Privilege Escalation in Palo Alto Networks PAN-OS Management Web Interface

This repository contains a single main exploit tool, PanOsExploitMultitool.py, written in Python. The tool targets Palo Alto Networks PAN-OS devices vulnerable to CVE-2024-0012 and CVE-2024-9474, providing exploitation and post-exploitation capabilities. The script supports several commands: - 'check': Tests if a target is vulnerable. - 'shell': Exploits the target to obtain a reverse shell by chunking and writing a base64-encoded bash shell payload to a writable directory, then executing it to connect back to the attacker's listener. - 'dump': Retrieves and decrypts credentials from the target's configuration files using a known AES master key, and can also extract the full running configuration. - 'local': Decrypts credentials from a local XML config file, useful for offline analysis. - 'decrypt': Interactively decrypts encrypted credential strings using the public master key. The tool interacts with the PAN-OS management interface over HTTPS (default port 443), and uses file paths such as /var/tmp/ and /opt/pancfg/mgmt/saved-configs/ on the target device. It is operational and provides real exploitation and credential extraction capabilities, not just detection. The repository includes a README with detailed usage instructions and references, a requirements.txt for dependencies, and an Apache 2.0 license.

This repository is a Go-based Proof of Concept (PoC) exploit for two vulnerabilities in Palo Alto PAN-OS: CVE-2024-0012 and CVE-2024-9474. The main exploit logic resides in 'main.go', which provides two modes: scan mode and exploit mode. In scan mode, the tool checks a list of target URLs for unauthenticated access to a specific endpoint, indicating vulnerability. In exploit mode, it provides an interactive shell for the user to execute arbitrary commands on a single vulnerable target. The exploit works by sending a specially crafted POST request to '/php/utils/createRemoteAppwebSession.php/peppa.js.map' with a payload that writes the output of a shell command to a web-accessible file, which is then retrieved by the tool. The repository includes a README with detailed usage instructions, a Go module definition, and a single Go source file implementing the exploit. The exploit targets network-accessible PAN-OS devices and leverages unauthenticated HTTP endpoints to achieve command execution.

This repository contains a Python proof-of-concept exploit for CVE-2024-0012 (authentication bypass) and CVE-2024-9474 (command execution) affecting Palo Alto Networks PAN-OS. The main file, 'CVE-2024-0012_CVE-2024-9474_Exploit_Palo_Alto_PAN-OS_PoC.py', automates the exploitation process: it first checks if the target is vulnerable, extracts a PHP session ID, generates a double-base64-encoded bash reverse shell payload, and uploads it in chunks to the target using a vulnerable PHP endpoint. The script then reconstructs and decodes the payload on the target, writes it to a shell script, and executes it, resulting in a reverse shell connection to the attacker's listener. The exploit leverages specific HTTP endpoints on the target PAN-OS device and uses temporary files for payload assembly. The repository also includes a detailed README with usage instructions, vulnerability descriptions, and references. The exploit is operational and provides a working reverse shell if the target is vulnerable and properly configured.

This repository contains a Python exploit script (exploit_fw.py) targeting Palo Alto Networks PAN-OS devices vulnerable to CVE-2024-0012 and CVE-2024-9474. The exploit abuses a vulnerable PHP endpoint to inject a shell command (up to 19 characters) via a POST request, which writes the command output to a PHP file in a web-accessible directory on the target device. The script then retrieves the output by making a GET request to the created PHP file. The exploit requires the attacker to specify the target hostname and the command to execute. The README provides references to a blog post and social media for further context. The repository is structured simply, with one main exploit script and a README. The exploit is operational and demonstrates remote command execution, potentially allowing for further exploitation such as reverse shells.

This repository is a Go-based exploit tool targeting Palo Alto Networks PAN-OS, specifically for CVE-2024-9474 (and possibly CVE-2024-0012). The tool provides two main modes: a scan mode for batch testing multiple targets for authentication bypass, and an exploit mode that offers an interactive shell-like interface to execute arbitrary commands on a single target. The exploit works by sending a crafted POST request to a vulnerable endpoint, causing the target to execute arbitrary shell commands and write their output to a web-accessible file, which the tool then retrieves. The code is well-structured, with clear separation between scanning and exploitation logic, and uses several third-party Go libraries for argument parsing, progress bars, and colored output. The main entry point is 'main.go'. The tool is operational and provides real exploitation capabilities, not just detection. No hardcoded IPs or domains are present; the user supplies targets via command-line arguments or a file.