Unauthenticated RCE in Palo Alto PAN-OS User-ID Authentication Portal
CVE-2026-0300 is a critical pre-authentication buffer overflow / out-of-bounds write in the Palo Alto Networks PAN-OS User-ID Authentication Portal service, also referred to as Captive Portal. The vulnerable code is reported to be in the authentication request handling path, where a parser can write attacker-controlled data beyond a fixed-size buffer when processing specially crafted network packets. Successful exploitation allows arbitrary code execution with root privileges on affected PA-Series and VM-Series firewalls. The issue affects the PAN-OS 10.2, 11.1, 11.2, and 12.1 branches prior to the vendor-fixed builds. Prisma Access, Cloud NGFW, and Panorama are not affected.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (5 hidden).
Single-file Python exploit PoC targeting the purported CVE-2026-0300. The repository contains one executable script, CVE-2026-0300.py, which uses argparse for operator input, socket/struct for network communication and shellcode construction, and simple terminal UI helpers for status output. The script is not a scanner or detector; it is an active exploitation tool. Core behavior: it builds hardcoded Linux x64 reverse-shell shellcode, dynamically patches in the attacker callback IP and port, then constructs a classic memory-corruption payload consisting of user-controlled padding (default offset 2048), a user-supplied 64-bit return address (default 0xdeadbeef), a 128-byte NOP sled, and the shellcode. That payload is placed directly into the body of an HTTP POST request sent to /php/login.php on the target service, defaulting to TCP port 6082. Exploit capability: remote network exploitation of a presumed buffer overflow or similar memory corruption flaw in a web-facing service. On success, the intended outcome is remote code execution with a reverse shell back to the attacker listener (default port 4444). The script includes minimal error handling for refused connections and timeouts, and interprets a timeout as a possible crash or successful shell spawn. Repository structure is minimal: one Python entry-point script and no auxiliary files, documentation, or framework integration. The exploit is classified as operational rather than weaponized: it contains a real payload and delivery logic, but relies on hardcoded shellcode and manual tuning of the offset and return address for the target environment.
This repository is a small standalone Python proof-of-concept consisting of one README and one executable script, research_poc.py. The script is the sole exploit implementation and uses only Python standard libraries (socket, struct, argparse, sys, time). It presents itself as a PoC for CVE-2026-0300 affecting Palo Alto Networks PAN-OS User-ID / captive portal functionality. Exploit flow: the script accepts a target IP, target port, callback IP/port, overflow offset, and return address. It generates hardcoded Linux x64 reverse shell shellcode, dynamically embedding the operator-provided LHOST and LPORT. It then constructs an overflow buffer as padding + packed return address + NOP sled + shellcode, wraps that buffer in an HTTP POST request to /php/login.php, and sends it over a raw TCP socket to the target service (default port 6082). The intended outcome is unauthenticated remote code execution followed by a reverse shell callback to the attacker. Main capabilities: unauthenticated network delivery of a crafted exploit request, configurable overflow parameters (offset and return address), and embedded reverse shell payload generation. This is not a scanner or detector; it is an active exploitation script. The payload is basic and partly customizable through CLI arguments, but the shellcode type is fixed, so the repository is best classified as operational rather than weaponized. Repository structure is minimal: README.md documents the claimed vulnerability, affected PAN-OS versions, usage syntax, and mitigation guidance; research_poc.py contains the full exploit logic and CLI entry point. No framework affiliation, auxiliary modules, persistence logic, or post-exploitation tooling are present.
The repository is a small standalone PoC consisting of one Python exploit script (Poc.py) and two Markdown documents (README.md and docs/VULNERABILITY.md). The only executable code is Poc.py, which uses Python's socket and struct modules to build a raw HTTP POST request and send it directly to a target host. The script accepts a target host, port, overflow offset, and return address. It constructs a payload of repeated 'A' bytes, appends a little-endian 64-bit return address, then adds a short NOP sled and 0xCC breakpoint bytes as placeholder shellcode. This indicates a proof-of-concept for memory corruption / buffer overflow testing rather than a complete weaponized RCE exploit. Notably, the exploit code targets POST /php/login.php on a default port of 6082, while the documentation claims the vulnerability affects Palo Alto Networks PAN-OS User-ID Portal and references port 5007 and other paths such as /sslvpn/logout and /api/endpoint. That mismatch suggests the documentation and code are not well aligned, reducing confidence that the PoC accurately implements the described PAN-OS vulnerability. Still, the script is clearly exploit-oriented: it delivers a crafted network payload intended to overwrite control flow and potentially execute attacker-controlled bytes. Capabilities: network-based unauthenticated delivery of a crafted HTTP request; configurable target, port, offset, and return address; attempt to trigger remote memory corruption and gain instruction-pointer control. Limitations: no real post-exploitation payload, no target fingerprinting, no reliability logic, no HTTPS/TLS handling, and no verification of successful exploitation beyond sending the request. Overall, this is best classified as a basic PoC exploit with placeholder shellcode and inconsistent targeting details.
This repository is a small standalone Python proof-of-concept for alleged CVE-2026-0300 affecting the Palo Alto Networks PAN-OS User-ID Authentication Portal. The repo contains only three files: an MIT LICENSE, a README describing the claimed vulnerability and usage, and a single executable script, research_poc.py. The script is the sole code artifact and clear entry point. The exploit logic is straightforward: it accepts a target IP, port, overflow offset, and return address from the command line; constructs a malicious buffer consisting of repeated 'A' padding, a user-supplied packed 64-bit return address, a short NOP sled, and INT3 bytes; then embeds that buffer directly as the body of an HTTP POST request to /php/login.php. It opens a raw TCP connection with socket.create_connection() to the specified host and port (default 6082), sends the request, and heuristically interprets the outcome based on whether the service closes the connection, responds, or times out. Main capabilities: network delivery of a crafted overflow request, configurable offset and return address for basic exploit experimentation, and simple response-based assessment of possible crash/vulnerable behavior. It does not contain a real shell payload, persistence, lateral movement, credential theft, or automated target discovery. The included payload bytes are placeholder/debug-oriented rather than a practical RCE implant. From a classification standpoint, this is an exploit PoC rather than merely a detector, because it actively sends a malformed request intended to corrupt memory. However, it remains relatively immature and research-oriented: there is no target fingerprinting, no architecture/version adaptation, no reliable exploitation chain, and no post-exploitation capability. The most realistic immediate effect of running it would be service instability or crash if the target were actually vulnerable.
Recent activity
261 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical remote code execution vulnerability in the Palo Alto PAN-OS User-ID Authentication Portal that was exploited by state-backed attackers before patches were widely available.
Another PAN-OS vulnerability referenced only as a prior KEV addition; the source provides no substantive details.
An out-of-bounds write remote code execution vulnerability affecting Palo Alto PAN-OS, observed in active network exploitation attempts.
A buffer overflow vulnerability in the PAN-OS Captive Portal component referenced in a detection template addition.