CitrixBleed

This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.

This repository contains a Python proof-of-concept exploit for CVE-2023-4966, a critical memory disclosure vulnerability in Citrix NetScaler (ADC) appliances configured as Gateways or AAA virtual servers. The main exploit script (exploit.py) allows an unauthenticated attacker to leak session tokens by sending a GET request with an oversized Host header to the /oauth/idp/.well-known/openid-configuration endpoint. The script parses the response for session tokens and can optionally test their validity by POSTing them as cookies to /logon/LogonPoint/Authentication/GetUserName, extracting associated usernames if successful. The exploit supports both single-target and multi-target modes, with output options and verbosity controls. The repository also includes an OpenSSL configuration file (openssl.cnf) to enable legacy renegotiation, and a requirements.txt file listing necessary Python dependencies. The README provides clear usage instructions and context about the vulnerability. This exploit is a functional proof-of-concept and does not include weaponized payloads, but demonstrates the ability to extract sensitive session information from vulnerable Citrix appliances.

This repository contains a Python exploit for CVE-2023-4966, a critical memory leak vulnerability in Citrix ADC (NetScaler) appliances. The main script, exploit.py, allows unauthenticated attackers to leak session tokens from vulnerable Citrix ADC instances by sending a GET request with an oversized Host header to the /oauth/idp/.well-known/openid-configuration endpoint. The script parses the leaked memory for session tokens, optionally tests their validity by sending them as cookies to the /logon/LogonPoint/Authentication/GetUserName endpoint, and can output results to a file. The exploit supports both single-target and multi-target modes, with options for verbose output and filtering for only valid session tokens. The repository also includes a minimal OpenSSL configuration file (openssl.cnf) to enable legacy renegotiation if required, and a requirements.txt for dependencies. The exploit is operational and provides a practical method for extracting sensitive session information from affected Citrix appliances.

This repository contains a Python exploit script (exploit.py) targeting CVE-2023-4966, a critical information disclosure vulnerability in Citrix Gateway and ADC devices. The exploit works by sending a GET request with an oversized Host header to the /oauth/idp/.well-known/openid-configuration endpoint on the target device, causing it to leak memory contents in the HTTP response. The script supports both single-target and mass exploitation modes, with results saved to a specified output file. The code uses concurrency to efficiently target multiple domains. The README provides usage instructions and credits. The requirements.txt lists necessary Python dependencies. The exploit is operational and can be used to extract sensitive information from vulnerable Citrix devices.

This repository contains a Python proof-of-concept exploit for CVE-2023-4966 (Citrix Bleed), targeting Citrix ADC and Gateway devices. The main file, 'citrix-bleed.py', adapts Assetnote's original exploit to support parallel scanning and improved error handling. The script allows the user to specify a single target or a file containing multiple targets. For each target, it sends a specially crafted HTTPS GET request to the '/oauth/idp/.well-known/openid-configuration' endpoint with an oversized Host header, exploiting the vulnerability to leak memory contents from the device. The exploit is network-based and does not require authentication. The repository is structured simply, with a README and the main exploit script. No hardcoded IPs or credentials are present; targets are supplied at runtime.