Windows Shell Zero-Click Authentication Coercion / Spoofing Vulnerability

This repository is a small proof-of-concept consisting of a README and one Python script, poc.py. The script builds a malicious Windows .lnk shortcut file from scratch using Python struct packing. Its purpose is to coerce Windows Explorer into initiating an outbound SMB connection during icon resolution, without the victim needing to open the shortcut. The README explains the underlying behavior: Explorer traverses Control Panel shell item handling, eventually checking whether a module path exists; if that module path is a UNC path, Windows performs a remote file attribute/stat operation that opens SMB to the attacker and triggers automatic NTLM authentication. The exploit structure is straightforward: build_header() creates a Shell Link header, shitemid_clsid() creates CLSID-based shell items, shitemid_unicode_cpl() creates a crafted Unicode Control Panel applet item with the attacker-controlled module path at offset +0x18, build_idlist() chains the Control Panel CLSID, All Control Panel Items CLSID, and malicious CPL item into a LinkTargetIDList, and build_lnk() assembles the final .lnk bytes. main() exposes CLI arguments for the UNC path and output filename, then writes the malicious shortcut. Primary capability: generation of a crafted .lnk file that causes zero-click credential coercion when merely viewed in Explorer. The practical result is outbound SMB authentication to an attacker-controlled host, leaking Net-NTLMv2 material. There is no post-exploitation shell or code execution payload in the repository; it is focused on credential leakage/coercion via a malicious file and remote UNC path.

Repository contains a single Python proof-of-concept script and a detailed README. The main file, CVE-2026-32202.py, is a research-oriented generator for crafted Windows .lnk files that reproduce the LinkTargetIDList structure associated with CVE-2026-21510 / CVE-2026-32202. The script reconstructs three shell items: (1) a Control Panel root CLSID item, (2) an 'All Control Panel Items' category item, and (3) a Unicode _IDCONTROLW structure containing a user-supplied module path, typically a UNC path to a remote .cpl file. It exposes CLI options for the embedded UNC/local path, output filename, applet ID, display name, infotip, and optional hex dump suppression. The exploit capability is file generation rather than direct network communication; however, the generated LNK is intended to cause Windows Explorer/shell32 to access the embedded UNC path during rendering, which can coerce outbound SMB authentication or connection to an attacker-controlled share. The README provides reverse-engineering context, structure layouts, call-chain analysis, and explains that the vulnerable behavior occurs before later trust verification stages. Overall, this is a focused PoC/research tool for crafting malicious shortcut files to reproduce Windows shell path-resolution behavior, not a full weaponized framework or post-exploitation implant.