Add ZenTao Pro 8.8.2 Remote Code Execution module and docs #13828
@kalba-security Thanks for your contribution, it looks good, however a quick scan of the documentation shows that you haven't provided instructions on how to install the software. Can you please update the documentation with these instructions and then we can look at getting someone to take a look at reviewing this PR further?
@gwillcox-r7 sure! That's actually super easy in this case. I didn't know this information should also be added to the docs. Is this a new requirement? Because I didn't add it for any of my previous modules and no one ever mentioned it.
Huh, that's odd that no one mentioned it before. Generally we try to provide setup instructions wherever possible. I guess you could say it is a bit of a push on my part because we have had some issues with recent modules not having enough documentation to test, and then this leads to a lot of extra back and forth between the contributor and our team. So in a TLDR: it depends on the module, but we are pushing for it (at least I am) more often these days, so probably a good habit to get into :)
Yeah that's definitely fair. I know finding and installing vulnerable apps can be far from straightforward. I mean I've struggled with that plenty of times when investigating PoCs. So I will make sure to start adding this info from now on!
Hey @kalba-security, thank you for the module! I don't really have many suggestions other than opting to use AutoCheck instead of the ForceExploit advanced option. Thanks!
Thanks @space-r7! I just added
Thanks, I'll try to get an environment set up to test against today!
Hey @todb-r7, would you be able to help with getting a CVE assigned for this? Thank you!
@space-r7 sure thing! Use CVE-2020-7361.
Thank you!
Hey @kalba-security, I just submitted a pr (https://github.com/kalba-security/metasploit-framework/pull/2) to your branch that's mostly related to the
Thanks, I will try to have a look at this tomorrow.
Replace ret CheckCode with fail_with()
I just merged your PR @space-r7. The changes worked all fine for the x64 target, but I was unable to get a shell with x86 until I added
| 'cookie' => @cookie, | ||
| 'headers' => { | ||
| 'Accept' => 'application/json, text/javascript, */*; q=0.01', | ||
| 'Referer' => "http://#{datastore['RHOSTS']}#{normalize_uri(target_uri.path, 'user-login.html')}", |
HTTP modules should be able to access `peer`, which represents "#{rhost}:#{port}".
If this works, it would be preferable to using datastore['rhosts'], which probably (maybe?) returns an array, with the added benefit that it also uses the correct port.
Arguably, the string should also be constructed taking into account the use of SSL: #{ssl? ? 'https' : 'http'}
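To make the review point concrete, here is an added example (not code from this PR and not Metasploit's own code) that models the `peer`, `ssl?` and `normalize_uri` helpers of `Msf::Exploit::Remote::HttpClient` in a stand-alone class so it runs without the framework; the assumption is that the real helpers behave as modelled. It contrasts a Referer derived from the live connection (scheme from `ssl?`, host and port from `peer`) with one built from the raw `RHOSTS` value, which can hold a list or a CIDR range and carries no port or scheme.

```ruby
# Added example, not the PR's or the framework's code. Stand-alone stand-ins
# for HttpClient#peer, #ssl? and #normalize_uri (assumed behaviour).
class HttpTarget
  attr_reader :rhost, :rport, :target_uri

  def initialize(rhost:, rport:, ssl:, target_uri:)
    @rhost = rhost          # the single host the current connection targets
    @rport = rport          # the port actually connected to
    @ssl = ssl              # whether the connection uses TLS
    @target_uri = target_uri
  end

  # Stand-in for HttpClient#ssl?
  def ssl?
    @ssl
  end

  # Stand-in for HttpClient#peer: "host:port" of the live connection
  def peer
    "#{rhost}:#{rport}"
  end

  # Stand-in for HttpClient#normalize_uri: join the parts with '/',
  # collapse runs of slashes and guarantee exactly one leading slash
  def normalize_uri(*parts)
    joined = parts.join('/').gsub(%r{/+}, '/')
    joined.start_with?('/') ? joined : "/#{joined}"
  end

  # Referer built as the review suggests: scheme from ssl?, host:port from peer
  def referer(page)
    "#{ssl? ? 'https' : 'http'}://#{peer}#{normalize_uri(target_uri, page)}"
  end

  # The pattern under review: scheme hard-coded to http and the host taken
  # verbatim from the RHOSTS datastore value, which may be a list or a range
  def referer_from_rhosts(rhosts_value, page)
    "http://#{rhosts_value}#{normalize_uri(target_uri, page)}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; 192.0.2.0/24 is the documentation-only range
  t = HttpTarget.new(rhost: '192.0.2.10', rport: 8443, ssl: true, target_uri: '/pro/')
  puts "peer-based:   #{t.referer('user-login.html')}"
  puts "RHOSTS-based: #{t.referer_from_rhosts('192.0.2.0/24', 'user-login.html')}"
end
```

With a TLS target on port 8443 the peer-based form yields `https://192.0.2.10:8443/pro/user-login.html`, while the RHOSTS-based form produces a plain-http URL with the range string embedded and no port, which is exactly the mismatch the review warns about.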
| register_options [ | ||
| OptString.new('TARGETURI', [true, 'The base path to ZenTao', '/pro/']), | ||
| OptString.new('TARGETPATH', [true, 'The path on the target where commands will be executed', 'C:\\']), |
Is there a reason to use the root directory rather than a temp directory?
| } | ||
| ] | ||
| ], | ||
| 'DefaultTarget' => 1, |
Is there a reason to default to x64 targets? x64 systems are significantly more common than x86, but x86 payloads should work on x64, and this module does not appear to contain any arch-dependent logic, implying that x86 would be the better option.
| 1. Install the module as usual | ||
| 2. Start msfconsole | ||
| 3. Do: `use exploit/windows/http/zentao_pro_rce` | ||
| 4. Do: `set RHOSTS [IP]` | ||
| 5. Do: `set USERNAME [username for the ZenTao Pro account]` | ||
| 6. Do: `set PASSWORD [password for the ZenTao Pro account]` | ||
| 7. Do: `set RHOSTS [IP]` | ||
| 8. Do: `set payload [payload]` | ||
| 9. Do: `set LHOST [IP]` | ||
| 10. Do: `exploit` |
rhosts set twice.
| 1. Install the module as usual | |
| 2. Start msfconsole | |
| 3. Do: `use exploit/windows/http/zentao_pro_rce` | |
| 4. Do: `set RHOSTS [IP]` | |
| 5. Do: `set USERNAME [username for the ZenTao Pro account]` | |
| 6. Do: `set PASSWORD [password for the ZenTao Pro account]` | |
| 7. Do: `set payload [payload]` | |
| 8. Do: `set LHOST [IP]` | |
| 9. Do: `exploit` |
Made remaining changes in 6c066a9. Test output:
Release Notes
New exploit module
About
This change adds a new module to /modules/exploits/windows/http/ that exploits a command injection vulnerability in ZenTao Pro 8.8.2 and earlier versions in order to execute arbitrary commands with SYSTEM privileges. The change also adds documentation for this module. The module is based on this PoC: https://www.exploit-db.com/exploits/48633. Because the issue has not been assigned a CVE yet, I contacted the researchers who published the PoC. They said that they disclosed the issue over a month ago, but that the client failed to understand the severity of the problem and has not taken any steps to address it. I have also personally informed the vendor about the issue and about the existence of the PoC exploit earlier this week.
Vulnerable system
ZenTao Pro versions 8.8.1 and 8.8.2 (confirmed) and likely earlier versions as well.
Verification Steps
1. `use exploit/windows/http/zentao_pro_rce`
2. `set RHOSTS [IP]`
3. `set USERNAME [username for the ZenTao Pro account]`
4. `set PASSWORD [password for the ZenTao Pro account]`
5. `set RHOSTS [IP]`
6. `set payload [payload]`
7. `set LHOST [IP]`
8. `exploit`
Options
PASSWORD
The password for the ZenTao Pro account to authenticate with. This option is required.
TARGETPATH
The path on the target where commands will be executed. The default value is `C:\`.
TARGETURI
The base path to ZenTao Pro. The default value is `/pro/`.
USERNAME
The username for the ZenTao Pro account to authenticate with. This option is required.
Targets
Scenarios
ZenTao 8.8.2 running on Windows 10 (XAMPP server)