Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-53770 PoC — Microsoft SharePoint Server Remote Code Execution Vulnerability

Source
https://github.com/a-hydrae/ToolShell-Honeypot
Associated Vulnerability
Title:Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770)
Description:Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Description
Honeypot for CVE-2025-53770 aka ToolShell
Readme
# ToolShell-Honeypot (SharePoint Zero-Day)

A Docker-based honeypot focused on detecting and logging exploitation attempts against Microsoft SharePoint zero-day vulnerabilities.  
**This honeypot is designed for early detection and threat intelligence, not for simulating a full SharePoint environment or post-exploitation activity.**

## Main Features
- Logs all HTTP requests (GET, POST, etc.)
- Emulates IIS headers and key SharePoint endpoints
- IOC tagging and YARA-based detection (including obfuscation)
- HTTPS with self-signed certificate
- Streamlit dashboard for visualization and export
- Modular, Docker-based architecture

## Coverage and Limitations

**What this honeypot does:**
- Detects and logs exploit attempts targeting known SharePoint vulnerabilities ([CVE-2025-49704](https://www.cve.org/CVERecord?id=CVE-2025-49704), [CVE-2025-49706](https://www.cve.org/CVERecord?id=CVE-2025-49706), [CVE-2025-53770](https://www.cve.org/CVERecord?id=CVE-2025-53770), [CVE-2025-53771](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771))
- Captures payloads, including webshells, encoded commands, and obfuscated content
- Provides IOC and YARA-based detection for threat intelligence and research

**What this honeypot does NOT do:**
- Does **not** simulate full SharePoint authentication, session management, or dynamic content
- Does **not** allow post-exploitation interaction (e.g., webshell command execution, file download/upload, lateral movement)
- Attackers may quickly realize the system is a honeypot after the initial response

## Architecture
```
Docker Compose
├── honeypot (Flask, port 443, /data)
└── dashboard (Streamlit, port 8501, /data)
```

## Detection Pipeline

```mermaid
flowchart TD
    A[HTTP Request Received] --> B{Python Detection}
    B -->|Pattern match detected| C[Log Python detection fields]
    B -->|Encoded content detected| D[Decode/Extract Payload]
    B -->|No Python detected| F[YARA Scan - Raw]
    D --> E[YARA Scan - Decoded]
    C --> F[YARA Scan - Raw]
    E --> G[Log YARA matches - Decoded]
    F --> H[Log YARA matches - Raw]
    C --> I[Save JSON log]
    G --> I
    H --> I
    I --> J[Dashboard/Export]
```
*Detection pipeline: Python logic and YARA scanning for both raw and decoded payloads. All results are logged and visualized in the dashboard.*

- **Python Detection:** Uses regex, heuristics, and custom logic to detect suspicious PowerShell, webshell, 
and exploit patterns, including obfuscation (concatenation, char codes, variable indirection, base64, etc.).
- **YARA Scan:** Applies YARA rules to both raw and decoded payloads for known exploit/webshell/obfuscation 
signatures.
- **Complementary:** Python detection can catch advanced, dynamic, or obfuscated patterns that YARA alone may 
miss; YARA provides standardized, portable detection for known threats.


### IOC and Detection Matrix
| Attack/IOC/Use Case                        | Python | YARA | Both |
|--------------------------------------------|:------:|:----:|:----:|
| ToolPane exploit endpoint                  |   X    |      |      |
| DisplayMode=Edit param                     |   X    |      |      |
| a=/ToolPane.aspx param                     |   X    |      |      |
| Referer SignOut.aspx                       |   X    |      |      |
| Suspicious User-Agent                      |   X    |      |      |
| Webshell probe endpoints                   |   X    |      |      |
| ViewState payload                          |   X    |  X   |  X   |
| Generic ASPX webshell                      |        |  X   |      |
| ToolShell/SharePoint exploit (ysoserial)   |        |  X   |      |
| PowerShell -EncodedCommand                 |   X    |  X   |  X   |
| PowerShell base64 (UTF-8/UTF-16LE)         |   X    |  X   |  X   |
| PowerShell concatenation ("I"+"EX")        |   X    |  X   |  X   |
| PowerShell char codes ([char]73+...)       |   X    |  X   |  X   |
| PowerShell variable indirection ($a='IEX') |   X    |  X   |  X   |
| PowerShell pipeline (IEX (Get-Content ...))|   X    |  X   |  X   |
| Invoke-Obfuscation artifacts               |   X    |  X   |  X   |
| Suspicious long base64                     |   X    |  X   |  X   |
| NOP sled, PE upload                        |        |  X   |      |

## Monitored Endpoints and Patterns
- `/` (catch-all)
- `/favicon.ico`
- `/_layouts/SignOut.aspx`
- `/_layouts/15/ToolPane.aspx` and `/_layouts/16/ToolPane.aspx` (POST/GET, parameters DisplayMode=Edit, a=/
ToolPane.aspx)
- `/_layouts/15/spinstall0.aspx`, `/_layouts/16/spinstall0.aspx`, `spinstall.aspx`, `spinstall1.aspx`, `info3.aspx`, `xxx.aspx`

