# Citrix ADC RCE CVE-2023-3519 Exploit Guide
This document provides a comprehensive guide for the exploit targeting Citrix ADC RCE CVE-2023-3519. This vulnerability primarily impacts Citrix VPX 13.1-48.47, but it could potentially affect other versions as well.
## Table of Contents
1. Overview
2. Prerequisites
3. Usage
   - Command Line Options
   - Exploit Procedure
   - Automatic Callback URL Generation
4. Shellcode Artifacts
5. Adapting for Other Versions
6. Disclaimer
## 1. Overview
This exploit leverages a remote code execution vulnerability in Citrix ADC. For a detailed analysis and writeup of the vulnerability, refer to the article by Bishop Fox: [Analysis & Exploitation of CVE-2023-3519](https://bishopfox.com/blog/analysis-exploitation-cve-2023-3519).
## 2. Prerequisites
Before you can use the exploit, make sure the NASM assembler is installed; it is required to build the shellcode:
```bash
$ sudo apt install nasm
```
## 3. Usage
### Command Line Options
To display the help menu and view the available options:
```bash
$ python3.10 exploit.py -h
```
The available options include:
- `--target TARGET`: Define the target. The format should be a URL or `ip:port`.
- `--file FILE`: Use a file that contains a list of targets, one per line.
- `--output OUTPUT`: Define an output file to save vulnerable targets.
- `--threads THREADS`: Specify the number of threads for concurrent scanning.
### Exploit Procedure
To initiate the exploit against a specific target:
```bash
OPENSSL_CONF=./openssl.cnf python3.10 exploit.py --target https://example.com
```
OR
```bash
OPENSSL_CONF=./openssl.cnf python3.10 exploit2.py --target https://example.com
```
### Automatic Callback URL Generation
The exploit script includes a feature to auto-generate a callback URL using a specific short-link service. While this is essential for the exploit process, users are urged to:
1. Maintain **privacy** by not disclosing or sharing the generated URL.
2. Limit the **usage** to avoid unintended consequences and potential service misuse.
## 4. Shellcode Artifacts
After successful exploitation, the shellcode leaves two artifacts on the appliance:
1. A PHP backdoor will be created at `/var/netscaler/logon/a.php`.
2. The SUID bit will be set on `/bin/sh`.
To automate the cleanup of these artifacts, use the provided `sh` payload. Note: the shellcode does not close its file descriptors, so running the exploit repeatedly against the same host may lead to resource exhaustion.
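For defenders, the two artifacts above double as compromise indicators. The following check is an added example, not part of the PoC; the paths are the ones named in this README, and the `root` argument is an assumption that lets the same check run against a mounted appliance image instead of the live filesystem.

```python
"""Compromise check for the post-exploitation artifacts named in this README.

Added example (not part of the PoC). Looks for the PHP backdoor and the SUID
bit on /bin/sh; `root` may point at a mounted ADC image rather than "/".
"""
import os
import stat
import sys
from typing import List

# Artifacts the README says the shellcode leaves behind.
BACKDOOR_PATH = "/var/netscaler/logon/a.php"
SUID_TARGET = "/bin/sh"


def findings_from_state(backdoor_exists: bool, sh_mode: int) -> List[str]:
    """Pure decision logic: turn observed filesystem state into findings.

    Kept separate from the filesystem access so it can be tested offline.
    """
    findings = []
    if backdoor_exists:
        findings.append(f"webshell present: {BACKDOOR_PATH}")
    if sh_mode & stat.S_ISUID:
        findings.append(
            f"SUID bit set on {SUID_TARGET} (mode {stat.S_IMODE(sh_mode):04o})"
        )
    return findings


def scan(root: str = "/") -> List[str]:
    """Inspect a live system or an image mounted at `root` for the artifacts."""
    backdoor = os.path.join(root, BACKDOOR_PATH.lstrip("/"))
    sh = os.path.join(root, SUID_TARGET.lstrip("/"))
    # lstat so a symlinked /bin/sh is not followed off the image being examined.
    sh_mode = os.lstat(sh).st_mode if os.path.lexists(sh) else 0
    return findings_from_state(os.path.lexists(backdoor), sh_mode)


if __name__ == "__main__":
    target_root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for line in scan(target_root) or ["no artifacts from this README found"]:
        print(line)
```

A clean result only rules out these two artifacts; an attacker who ran the provided cleanup payload, or dropped a differently named webshell, would not be caught by this check.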
## 5. Adapting for Other Versions
To use this exploit against other FreeBSD-based Citrix versions, you need to:
1. Identify the offset of the saved return pointer.
2. Locate a `jmp rsp` ROP gadget or an equivalent.
3. Determine the jump address to prevent crashing.
These parameters are specified at the beginning of the `exploit.py` script. Some versions might also need an adjustment to the RBP value.
## 6. Disclaimer
This tool is intended for security research and testing. Unauthorized access to computer systems is illegal. Always obtain proper authorization before scanning or exploiting systems.