Authentication Bypass in ConnectWise ScreenConnect
CVE-2024-1709 is a critical authentication bypass vulnerability affecting ConnectWise ScreenConnect on-premises version 23.9.7 and earlier. The flaw is described as an authentication bypass using an alternate path or channel, allowing an unauthenticated attacker to bypass normal authentication controls and gain access to the ScreenConnect environment. Supporting content indicates exploitation activity targeting SetupWizard.aspx or related SetupWizard paths, and multiple sources describe the issue as enabling unauthorized administrative access. The vulnerability has been widely exploited in the wild, including by ransomware operators and state-linked actors, and has been observed chained with CVE-2024-1708; however, reporting also states CVE-2024-1709 can be exploited on its own to achieve remote code execution.
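A detection sketch for the SetupWizard activity described above, added here as an example and not taken from ConnectWise or any of the sources on this page. The six-field log layout, the sample lines and the function names `classify` and `scan` are assumptions; adapt the field positions to whatever access log fronts your ScreenConnect instance.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample lines (not real traffic). Assumed layout:
# date time client-ip method uri status
SAMPLE_LOG = """\
2024-02-21 10:01:12 198.51.100.7 GET /Host 200
2024-02-21 10:02:40 203.0.113.50 GET /SetupWizard.aspx/RemoteSupport 200
2024-02-21 10:02:41 203.0.113.50 POST /setupwizard.aspx/ 200
2024-02-21 10:03:05 203.0.113.51 GET /SetupWizard%2Easpx/x?y=1 200
2024-02-21 10:04:00 198.51.100.7 GET /SetupWizard.aspx 302
2024-02-21 10:05:00 198.51.100.9 GET /Login 200
"""

# Matches the setup wizard page, optionally followed by extra path segments.
SETUP_RE = re.compile(r"/setupwizard\.aspx(/.*)?$", re.IGNORECASE)

def classify(uri):
    """Return None, 'setup-wizard' or 'setup-wizard-trailing-path'."""
    # Drop the query string and decode percent-encoding before matching,
    # so case changes and encoded characters do not hide the request.
    path = unquote(urlsplit(uri).path)
    m = SETUP_RE.search(path)
    if not m:
        return None
    return "setup-wizard-trailing-path" if m.group(1) else "setup-wizard"

def scan(log_text):
    """Group SetupWizard requests by client IP for triage."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 6:
            continue  # skip header/comment lines and malformed rows
        date, time, ip, method, uri, status = parts
        kind = classify(uri)
        if kind:
            hits[ip].append((f"{date} {time}", method, uri, status, kind))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG).items():
        for event in events:
            print(ip, *event)
```

On a server that finished setup long ago, any hit is worth reviewing; hits in the trailing-path class against an instance at 23.9.7 or earlier should be followed by a check for unexpected user accounts and extensions.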
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains a Python exploit tool targeting ConnectWise ScreenConnect (ConnectWise Control) servers vulnerable to CVE-2024-1708 (authentication bypass) and CVE-2024-1709 (remote code execution). The main script, 'screenconnect_exploit.py', provides both a vulnerability checker and an exploitation assistant. In check mode, it tests if the target is vulnerable to authentication bypass by accessing '/SetupWizard.aspx/RemoteSupport'. In exploit mode, it attempts to access various admin endpoints ('/Admin', '/Administration', '/SetupWizard.aspx'), detects if the target is in setup mode (allowing for manual admin account creation), and tries to access the backup/restore endpoint ('/Services/ConfigurationService.asmx/GetBackupFile') for further exploitation. The tool does not automate remote code execution but provides guidance for manual exploitation, including instructions for setting up a reverse shell listener. The repository is well-structured, with clear documentation and a single Python code file implementing the exploit logic.
This repository contains a Python exploit script (exploit.py) and a README.md. The exploit targets an authentication bypass vulnerability in ConnectWise ScreenConnect by interacting with the /SetupWizard.aspx/ endpoint. The script allows an attacker to create a new user with arbitrary credentials by sending a sequence of crafted HTTP requests, effectively bypassing normal authentication controls. The script accepts command-line arguments for the username, password, and target URL(s), supporting both single and batch modes. Successful exploitation results in the creation of a new user on the target system, with credentials saved to results.txt. The repository is structured simply, with the exploit logic contained in a single Python file and usage instructions in the README.
This repository provides a full exploit chain for ConnectWise ScreenConnect vulnerabilities CVE-2024-1708 and CVE-2024-1709, targeting versions 23.9.7 and below. The main exploit script, 'ScreenConnect-AuthBypass-RCE.py', automates the process of adding a new user (if necessary), obtaining an anti-forgery token, uploading a malicious C# web shell as an extension, and providing an interactive command execution interface via HTTP. The payload is a dynamically generated .ashx handler that executes arbitrary system commands on the target Windows server. The 'batchAdduser.py' script allows mass exploitation by adding users to multiple targets, and 'check.py' is used to identify vulnerable instances by checking their version. The exploit requires network access to the target's web interface and abuses the extension upload functionality. The repository is operational, providing a working exploit with a real payload, and includes detection and mass exploitation utilities. No hardcoded IPs or domains are present, but the scripts interact with several fingerprintable HTTP endpoints typical of ScreenConnect installations.
This repository provides a mass exploitation toolkit for CVE-2024-1709, an authentication bypass and remote code execution vulnerability in ConnectWise ScreenConnect (<= 23.9.7). The main script, ScreenConnect-AuthBypass-RCE.py, automates the process of exploiting vulnerable ScreenConnect instances by first attempting to add a new user (if necessary), then uploading a malicious C# extension (web shell), and finally providing an interactive shell for arbitrary command execution. The batchAdduser.py script is used to add users in bulk to multiple targets, while check.py scans a list of URLs to identify potentially vulnerable instances based on version information. The exploit targets HTTP(S) endpoints on port 8040 by default and leverages the ScreenConnect extension mechanism to achieve code execution. The payload is a C# web shell that executes commands received via HTTP query parameters. The repository is operational and can be used for mass exploitation of vulnerable ScreenConnect servers.
Recent activity
54 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical authentication bypass vulnerability in ConnectWise ScreenConnect that can be exploited on its own to achieve remote code execution and can also be chained with CVE-2024-1708.
A critical authentication bypass vulnerability that has been chained with CVE-2024-1708 in exploitation by multiple threat actors.
A ConnectWise ScreenConnect vulnerability that allows attackers to bypass authentication; mentioned as the first half of the SlashAndGrab exploit chain.
A ConnectWise ScreenConnect vulnerability exploited by Storm-1175 to gain access to exposed systems.