Microsoft Office Shell.Explorer.1 OLE Security Feature Bypass
CVE-2026-21509 is a Microsoft Office security feature bypass vulnerability caused by reliance on untrusted input in a security decision. Public reporting indicates the flaw is triggered when Office opens a specially crafted document, most commonly RTF, DOC, or DOCX files containing embedded OLE/COM content that invokes the Shell.Explorer.1 control (CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}) or related WebBrowser/OLE object handling paths. In observed exploitation, Word instantiates the embedded object and uses the legacy Internet Explorer/MSHTML engine to access attacker-controlled content, often over WebDAV or HTTPS. Malicious documents have been observed embedding URLs that point to LNK files or ClickOnce application manifests, which are then retrieved and executed without the normal Office protection prompts defenders would expect. Multiple reports describe this as bypassing Protected View or other Office/OLE security controls, enabling follow-on payload delivery without macros and with little or no additional user interaction beyond opening, and in some cases previewing, the document.
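Because the description above names a specific COM CLSID and the document formats it rides in (RTF, DOC, DOCX), a defender's first triage step is to look for references to that control inside documents arriving at the mail gateway or found on disk. The scanner below is an added example, not code from the page, from Mallory, or from any of the PoC repositories summarised further down. It assumes only the Shell.Explorer.1 CLSID given in the text; the sample DOCX and RTF it builds are constructed stubs for exercising the scanner (the "OLE part" is a few bytes carrying the CLSID, not a valid compound file), and the three on-disk forms it checks (little-endian bytes inside OLE/ActiveX streams, hex text inside RTF `\objdata`, and the braced text form in XML attributes) are standard encodings of a GUID, not something specific to this CVE.

```python
"""Defensive triage: find references to watched COM CLSIDs in Office documents.
Added example; not the page's PoC and not vendor code."""
import re
import uuid
import zipfile
from io import BytesIO

# CLSID named in the advisory text. Any further watch-list entries are your own
# assumption about which legacy controls matter in your environment.
SHELL_EXPLORER_1 = "EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B"
WATCHLIST = {SHELL_EXPLORER_1: "Shell.Explorer.1 (legacy WebBrowser control)"}

# ProgID form, as seen in RTF \objclass groups and o:OLEObject ProgID attributes.
PROGID_RE = re.compile(rb"shell\.explorer(?:\.\d)?")


def clsid_forms(clsid):
    """Byte patterns under which one CLSID can appear in a document."""
    u = uuid.UUID(clsid)
    return {
        "ole-binary": u.bytes_le,               # OLE directory entry / ActiveX stream
        "rtf-hex": u.bytes_le.hex().encode(),   # hex-encoded OLE1 stream in \objdata
        "text": ("{%s}" % u).encode(),          # classid / clsid attributes in XML
    }


def scan_part(name, data):
    """Findings for one blob (a DOCX part, or a whole RTF/DOC file)."""
    findings = []
    lowered = data.lower()  # text forms are matched case-insensitively
    for clsid, label in WATCHLIST.items():
        for form, pattern in clsid_forms(clsid).items():
            haystack = data if form == "ole-binary" else lowered
            if pattern in haystack:
                findings.append({"part": name, "clsid": clsid, "form": form, "label": label})
    if PROGID_RE.search(lowered):
        findings.append({"part": name, "clsid": None, "form": "progid",
                         "label": "Shell.Explorer ProgID reference"})
    return findings


def scan_document(blob):
    """Scan a zip-based DOCX/DOCM part by part, or a flat RTF/DOC as one blob."""
    if zipfile.is_zipfile(BytesIO(blob)):
        findings = []
        with zipfile.ZipFile(BytesIO(blob)) as z:
            for info in z.infolist():
                findings.extend(scan_part(info.filename, z.read(info.filename)))
        return findings
    return scan_part("<file>", blob)


def flagged(blob):
    """True if any watched CLSID or ProgID is referenced anywhere in the document."""
    return bool(scan_document(blob))


# ---- constructed test inputs (stubs, not working documents) -----------------

def build_sample_docx(clsid):
    """CONSTRUCTED: minimal zip with an XML OLE reference and a CLSID-bearing part."""
    ole_stub = b"\x00" * 16 + uuid.UUID(clsid).bytes_le + b"\x00" * 16
    document_xml = (b'<w:document><w:body><w:p><w:r><w:object>'
                    b'<o:OLEObject Type="Embed" ProgID="Shell.Explorer.1" r:id="rId4"/>'
                    b'</w:object></w:r></w:p></w:body></w:document>')
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/embeddings/oleObject1.bin", ole_stub)
    return buf.getvalue()


def build_sample_rtf(clsid):
    """CONSTRUCTED: RTF fragment with an \\objclass name and hex-encoded CLSID."""
    hex_obj = uuid.UUID(clsid).bytes_le.hex()
    return (r"{\rtf1{\object\objemb{\*\objclass Shell.Explorer.1}"
            r"{\*\objdata 01050000" + hex_obj + "}}}").encode()


if __name__ == "__main__":
    for label, blob in [("docx", build_sample_docx(SHELL_EXPLORER_1)),
                        ("rtf", build_sample_rtf(SHELL_EXPLORER_1)),
                        ("clean", b"{\\rtf1 plain text only}")]:
        print(label, "FLAGGED" if flagged(blob) else "clean")
        for f in scan_document(blob):
            print("   ", f["part"], f["form"], f["label"])
```

A hit on the binary or hex form tells you a CLSID is actually carried in an object stream, whereas a hit only on the ProgID or text form may be a harmless reference; both are worth a closer look, and the part name in each finding (for example `word/embeddings/oleObject1.bin`) points you at what to extract for analysis.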
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (11 hidden).
This repository is a small proof-of-concept exploit generator consisting of one Python script and a minimal README. The main file, CVE-2026-21509.py, creates a crafted DOCX document intended to trigger CVE-2026-21509 in Microsoft Office/Word by embedding a valid OLE compound file inside the Office Open XML package. The exploit does not perform exploitation over the network and contains no reverse shell, downloader, or post-exploitation payload. Its core capability is file generation: it decodes a hardcoded minimal OLE template, patches a 16-byte CLSID placeholder at offset 0x80 using a user-provided or default COM CLSID, and then assembles a complete DOCX structure in a temporary directory before zipping it into the final output document.

Repository structure is straightforward:
- README.md: brief description only.
- CVE-2026-21509.py: full exploit logic and CLI entry point.

Within the Python script, the main functional components are:
- patch_ole_clsid(): parses a CLSID string with Python's uuid module and inserts the little-endian CLSID bytes into the embedded OLE template.
- create_malicious_docx(): builds the Office document structure, including required directories, OLE binary placement, content types, relationship files, document properties, and the main Word XML that references the embedded object.
- __main__ block: exposes command-line options for output filename and CLSID.

The exploit is best classified as a PoC rather than an operational weapon. It demonstrates the document construction needed to exercise the vulnerability, but it does not include a secondary payload or automated delivery. The attack vector is a malicious file that must be opened in a vulnerable Office environment, likely on Windows due to COM/OLE CLSID usage. No external URLs, IPs, domains, or C2 infrastructure are present in the code; the only fingerprintable artifacts are the internal DOCX package paths and the default CLSID value.
Repository contains a single Python proof-of-concept script and a README describing CVE-2026-21509 as a Microsoft Office security feature bypass involving embedded OLE/COM content.

Structure & purpose:
- `CVE-2026-21509.py`: Generates a DOCX with low-level OpenXML elements (via `python-docx` plus direct XML manipulation) and creates a minimal OLE-like binary stream containing a user-supplied COM CLSID. The script writes the stream to `embedded_ole.bin` and saves the DOCX to a user-chosen path. Comments explicitly state it is conceptual and that real exploitation would require a real vulnerable CLSID and a properly embedded binary part inside the DOCX package.
- `README.md`: Provides background, affected Office versions, and testing guidance (run script, open in a vulnerable VM, monitor with ProcMon). It suggests extending the PoC with oletools/VBA/ActiveX, but those capabilities are not implemented in code.

Exploit capabilities (as implemented):
- Client-side document generation for research/testing.
- Embeds a chosen CLSID into a padded binary blob intended to represent an OLE stream.
- Does not implement delivery, network callbacks, macro execution, or code execution; it is primarily a scaffold to help researchers craft/test OLE embedding and observe Office behavior.

Notable targeting/IOCs:
- Writes `embedded_ole.bin` and a DOCX (default `CVE-2026-21509_Test.docx`).
- Uses the OpenXML namespace URI `http://schemas.openxmlformats.org/drawingml/2006/picture` in document XML (not an external request).
- References monitoring `HKCR\CLSID\{...}` for COM activation during testing.
Repository contains a single Python proof-of-concept script plus documentation and pinned dependencies. The PoC claims to relate to CVE-2026-21509 (Microsoft Office security feature bypass) and focuses on generating a DOCX with low-level OpenXML elements intended to represent an embedded object, alongside a separately generated minimal OLE binary stream.

Structure & purpose:
- CVE-2026-21509.py: Main PoC generator. Uses python-docx to create a Word document, then manually injects OpenXML drawing elements (w:drawing/wp:inline/a:graphic/a:graphicData/pic:pic) as a simplified placeholder for an embedded object. It generates an OLE stream consisting of a small header plus a user-supplied CLSID (little-endian UUID bytes), pads it to 512 bytes, and writes it to embedded_ole.bin. The script explicitly notes that python-docx does not directly support embedding OLE binary parts, and suggests manual embedding via external tools.
- README.md: High-level description of the alleged Office zero-day/bypass, affected Office versions, and testing guidance (open in an unpatched Office VM; monitor CLSID registry lookups; suggests using oletools/OleViewDotNet and mentions kill-bit mitigations).
- requirements.txt: python-docx, olefile, urllib3 (urllib3 is imported but not used for network activity in the script).

Exploit capabilities:
- Generates a test DOCX and a standalone OLE stream file to support research into OLE handling/bypass behavior.
- Requires user interaction (opening the document in Office). No preview-pane vector.
- Does not include a working embedded OLE part inside the DOCX (only a placeholder XML structure) and does not include a real malicious payload (no shellcode/VBA/command execution logic).

Notable code concern:
- The function generate_ole_stream() calls check_vuln(), which invokes subprocess.Popen([p, u], shell=True) using two obfuscated strings. This behavior is unrelated to DOCX/OLE generation and could be suspicious or simply non-functional; it does not clearly implement exploitation, but it does represent an unexpected process-spawn attempt.
Repository contains a single Python proof-of-concept script and a README describing CVE-2026-21509 as a Microsoft Office security feature bypass involving OLE/embedded content.

Structure & purpose:
- `CVE-2026-21509.py`: Generates a DOCX with low-level OpenXML elements (a `w:drawing`/`wp:inline` structure with `a:graphicData` set to the DrawingML picture URI) and creates a separate OLE binary blob (`embedded_ole.bin`). The script's intent is to help researchers test how Office handles embedded OLE objects/CLSID activation in allegedly vulnerable builds.
- `README.md`: Provides background, affected product list, and usage steps. It explicitly frames this as research/testing in an isolated VM and suggests follow-on tooling (oletools, OleViewDotNet, ProcMon) and mitigations (kill bit/patching).

Exploit capabilities (as implemented):
- User-assisted attack vector: produces a document artifact that must be opened in Office.
- Configurable CLSID embedding: `--clsid` controls the COM CLSID written into the OLE stream (little-endian UUID bytes).
- No actual code execution/payload: `generate_ole_stream()` builds only a minimal header + CLSID + padding; the script does not embed the OLE binary into the DOCX package relationships/parts in a way that would reliably trigger OLE activation. It prints that manual embedding may be required.

Overall assessment:
- This is a conceptual/document-generation PoC rather than an operational exploit. It is primarily useful for creating test artifacts and as a starting point for further manual crafting of OLE parts/ActiveX embedding rather than delivering a complete bypass chain.
Recent activity
A Microsoft Office vulnerability exploited in campaigns involving PixyNetLoader and used to extract a COVENANT Grunt implant.
A remote code execution vulnerability in Microsoft Office affecting RTF and OLE document processing, rapidly weaponized in targeted spear-phishing campaigns.
A Microsoft Office security feature bypass vulnerability that allows malicious documents to bypass OLE security restrictions and automatically execute embedded OLE objects to retrieve and run external payloads, enabling client-side code execution via spear-phishing documents.
A Microsoft Office security feature bypass vulnerability that can circumvent Protected View and enable malicious code execution.