Severity: Critical · CISA KEV · Exploited in the wild · Public exploit

ToolShell RCE in Microsoft SharePoint Server

Identifiers: CVE-2025-53770 · CWE-502 (Deserialization of Untrusted Data)
Also known as: sharepoint_toolshell, toolshell, toolshell_vulnerability

CVE-2025-53770 is a critical unauthenticated remote code execution vulnerability in on-premises Microsoft SharePoint Server caused by deserialization of untrusted data (CWE-502). Public reporting and Microsoft's own analysis place it in the broader 'ToolShell' exploitation chain: it is a variant of the earlier deserialization flaw CVE-2025-49704 that bypasses the original July 2025 fix, and in the wild it is chained with the authentication bypass CVE-2025-49706 (and its patch-bypass variant, CVE-2025-53771) so that no credentials are needed.

Technical analysis indicates that attackers send a crafted POST request to the SharePoint ToolPane endpoint (/_layouts/15/ToolPane.aspx), using form parameters such as MSOTlPn_Uri and MSOTlPn_DWP to supply attacker-controlled WebPart/XML content. The vulnerable path treats that content as serialized data: the ExcelDataSet control in Microsoft.PerformancePoint.Scorecards.Client.dll accepts a Base64-encoded, GZip-compressed blob and passes it through GetObjectFromCompressedBase64String into BinarySerialization.Deserialize, a BinaryFormatter sink. Reported exploitation used a malicious DataSet whose schema and diffgram name dangerous types such as ExpandedWrapper; the deserializer instantiates those types, which in turn run an embedded gadget chain (the public PoCs listed below use LosFormatter/TypeConfuseDelegate payloads generated with ysoserial.net) to execute arbitrary commands. Microsoft's later fix reportedly updated XmlValidator to validate XML element types properly, closing the gap left by the earlier CVE-2025-49704 remediation.

The vulnerability affects on-premises deployments only: SharePoint Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. SharePoint Online in Microsoft 365 is not affected.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation lets an unauthenticated network attacker execute arbitrary code on the SharePoint server in the context of the SharePoint application pool, the IIS worker process (w3wp.exe), which on most deployments has broad access to the farm's content databases. In observed intrusions, attackers used that access to drop ASPX web shells (spinstall0.aspx in the LAYOUTS directory is the widely reported example), read the server's ASP.NET MachineKey material (ValidationKey and DecryptionKey), bypass MFA and SSO in downstream abuse scenarios, execute system commands, dump credentials, establish persistence, move laterally, exfiltrate data and, in some cases, deploy ransomware. The MachineKey theft matters more than any single web shell: whoever holds the ValidationKey can sign their own __VIEWSTATE payloads, so they keep code execution on a server that has since been patched until the keys are rotated. Because SharePoint is typically integrated with the rest of the enterprise collaboration estate, a compromised server gives broad access to sensitive content and a foothold for follow-on compromise of adjacent systems.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, follow Microsoft's published mitigation guidance for on-premises SharePoint. Take vulnerable servers off the internet, or put them behind an authenticating proxy or VPN, until they are patched. Enable AMSI integration in SharePoint (Full Mode where the installed build offers it) together with Microsoft Defender Antivirus or an equivalent endpoint product on every SharePoint server; AMSI inspects the incoming request body and is the control Microsoft credits with blocking unauthenticated exploitation. Monitor IIS logs for POST requests to ToolPane.aspx, especially ones with DisplayMode=Edit from unauthenticated clients, and watch the LAYOUTS directories for ASPX files that did not ship with a SharePoint build. After any suspected compromise, rotate the ASP.NET MachineKeys (Update-SPMachineKey in the SharePoint Management Shell, or the Machine Key Rotation job in Central Administration) and then restart IIS on every server in the farm so the new keys take effect; stolen keys let an attacker forge __VIEWSTATE even after the patch. Treat any internet-exposed server that was unpatched during active exploitation as compromised until a forensic review shows otherwise: patching removes the vulnerability but not web shells or other persistence already installed, so incident response review is warranted for exposed systems.
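The log-monitoring step above can be run over the W3C-format logs that SharePoint's IIS sites write by default. The script below is an added example, not code from this page or from Microsoft's guidance: it parses the #Fields header, flags POST requests to ToolPane.aspx (rating unauthenticated ones, and ones carrying the /_layouts/SignOut.aspx Referer reported in public incident write-ups, as high), and flags hits on spinstall0-style ASPX files in the LAYOUTS path. The log lines embedded in it are constructed; the field layout, the site name and the SignOut Referer indicator are assumptions that are not stated on this page.

```python
"""Triage IIS W3C logs for ToolShell (CVE-2025-53770) exploitation attempts.

Added example; not from this page or from Microsoft's guidance. It flags the
two indicators the mitigation text names: POST requests to ToolPane.aspx and
requests for unexpected ASPX files (spinstall0.aspx) under /_layouts/.
"""
import re

TOOLPANE_RE = re.compile(r"/_layouts/(?:15/)?toolpane\.aspx$", re.IGNORECASE)
# spinstall0.aspx is the widely reported web shell name; \d* also catches renamed copies
WEBSHELL_RE = re.compile(r"/_layouts/(?:15/)?spinstall\d*\.aspx$", re.IGNORECASE)
# Referer seen in public incident reporting on ToolShell; an assumption for this example
SIGNOUT_REFERER = "/_layouts/signout.aspx"


def parse_w3c(lines):
    """Yield one dict per log entry, keyed by the names in the latest #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or garbled line: skip rather than misalign columns
        yield dict(zip(fields, values))


def triage(entry):
    """Return (severity, reason) for one entry, or None when it is not interesting."""
    method = entry.get("cs-method", "").upper()
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-").lower()
    referer = entry.get("cs(Referer)", "-").lower()
    anonymous = entry.get("cs-username", "-") in ("-", "")
    if method == "POST" and TOOLPANE_RE.search(stem):
        if "displaymode=edit" not in query:
            return "low", "POST to ToolPane.aspx without edit mode"
        if anonymous or referer.endswith(SIGNOUT_REFERER):
            return "high", "unauthenticated or SignOut-referred POST to ToolPane.aspx in edit mode"
        return "medium", "authenticated POST to ToolPane.aspx in edit mode (legitimate edits look like this too)"
    if WEBSHELL_RE.search(stem):
        return "high", "request for a spinstall-style ASPX file under /_layouts/"
    return None


def scan(lines):
    """Run triage over every entry; return (severity, client IP, URI stem, reason) per hit."""
    hits = []
    for entry in parse_w3c(lines):
        verdict = triage(entry)
        if verdict is not None:
            hits.append((verdict[0], entry.get("c-ip", "?"), entry.get("cs-uri-stem", ""), verdict[1]))
    return hits


# Constructed sample log in the default IIS W3C field layout (hostnames and IPs are made up)
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:02:11 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 DOMAIN\\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 123
2025-07-19 10:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200 0 0 1580
2025-07-19 10:03:42 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 45
2025-07-19 10:05:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 DOMAIN\\bob 10.0.1.21 Mozilla/5.0 https://sp.example.test/sites/hr/SitePages/Home.aspx 200 0 0 220
"""

if __name__ == "__main__":
    for sev, ip, stem, why in scan(SAMPLE_LOG.splitlines()):
        print(f"[{sev:6}] {ip:15} {stem}  {why}")
```

Point it at the real log directory and collect the high-severity client IPs for blocking and for scoping the forensic review. Note that what IIS records in cs-username depends on the web application's authentication mode and can be blank for some claims or forms-based configurations, so every entry may look anonymous; in that case the SignOut.aspx Referer and the client IP are the more reliable discriminators, and the hits should be correlated with the SharePoint ULS logs.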

Remediation

Patch, then assume compromise.

Apply Microsoft's security updates for the affected on-premises SharePoint versions, specifically the updates released in July 2025 that address CVE-2025-53770 and CVE-2025-53771, not only the earlier July 2025 Patch Tuesday updates for CVE-2025-49704 and CVE-2025-49706, which this vulnerability bypasses. Ensure every supported deployment (Subscription Edition, SharePoint Server 2019 and SharePoint Enterprise Server 2016) is on the latest security build Microsoft provides, and confirm the installed build on each server ((Get-SPFarm).BuildVersion in the SharePoint Management Shell, or the product and patch installation status page in Central Administration) rather than trusting the deployment tool's status. Because this issue was an incomplete-fix variant, verify that the comprehensive update is present on every server in the farm. Patching is the first step, not the last: rotate the MachineKeys, restart IIS and hunt for persistence on any server that was exposed before the update was applied.
PUBLIC EXPLOITS

Exploits

10 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (40 hidden).

Valid: 10 of 50 total
Repository: CVE-2025-53770 · Maturity: PoC · Verified exploit

This repository provides a comprehensive proof-of-concept exploit and analysis toolkit for the SharePoint ToolPane unauthenticated remote code execution vulnerability (CVE-2025-53770), along with related authentication bypass and deserialization flaws (CVE-2025-49706, CVE-2025-53771, CVE-2025-49704). The main exploit (exploit/exploit.py) sends a crafted HTTP POST request to the ToolPane.aspx endpoint, leveraging a chain of vulnerabilities to achieve RCE without authentication. The payload is a base64-encoded, gzipped .NET LosFormatter/TypeConfuseDelegate gadget chain that executes arbitrary commands (e.g., PowerShell or cmd.exe) on the target server. Auxiliary scripts include a scanner (scanner/scanner.py) to fingerprint vulnerable SharePoint versions and an analysis tool (analysis/analyse.py) to decode and inspect payloads. The repository also contains a Metasploit module and cURL example for alternative exploitation methods. The exploit targets SharePoint Server 2019 (specific vulnerable versions) and requires only network access to the target. The structure is well-documented, with clear separation between exploitation, scanning, and analysis components.

saladin0x1 · Disclosed Sep 4, 2025 · python, ruby · network
Repository: Toolshell_CVE-2025-53770 · Maturity: PoC · Verified exploit

This repository provides a functional exploit for CVE-2025-53770 targeting Microsoft SharePoint. The exploit consists of a Python script (toolshell_exploit.py) that automates the upload of a C# webshell (spinstall0.aspx) to a vulnerable SharePoint instance. The attacker must supply valid __VIEWSTATE, __VIEWSTATEGENERATOR, and __EVENTVALIDATION values, which can be obtained from the page source of a SharePoint page. The script uploads the webshell by POSTing these values to the ToolPane.aspx endpoint. Once uploaded, the webshell allows arbitrary command execution via HTTP GET requests to spinstall0.aspx, with the command specified in the 'cmd' query parameter. The exploit also supports delivering a PowerShell reverse shell payload, enabling the attacker to gain an interactive shell on the target. The repository includes a README.md with usage instructions, the Python exploit script, and the C# webshell. The main attack vector is network-based, requiring access to the SharePoint web interface.

GreenForceNetworks · Disclosed Jul 22, 2025 · python, c# · network
Repository: CVE-2025-53770 · Maturity: PoC · Verified exploit

This repository contains a proof-of-concept exploit for CVE-2025-53770, an unauthenticated remote code execution vulnerability in Microsoft SharePoint Server 2019 (version 16.0.10383.20020) on Windows Server 2019. The exploit targets the ToolPane.aspx endpoint, abusing unsafe .NET deserialization in the Scorecard:ExcelDataSet control. The repository consists of a README.md with detailed vulnerability and usage information, and a Python script (cve-2025-53770.py) that sends a crafted payload to the vulnerable endpoint. The payload is a GZip-compressed, Base64-encoded .NET object embedded in an ASP.NET control, which, when deserialized by the server, can lead to arbitrary code execution. The script extracts and decodes the server's response, saving the result to a local file for further analysis. No authentication is required, and the exploit is network-based. The code is a functional proof-of-concept and does not include a fully weaponized or customizable payload.

Agampreet-Singh · Disclosed Aug 7, 2025 · python · network
Repository: SharePoint-CVE-2025-53770-POC · Maturity: PoC · Verified exploit

This repository provides a C# proof-of-concept tool for building exploit payloads targeting CVE-2025-53770, a deserialization remote code execution vulnerability in Microsoft SharePoint. The main code is in 'OurSharePoint/Program.cs', which takes a Base64-encoded LosFormatter payload (such as one generated by ysoserial.net), wraps it in a custom .NET DataSet with a crafted XML schema and diffgram, serializes it using BinaryFormatter, compresses it with GZip, and outputs a Base64-encoded file ready for use in an exploit scenario. The tool is configurable via command-line arguments for input file, output prefix, and XML element names. The README provides clear instructions and references to public research and a Metasploit implementation. The exploit does not itself deliver the payload to a target but prepares a payload that, when delivered to a vulnerable SharePoint instance, can result in arbitrary code execution. The attack vector is network-based, as exploitation requires sending the payload to a SharePoint deserialization endpoint. No hardcoded network endpoints or IPs are present; the tool is a payload builder, not a delivery mechanism.

Immersive-Labs-Sec · Disclosed Jul 29, 2025 · csharp · network
Repository: CVE-2025-53770 · Maturity: PoC · Verified exploit

This repository contains a proof-of-concept Python exploit for CVE-2025-53770, targeting Microsoft SharePoint (version 16.0.0.0). The main file, 'exploit.py', reads a list of target SharePoint URLs from 'target.txt', then for each target, sends a crafted POST request to the '/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx' endpoint with a custom payload. The script disables SSL verification and uses a specific Referer header. It analyzes the server's response for a 'CompressedDataTable' value, decodes and decompresses it, and searches for patterns indicating vulnerability. If found, it saves the decompressed data to a file in '/tmp/'. The exploit is a POC and does not provide a shell or advanced payload, but demonstrates the vulnerability and extracts potentially sensitive data from the target. The repository structure is simple, with only a README and the exploit script.

r3xbugbounty · Disclosed Jul 28, 2025 · python · network
Repository: CVE-2025-53770_Raw-HTTP-Request-Generator · Maturity: PoC · Verified exploit

This repository contains a Python-based exploit (main.py) and an ASPX webshell payload (pwn.aspx) targeting Microsoft SharePoint servers. The exploit works by encoding the ASPX payload, embedding it in a PowerShell script, and then crafting a complex HTTP POST request to the SharePoint ToolPane.aspx endpoint. If the exploit is successful, the payload is written to a specific location on the target server (spinstall0.aspx). The webshell, when accessed, uses .NET reflection to extract and display sensitive cryptographic keys (ValidationKey, DecryptionKey, etc.) from the server's MachineKey configuration. The repository is structured with a main exploit script and a payload file, and is operational in nature, providing a working attack chain for uploading and executing a webshell on vulnerable SharePoint installations.

BirdsAreFlyingCameras · Disclosed Jul 25, 2025 · python, aspx · network
Repository: OurSharePoint-CVE-2025-53770 · Maturity: PoC · Verified exploit

This repository provides a C# proof-of-concept tool for building exploit payloads targeting Microsoft SharePoint deserialization vulnerabilities (CVE-2025-53770). The main code is in 'OurSharePoint/Program.cs', which takes a Base64-encoded LosFormatter payload (typically generated by ysoserial.net), wraps it in a custom .NET DataSet with a crafted XML schema and diffgram, serializes it using BinaryFormatter, compresses it with GZip, and outputs the result as a Base64-encoded file. The tool allows customization of XML element names for obfuscation. The README provides clear instructions and references to public research and Metasploit implementation. The exploit does not itself deliver the payload to a target but prepares a file suitable for use in further exploitation of vulnerable SharePoint instances. No hardcoded network endpoints or IPs are present; the attack vector is network-based, assuming the payload is delivered to a vulnerable SharePoint deserialization sink.

Rabbitbong · Disclosed Jul 24, 2025 · csharp, xml · network
Repository: CVE-2025-53770 · Maturity: PoC · Verified exploit

This repository provides a sophisticated Python exploit tool ('divine_absolute.py') targeting CVE-2025-53770, a critical unauthenticated remote code execution vulnerability in Microsoft SharePoint Server (2016, 2019, Subscription Edition, and EOL 2010/2013). The exploit leverages a deserialization flaw in the '/_layouts/15/ToolPane.aspx' endpoint, allowing attackers to deliver .NET deserialization payloads (generated via ysoserial.net) to achieve RCE. The tool features multiple operational modes: reconnaissance (detects SharePoint and endpoint accessibility), exploitation (delivers payloads), and full (combines both with optional aggressive exploitation). Payloads can be customized, including PowerShell AMSI bypasses and out-of-band HTTP/DNS pingbacks for verification. The tool supports advanced evasion (URI suffixes, referer spoofing), adaptive rate limiting, concurrency, and forensic logging. Results are output in JSON for analysis. The repository includes a detailed README, the main exploit script, and a requirements file. The exploit is operational, with customizable payloads and verification mechanisms, and is intended for authorized penetration testing and research only.

exfil0 · Disclosed Jul 23, 2025 · python · network
Repository: CVE-2025-53770-Exploit · Maturity: PoC · Verified exploit

This repository provides a comprehensive exploit toolkit for CVE-2025-53770, a .NET deserialization vulnerability in Microsoft SharePoint (on-premises) via the ToolPane.aspx endpoint. The exploit targets authenticated users who can inject a malicious WebPart containing a GZIP-compressed, Base64-encoded serialized .NET object, leading to remote code execution (RCE) on the server. The toolkit consists of: - 'exploit.py': The main exploit script, written in Python, which automates detection of SharePoint, version checking, endpoint validation, and delivery of the malicious payload to the /_layouts/15/ToolPane.aspx endpoint. It supports multi-threaded exploitation, proxying, and batch targeting. - 'YSLosf/Program.cs': A C# utility for generating and deserializing LosFormatter-based .NET payloads. It serializes user-supplied commands or objects, encodes them in Base64, and can also deserialize payloads for testing. - 'compress.py': A helper Python script to GZIP-compress and Base64-encode the serialized payload, preparing it for injection. - 'requirements.txt': Lists Python dependencies for the exploit tool. - 'README.md': Extensive documentation covering usage, payload generation, supported versions, and legal disclaimers. The exploit does not include any built-in reverse shell or web shell payloads; users must generate their own payloads using the provided tools. The attack vector is network-based, requiring authenticated access to a vulnerable SharePoint instance. The main fingerprintable endpoint is '/_layouts/15/ToolPane.aspx', with the 'MSOTlPn_DWP' POST parameter used for payload delivery. The toolkit is intended for security researchers and red teamers to test and demonstrate the vulnerability, not for unauthorized use.

soltanali0 · Disclosed Jul 21, 2025 · python, csharp · network
Repository: CVE-2025-53770 · Maturity: PoC · Verified exploit

This repository is a proof-of-concept (POC) exploit for Microsoft SharePoint CVE-2025-53770. It contains two files: a README.md describing the exploit and a 'payload' file containing a raw HTTP POST request. The exploit targets the /_layouts/15/ToolPane.aspx endpoint on a SharePoint server, attempting to inject a malicious web part (DWP) via form parameters. The payload includes ASP.NET control registrations and a compressed data table, suggesting an attempt to execute or manipulate server-side code. The exploit is network-based, requiring access to the SharePoint web interface. No detection scripts or fake elements are present; the payload is a direct exploitation attempt. The repository is structured as a minimal POC, with the main exploit logic in the 'payload' file.

kaizensecurity · Disclosed Jul 21, 2025 · http, asp.net · network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability, at product granularity; specific CPE configurations and version ranges are not listed here.

Vendor                | Product                | Type
Microsoft Corporation | SharePoint Server      | application
Microsoft Corporation | SharePoint Server 2016 | application
Microsoft Corporation | SharePoint Server 2019 | application

Vendor-confirmed product mapping. Note that Subscription Edition, which is also affected, is covered by the unversioned SharePoint Server entry rather than listed separately.

Additional data available in-app but not shown on this page:

Exposure mapping (assets running an affected version)
Threat actor evidence: 55
Associated malware: 43
Detection signatures: 3 (YARA, Sigma, Snort and vendor rules)
Vendor-by-vendor mapping (affected SKUs, including bundled OEM variants)
Social activity: 128