access, in many cases you won't be able to view these cameras.

To solve this problem, I used the N9plugin.exe found on a server where the viewer was set up, along with the IE Tab chrome extension. It's possible that viewing will work without IE Tab.

I'm making N9plugin.exe available in this repository. I'd like to stress that I've used this exe in a closed environment and that it's important that you do the same. On Virus Total this one is flag 2/71:

CrowdStrike Falcon -> Win/grayware_confidence_60% (D)
SecureAge -> Malicious

Even if these could be false positives, it's important to be careful. You may be able to find other N9plugins that are safer online. It's up to you to do your research.

Quick start for the tool

git clone https://github.com/pab450/CVE-2018-9995
cd CVE-2018-9995
pip3 install requests argparse
python3 exploit.py 127.0.0.1

If the CVE works, it will return:

usernameA, passwordA
usernameB, passwordB
...

Otherwise, a python error.

Arguments

  • host: Specify the target host or IP address.
  • --port (-p): Specify an optional port (default is an empty string). Example:
python3 exploit.py 127.0.0.1 --port 9000

python3 exploit.py 127.0.0.1 -p 9000

python3 exploit.py 127.0.0.1

Few Dorks to find devices with potential vulnerabilities

Google:

inurl:device.rsp -in
intitle:"AHD Login"
intitle:"DVR Login"
intitle:"NVR Login"
intitle:"XVR Login"

Shodan:

html:login.rsp
login.rsp

Plus

It is also possible to completely rewrite the firmware of these devices.

About

CVE-2018-9995 Exploit Tool for Python3

Resources

Readme
Activity

Stars

4 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages