CVE-2018-9276 PRTG < 18.2.39 Authenticated Command Injection (Reverse Shell)

https://nvd.nist.gov/vuln/detail/CVE-2018-9276

Improved version of an exploit written by https://github.com/M4LV0. I used the POST data from their script but just made it more reliable as I didn't have much success with it.

Payload delivery works the same way as Metasploit's smb_delivery module: Impacket's SMB server serves up a .dll generated by msfvenom, and rundll32.exe on the target loads it and does all the work.

Tested on Windows Server 2016 against PRTG 18.1.37.
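As an added defender-side example (not code from this repository), the following Python flags PRTG installations whose version predates the 18.2.39 fix named in the title. It compares version fields numerically rather than as strings, so a release such as 18.10.x is not mistaken for being older than 18.2.x. The inventory records and the four-part version strings are constructed sample values.

```python
import re
from typing import List, Optional, Tuple

# Version in which the command injection was fixed (from the CVE title).
FIXED_VERSION = "18.2.39"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted numeric version from text such as a PRTG banner.

    Returns a tuple of ints, or None if no version is present. Any
    trailing build number is kept but ignored by the comparison below.
    """
    m = re.search(r"\b(\d+(?:\.\d+){1,3})\b", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the version is older than FIXED_VERSION.

    Tuple comparison is numeric: (18, 10, 0) > (18, 2, 39), whereas a
    plain string comparison would wrongly rank "18.10" below "18.2".
    """
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"no version found in {version!r}")
    fixed = parse_version(FIXED_VERSION)
    return parsed[:3] < fixed


def flag_vulnerable_hosts(inventory: List[dict]) -> List[str]:
    """Return hostnames whose recorded PRTG version predates the fix."""
    return [rec["host"] for rec in inventory if is_vulnerable_version(rec["version"])]


# Constructed sample inventory; the version string format is assumed.
SAMPLE_INVENTORY = [
    {"host": "prtg-01.example.internal", "version": "PRTG Network Monitor 18.1.37.1234"},
    {"host": "prtg-02.example.internal", "version": "18.2.39.1661"},
    {"host": "prtg-03.example.internal", "version": "18.10.0.1"},
    {"host": "prtg-04.example.internal", "version": "17.4.35.3214"},
]

if __name__ == "__main__":
    for host in flag_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: PRTG version predates {FIXED_VERSION}, apply the vendor update")
```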

Dependencies

By no means is this well written and it's cobbled together from Stack Overflow. This was developed for use with Kali Linux and assumes the following is available:

  • Impacket
  • Netcat
  • Msfvenom

Assumptions

This is a point-and-shoot exploit: all you need to know are the admin credentials for the PRTG instance (default prtgadmin:prtgadmin). Depending on the configuration of the target machine, your mileage may vary. The following assumptions have been made:

  • Target machine is Windows;
  • Defender / Applocker is not running; and
  • Outbound SMB access is permitted

Installation

git clone https://github.com/wildkindcc/CVE-2018-9276.git
python CVE-2018-9276.py -h

Usage

Figure out the credentials and drop shells :)

usage: CVE-2018-9276.py [-h] -i HOST -p PORT --lhost LHOST --lport LPORT
                        [--user USER] [--password PASSWORD] [--https]

optional arguments:
  -h, --help            show this help message and exit
  -i HOST, --host HOST  IP address / Hostname of vulnerable PRTG server
  -p PORT, --port PORT  Port number
  --lhost LHOST         LHOST for MSFVENOM
  --lport LPORT         LPORT for MSFVENOM
  --user USER           Administrator Username
  --password PASSWORD   Administrator Password
  --https               Negotiate SSL connection to the server (Requires
                        socket to be compiled with SSL support)

Disclaimer

This won't let you hack the Gibson. Do not use this against ANY systems for which you are unauthorised. I wrote this for fun. Educational purposes only etc etc.
