Unauthenticated RCE in Veeam Backup & Replication
CVE-2024-40711 is a critical deserialization of untrusted data vulnerability in Veeam Backup & Replication (some sources refer to the product as Veeam Backup & Recovery). A remote attacker can send a crafted malicious serialized payload to a vulnerable Veeam Backup & Replication instance and trigger unsafe deserialization, resulting in unauthenticated remote code execution. The flaw affects Veeam Backup & Replication 12.1.2.172 and all earlier 12.x builds; it was fixed in version 12.2.0.334.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a proof-of-concept (PoC) exploit for CVE-2024-40711, targeting unsafe .NET object deserialization in Microsoft .NET Framework 4.8 applications. The core exploit logic is implemented in C# within the 'ExploitClass' and 'GhostWebShell' classes. The exploit demonstrates multiple payloads, including displaying a message box, writing files to disk, making DNS requests for out-of-band detection, executing arbitrary system commands, and deploying a persistent ASP.NET webshell by registering a custom VirtualPathProvider. The webshell is written to a virtual path (e.g., /fakepath31337/ghostfile.aspx) and can persist across application restarts. The exploit requires the target application to deserialize attacker-controlled data using vulnerable gadget chains. The repository also includes a test console application for local code execution testing and various package dependencies. The exploit is operational and provides real payloads for code execution and persistence, making it a valuable tool for both offensive security testing and defensive research.
This repository is a comprehensive proof-of-concept and exploitation toolkit for CVE-2024-40711, a critical .NET deserialization vulnerability affecting Veeam Backup & Replication. The core of the repository is based on ysoserial.net, a well-known framework for generating .NET deserialization payloads using various gadget chains. The structure includes:

- **ysoserial**: The main payload generator, supporting multiple gadgets and formatters for .NET deserialization attacks.
- **ExploitClass/ExploitClass.cs**: Example C# class for custom payloads, demonstrating code execution (e.g., message box, file creation, DNS exfiltration, command execution).
- **ExploitClass/GhostWebShell.cs**: Implements a webshell dropper via virtual path provider manipulation, allowing persistent webshell deployment on vulnerable ASP.NET applications.
- **TestConsoleApp**: Used for local testing of code execution.
- **ExploitRemotingService**: Example .NET Remoting server for testing and exploitation.

The exploit works by generating a malicious serialized payload (using ysoserial.net) that, when deserialized by a vulnerable .NET application (such as Veeam's Remoting service), results in arbitrary code execution. The toolkit supports a variety of payloads, including command execution, file creation, and webshell deployment. The main attack vector is network-based, targeting the .NET Remoting TCP service (commonly on port 6170). The repository also provides example endpoints and payloads for exfiltration and post-exploitation (e.g., DNS, HTTP, file system). Overall, this is a weaponized, operational exploit framework for CVE-2024-40711, suitable for both research and real-world exploitation scenarios.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
41 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical Veeam Backup & Replication remote code execution vulnerability that was weaponized by multiple ransomware operations.
A Veeam Backup & Replication unauthenticated remote code execution vulnerability used by Akira as an alternative initial access vector.
Referenced in the actor’s operational notes as a potential exploit target; the report indicates the actor generally failed when attempting exploitation beyond basic automated paths.
A deserialization-based remote code execution vulnerability in Veeam Backup & Replication.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.