Unauthenticated RCE in Citrix NetScaler ADC and NetScaler Gateway
CVE-2023-3519 is a critical unauthenticated remote code execution vulnerability affecting customer-managed Citrix NetScaler ADC and NetScaler Gateway appliances when configured as a Gateway or AAA virtual server, including VPN virtual server, ICA proxy, CVPN, and RDP proxy deployments. Multiple sources describe the flaw as allowing an unauthenticated attacker to trigger a stack buffer overflow in the NSPPE process via a crafted HTTP GET request, leading to memory corruption and arbitrary code execution. The vulnerability was exploited as a zero-day in June 2023. Post-exploitation reporting shows attackers using the flaw to implant webshells, upload ELF/setuid binaries, access NetScaler configuration files and decryption keys, and pivot into internal environments. Citrix released fixes on July 18, 2023.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
Repository contains a single Python exploit script (CVE-2023-3519.py) and a short README.

Core exploit behavior:
- Builds a malicious HTTP GET request to the Citrix endpoint /gwtest/formssso with parameters event=start and an overlong 'target' value.
- The 'target' parameter is constructed as: 168 bytes of padding ('A' * 168) + a hardcoded return/gadget address (jmp_esp = 0x6d8c62, packed with pwntools p64) + URL-encoded shellcode bytes.
- Writes the full HTTP request to a local file (payload.tmp) and sends it to the target over SSL on port 443 using a shell call to ncat.

Payload/capabilities:
- The embedded shellcode is msfvenom-generated (bsd/x64/exec) and executes /var/python/bin/python to run an os.system() command.
- That command drops a PHP reverse-shell style script to /var/netscaler/logon/rce.php which connects back to a hardcoded attacker IP/port (192.168.232.128:4444) and spawns an interactive shell using /var/netscaler/logon/sh -i.
- It also copies /bin/sh to /var/netscaler/logon/sh and sets the SUID bit (chmod +s), providing persistence/privileged shell access.

Notable implementation details:
- The script URL-encodes shellcode bytes below 0xA0 to fit into the HTTP request.
- It relies on external tooling (ncat) rather than Python sockets for delivery.
- The hardcoded gadget address suggests the exploit may be build/firmware dependent and may require adjustment for different target versions/builds.

Overall purpose:
- Operational RCE exploit for CVE-2023-3519 (Citrix NetScaler ADC/Gateway), delivering a reverse shell/persistence payload via a stack overflow triggered through an HTTPS request.
This repository contains a single Python script (poc.py) that exploits CVE-2023-3519, a remote code execution vulnerability in Citrix ADC/Gateway appliances. The script allows an attacker to execute arbitrary shell commands on a vulnerable Citrix device by sending a specially crafted HTTPS request to the /gwtest/formssso endpoint. The exploit first fingerprints the target by requesting /logon/LogonPoint/init.js to extract the Last-Modified header, which is used to determine the target's version and select the appropriate payload offsets. The attacker can specify a single target IP or a file containing multiple targets, as well as the command to execute. The result of the command can be written to a file on the target (e.g., /var/netscaler/logon/b.txt). The script uses multi-threading for scanning multiple targets and disables SSL verification for requests. The exploit is operational and requires the attacker to provide the command to execute, making it flexible but not fully weaponized. No hardcoded C2 or callback infrastructure is present; the exploit is a direct RCE tool for Citrix ADC/Gateway appliances.
This repository contains a working exploit for CVE-2023-3519, a remote code execution vulnerability in Citrix ADC (NetScaler) appliances (specifically version 13.1-48.47, but adaptable to others). The main exploit script (cve-2023-3519.py) crafts and sends a malicious HTTPS request to the target's /gwtest/formssso endpoint, exploiting a buffer overflow to execute custom shellcode. The shellcode, generated via mkshellcode.py (using NASM), downloads and executes a shell script payload from an attacker-controlled HTTP(S) server. Upon successful exploitation, the shellcode creates a persistent PHP backdoor at /var/netscaler/logon/a.php and sets the SUID bit on /bin/sh for privilege escalation. The included 'sh' script demonstrates a payload that runs 'id' and 'uname -a', then cleans up the backdoor and resets permissions. The exploit requires knowledge of certain memory offsets, which are hardcoded for the tested version but can be adapted for others. The repository is structured with clear separation between the exploit logic, shellcode generation, and example payloads, and is intended for offensive security research and red teaming.
This repository provides a fully functional exploit for CVE-2023-3519, a critical remote code execution vulnerability in Citrix ADC (NetScaler) appliances (notably version 13.1-48.47, FreeBSD-based). The repository contains two main exploit scripts (exploit.py and exploit2.py), a shellcode generator (mkshellcode.py), a custom OpenSSL configuration, and a requirements.txt for dependencies. The exploit works by sending a specially crafted payload to the vulnerable Citrix ADC endpoint (/gwtest/formssso?event=start&target=...), exploiting the vulnerability to execute arbitrary code. The payload is custom shellcode (generated via mkshellcode.py) that writes a PHP webshell to the target system (either /var/netscaler/logon/a.php, /var/netscaler/logon/b.php, or /vpn/theme/x.php) and sets the SUID bit on /bin/sh for privilege escalation. The webshell allows the attacker to execute arbitrary commands remotely via HTTP requests. The exploit scripts support both single-target and mass-scanning modes, with multithreading for efficiency. They also feature automatic callback URL generation using the fars.ee short-link service, which is used to deliver or retrieve command output. The README provides detailed usage instructions, prerequisites (including NASM for shellcode assembly), and notes on adapting the exploit for other Citrix/FreeBSD versions. Overall, this repository is a mature, operational exploit with real-world impact, capable of granting remote code execution and root shell access on vulnerable Citrix ADC appliances.
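A defender-side check for the request shape and post-exploitation artefacts that these four summaries describe, written as an added example (not code from the page or from any of the repositories above); it assumes combined-log-format access logs, and the 128-byte length threshold is an assumption rather than a Citrix-published limit:

```python
# Added detection example; not code from the page or the repositories it summarises.
# scan_log() flags GET /gwtest/formssso requests whose 'target' is overlong or holds
# percent-encoded non-printable bytes (the trigger shape described above), and
# host_findings() flags the post-exploitation artefacts the summaries name. Assumed:
# combined-log-format input; the length threshold is not a Citrix-published limit.
import re, stat
from urllib.parse import urlsplit, unquote_to_bytes

REQ_RE = re.compile(r'"GET (?P<url>\S+) HTTP/[\d.]+"')
TARGET_LEN_THRESHOLD = 128   # assumed: legitimate SSO targets are short URLs
WEBSHELL_DIRS = ("/var/netscaler/logon/", "/vpn/theme/")
SUID_SHELLS = ("/bin/sh", "/var/netscaler/logon/sh")

def analyze_request(url):
    """Return the reasons a /gwtest/formssso URL looks like an overflow attempt."""
    parts = urlsplit(url)
    if parts.path != "/gwtest/formssso":
        return []
    params = dict(kv.split("=", 1) for kv in parts.query.split("&") if "=" in kv)
    raw = unquote_to_bytes(params.get("target", ""))  # decode to bytes, not str
    reasons = []
    if len(raw) > TARGET_LEN_THRESHOLD:
        reasons.append(f"target length {len(raw)} exceeds {TARGET_LEN_THRESHOLD}")
    if any(b < 0x20 or b > 0x7E for b in raw):
        reasons.append("target contains non-printable bytes")
    return reasons

def scan_log(lines):
    """Return (source_ip, reasons) for each suspicious formssso request."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if m and (reasons := analyze_request(m.group("url"))):
            hits.append((line.split()[0], reasons))
    return hits

def host_findings(files):
    """files: iterable of (path, st_mode) pairs, e.g. from os.lstat; returns flagged paths."""
    flagged = []
    for path, mode in files:
        if path.startswith(WEBSHELL_DIRS) and path.endswith(".php"):
            flagged.append((path, "unexpected PHP file under a web-served directory"))
        if path in SUID_SHELLS and mode & stat.S_ISUID:
            flagged.append((path, "setuid bit set on shell binary"))
    return flagged

SAMPLE_LOG = [  # constructed sample, not real traffic: one benign request, one overlong
    '10.0.0.5 - - [18/Jul/2023:10:00:00 +0000] "GET /gwtest/formssso?event=start&target=https%3A%2F%2Fintranet.example HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Jul/2023:10:00:07 +0000] "GET /gwtest/formssso?event=start&target=' + "A" * 200 + '%90%ff%fe%01 HTTP/1.1" 500 0',
]
```

Run scan_log(SAMPLE_LOG) against the constructed lines and only the second request is reported; feed host_findings() the output of a directory walk over /var/netscaler/logon and /vpn/theme plus the mode of /bin/sh for the assume-compromise check.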
Recent activity
41 sources tracked across advisories, community write-ups, and news.
A Citrix ADC vulnerability used by Pioneer Kitten to establish pre-positioned access on edge devices before disruptive operations.
A Citrix ADC vulnerability involving a SAML processing overflow that can lead to memory corruption and potentially arbitrary code execution, privilege escalation, or service disruption.
A critical remote code execution vulnerability in Citrix ADC / Citrix Gateway (NetScaler) appliances used for initial access in a suspected Salt Typhoon campaign, followed by internal pivoting and backdoor deployment.
A critical remote code execution vulnerability affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway (NetScaler Gateway) appliances, used for initial access in a suspected Salt Typhoon campaign that deployed the SnappyBee/Deed RAT backdoor.