Thursday, June 23, 2011

Restricted Citrix Excel Application Escapes


SynJunkie has a couple of good posts on Citrix escapes:

http://synjunkie.blogspot.com/search/label/Citrix

and of course iKat

http://ikat.ha.cked.net/

So recently I had to break out of a restricted Citrix environment. All I had was Excel 2010 and Word 2010.

I also didn't have a fancy "jump to url" option when I clicked on the title bar, and none of the hot keys were working for me. So the goal was to get a web browser or a cmd shell.

I was able to create macros though. So first I added the Developer ribbon.


Click the Visual Basic button, and paste in some sweet macro code.



Then you save the file as a macro-enabled workbook.


Once it's saved, you can hit the macro button and run your macro.



and get shell


** To be clear, all of this is running remotely on the Citrix host. **

The macro code

Sub GETSHELL()
'execute EXE file
Shell "CMD /K C:\windows\system32\cmd.exe", vbNormalFocus
End Sub

You could also just type a URL into Excel...


and click it. But that's pretty low tech and not much fun :-)

Again, this IE browser is running remotely on the Citrix host. From here you can client-side exploit yourself (i.e. a Java applet exploit) to get your outbound shell.

CG
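
A detection-side view of the escapes above, as an added example that is not part of the original post: it flags process-creation events in which Excel or Word is the parent of cmd.exe or Internet Explorer. The event records are constructed, the field names follow Sysmon Event ID 1, and it assumes the browser is started as a direct child of Excel; matching on the file name only means a system root other than C:\ is still caught.

```python
import ntpath

# Office hosts published in the restricted session (from the post: Excel and Word).
OFFICE_PARENTS = {"excel.exe", "winword.exe"}
# Children the post reaches from Office: a command shell and Internet Explorer.
ESCAPE_CHILDREN = {"cmd.exe": "command shell", "iexplore.exe": "web browser"}

def basename(image_path):
    """Lower-cased file name of a Windows path, independent of drive or root."""
    return ntpath.basename(image_path.strip('"')).lower()

def find_escapes(events):
    """Return alerts for Office processes that spawned a shell or browser."""
    alerts = []
    for ev in events:
        parent = basename(ev["ParentImage"])
        child = basename(ev["Image"])
        if parent in OFFICE_PARENTS and child in ESCAPE_CHILDREN:
            alerts.append({
                "user": ev["User"],
                "parent": parent,
                "child": child,
                "kind": ESCAPE_CHILDREN[child],
                "command_line": ev["CommandLine"],
            })
    return alerts

# Constructed process-creation events (not captured from a real host).
SAMPLE_EVENTS = [
    {"User": "LAB\\ctxuser1", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE",
     "CommandLine": "CMD /K C:\\windows\\system32\\cmd.exe"},
    {"User": "LAB\\ctxuser1", "Image": "D:\\WINNT\\system32\\cmd.exe",
     "ParentImage": "D:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE",
     "CommandLine": "\"D:\\WINNT\\system32\\cmd.exe\""},
    {"User": "LAB\\ctxuser2", "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE",
     "CommandLine": "iexplore.exe http://example.invalid/"},
    {"User": "LAB\\ctxuser3", "Image": "C:\\Windows\\splwow64.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE",
     "CommandLine": "C:\\Windows\\splwow64.exe 8192"},
]

if __name__ == "__main__":
    for alert in find_escapes(SAMPLE_EVENTS):
        print("{user}: {parent} spawned {child} ({kind}): {command_line}".format(**alert))
```

The same parent/child rule also covers the File Open route mentioned in the comments, since cmd.exe is still launched from the Office process.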

3 comments:

CG said...

ET hit me up on Twitter and said you can skip all the macro nonsense and just File Open-->navigate to windows\system32\cmd.exe-->right click-->open as well

CG said...

Also, you can use %systemroot% if for some reason the root drive isn't "C:\"

Anonymous said...

Were you able to escalate to system from the shell?