Authentication Bypass in Palo Alto Networks PAN-OS Management Web Interface

This repository contains a single main exploit tool, PanOsExploitMultitool.py, written in Python. The tool targets Palo Alto Networks PAN-OS devices vulnerable to CVE-2024-0012 and CVE-2024-9474, providing exploitation and post-exploitation capabilities. The script supports several commands: - 'check': Tests if a target is vulnerable. - 'shell': Exploits the target to obtain a reverse shell by chunking and writing a base64-encoded bash shell payload to a writable directory, then executing it to connect back to the attacker's listener. - 'dump': Retrieves and decrypts credentials from the target's configuration files using a known AES master key, and can also extract the full running configuration. - 'local': Decrypts credentials from a local XML config file, useful for offline analysis. - 'decrypt': Interactively decrypts encrypted credential strings using the public master key. The tool interacts with the PAN-OS management interface over HTTPS (default port 443), and uses file paths such as /var/tmp/ and /opt/pancfg/mgmt/saved-configs/ on the target device. It is operational and provides real exploitation and credential extraction capabilities, not just detection. The repository includes a README with detailed usage instructions and references, a requirements.txt for dependencies, and an Apache 2.0 license.

This repository contains a Python GUI exploit tool targeting Palo Alto Networks PAN-OS vulnerabilities CVE-2024-0012 (authentication bypass) and CVE-2024-9474 (authenticated command injection) in the management web interface. The main file, 'cve-2024-0012-gui.py', provides a PyQt5-based interface allowing the user to specify a target URL, command to execute, SSL verification, and request timeout. The exploit works by sending a crafted POST request to '/php/utils/createRemoteAppwebSession.php/cve.js.map' with a malicious 'user' parameter that injects a shell command. The output of the command is written to '/var/appweb/htdocs/unauth/cve.php', which is then accessed via HTTP to verify execution and retrieve the result. The tool automates the full exploit chain, including session creation, command execution, and output retrieval, and is operational with customizable command input. The README provides context and credits but no additional code.

This repository contains a Python proof-of-concept exploit for CVE-2024-0012 (authentication bypass) and CVE-2024-9474 (command execution) affecting Palo Alto Networks PAN-OS. The main file, 'CVE-2024-0012_CVE-2024-9474_Exploit_Palo_Alto_PAN-OS_PoC.py', automates the exploitation process: it first checks if the target is vulnerable, extracts a PHP session ID, generates a double-base64-encoded bash reverse shell payload, and uploads it in chunks to the target using a vulnerable PHP endpoint. The script then reconstructs and decodes the payload on the target, writes it to a shell script, and executes it, resulting in a reverse shell connection to the attacker's listener. The exploit leverages specific HTTP endpoints on the target PAN-OS device and uses temporary files for payload assembly. The repository also includes a detailed README with usage instructions, vulnerability descriptions, and references. The exploit is operational and provides a working reverse shell if the target is vulnerable and properly configured.

This repository contains a Python exploit script (cve-2024-0012.py) targeting CVE-2024-0012, an authentication bypass vulnerability in Palo Alto Networks PAN-OS. The exploit allows an unauthenticated attacker with network access to the management web interface to execute arbitrary commands as an administrator. The script supports both arbitrary command execution and deploying a reverse shell to the attacker's machine. It works by sending crafted HTTP requests to specific endpoints on the target PAN-OS device, exploiting the authentication bypass to inject commands. The repository consists of a single exploit script and a README with usage instructions. The exploit is operational, providing real command execution and reverse shell capabilities, and is not part of a larger framework.

This repository contains a Python proof-of-concept exploit for CVE-2024-0012, targeting Palo Alto Networks PAN-OS. The exploit leverages a command injection vulnerability via a crafted POST request to a specific endpoint. The payload executes 'netstat -ano' on the target and writes the output to a web-accessible file, which is then retrieved to confirm successful code execution. The script supports both single and batch URL testing via command-line arguments. The main code file is 'CVE-2024-0012', and the repository also includes a README with usage instructions. The exploit demonstrates operational maturity, as it provides a working payload and automates the exploitation process, but does not include advanced features such as a customizable shell. The attack vector is network-based, requiring HTTP access to the target endpoints. Several fingerprintable endpoints and a file path are hardcoded in the exploit, which are indicative of the targeted application structure.

This repository contains a Python proof-of-concept exploit for CVE-2024-0012, a command injection vulnerability in Palo Alto Networks PAN-OS. The repository consists of a README.md with usage instructions and a single exploit script (cve-2024-0012-pan-os-poc.py). The script targets a PAN-OS device by sending a crafted POST request to '/php/utils/createRemoteAppwebSession.php/watchTowr.js.map' with a command injection payload that writes the output of 'uname -a' to '/var/appweb/htdocs/unauth/watchTowr.php'. It then triggers the execution and verifies exploitation by retrieving the output file via '/unauth/watchTowr.php'. The exploit demonstrates successful command execution but does not provide a weaponized or customizable payload. The main attack vector is network-based, requiring HTTP(S) access to the target device. The endpoints used in the exploit are clearly defined in the script.