Palo Alto PAN-OS User-ID Authentication Portal Buffer Overflow RCE
CVE-2026-0300 is a critical out-of-bounds write / buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS, also referred to as the Captive Portal. By sending specially crafted packets to the vulnerable portal, an unauthenticated remote attacker can trigger memory corruption and achieve arbitrary code execution with root privileges on affected PA-Series and VM-Series firewalls. Public reporting and vendor-linked summaries indicate the vulnerable component is exposed through the User-ID Authentication Portal service and that exploitation has been observed in the wild, including post-exploitation shellcode injection into an nginx worker process. Prisma Access, Cloud NGFW, and Panorama are reported as not affected.
Impact, mitigation & remediation
What it means. What to do now. For analysts and engineers who need to decide and keep moving.
Impact
What an attacker gets — and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a small standalone Python proof-of-concept consisting of one README and one executable script, research_poc.py. The script is the sole exploit implementation and uses only Python standard libraries (socket, struct, argparse, sys, time). It presents itself as a PoC for CVE-2026-0300 affecting Palo Alto Networks PAN-OS User-ID / captive portal functionality. Exploit flow: the script accepts a target IP, target port, callback IP/port, overflow offset, and return address. It carries a fixed Linux x64 reverse shell shellcode template into which the operator-provided LHOST and LPORT are patched. It then constructs an overflow buffer as padding + packed return address + NOP sled + shellcode, wraps that buffer in an HTTP POST request to /php/login.php, and sends it over a raw TCP socket to the target service (default port 6082). The intended outcome is unauthenticated remote code execution followed by a reverse shell callback to the attacker. Main capabilities: unauthenticated network delivery of a crafted exploit request, configurable overflow parameters (offset and return address), and embedded reverse shell payload generation. This is not a scanner or detector; it is an active exploitation script. The payload is basic and partly customizable through CLI arguments, but the shellcode type is fixed, so the repository is best classified as OPERATIONAL rather than weaponized. Repository structure is minimal: README.md documents the claimed vulnerability, affected PAN-OS versions, usage syntax, and mitigation guidance; research_poc.py contains the full exploit logic and CLI entry point. No framework affiliation, auxiliary modules, persistence logic, or post-exploitation tooling are present.
The repository is a small standalone PoC consisting of one Python exploit script (Poc.py) and two Markdown documents (README.md and docs/VULNERABILITY.md). The only executable code is Poc.py, which uses Python's socket and struct modules to build a raw HTTP POST request and send it directly to a target host. The script accepts a target host, port, overflow offset, and return address. It constructs a payload of repeated 'A' bytes, appends a little-endian 64-bit return address, then adds a short NOP sled and 0xCC breakpoint bytes as placeholder shellcode. This indicates a proof-of-concept for memory corruption / buffer overflow testing rather than a complete weaponized RCE exploit. Notably, the exploit code targets POST /php/login.php on a default port of 6082, while the documentation claims the vulnerability affects Palo Alto Networks PAN-OS User-ID Portal and references port 5007 and other paths such as /sslvpn/logout and /api/endpoint. That mismatch suggests the documentation and code are not well aligned, reducing confidence that the PoC accurately implements the described PAN-OS vulnerability. Still, the script is clearly exploit-oriented: it delivers a crafted network payload intended to overwrite control flow and potentially execute attacker-controlled bytes. Capabilities: network-based unauthenticated delivery of a crafted HTTP request; configurable target, port, offset, and return address; attempt to trigger remote memory corruption and gain instruction-pointer control. Limitations: no real post-exploitation payload, no target fingerprinting, no reliability logic, no HTTPS/TLS handling, and no verification of successful exploitation beyond sending the request. Overall, this is best classified as a basic PoC exploit with placeholder shellcode and inconsistent targeting details.
This repository is a small standalone Python proof-of-concept for alleged CVE-2026-0300 affecting the Palo Alto Networks PAN-OS User-ID Authentication Portal. The repo contains only three files: an MIT LICENSE, a README describing the claimed vulnerability and usage, and a single executable script, research_poc.py. The script is the sole code artifact and clear entry point. The exploit logic is straightforward: it accepts a target IP, port, overflow offset, and return address from the command line; constructs a malicious buffer consisting of repeated 'A' padding, a user-supplied packed 64-bit return address, a short NOP sled, and INT3 bytes; then embeds that buffer directly as the body of an HTTP POST request to /php/login.php. It opens a raw TCP connection with socket.create_connection() to the specified host and port (default 6082), sends the request, and heuristically interprets the outcome based on whether the service closes the connection, responds, or times out. Main capabilities: network delivery of a crafted overflow request, configurable offset and return address for basic exploit experimentation, and simple response-based assessment of possible crash/vulnerable behavior. It does not contain a real shell payload, persistence, lateral movement, credential theft, or automated target discovery. The included payload bytes are placeholder/debug-oriented rather than a practical RCE implant. From a classification standpoint, this is an exploit PoC rather than merely a detector, because it actively sends a malformed request intended to corrupt memory. However, it remains relatively immature and research-oriented: there is no target fingerprinting, no architecture/version adaptation, no reliable exploitation chain, and no post-exploitation capability. The most realistic immediate effect of running it would be service instability or crash if the target were actually vulnerable.
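The three summaries above describe the same request shape: a POST to /php/login.php whose body is long repeated padding followed by a NOP sled and INT3 or shellcode bytes. As an added defender-side example (not code from the page or from any of the listed repositories), the heuristic below flags requests of that shape so they can be alerted on or blocked at a proxy or IDS; the parser, the thresholds and the two sample requests are constructed assumptions, not vendor guidance.

```python
import re
from typing import Dict, List

SUSPECT_PATH = "/php/login.php"     # endpoint named in the PoC summaries
MAX_SANE_BODY = 512                 # assumption: real login form bodies are small
PADDING_RUN = re.compile(rb"(.)\1{63,}", re.S)  # 64+ identical bytes ('A' padding)
SLED_RUN = re.compile(rb"[\x90\xcc]{8,}")       # NOP (0x90) / INT3 (0xcc) sleds

def parse_request(raw: bytes) -> Dict[str, object]:
    """Minimal HTTP/1.x request splitter: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return {"method": parts[0].decode(), "path": parts[1].decode(errors="replace"),
            "headers": headers, "body": body}

def score_request(raw: bytes) -> List[str]:
    """Return the reasons a request looks like the overflow PoC (empty if clean)."""
    req = parse_request(raw)
    if req["method"] != "POST" or req["path"] != SUSPECT_PATH:
        return []
    body = req["body"]
    findings = []
    if len(body) > MAX_SANE_BODY:
        findings.append(f"oversized body ({len(body)} bytes)")
    if PADDING_RUN.search(body):
        findings.append("long run of identical bytes (overflow padding)")
    if SLED_RUN.search(body):
        findings.append("NOP/INT3 sled bytes in body")
    declared = req["headers"].get("content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        findings.append("Content-Length does not match body")
    return findings

# Constructed samples (not captured traffic): a normal portal login and a
# PoC-shaped request built the way the summaries above describe it.
BENIGN_BODY = b"user=alice&passwd=secret&ok=1"
BENIGN = (b"POST /php/login.php HTTP/1.1\r\nHost: portal.example\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: %d\r\n\r\n" % len(BENIGN_BODY)) + BENIGN_BODY
POC_BODY = b"A" * 600 + b"\x90" * 16 + b"\xcc" * 8
POC_SHAPED = (b"POST /php/login.php HTTP/1.1\r\nHost: portal.example\r\n"
              b"Content-Length: %d\r\n\r\n" % len(POC_BODY)) + POC_BODY

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("poc-shaped", POC_SHAPED)):
        print(label, score_request(sample) or "clean")
```

The same checks translate directly into a proxy rule: restrict the portal's login body length and reject non-form bytes, which also covers the variant PoCs that carry placeholder INT3 bytes instead of shellcode.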
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability.
Recent activity
237 sources tracked across advisories, community write-ups, and news.
A buffer overflow vulnerability in the PAN-OS Captive Portal component referenced in a detection template addition.
A PAN-OS Captive Portal buffer overflow vulnerability referenced in the context of adding a detection template.
A PAN-OS vulnerability referenced as having been added to CISA's Known Exploited Vulnerabilities catalog.
A critical pre-authentication remote code execution buffer overflow in Palo Alto Networks PAN-OS Captive Portal that can allow unauthenticated root-level access on exposed firewalls.
A critical unauthenticated buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal affecting multiple PAN-OS versions.
A critical unauthenticated remote code execution buffer overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (Captive Portal) that can allow arbitrary code execution with root privileges on exposed affected firewalls.
A critical unauthenticated remote code execution buffer overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (Captive Portal) that can allow arbitrary code execution as root on exposed affected firewalls.
A critical unauthenticated remote code execution buffer overflow vulnerability in the User-ID Authentication Portal (Captive Portal) of Palo Alto Networks PAN-OS that can allow arbitrary code execution with root privileges.