Silly admin, Citrix is for script kiddies
A hot, new module has landed in Metasploit Framework this week. It takes advantage of CVE-2019-19781, a directory traversal vulnerability in Citrix Application Delivery Controller (ADC) and Gateway. The exploit abuses unsanitized input within the URL structure of one of the API endpoints to reach directories outside the one the endpoint is meant to serve. Conveniently, one of the reachable directories houses executable code. I think you see where this is going. Thanks to mekhalleh for adding this one.
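From the defender's side, the class of bug described above (a URL path that is joined onto a base directory without being normalised first) is easy to spot in web-server access logs. The check below is an added example written for this post, not code from the Metasploit module or from Citrix: the endpoint prefix `/api/files` and the log lines are constructed placeholders, and the point is the general technique (percent-decode, normalise, then confirm the path still sits under the endpoint it was addressed to), which applies to any endpoint rather than only the Citrix one.

```python
import posixpath
import re
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in common log format (not real traffic).
# The "/api/files" endpoint is a hypothetical placeholder for a path-serving API.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.6 - - [13/Jan/2020:10:01:05 +0000] "GET /api/files/../../etc/passwd HTTP/1.1" 200 1024
10.0.0.7 - - [13/Jan/2020:10:01:09 +0000] "GET /api/files/%2e%2e/%2e%2e/config HTTP/1.1" 404 0
10.0.0.8 - - [13/Jan/2020:10:01:12 +0000] "GET /api/files/reports/2020/summary.pdf HTTP/1.1" 200 20480
10.0.0.9 - - [13/Jan/2020:10:01:15 +0000] "GET /api/files/a/../b HTTP/1.1" 200 10
"""

# Minimal common-log-format parser: client IP, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_traversal(target: str, prefix: str) -> bool:
    """Return True when a request addressed to `prefix` resolves outside it.

    The raw path must start with the endpoint prefix (otherwise the request is
    simply for a different resource, not a traversal).  The path is then
    percent-decoded twice, so both "%2e%2e" and double-encoded "%252e%252e"
    collapse to "..", and normalised with posixpath.normpath so that harmless
    segments such as "a/../b" stay inside the prefix while "../../etc/passwd"
    does not.
    """
    raw_path = urlsplit(target).path
    if not raw_path.startswith(prefix + "/"):
        return False
    decoded = unquote(unquote(raw_path))
    normalized = posixpath.normpath(decoded)
    return not normalized.startswith(prefix + "/")


def flag_traversal(log_text: str, prefix: str) -> List[Tuple[str, str, str]]:
    """Scan access-log text and return (ip, target, status) for each request
    whose decoded, normalised path escapes the given endpoint prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        if is_traversal(m["target"], prefix):
            hits.append((m["ip"], m["target"], m["status"]))
    return hits


if __name__ == "__main__":
    for ip, target, status in flag_traversal(SAMPLE_LOG, "/api/files"):
        print(f"traversal from {ip}: {target} -> HTTP {status}")
```

A status code of 200 on a flagged line is the one to triage first: it means the server actually served something from outside the endpoint's directory rather than rejecting the request. Matching on the literal string `..` alone would miss the percent-encoded variants and would false-positive on `a/../b`, which is why the check normalises before comparing.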
BlueKeeping up appearances
zerosum0x0 made a nice improvement to the BlueKeep RCE module that makes it much more reliable. He had the clever idea to send mouse movement events over the RDP connection periodically to prevent timeouts. This should improve the reliability of the module over slow connections or VPNs and reduce the chance of crashing the target.
Presenting your screen during a meeting or conference can be a pain. Luckily, projector manufacturers have come up with a solution. Even luckier, they included a bug that lets you execute remote code on those projectors to allow a “world class, next-level presentation full of synergy”. Community member jacob-baines has added a new module that takes advantage of this vulnerability to allow you to find a nice little hiding spot in a room where everyone is looking (or playing on their phones).
New year, new flags
If you haven’t heard, registration for the 3rd Annual(ish) Metasploit Capture The Flag competition is now live. Teams of all sizes are encouraged to come and test their mettle against the devious challenges that the Metasploit team has put together. There are lots of prizes and bragging rights to be had. There’s only room for 1,000 teams, so be sure to hurry over and register to secure your spot. Play starts on January 30th, 2020 at 12:00 PM EST and runs until 11:59 AM EST on February 3rd, 2020. Good luck and happy hunting!
New modules (5)
- Citrix ADC (NetScaler) Directory Traversal RCE by James Brytan, James Smith, Marisa Mack, Project Zero India, Rob Vinson, Sergey Pashevkin, Steven Laura, TrustedSec, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2019-19781
- Citrix ADC (NetScaler) Directory Traversal Scanner by Erik Wynter and altonjx, which checks for targets vulnerable to CVE-2019-19781
- Webmin password_change.cgi Backdoor by wvu and AkkuS, which exploits CVE-2019-15107
- Barco WePresent file_transfer.cgi Command Injection by Jacob Baines, which exploits CVE-2019-3929
- Plantronics Hub SpokesUpdateService Privilege Escalation by Markus Krell and bcoles, which exploits CVE-2019-15742
Enhancements and features
- PR #12779, Adding PrependSetuid support for ARMLE Targets by nstarke
- PR #12797, Add mouse-move keepalives for >30 second BlueKeep grooming, verbose progress by zerosum0x0
- PR #12804, Support osx in web_delivery by phra
- PR #12811, enhance print payload generate raw by L-codes
- PR #12812, update port processing for openvas by jmartin-r7
- PR #12785, fix telnet login with a / in it being parsed as a regex by h00die
- PR #12792, Check for nil response due to connection failure by bcoles
- PR #12799, Ignore SSL cert in python web_delivery by phra
- PR #12819, Twitter handle correction by wvu-r7
- PR #12820, prefer send_request_cgi over send_request_raw by wvu-r7
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from