Silly admin, Citrix is for script kiddies

A hot, new module has landed in Metasploit Framework this week. It takes advantage of CVE-2019-19781 which is a directory traversal vulnerability in Citrix Application Delivery Controller (ADC) and Gateway. This exploit takes advantage of unsanitized input within the URL structure of one of the API endpoints to access specified directories. Conveniently there is a directory available that houses executable code. I think you see where this is going. Thanks to mekhalleh for adding this one.

BlueKeeping up appearances

zerosum0x0 made a nice improvement to the BlueKeep RCE module that makes it much more reliable. He had the clever idea to send mouse movement events to the RDP connection periodically to prevent timeouts. This should help improve the reliability of the the module over slow connections or VPNs and reduce the chance of crashing the target.

Projecting insecurity

Presenting your screen during a meeting or conference can be a pain. Luckily, projector manufacturers have come up with a solution. Even luckier, they included a bug that lets you execute remote code on those projectors to allow a “world class, next-level presentation full of synergy”. Community member jacob-baines has added a new module that takes advantage of this vulnerability to allow you to find a nice little hiding spot in a room where everyone is looking (or playing on their phones).

New year, new flags

If you haven’t heard, registration for the 3rd Annual(ish) Metasploit Capture The Flag competition is now live. Teams of all sizes are encouraged to come and test their mettle against the devious challenges that the Metasploit team has put together. There are lots of prizes and bragging rights to be had. There’s only room for 1,000 teams, so be sure to hurry over and register to secure your spot. Play starts on January 30th, 2020 at 12:00 PM EST and runs until 11:59 AM EST on February 3rd, 2020. Good luck and happy hunting!

New modules (5)

Enhancements and features

Bugs fixed

  • PR #12785, fix telnet login with a / in it being parsed as a regex by h00die
  • PR #12792, Check for nil response due to connection failure by bcoles
  • PR #12799, Ignore SSL cert in python web_delivery by phra
  • PR #12819, Twitter handle correction by wvu-r7
  • PR#12820, prefer send_request_cgi over send_request_raw by wvu-r7

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub: