This module uses a .NET deserialization vulnerability to deploy an agent in Veeam Backup and Replication that will run with the NT AUTHORITY\SYSTEM user privileges. First, the module will register an endpoint in the local webserver that will be used in the attack to send a serialized gadget to the target that will execute system commands to deploy the agent. Finally, it will trigger the vulnerability by crafting a System.Runtime.Remoting.ObjRef .NET class type object and sending it to the /VeeamAuthService .NET remoting endpoint using an external .NET executable. The deserialization of the crafted object will force a POST HTTP request to the local webserver, which will, in turn, deliver the serialized gadget that will deploy the agent.
CVE Link
Exploit Platform
Exploit Type
Product Name