From a1092fcfd75bc1e69d93d4cd466da2ec0230a468 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Sat, 5 May 2018 15:48:44 -0500 Subject: [PATCH] Add documentation --- .../linux/http/panos_readsessionvars.md | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 documentation/modules/exploit/linux/http/panos_readsessionvars.md diff --git a/documentation/modules/exploit/linux/http/panos_readsessionvars.md b/documentation/modules/exploit/linux/http/panos_readsessionvars.md new file mode 100644 index 0000000000..d2963259b0 --- /dev/null +++ b/documentation/modules/exploit/linux/http/panos_readsessionvars.md @@ -0,0 +1,26 @@ +This module exploits a chain of vulnerabilities in Palo Alto Networks products running +PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using +an authentication bypass flaw to to exploit an XML injection issue, which is then +abused to create an arbitrary directory, and finally gains root code execution by +exploiting a vulnerable cron script. This module uses an initial reverse TLS callback +to stage arbitrary payloads on the target appliance. + +## Vulnerable Application + +This exploit was specifically written against PAN-OS 7.1.0 runing in a QEMU (kvm) virtual machine. +This VM is not generally available, but the specific disk image used was `PA-VM-KVM-7.1.0.qcow2`. + + +## Verification Steps + +1. Start msfconsole +2. ```use exploit/linux/http/panos_readsessionvars``` +4. ```set RHOST [IP]``` +7. ```exploit``` +8. You should get a session (eventually) + +## Options + +**CBHOST** The callback listener address if the default is not accurate (port forwarding, etc) + +**CBPORT** The callback listener port
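Review bot: The numbered list under "Verification Steps" jumps 1, 2, 4, 7, 8, so it reads as if steps were deleted; renumber it sequentially and either restore the missing steps or confirm that `use`, `set RHOST [IP]` and `exploit` are the whole procedure. The Options section documents CBHOST and CBPORT, but no step shows when to set them and neither entry gives its default value, so a reader cannot tell whether "if the default is not accurate" applies to their setup; state the defaults in both entries. The last step, "You should get a session (eventually)", should say what the wait depends on, since the opening paragraph says the final stage relies on a cron script. Two typos to fix in the added text: "flaw to to exploit" has a doubled "to", and "runing" in the Vulnerable Application section should be "running". The version statement "prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6" would be clearer if it said these are the fixed releases per branch, and the section should note that only 7.1.0 was tested, as the next sentence implies.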