Unauthenticated RCE in Palo Alto PAN-OS GlobalProtect
CVE-2024-3400 is a critical vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS that can allow unauthenticated remote code execution as root on affected firewalls. Palo Alto describes the issue as a command injection vulnerability resulting from an arbitrary file creation flaw in specific PAN-OS versions and feature configurations. Supporting reporting further indicates that the exploit chain involves attacker-controlled arbitrary file creation via path traversal in the SESSID cookie, causing a file with a controlled name to be created under /var/log/pan/. A device telemetry-related cron task subsequently processes those filenames in a shell context, enabling command injection and eventual execution with root privileges. The vulnerability affected GlobalProtect Gateway, and later reporting indicated that GlobalProtect Portal was also vulnerable. Cloud NGFW, Panorama appliances, and Prisma Access were reported as not impacted.
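The traversal-in-SESSID pattern described above is something a defender can look for in proxy, WAF, or packet-capture records of requests to the GlobalProtect endpoints, since the cookie should only ever carry an opaque session token. The following Python detector is an added example, not code from this page or from any of the repositories listed on it. It assumes a record shape of method, path, and raw Cookie header, treats the two GlobalProtect endpoints named on this page as the watch list (that list is not exhaustive), assumes a legitimate SESSID is an alphanumeric token (the real token format is not documented here), and runs over constructed sample requests rather than real traffic. It decodes repeated percent-encoding before matching so that an encoded `../` is not missed.

```python
"""Flag GlobalProtect requests whose SESSID cookie carries path-traversal
sequences, the pattern CVE-2024-3400 reporting describes.
Added example; endpoint list, token alphabet, and samples are assumptions."""
import re
from urllib.parse import unquote

# GlobalProtect endpoints named on the page (assumption: not an exhaustive list).
GP_ENDPOINTS = ("/ssl-vpn/hipreport.esp", "/global-protect/login.esp")

# Assumption: a legitimate SESSID is an opaque token drawn from this alphabet.
LEGIT_SESSID = re.compile(r"^[A-Za-z0-9_\-=+]{0,256}$")

# '..' bounded by a path separator (or string boundary) on both sides.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so '%252e%252e%252f' is seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_cookies(header: str) -> dict:
    """Split a raw Cookie header into a name -> value dict (first '=' wins)."""
    cookies = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, _, val = part.strip().partition("=")
        cookies[name.strip()] = val.strip()
    return cookies


def inspect_request(method: str, path: str, cookie_header: str) -> dict:
    """Return a verdict for one request: which checks fired and why."""
    reasons = []
    on_gp = path.split("?", 1)[0] in GP_ENDPOINTS
    sessid = parse_cookies(cookie_header).get("SESSID")
    if sessid is not None:
        decoded = fully_decode(sessid)
        if TRAVERSAL.search(decoded):
            reasons.append("SESSID contains path traversal after decoding")
        elif not LEGIT_SESSID.match(decoded):
            reasons.append("SESSID is not an opaque token")
    return {
        "method": method,
        "path": path,
        "globalprotect_endpoint": on_gp,
        "suspicious": bool(reasons),
        # Traversal against a GlobalProtect endpoint deserves the loudest alert.
        "severity": "high" if (reasons and on_gp) else ("medium" if reasons else "none"),
        "reasons": reasons,
    }


# Constructed sample records (method, path, Cookie header); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/ssl-vpn/hipreport.esp", "SESSID=3f9c2a7be1d04c5a; lang=en"),
    ("POST", "/ssl-vpn/hipreport.esp", "SESSID=/../../../../tmp/constructed_marker"),
    ("GET", "/global-protect/login.esp", "SESSID=%2e%2e%2f%2e%2e%2ftmp%2fconstructed"),
    ("GET", "/global-protect/portal/css/login.css", "SESSID=abc123"),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Run every record through inspect_request and keep the suspicious ones."""
    return [r for r in (inspect_request(*req) for req in requests) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan():
        print(hit["severity"], hit["method"], hit["path"], "->", "; ".join(hit["reasons"]))
```

Two of the four constructed records are flagged: the literal `../` and its percent-encoded form, both at high severity because they target a GlobalProtect endpoint. Hits on the `LEGIT_SESSID` branch alone are weaker evidence and worth tuning against your own device's real token format before alerting on them.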
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
9 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (14 hidden).
This repository is a standalone Python exploit for CVE-2024-3400 targeting Palo Alto Networks PAN-OS devices. The repo is small and focused: README.md documents usage, requirements.txt lists dependencies, and exploit.py contains the full exploit logic. The script is not part of a larger framework.

Core capability: it performs multithreaded remote exploitation over HTTPS. For each supplied target, it normalizes the host to an https:// URL, sends a crafted POST request with a malicious Cookie header, and injects a bash command. The injected command copies /opt/pancfg/mgmt/saved-configs/running-config.xml to /var/appweb/sslvpndocs/global-protect/portal/css/cert.main.css, making the configuration retrievable via the web server. The command is base64-encoded and executed through bash -i in the header payload.

Operational flow: the script reads targets from a user-provided file, deduplicates them, and processes them concurrently with ThreadPoolExecutor. It logs possible successes to maybe_rce.log, then enters a confirmation phase where it repeatedly polls pending targets for up to 12 retries at 5-minute intervals. When the dropped file becomes accessible, it downloads the artifact into output/ using a filename derived from the target domain and records the target in confirmed_rce.log.

Notable implementation details: thread-safe file writes via a lock, disabled TLS verification warnings, rich-based console logging, graceful shutdown handling, and helper functions for domain extraction and file download.

Based on the visible code and README, this is a real exploit rather than a detector: it attempts command execution and artifact exfiltration, with a hardcoded payload intended to prove RCE and collect sensitive configuration data.
This repository contains a Python-based exploit for CVE-2024-3400, an OS command injection vulnerability. The main file, exploit.py, prompts the user for a target IP/host, a local host, and a port for a reverse shell. It generates a base64-encoded bash reverse shell payload and crafts a malicious POST request to the vulnerable endpoint '/ssl-vpn/hipreport.esp' on the target, injecting the payload via the SESSID cookie. If the target is vulnerable, the exploit establishes a reverse shell from the target to the attacker's machine, granting remote command execution. The repository structure is simple, consisting of a README.md describing the vulnerability and the exploit.py script implementing the attack. The exploit targets network-accessible systems and leverages a specific HTTPS endpoint and file path for exploitation.
This repository contains a proof-of-concept exploit for a path traversal and arbitrary file write vulnerability in Palo Alto Networks GlobalProtect SSL VPN. The exploit is documented in two files: README.md and exploit.txt, both of which provide step-by-step instructions for exploiting the vulnerability. The attack involves sending a crafted POST request to the /ssl-vpn/hipreport.esp endpoint with a specially crafted SESSID cookie that uses directory traversal to write a file (0xr2r.txt) to a web-accessible directory on the target device. The exploit demonstrates the ability to create files with root access, which can be verified by accessing the file via HTTPS and observing the change in HTTP response codes. No automated code is provided; the exploit is manual and consists of HTTP request templates. The repository is a clear proof-of-concept and does not include weaponized or automated exploitation scripts.
This repository contains a Bash proof-of-concept exploit for CVE-2024-3400, a file write vulnerability in Palo Alto Networks GlobalProtect VPN. The exploit script (gp-exploit.sh) automates the process of identifying vulnerable GlobalProtect instances and attempts to write an arbitrary file to the target system by exploiting a path traversal flaw. It uses the 'httpx' tool to send a POST request to the '/ssl-vpn/hipreport.esp' endpoint with a specially crafted Cookie header, aiming to write a file to '/var/appweb/sslvpndocs/global-protect/portal/images/'. The script then verifies the exploit by attempting to access the written file via the '/global-protect/portal/images/<file_name>' endpoint. The repository includes a README with usage instructions and guidance on gathering target URLs using Shodan and httpx. The exploit is intended for educational purposes and demonstrates the risk of arbitrary file write on exposed GlobalProtect VPN instances.
This repository contains a proof-of-concept (POC) exploit for CVE-2024-3400, an OS command injection vulnerability in Palo Alto Networks PAN-OS. The main file, 'main.py', is a Python script that automates the exploitation process by reading a list of target IP addresses from a user-supplied file. For each IP, it sends a crafted POST request to the '/ssl-vpn/hipreport.esp' endpoint with a malicious 'Cookie' header designed to exploit a path traversal vulnerability and create a file on the target system. It then checks for the presence of the file at '/global-protect/portal/images/poc.txt' to determine if the exploit was successful. The script prints the HTTP status codes of both requests to inform the user of the outcome. The repository is structured simply, with a README describing the exploit and usage, and a single Python script implementing the exploit logic. No weaponized payload is included; the script is intended for vulnerability verification and assessment.
This repository provides a weaponized exploit for CVE-2024-3400, a critical Remote Code Execution (RCE) vulnerability affecting certain Palo Alto Networks PAN-OS devices (notably those with GlobalProtect enabled). The exploit leverages a directory traversal flaw in the '/ssl-vpn/hipreport.esp' endpoint, abusing the 'SESSID' cookie to write files or execute arbitrary commands on the target device. The repository contains two main Python scripts:
- 'exploit.py': The primary exploit script, supporting both single-target exploitation (with reverse shell capability) and bulk scanning of multiple targets. In single-target mode, it attempts to open a reverse shell from the target device to the attacker's machine using a base64-encoded bash payload. In bulk mode, it identifies vulnerable devices without attempting exploitation.
- 'scanner_oob.py': A secondary script for out-of-band (OOB) detection, which triggers the vulnerability by making the target device perform a 'curl' to an attacker-controlled URL, useful for blind detection.
Other files include a sample OpenSSL configuration ('openssl.cnf'), a requirements file for Python dependencies, and a detailed README with usage instructions. The exploit is operational, providing both detection and weaponized exploitation capabilities, and is intended for use by authorized security professionals to test and validate the presence of CVE-2024-3400 on network-accessible Palo Alto devices.
This repository contains a proof-of-concept (PoC) exploit for CVE-2024-3400, targeting Palo Alto Networks GlobalProtect. The main exploit code is in 'Poc.py', a Python script that sends a crafted HTTPS GET request to the '/global-protect/login.esp' endpoint of a specified host. The exploit injects a malicious 'SESSID' cookie containing a payload that attempts to execute a base64-decoded bash command on the target system. The repository includes minimal supporting files (CODEOWNERS, README.md) and is structured as a simple PoC for remote code execution via a network attack vector. No hardcoded IPs or domains are present; the target is specified at runtime. The exploit demonstrates the vulnerability but does not provide a weaponized or fully automated attack chain.
This repository provides multiple proof-of-concept (POC) exploits and detection templates for CVE-2024-3400, a critical command injection vulnerability in Palo Alto Networks PAN-OS (GlobalProtect). The repository includes:
- A Bash script (CVE-2024-3400.sh) that tests for the vulnerability by creating a 0-byte file on the target system and verifying its existence, indicating a successful exploit.
- Two Nuclei YAML templates (CVE20243400.yaml and telemet.yaml) that automate detection and exploitation of the vulnerability by sending crafted HTTP POST requests to the /ssl-vpn/hipreport.esp endpoint. These templates leverage OS command injection via the SESSID cookie, allowing for exfiltration of system information to an attacker-controlled server (e.g., via interactsh or oast.fun domains).
- A Python script (fofax3r.py) that scrapes the FOFA search engine for potential vulnerable targets by extracting hostnames from search results.
- A README.md file that documents the vulnerability, usage instructions for each script/template, and references for further research.
The main exploit vector is unauthenticated network access to the /ssl-vpn/hipreport.esp endpoint on vulnerable PAN-OS devices, with exploitation achieved through path traversal and command injection in the SESSID cookie. The repository is structured to facilitate both exploitation and large-scale detection of vulnerable systems.
This repository contains a Python exploit script (exploit.py) targeting CVE-2024-3400, a command injection vulnerability in Palo Alto Networks PAN-OS firewalls with the GlobalProtect feature enabled. The exploit works by sending a crafted XML payload to the firewall's API endpoint (https://<target_ip>/api/), allowing unauthenticated attackers to execute arbitrary commands as root. The script supports both single-target and multi-target (CSV-driven) exploitation, with optional SSL certificate verification. The README.md provides detailed usage instructions, example payloads, and CSV formatting guidance. The exploit is operational, requiring the attacker to supply the target IP and desired command payload. The repository is structured simply, with one main Python script, a requirements.txt for dependencies, and a comprehensive README.md.
Recent activity
91 sources tracked across advisories, community write-ups, and news.
Critical unauthenticated PAN-OS vulnerability affecting GlobalProtect that enables arbitrary file creation via path traversal and leads to root command injection / RCE.
An OS command injection vulnerability affecting Palo Alto Networks GlobalProtect/PAN-OS that attackers attempted to exploit to gain unauthorized access and execute commands.
A specific vulnerability referenced only as a prior case where Python .pth abuse was observed during exploitation.
A PAN-OS vulnerability explicitly cited as integrated into the RedTail campaign for exploitation and initial access.