metasploit-gs/documentation/modules/exploit/linux/http/panos_readsessionvars.md
2018-05-05 15:48:44 -05:00

This module exploits a chain of vulnerabilities in Palo Alto Networks products running PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using an authentication bypass flaw to exploit an XML injection issue, which is then abused to create an arbitrary directory, and finally gains root code execution by exploiting a vulnerable cron script. This module uses an initial reverse TLS callback to stage arbitrary payloads on the target appliance.

Vulnerable Application

This exploit was specifically written against PAN-OS 7.1.0 running in a QEMU (KVM) virtual machine. This VM is not generally available, but the specific disk image used was PA-VM-KVM-7.1.0.qcow2.
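For asset triage, the version boundaries in the description can be checked against an appliance inventory. The following is an added example, not part of the module or its documentation; the host names are constructed, and treating branches the page does not name as "unknown" is an assumption made here rather than a vendor statement.

```python
import re

# Fixed maintenance release per branch, taken from the module description
# (versions prior to 6.1.19, 7.0.19, 7.1.14 and 8.0.6 are affected).
FIXED = {(6, 1): 19, (7, 0): 19, (7, 1): 14, (8, 0): 6}

# PAN-OS version strings look like "7.1.0" or "7.1.14-h2" (hotfix suffix).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?\s*$")


def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for one PAN-OS version string."""
    m = _VERSION_RE.match(version)
    if not m:
        return "unknown"  # unparseable string: needs manual review
    major, minor, maint = (int(m.group(i)) for i in (1, 2, 3))
    fixed_maint = FIXED.get((major, minor))
    if fixed_maint is None:
        # Assumption: a branch the page does not name is not guessed at.
        return "unknown"
    # A hotfix on a maintenance release below the fixed one stays affected.
    return "affected" if maint < fixed_maint else "fixed"


def triage(inventory):
    """Group host names by status, sorted for stable reporting."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        result[classify(version)].append(host)
    for hosts in result.values():
        hosts.sort()
    return result


# Constructed sample inventory (host name -> reported software version).
INVENTORY = {
    "fw-lab-01": "7.1.0",
    "fw-edge-02": "7.1.14-h2",
    "fw-dc-03": "8.0.5",
    "fw-dc-04": "8.0.6",
    "fw-old-05": "6.1.18",
    "fw-new-06": "8.1.2",
    "fw-odd-07": "unknown-build",
}

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```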

Verification Steps

  1. Start msfconsole
  2. use exploit/linux/http/panos_readsessionvars
  3. set RHOST [IP]
  4. exploit
  5. You should get a session (eventually)

Options

CBHOST The callback listener address if the default is not accurate (port forwarding, etc)

CBPORT The callback listener port