CVE-2024-3400 PoC — PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect

Associated Vulnerability
Title: PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect (CVE-2024-3400)
Description: A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Readme
# CVE-2024-3400 RCE Test Script

## Overview

This Python script is designed to test for a remote code execution (RCE) vulnerability, specifically CVE-2024-3400, which affects certain Palo Alto Networks GlobalProtect portals. The vulnerability allows unauthorized command execution via cookie manipulation.

The script sends a benign HTTP GET request to each URL in a specified list, with a cookie payload that includes a base64-encoded command (`echo test`). If the command executes, the target is potentially vulnerable.

## How It Works

### Components

- **Base64 Encoding**: Commands are encoded in base64 to simulate how an attacker might obscure malicious commands to bypass basic security filters.
- **HTTP Requests**: The script uses the `requests` Python library to send HTTP GET requests with the malicious cookie.
- **File Handling**: It reads a list of target URLs from an input file and writes the test results to an output file.

### Steps

1. **Command Encoding**: The `echo test` command is encoded into base64.
2. **Cookie Crafting**: A cookie payload is crafted with the encoded command placed so that it would be executed if the system is vulnerable.
3. **Request Sending**: For each URL, the script sends an HTTP request with the crafted cookie.
4. **Response Analysis**: The script checks the HTTP response to see if the test command's output appears, indicating command execution.
5. **Result Logging**: Results are logged to an output file, noting whether each URL is potentially vulnerable.
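
From the defender's side, the pattern described in these steps (a base64-encoded command carried in a request cookie) can be searched for in request logs. The following is an added example, not part of the original script or repository; the log line format, the cookie names and the keyword list are assumptions, and the sample records are constructed.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to hold a short command.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
# Assumed heuristic: words suggesting that a decoded token is a shell command.
SHELL_HINTS = re.compile(r"\b(echo|bash|sh|curl|wget|whoami)\b")
# Assumed (hypothetical) log line format: <source> "<request>" cookie="<value>"
RECORD = re.compile(r'^(?P<src>\S+) "(?P<req>[^"]*)" cookie="(?P<cookie>[^"]*)"$')

# Constructed sample records, not real logs.
SAMPLE_LOG = """\
192.0.2.10 "GET /" cookie="session=9f2c41d7a0b34e55"
198.51.100.7 "GET /" cookie="session=x;ZWNobyB0ZXN0;y"
192.0.2.44 "GET /" cookie="lang=en-US; session=c2Vzc2lvbi10b2tlbg"
"""


def decoded_commands(cookie_value):
    """Return decoded base64 tokens in a cookie value that look like shell commands."""
    # Limitation: a token glued to other alphanumeric text is not re-aligned.
    hits = []
    for token in B64_RUN.findall(cookie_value):
        padded = token + "=" * (-len(token) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text once decoded
        if text.isprintable() and SHELL_HINTS.search(text):
            hits.append(text)
    return hits


def scan(log_text):
    """Return (source, decoded command) pairs for records with an encoded command."""
    findings = []
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        for cmd in decoded_commands(m.group("cookie")):
            findings.append((m.group("src"), cmd))
    return findings


if __name__ == "__main__":
    for src, cmd in scan(SAMPLE_LOG):
        print(f"{src}: cookie carries base64-encoded command {cmd!r}")
```

Only the second record is reported; the hex session ID and the base64 token that decodes to ordinary text are ignored.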

## Usage

Run the script from the command line by providing the input file (containing URLs to test) and the output file (to store results):

```bash
python script_name.py input_file.txt output_file.txt
```

Replace `script_name.py` with your script's filename, `input_file.txt` with your input file, and `output_file.txt` with your desired output file.

## Dependencies

- Python 3.x
- `requests` library (install via `pip install requests`)

## Articles and References

- [Watchtowr Labs Analysis on CVE-2024-3400](https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/)
  This article provides an in-depth look at the CVE-2024-3400 vulnerability, detailing how it can be exploited and its potential impact.

- [LinkedIn Post by Justin Elze](https://www.linkedin.com/posts/justinelze_palo-alto-putting-the-protecc-in-globalprotect-activity-7186009203759624192-RTle)
  Justin Elze discusses the significance of the CVE-2024-3400 discovery and its implications for security in enterprise environments.

## Disclaimer

This script is for educational and testing purposes only. Use it responsibly. Executing this script without authorization on systems you do not own or have permission to test is unethical and illegal. Always ensure compliance with all applicable laws and regulations.
File Snapshot

```
[4.0K] /data/pocs/38d43dbfee0ebc819fd0c7e0511bd07e22d11da3
├── [2.7K] cve-2024-3400.py
└── [2.8K] README.md

0 directories, 2 files
```