rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/gather/citrix_published_applications.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
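# Auxiliary module that asks a Citrix MetaFrame ICA service, over UDP, for its
# list of published applications and prints the names it gets back.
#
# The exchange in #run consists of fixed probe packets and carries no
# credentials, so any host able to reach the service port receives the same
# answer; limiting who can reach that port limits who can read the list.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp

  # Registers the module metadata and its single option, RPORT, which
  # defaults to UDP port 1604.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Citrix MetaFrame ICA Published Applications Scanner',
        'Description' => %q{
          This module attempts to query Citrix Metaframe ICA server to obtain
          a published list of applications.
        },
        'Author' => [ 'aushack' ],
        'References' => [
          [ 'URL', 'http://www.securiteam.com/exploits/5CP0B1F80S.html' ],
        ],
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(1604),
      ]
    )
  end

  # Always returns false.
  # NOTE(review): presumably this opts the module out of the framework's
  # automated target selection — confirm against the framework.
  #
  # @return [Boolean] false
  def autofilter
    false
  end

  # Sends the ICA client hello, checks that the reply starts with the expected
  # server hello, then requests the published-application list and prints it
  # with NUL separators turned into line breaks.
  #
  # The UDP socket is released in an `ensure` clause so it is closed even when
  # an exception interrupts the exchange.
  def run
    connect_udp

    print_status("Attempting to contact Citrix ICA service...")

    client_connect =
      "\x20\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00" +
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

    # Server hello response
    server_response =
      "\x30\x00\x02\x31\x02\xfd\xa8\xe3\x02\x00\x06\x44"

    udp_sock.put(client_connect)
    # NOTE(review): what `get` returns when nothing arrives is not visible
    # here; to_s turns a nil into an empty string so the slices below are safe.
    res = udp_sock.get(3).to_s

    # No matching hello means no ICA service answered; report that rather
    # than claiming an empty application list.
    unless res[0, server_response.length] == server_response
      print_error("No Citrix MetaFrame ICA server response received.")
      return
    end

    print_status("Citrix MetaFrame ICA server detected. Requesting Published Applications list...")

    find_published =
      "\x2a\x00\x01\x32\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00" +
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x21\x00\x02\x00" +
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    # Prefix expected at the start of a reply that carries the list.
    server_list_pre =
      "\xea\x00\x04\x33\x02\xfd\xa8\xe3\x02\x00\x06\x44\xac\x1f\x03\x1f" +
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00" +
      "\x0b\x00\x28\x00\x00\x00\x00\x00"

    udp_sock.put(find_published)
    res = udp_sock.get(3).to_s

    if res[0, server_list_pre.length] == server_list_pre # good packet, with following data
      app_list = res[server_list_pre.length..-1].gsub("\x00", "\r\n")
      print_status("Citrix Applications Reported:\r\n" + app_list)
    else
      # The server answered the hello but sent no list: say so instead of
      # finishing silently.
      print_error("Citrix did not report any Published Applications. Try the brute force module instead.")
    end
  ensure
    disconnect_udp
  end
end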