Skip to content

CVE-2018-9276 PRTG < 18.2.39 Authenticated Command Injection (Reverse Shell)

Notifications You must be signed in to change notification settings

wildkindcc/CVE-2018-9276

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 

Repository files navigation

CVE-2018-9276 PRTG < 18.2.39 Authenticated Command Injection (Reverse Shell)

https://nvd.nist.gov/vuln/detail/CVE-2018-9276

Improved version of an exploit written by https://github.com/M4LV0. I used the POST data from their script but just made it more reliable as I didnt have much success with it.

Payload delivery is essentially smb_delivery. Impacket serves up a .dll generated by msfvenom, rundll32.exe does all the work.

Tested on Windows Server 2016 against PRTG 18.1.37.

Dependancies

By no means is this well written and it's cobbled together from stackoverflow. This was developed for use with Kali Linux and assumes the following is available:

  • Impacket
  • Netcat
  • Msfvenom

Assumptions

This is a point and shoot exploit, all you need to know are the admin credentials for the PRTG instance (default prtgadmin:prtgadmin). Depending on the configuration of the target machiene, your milage may vary. The following assumptions have been made:

  • Target machine is Windows;
  • Defender / Applocker is not running; and
  • Outbound SMB access is permitted

Installation

git clone https://github.com/wildkindcc/CVE-2018-9276.git
python CVE-2018-9276.py -h

Usage

Figure out the credentials and drop shells :)

usage: CVE-2018-9276.py [-h] -i HOST -p PORT --lhost LHOST --lport LPORT
                        [--user USER] [--password PASSWORD] [--https]

optional arguments:
  -h, --help            show this help message and exit
  -i HOST, --host HOST  IP address / Hostname of vulnerable PRTG server
  -p PORT, --port PORT  Port number
  --lhost LHOST         LHOST for MSFVENOM
  --lport LPORT         LPORT for MSFVENOM
  --user USER           Administrator Username
  --password PASSWORD   Administrator Password
  --https               Negotiate SSL connection to the server (Requires
                        socket to be compiled with SSL support)

Disclaimer

This won't let you hack the Gibson. Do not use this against ANY systems for which you are unauthorised. I wrote this for fun. Educational purposes only etc etc.

About

CVE-2018-9276 PRTG < 18.2.39 Authenticated Command Injection (Reverse Shell)

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages