Citrix ADC RCE CVE-2023-3519
https://github.com/chocapikk/cve-2023-3519


# Citrix ADC RCE CVE-2023-3519 Exploit Guide

This document is a guide to the exploit for CVE-2023-3519, a remote code execution vulnerability in Citrix ADC. The vulnerability primarily affects Citrix VPX 13.1-48.47, but other versions may be affected as well.

## Table of Contents

1. Overview
2. Prerequisites
3. Usage
   - Command Line Options
   - Exploit Procedure
   - Automatic Callback URL Generation
4. Shellcode Artifacts
5. Adapting for Other Versions
6. Disclaimer

## 1. Overview

This exploit leverages a remote code execution vulnerability in Citrix ADC (CVE-2023-3519). For a detailed analysis and writeup of the vulnerability, refer to the article by Bishop Fox: [Analysis & Exploitation of CVE-2023-3519](https://bishopfox.com/blog/analysis-exploitation-cve-2023-3519).

## 2. Prerequisites

Before you can use the exploit, you must ensure the NASM tool is installed, which is required to build the shellcode:

```bash
$ sudo apt install nasm
```

## 3. Usage

### Command Line Options

To display the help menu and view the available options:

```bash
$ python3.10 exploit.py -h
```

The available options include:

- `--target TARGET`: Define the target. The format should be a URL or `ip:port`.
- `--file FILE`: Use a file that contains a list of targets, one per line.
- `--output OUTPUT`: Define an output file to save vulnerable targets.
- `--threads THREADS`: Specify the number of threads for concurrent scanning.

### Exploit Procedure

To initiate the exploit against a specific target:

```bash
OPENSSL_CONF=./openssl.cnf python3.10 exploit.py --target https://example.com
```

OR

```bash
OPENSSL_CONF=./openssl.cnf python3.10 exploit2.py --target https://example.com
```

### Automatic Callback URL Generation

The exploit script includes a feature to auto-generate a callback URL using a specific short-link service. While this is essential for the exploit process, users are urged to:

1. Maintain **privacy** by not disclosing or sharing the generated URL.
2. Limit the **usage** to avoid unintended consequences and potential service misuse.

## 4. Shellcode Artifacts

After a successful run, the shellcode leaves two artifacts on the appliance:

1. A PHP backdoor will be created at `/var/netscaler/logon/a.php`.
2. The SUID bit will be set on `/bin/sh`.

To automate the cleanup of these artifacts, use the provided `sh` payload. Note: The shellcode doesn't close its file descriptors. Running the exploit repeatedly might lead to resource exhaustion.
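From the defender's side, the two artifacts listed above are concrete indicators worth checking for on a Citrix appliance or on a mounted disk image of one. The following POSIX shell function is an added example written for this page; it is not part of the chocapikk repository and is not the cleanup payload the README refers to. The artifact paths come from the list above; the `ROOT` prefix argument is an assumption introduced here so the same check can be pointed at a mounted image or a constructed test tree instead of the live root filesystem.

```shell
#!/bin/sh
# Check a filesystem tree for the post-exploitation artifacts named in the
# README: the PHP file under /var/netscaler/logon/ and a SUID bit on /bin/sh.
# Added example for this page, not code from the exploit repository.
#
# Usage: check_artifacts [ROOT]
#   ROOT (hypothetical parameter, default "/") is a prefix such as a mounted
#   image, so the check never has to run on the live appliance itself.
# Prints one "FOUND ..." line per artifact; returns 0 when clean, 1 otherwise.

WEBSHELL_REL="var/netscaler/logon/a.php"   # path taken from the README
SHELL_REL="bin/sh"                         # binary the shellcode makes SUID

check_artifacts() {
    root="${1:-/}"
    root="${root%/}"       # strip a trailing slash so paths join cleanly
    found=0

    # Artifact 1: the dropped PHP backdoor. Any file at this path is a finding;
    # a legitimate appliance does not ship one there.
    webshell="$root/$WEBSHELL_REL"
    if [ -e "$webshell" ]; then
        echo "FOUND webshell: $webshell"
        found=1
    fi

    # Artifact 2: /bin/sh with the setuid bit set. -u tests that bit directly,
    # so this also catches a replaced binary as long as the bit is present.
    sh_bin="$root/$SHELL_REL"
    if [ -e "$sh_bin" ] && [ -u "$sh_bin" ]; then
        echo "FOUND suid shell: $sh_bin"
        found=1
    fi

    return "$found"
}

# Only run automatically when a root prefix is passed on the command line,
# so sourcing this file to reuse the function has no side effects.
if [ -n "${1:-}" ]; then
    check_artifacts "$1"
fi
```

A clean result only means these two specific artifacts are absent; because the README notes that the shellcode can be re-run and adapted, a real triage should also review the rest of the web root and the appliance's process and file-descriptor state rather than stopping at this check.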

## 5. Adapting for Other Versions

If you are looking to use this exploit on other FreeBSD-based Citrix versions, you need to:

1. Identify the offset of the saved return pointer.
2. Locate a `jmp rsp` ROP gadget or an equivalent.
3. Determine the jump address to prevent crashing.

These parameters are specified at the beginning of the `exploit.py` script. Some versions might also need an adjustment to the RBP value.

## 6. Disclaimer

This tool is intended for security research and testing. Unauthorized access to computer systems is illegal. Always obtain proper authorization before scanning or exploiting systems.