## Indicators of Compromise (IOC)
- ToolPane exploit endpoint (with suspicious params)
- DisplayMode=Edit param
- a=/ToolPane.aspx param
- Referer SignOut.aspx
- Suspicious User-Agent (e.g., Firefox/120.0)
- Webshell probe endpoints
- ViewState payload in POST body

*All detected IOCs are shown as badges in the dashboard and can be used to filter requests.*

## YARA Rules and Advanced Detection
- Detects known exploits, webshells, PowerShell encoded/obfuscated payloads, and suspicious binaries
- Rules are applied to both raw and decoded (base64, UTF-16LE) payloads
- Easily extensible for new threats

## Data Collected and Displayed
- Request metadata: method, path, IP, headers, query args, IOC tags, YARA matches, PowerShell patterns
- POST bodies: saved as .bin files, archived daily in ZIP
- Logs: JSON per request, Apache-style access.log
- Dashboard: filter/search, download bodies/logs, CSV export, IOC/YARA highlighting

## Quick Start
1. Generate a self-signed certificate:
   ```bash
   openssl req -x509 -nodes -days 365 \
     -newkey rsa:2048 -keyout key.pem -out cert.pem \
     -subj "/CN=sharepoint.local"
   cp cert.pem key.pem ToolShell-Honeypot/
   ```
2. Build and start:
   ```bash
   cd ToolShell-Honeypot
   docker-compose build
   docker-compose up
   ```
3. Test the honeypot:
   ```bash
   # Run the basic endpoint test script
   ./test_toolshell.sh

   # Run the body content test script (covers text, JSON, XML, form, binary, and IOC cases)
   ./test_toolshell_bodies.sh

   # Run the advanced YARA/PowerShell test script
   ./test_toolshell_yara.sh
   ```
   These scripts will send a variety of requests to the honeypot, simulating real-world attack and probe scenarios. After running them, check the dashboard at http://localhost:8501 to review the results, IOC detection, and data previews.

## Service Management (manage.sh)
A management script is provided for easy control of the honeypot and dashboard services.

**Usage:**
```bash
cd ToolShell-Honeypot
chmod +x manage.sh   # (first time only)
./manage.sh
```

**Menu options:**
- 0: Build all Docker images
- 1: Start only the honeypot
- 2: Start only the dashboard
- 3: Start both honeypot and dashboard
- 4: Show status
- 5: Stop only the honeypot
- 6: Stop only the dashboard
- 7: Stop all containers
- q: Quit



## Notes
- Data is saved in ./data
- ZIP archives are rotated daily (YYYY-MM-DD.zip)
- Dashboard and honeypot are separated for security
- access.log is SIEM-compatible

## Threat Intelligence and Detection Logic
The IOC patterns, YARA rules, and detection logic are based on real-world attack campaigns and public threat intelligence for ToolShell/SharePoint vulnerabilities, including:
- Exploit attempts on ToolPane.aspx endpoints with specific parameters
- Use of known malicious Referer and User-Agent headers
- Probing of webshell endpoints
- Detection of ViewState payloads in POST bodies
- Advanced PowerShell obfuscation and webshell delivery techniques

**Relevant CVEs:**
- [CVE-2025-49704](https://www.cve.org/CVERecord?id=CVE-2025-49704): Improper code generation control (code injection) in SharePoint
- [CVE-2025-49706](https://www.cve.org/CVERecord?id=CVE-2025-49706): Improper authentication in SharePoint
- [CVE-2025-53770](https://www.cve.org/CVERecord?id=CVE-2025-53770): Deserialization of untrusted data in SharePoint
- [CVE-2025-53771](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771): Path traversal in SharePoint


## TODO
- Webhook alerting, advanced parsing, SIEM integration, dashboard authentication, extend honeypot capabilities to simulate authentication, session management, dynamic content, limited post-exploitation interaction (e.g., webshell command execution, file upload/download) for deeper attacker engagement and analysis and many more...
File Snapshot

 [4.0K]  /data/pocs/6f6e69a5c83178444a5a0f5b6a9b0a85fbb4fdcf
├── [9.4K]  dashboard.py
├── [ 391]  docker-compose.yml
├── [ 201]  Dockerfile.dashboard
├── [ 203]  Dockerfile.honeypot
├── [9.6K]  honeypot.py
├── [1.0K]  LICENSE
├── [1.3K]  manage.sh
├── [8.3K]  README.md
├── [5.0K]  test_toolshell_bodies.sh
├── [5.0K]  test_toolshell.sh
├── [4.4K]  test_toolshell_yara.sh
└── [4.0K]  yara_rules
    └── [3.4K]  toolshell_honeypot.yar

1 directory, 12 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →