CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/gather/citrix_published_applications.rb
Views: 11623
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Udp

8


9
  def initialize(info = {})

10
    super(update_info(info,

11
      'Name'           => 'Citrix MetaFrame ICA Published Applications Scanner',

12
      'Description'    => %q{

13
        This module attempts to query Citrix Metaframe ICA server to obtain

14
        a published list of applications.

15
      },

16
      'Author'         => [ 'aushack' ],

17
      'References'     =>

18
        [

19
          [ 'URL', 'http://www.securiteam.com/exploits/5CP0B1F80S.html' ],

20
        ]

21
    ))

22


23
    register_options(

24
      [

25
        Opt::RPORT(1604),

26
      ])

27
  end

28


29
  def autofilter

30
    false

31
  end

32


33
  def run

34
    connect_udp

35


36
    print_status("Attempting to contact Citrix ICA service...")

37


38
    client_connect =

39
      "\x20\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00" +

40
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

41


42
    # Server hello response

43
    server_response =

44
      "\x30\x00\x02\x31\x02\xfd\xa8\xe3\x02\x00\x06\x44"

45


46
    udp_sock.put(client_connect)

47
    res = udp_sock.get(3)

48


49
    if (res[0,server_response.length] == server_response)

50
      print_status("Citrix MetaFrame ICA server detected. Requesting Published Applications list...")

51


52
      find_published =

53
        "\x2a\x00\x01\x32\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00" +

54
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x21\x00\x02\x00" +

55
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

56
      server_list_pre =

57
        "\xea\x00\x04\x33\x02\xfd\xa8\xe3\x02\x00\x06\x44\xac\x1f\x03\x1f" +

58
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00" +

59
        "\x0b\x00\x28\x00\x00\x00\x00\x00"

60


61
      udp_sock.put(find_published)

62
      res = udp_sock.get(3)

63


64
      if (res.index(server_list_pre) == 0) # good packet, with following data

65
        print_status("Citrix Applications Reported:\r\n" + res[server_list_pre.length,res.length].gsub("\x00","\r\n"))

66
      end

67
    else

68
      print_error("Citrix did not report any Published Applications. Try the brute force module instead.")

69
    end

70


71
    disconnect_udp

72
  end

73
end

74


75