TrueConf Client Update Integrity Check Bypass Leading to Arbitrary Code Execution

This repository is a standalone Python exploit toolkit for a claimed TrueConf Windows update hijacking issue, CVE-2026-3502. It is not tied to a common exploit framework. The structure contains four main code files: `exploit.py` (primary exploit simulation and reporting), `detectors/vulnerability_checker.py` (server/client/IOC checker), `malicious_update_builder.py` (builder for a malicious update package using generated C stubs and an Inno Setup script), and `update_server.py` (Flask-based fake update server for MITM or server-compromise simulation). Supporting files include `README.md`, usage notes, requirements, and an example output file. Main exploit capability: `exploit.py` checks whether a target exposes `/downlods/trueconf_client.exe` and treats missing `ETag`/`Last-Modified` headers as evidence of weak integrity protection. It can then simulate an attack by validating a supplied malicious EXE, hashing it, printing deployment steps, and generating a JSON report. It does not automatically compromise the target server; instead, it operationalizes the attack workflow by documenting how to replace the server-hosted update binary in `C:\Program Files\TrueConf Server\ClientInstFiles\trueconf_client.exe`. The builder component is more aggressive: `malicious_update_builder.py` generates source for a DLL sideload payload (`7z-x64.dll`), an Inno Setup installer script, and decoy binaries. The generated installer script drops files under `C:\ProgramData\PowerISO`, launches a client binary, adds persistence via `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck`, and creates a scheduled task `TrueConfUpdate`. The DLL payload is demonstrative but includes a proof action writing `C:\ProgramData\pwned.txt`; comments reference downloading a Havoc payload from `http://attacker.com/havoc.exe`. `update_server.py` provides a fake TrueConf server with routes `/downlods/trueconf_client.exe`, `/config`, `/version.js`, and `/`, allowing an operator to serve a malicious update and spoof version metadata to clients. `detectors/vulnerability_checker.py` performs HEAD requests to the update endpoint, checks local Windows install paths for vulnerable client versions, and looks for IOC artifacts such as dropped files, Run keys, and scheduled-task references. Overall, this is an operational proof-of-concept repository for malicious update delivery in a Windows enterprise/internal-network scenario. It combines vulnerability checking, fake infrastructure, payload packaging, and deployment guidance. While some actions are simulated and several payload steps are instructional rather than fully automated, the repository clearly aims to demonstrate arbitrary code execution through update hijacking and includes persistence-oriented payload examples.