Directory Traversal and RCE in Citrix ADC/Gateway
CVE-2019-19781 is a critical unauthenticated vulnerability in Citrix Application Delivery Controller (ADC), Citrix Gateway, and certain Citrix SD-WAN WANOP appliances. The issue was publicly described as a directory traversal flaw, but the exploit write-ups collected below show that exploitation leads to arbitrary remote code execution. In the described exploit chain, an attacker sends a crafted POST request to the Perl script newbm.pl with attacker-controlled title and desc parameters, while abusing the NSC_USER header to perform directory traversal and control the path of an XML file written on the appliance. Because the application writes unsanitized attacker-controlled data into that XML file, a second request causes the file to be parsed as a Perl Template Toolkit template, executing the injected system commands. The commands run in the context of the webserver user nobody. Affected versions include ADC/Gateway 10.5 before 10.5.70.12, 11.1 before 11.1.63.15, 12.0 before 12.0.63.13, 12.1 before 12.1.55.18, 13.0 before 13.0.47.24, and supported SD-WAN WANOP builds before 10.2.6b and 11.0.3b on specified models.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
7 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (13 hidden).
This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. 
Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.
This repository contains a Bash script exploit for CVE-2019-19781, a critical remote code execution vulnerability affecting Citrix Application Delivery Controller and Citrix Gateway devices. The exploit works by sending a crafted HTTP POST request to the vulnerable endpoint '/vpn/../vpns/portal/scripts/newbm.pl' on the target device, injecting a malicious template that executes an arbitrary shell command provided by the user. The output of the command is written to a file in '/netscaler/portal/templates/' and then retrieved via a subsequent HTTP GET request. The script takes two arguments: the IP address of the vulnerable Citrix device and the command to execute. The repository also includes a README with usage instructions and references. The exploit is operational and allows attackers to execute arbitrary commands on vulnerable Citrix devices over the network.
This repository contains a Python exploit script (CVE-2019-19781.py) and a detailed README for CVE-2019-19781, a critical remote code execution vulnerability in Citrix ADC (NetScaler) and Citrix Gateway appliances. The exploit script allows an unauthenticated attacker to execute arbitrary system commands on a vulnerable Citrix device by abusing a directory traversal and template injection flaw. The script works interactively: it prompts the user for commands, crafts a malicious POST request to the /vpn/../vpns/portal/scripts/newbm.pl endpoint to create a template containing the command, and then retrieves the output via a GET request to /vpns/portal/<random>.xml. The README provides background, affected product versions, detection tips, and references. The exploit is operational and demonstrates real-world impact, but is not part of a larger framework. No hardcoded IPs or domains are present; the target URL is supplied by the user at runtime.
This repository contains a working exploit for CVE-2019-19781, a critical remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway appliances. The exploit is implemented in a single Python script (CVE-2019-19781.py) and is accompanied by a detailed README.md with usage instructions and background information. The exploit works by abusing a directory traversal and template injection vulnerability. It uploads a malicious XML template to the target device via the '/vpn/../vpns/portal/scripts/newbm.pl' endpoint, using crafted HTTP headers and POST data. The template contains a payload that executes arbitrary system commands. The attacker then accesses the uploaded template via '/vpn/../vpns/portal/{cdl}.xml' to trigger command execution and retrieve the output. The script is interactive, allowing the user to specify commands to execute on the target. The README provides example requests, expected responses, and screenshots, as well as references for further reading. The exploit targets unpatched Citrix ADC and Gateway devices and requires network access to the device's web interface. No authentication is required for exploitation. Overall, this repository provides a fully operational exploit for remote code execution on vulnerable Citrix appliances, with clear instructions and a functional payload.
This repository contains a shell script exploit (shitrix.sh) for CVE-2019-19781, a critical path traversal and template injection vulnerability in Citrix ADC (NetScaler) appliances. The exploit works by sending crafted HTTP requests to the target device, exploiting the vulnerability to write a malicious template file and then execute arbitrary shell commands provided by the user. The script uses Python to generate random filenames and nonces, base64-encodes the user-supplied command, and injects it into the template. The README provides usage instructions, indicating that the script requires curl >= 7.42.0 and is invoked with the target, port, and command to execute. The exploit is operational, allowing for arbitrary command execution on vulnerable Citrix appliances. The main fingerprintable endpoints are the crafted HTTP paths used in the exploit, and the file path targeted for template injection. The repository is concise, containing only the exploit script and a README.
This repository provides two main Python scripts: 'citrixmash.py' and 'cve-2019-19781_scanner.py'. 'citrixmash.py' is a full exploit for CVE-2019-19781, a critical directory traversal vulnerability in Citrix ADC (NetScaler) devices. The exploit works in two stages: first, it uses a crafted POST request to the '/vpn/../vpns/portal/scripts/newbm.pl' endpoint to write a malicious XML template file to the target system. This template contains a payload that, when triggered, executes a Python-based reverse shell, connecting back to the attacker's listener. The second stage triggers the execution of this template, resulting in remote code execution on the Citrix device. The exploit leaves artifacts in '/var/tmp/netscaler/portal/templates/' and '/netscaler/portal/templates/'. 'cve-2019-19781_scanner.py' is a scanner script that checks if a target is still vulnerable to CVE-2019-19781 by attempting to access the 'smb.conf' file via a traversal path. It supports scanning single IPs, CIDR ranges, hostnames, and ASN lookups, and can import targets from a file. The scanner reports if the target is vulnerable or patched. The repository also includes a 'requirements.txt' for dependencies and a 'README.md' with detailed usage instructions and background information. The exploit is operational, providing a working reverse shell payload, and is intended for use against unpatched Citrix ADC (NetScaler) devices vulnerable to CVE-2019-19781.
This repository contains a Bash script exploit (CVE-2019-19781.sh) targeting Citrix Application Delivery Controller and Citrix Gateway devices vulnerable to CVE-2019-19781, a critical remote code execution vulnerability. The exploit works by sending a crafted HTTP POST request to the target's '/vpn/../vpns/portal/scripts/newbm.pl' endpoint, injecting a malicious template that executes an arbitrary command provided by the user. The output of the command is written to a file on the target device ('/netscaler/portal/templates/<FILENAME>.xml'), which is then retrieved via a subsequent HTTP GET request. The script is operational and allows attackers to execute arbitrary shell commands on vulnerable Citrix devices. The repository includes a README with usage instructions and references to official advisories. No detection or fake code is present; the exploit is functional and straightforward, requiring only the target's IP and a command to execute.
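The write-ups above all describe the same two request stages: a POST reaching /vpns/portal/scripts/newbm.pl through a "/vpn/../" traversal, then a GET of the planted .xml template under /vpns/portal/. The following detection pass over web-server access logs is an added example, not code from any of the listed repositories or from Mallory; it assumes combined-log-format lines (adjust LOG_RE for other layouts), and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Endpoints named in the exploit write-ups: the write stage (POST to newbm.pl
# reached via "/vpn/../") and the trigger stage (GET of the planted template).
WRITE_TARGET = "/vpns/portal/scripts/newbm.pl"
TRIGGER_RE = re.compile(r"^/vpns/portal/[^/]+\.xml$")

# Combined log format (assumption: adapt to your appliance's actual log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def resolve_path(raw_path):
    """URL-decode twice (catches %252e) and collapse './..' segments as the backend would.
    Returns (normalized_path, traversal_seen)."""
    decoded = unquote(unquote(raw_path)).split("?", 1)[0]
    out = []
    for seg in decoded.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg and seg != ".":
            out.append(seg)
    return "/" + "/".join(out), ".." in decoded.split("/")

def classify(line):
    """Return (category, client_ip, normalized_path), or None for a benign line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, traversed = resolve_path(m.group("path"))
    ip, method = m.group("ip"), m.group("method")
    if method == "POST" and path == WRITE_TARGET:
        return ("template-write", ip, path)
    if method == "GET" and TRIGGER_RE.match(path):
        return ("template-trigger", ip, path)
    if traversed and path.startswith("/vpns/"):
        return ("traversal-into-vpns", ip, path)  # also catches scanner-style probes
    return None

def scan(lines):
    """Classify every line, then list clients that completed the write-then-trigger chain."""
    findings = [f for f in map(classify, lines) if f]
    stages = {}
    for cat, ip, _ in findings:
        stages.setdefault(ip, set()).add(cat)
    chained = sorted(ip for ip, s in stages.items() if {"template-write", "template-trigger"} <= s)
    return findings, chained

# Constructed sample lines (not real traffic): full chain, one benign hit, one encoded probe.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2020:10:00:01 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jan/2020:10:00:03 +0000] "GET /vpn/../vpns/portal/abc123.xml HTTP/1.1" 200 87',
    '198.51.100.4 - - [12/Jan/2020:10:00:05 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048',
    '198.51.100.9 - - [12/Jan/2020:10:01:00 +0000] "GET /vpn/%252e%252e/vpns/portal/scripts/newbm.pl HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    findings, chained = scan(SAMPLE_LOG)
    for f in findings:
        print(*f)
    print("write+trigger chain from:", chained)
```

A client that appears in the chained list wrote and then triggered a template; treat the host as compromised and look for unexpected .xml files in /netscaler/portal/templates/ and /var/tmp/netscaler/portal/templates/, the artifact locations named above.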
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
55 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Citrix ADC vulnerability referenced as previously exploited in Iran-affiliated threat campaigns.
A widely known vulnerability referenced as an example of historical coverage in the EU Vulnerability Database (GCVE).
A remote code execution vulnerability affecting Citrix ADC and Citrix Gateway listed among the most exploited.
A historically significant Citrix NetScaler ADC/Gateway vulnerability widely favored by attackers, including state-sponsored groups and ransomware operators.