the check routine was getting the /_layouts/15/error.aspx page, this will not be accessable unless Forms Based Authentication (FBA) is enabled on the site. A better choice is /_layouts/15/start.aspx as this is accessible regardless of FBA being enabled. Thanks @alexey-at-work-bc for identifying this and sugesting a fix.

sfewer-r7 · sfewer-r7 · commit b8cf458706c2 · 2025-07-23T23:03:43.000+01:00
diff --git a/modules/exploits/windows/http/sharepoint_toolpane_rce.rb b/modules/exploits/windows/http/sharepoint_toolpane_rce.rb
@@ -86,7 +86,7 @@ def initialize(info = {})
   def check
     res = send_request_cgi(
       'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path, '_layouts', '15', 'error.aspx')
+      'uri' => normalize_uri(target_uri.path, '_layouts', '15', 'start.aspx')
     )
 
     return CheckCode::Unknown('Connection failed') unless res

Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@ def initialize(info = {})`
`86`	`86`	`def check`
`87`	`87`	`res = send_request_cgi(`
`88`	`88`	`'method' => 'GET',`
`89`		`- 'uri' => normalize_uri(target_uri.path, '_layouts', '15', 'error.aspx')`
	`89`	`+ 'uri' => normalize_uri(target_uri.path, '_layouts', '15', 'start.aspx')`
`90`	`90`	`)`
`91`	`91`
`92`	`92`	`return CheckCode::Unknown('Connection failed') unless res`