This module exploits a chain of vulnerabilities in Palo Alto Networks products running
PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using
an authentication bypass flaw to exploit an XML injection issue, which is then
abused to create an arbitrary directory, and finally gains root code execution by
exploiting a vulnerable cron script. This module uses an initial reverse TLS callback
to stage arbitrary payloads on the target appliance.

## Vulnerable Application

This exploit was specifically written against PAN-OS 7.1.0 running in a QEMU (KVM) virtual machine.
This VM is not generally available, but the specific disk image used was `PA-VM-KVM-7.1.0.qcow2`.
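
The affected range given in the description can be turned into an inventory check. The following is an added example, not part of the Metasploit module or its documentation; the `-hN` hotfix handling, the treatment of branches outside the four listed ones, and the sample hostnames are assumptions.

```ruby
# Added example, not part of the Metasploit module: triage PAN-OS versions
# against the first fixed releases named in the module description.
FIXED = {
  [6, 1] => [6, 1, 19],
  [7, 0] => [7, 0, 19],
  [7, 1] => [7, 1, 14],
  [8, 0] => [8, 0, 6]
}.freeze

# "7.1.14-h2" -> [7, 1, 14]. Assumption: a "-hN" hotfix suffix is a build on
# top of the named maintenance release, so it is ignored when comparing.
def parse_panos_version(str)
  m = /\A(\d+)\.(\d+)\.(\d+)(?:-h\d+)?\z/.match(str.to_s.strip)
  m && m.captures.map(&:to_i)
end

# Returns :affected, :not_affected, or :unknown (unparseable or unlisted branch).
def panos_status(str)
  ver = parse_panos_version(str)
  return :unknown unless ver

  branch = ver.first(2)
  fixed = FIXED[branch]
  return ((ver <=> fixed) < 0 ? :affected : :not_affected) if fixed
  # Assumption: branches older than 6.1 count as "prior to 6.1.19";
  # branches newer than 8.0 are not prior to any listed release.
  return :affected if (branch <=> FIXED.keys.min) < 0
  return :not_affected if (branch <=> FIXED.keys.max) > 0

  :unknown
end

# Map { host => version } to a report; upgrade_to is the minimum fixed
# release on the same branch, or nil when the page lists none for it.
def triage(inventory)
  inventory.map do |host, version|
    status = panos_status(version)
    fixed = FIXED[parse_panos_version(version)&.first(2)]
    { host: host, version: version, status: status,
      upgrade_to: status == :affected && fixed ? fixed.join('.') : nil }
  end
end

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
  'fw-lab-1' => '7.1.0', 'fw-edge-1' => '7.1.14-h2',
  'fw-dc-1' => '8.0.5', 'fw-old-1' => '6.0.12', 'fw-x' => 'unknown-build'
}.freeze

triage(SAMPLE).each { |r| puts r } if __FILE__ == $PROGRAM_NAME
```

Entries that come back `:unknown` need a manual check rather than being treated as safe.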

## Verification Steps

1. Start msfconsole
2. ```use exploit/linux/http/panos_readsessionvars```
4. ```set RHOST [IP]```
7. ```exploit```
8. You should get a session (eventually)

## Options

**CBHOST** The callback listener address if the default is not accurate (port forwarding, etc.)

**CBPORT** The callback listener port