Citrix NetScaler ADC/Gateway SAML IdP Memory Overread

This repository is a multi-script Python exploit toolkit for CVE-2026-3055, described as a Citrix NetScaler ADC / Gateway memory overread affecting systems configured as a SAML IdP. It is not tied to a known exploitation framework; instead it is a standalone repository with one main exploit and three supporting utilities. Repository structure: the main operational file is exploit.py, which performs vulnerability checking, repeated triggering of the vulnerable endpoint, decoding of the NSC_TASS cookie, extraction of sensitive data from leaked memory, optional session harvesting, and report generation. detectors/vulnerability_checker.py is a lighter-weight detector that only checks whether the target appears vulnerable by requesting /wsfed/passive?wctx and inspecting the returned NSC_TASS cookie. memory_leaker.py is a continuous polling tool that repeatedly hits the same endpoint and prints likely session IDs or cookies found in decoded memory. session_harvester.py is a focused post-exploitation helper that repeatedly collects leaked data, extracts candidate session IDs with regexes, saves them to JSON, and can test a supplied session by replaying it as NSC_TASS and NSC_AAAC against /vpn/index.html. The remaining files are documentation, usage examples, and requirements. Exploit capability: the code performs unauthenticated network/web requests to the target appliance, specifically to /wsfed/passive?wctx, and treats the NSC_TASS cookie as the memory disclosure channel. It base64-decodes the cookie, checks for unusually large decoded content as a sign of vulnerability, and searches leaked memory for session-like strings, cookie material, and other sensitive data. The toolkit is clearly intended to support session theft and administrative session hijacking rather than code execution. The session_harvester component extends this by storing unique sessions and testing whether replayed cookies yield access to /vpn/index.html. Notable observables: the primary fingerprintable target path is /wsfed/passive?wctx, used in all exploit components. A secondary path, /vpn/index.html, is used to validate harvested sessions. Cookie names NSC_TASS, NSC_TEMP, and NSC_AAAC are central to the logic. Example output files include harvested_sessions.json, sessions.json, and report.json. The code disables TLS certificate verification globally for requests sessions. Assessment: this is a real exploit-oriented repository, not just a detector, because it automates repeated triggering of the bug, extracts sensitive data from leaked memory, and includes session replay/testing logic for hijacking. It is best classified as OPERATIONAL rather than WEAPONIZED because the payload is fixed to this vulnerability and target workflow, but it provides practical post-exploitation utility.